The term zero trust has been cropping up a lot recently, with even a small conference devoted to the topic. It sounds like an ideal security goal, but some caution is warranted. When you step back and consider the reason security is important – keeping organizations running – it’s not so clear that zero trust is really what we want.
I see the label zero trust as an over-reaction to the challenges we face in security. To the extent that the term means “be less trusting”, I agree. Look at our lack of success in stopping breaches.
For well over a decade we’ve known that a simple perimeter around your organization’s assets is untenable. You can’t build something like a moat around a castle because your network is too mobile, too virtual, and too diffuse. But even if you could, it wouldn’t stop insiders who want to behave badly or have been tricked.
Even outsiders are well practiced now in lateral movement techniques – first they get inside, then go wherever they want. The old model of “hard shell, soft interior” is gone – we segment, we use zone defense, we sometimes even micro-segment.
Saying that we need to get to zero trust, though, implies we have a lot further to go. It suggests a world where every single access port is controlled, every server is tightly controlled, and no traffic moves that is not authorized.
This seems like an appealing vision – isn’t it just what we’ve been building up towards over the last couple of decades of security technology? Not necessarily. Just because we go on a diet to lose weight, it doesn’t follow that the ideal target is zero calorie intake. Security has always been a tradeoff. We have to balance it against the needs of the organizations we’re trying to keep safe.
Consider what makes a successful business. Capitalists and economists agree that it boils down to growth, and how do we achieve growth? Through innovation and change. Healthy businesses innovate constantly, and this means they are always changing.
Among other things, this means the interactions inside an organization are always shifting. Department X suddenly needs to work with Department Y for some new and innovative experiment – how does that fit in a zero-trust model? If we’re not careful, zealous adherence to zero trust means allowing only what we already know should be allowed.
In practice, this means we permit only what we knew about yesterday, when we placed the controls and enforcement points into the network. But what about today and tomorrow? Some might argue that this is just a technology issue, about how quickly you can roll out new rules to say what is permitted, but that’s too optimistic – it assumes the people doing the approving are fully aware of all the constraints, benefits, and trade-offs in each business innovation.
That’s impractical; at root, this is a people and process problem, about imperfect information. Innovation is messy, and done vigorously as a competitive advantage, it does not follow a pre-set plan. Security teams can’t afford to be in a position of saying “innovation will be allowed, so long as you adhere to this standardized workflow, and let our change control board know in advance precisely what network usage you’re going to need.”
Business innovators don’t work that way – they aim to fail fast and fail often. One innovation mantra is to fire pea-shooters, then cannon balls – this is how you learn faster than your competitors. That speed gets lost if you have to pre-approve each pea-shooter experiment with central security. Innovation is messy, experimental, noisy, and highly productive.
Zero trust can be too much of a good thing when it starts to threaten creativity and essential business flexibility. Security would be a far easier game if the business would just stop changing and let us catch up!
The inconvenient truth, though, is that business needs the polar opposite. Tight security is an important and nice goal, but a business that sacrifices innovation on the high altar of reliability is behaving like an ancient culture destined to get swept away by the guns, germs, and steel of the next invaders. Frankly, while cyber adversaries are bad, business people are more afraid of falling behind the competition in the endless race to innovate.
So, is all hope for security lost? Far from it. As Rhonda Maclean famously observed, you put brakes on a car so it can go faster, not to slow it down. Security is about balance – let the business innovate, don’t be a barrier, but make sure you know what is going on better than your adversaries do.
We can never really expect to have a tight strangle-hold on our business infrastructures. Instead, we have to loosen our grip just enough. We can keep a flexible grip while monitoring, mapping, and understanding new interactions to find and eliminate the bad ones.
Perhaps the worst problem with zero trust is that it updates the old paradigm of perfect protection – an unrealizable goal. Today’s CISO understands that perfect protection won’t happen. The more effective goal is to be resilient. Digital resilience still means being as hard to hit as you can, but not via locking down everything. Instead, you work like a military strategist – you map your cyber terrain, understand your internal segmentation, watch for breaches, and respond faster and more effectively through superior knowledge of your own environment.
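The “flexible grip” in practice, as an added illustration that is not part of the original post: a small Python flow monitor that maps observed segment-to-segment interactions onto a terrain map, compares them with yesterday’s baseline, and queues the new interactions for review riskiest-first instead of dropping them. The segment ranges, the baseline, and the flow records are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed segment map and sensitive set: assumptions, not from the post.
SEGMENTS = {
    "dept-x": ip_network("10.1.0.0/16"),
    "dept-y": ip_network("10.2.0.0/16"),
    "finance-db": ip_network("10.9.0.0/24"),
}
SENSITIVE = {"finance-db"}
# The interactions the controls "knew about yesterday" (constructed).
BASELINE = {("dept-x", "dept-x"), ("dept-y", "dept-y"), ("dept-x", "finance-db")}
# Constructed flow records (src_ip, dst_ip, dst_port), as a flow collector would give.
FLOWS = [
    ("10.1.4.7", "10.1.9.2", 443),      # dept-x internal: known
    ("10.1.4.7", "10.2.3.3", 8443),     # Dept X talking to Dept Y: new experiment
    ("10.2.3.3", "10.9.0.5", 5432),     # Dept Y reaching finance DB: new and sensitive
    ("10.1.4.7", "10.9.0.5", 5432),     # known path
    ("203.0.113.9", "10.9.0.5", 5432),  # unmapped source hitting finance DB
]

def segment_of(ip):
    """Place an address on the terrain map; unmapped addresses are 'unknown'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"

def map_terrain(flows):
    """Build the segment-to-segment map: (src_seg, dst_seg) -> ports seen."""
    terrain = defaultdict(set)
    for src, dst, port in flows:
        terrain[(segment_of(src), segment_of(dst))].add(port)
    return dict(terrain)

def triage(terrain, baseline):
    """Split the map into known and new interactions. New ones are queued
    for review rather than dropped, so an unapproved experiment still runs."""
    known = {k: v for k, v in terrain.items() if k in baseline}
    new = {k: v for k, v in terrain.items() if k not in baseline}
    return known, new

def review_queue(new):
    """Order new interactions riskiest-first: unmapped sources, then sensitive targets."""
    def rank(item):
        (src, dst), _ = item
        return (src != "unknown", dst not in SENSITIVE)
    return [(k, sorted(v)) for k, v in sorted(new.items(), key=rank)]
```

Run `review_queue(triage(map_terrain(FLOWS), BASELINE)[1])` to see the unmapped source hitting the finance database land at the top of the queue, with the Dept X to Dept Y experiment last.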
You can’t expect to be more advanced or more persistent than your adversaries, but you can expect to get ahead in one decisive area: knowledge of your own business and how it functions. That’s the path to resilience.