Quick Read

Refocusing the Zero Trust Conversation

This article was recently featured in Intelligence Community News. Continue reading to see why ZKX believes the conversation on Zero Trust needs resetting.

Many benevolent titans in the technology and defense contracting space often recite that the COVID-19 pandemic alone served as the sole herald to drive the state of technology toward this new network security philosophy called Zero Trust. Sure, the pandemic may have spurred some of the notions consistent with Zero Trust networking, but the idea and proposed benefits of Zero Trust far precede COVID-19.

In fact, the idea of Zero Trust is more emergent from cyber-attacks made possible through insider leverage. The Edward Snowdens and Solarwinds of the world have done more to advance Zero Trust than a pandemic ever could. In truth, the projection of the pandemic onto the idea of Zero Trust is yet another thinly-veiled marketing campaign designed to be relatable while increasing fear and loosening dollars from the fattest and most gullible of wallets.

The Zero Trust Enterprise

The short-term successes that may stem from this tech-marketing strategy will, in time, be sufficiently outweighed by the negative impacts it will have on the functioning Zero Trust enterprise. The word enterprise here is a key concept whose full ramifications are seldom discussed regarding Zero Trust. See, enterprise, in the context of the modern conversation surrounding industry-wide migration to Zero Trust, seems to denote a fantasy-land ecosystem full of cloud-stationed application servers, infinite processing power and throughput capacity, no concern for technological footprint, and, perhaps the most dangerous of these pitfalls, the assumption that certain cultural problems can be solved with commercial product.

This vision of the Zero Trust landscape may be suitable for a few tech giants, but to those of us that operate in reality (with constrained budgets, strained security policies and cultures, and network architectures built from the early part of the century) the current picture being painted about Zero Trust couldn’t be further from the truth.

This problem is exacerbated even further when considering those outside the tech sector that will still be influenced by the motions we take in pursuit of Zero Trust. Namely, government, military, banking, finance, healthcare – really anybody that might depend on tech for outsourcing the knowledge and technical skill needed to keep pace in today’s information security environment.

Take for example tactical units within the U.S. military. Not only can they not afford to be provisioned with some of these novel Zero Trust technologies, they likely don’t want them in the first place. What good is a cloud-based SSO application if cloud connectivity is denied by an adversary? How can we expect a tactical unit to increase its technical and/or computational footprint by multiple factors, all in the name of Zero Trust? How does contextual biometric authentication help me in an environment where I am prone to catch a bullet? Why should we expect tactical players to abide by one set of security technologies and practices while in garrison and accost them with a different set of technologies and capabilities when deployed? How does the contemporary Zero Trust conversation consider the critical perspective put forward by our tactical executors? In short, it doesn’t, and if one part of the enterprise isn’t able to achieve Zero Trust, then you don’t have a Zero Trust enterprise.

Interoperability and vendor lock-in

Not all Zero Trust players will be massive companies; some will be smaller fish and several of these smaller fish need to be able to work together and technically interoperate with one another. Currently, designing a single Zero Trust network such that all of its components can fully interoperate is a massive technical challenge. Vendor lock-in, or, the act of being restricted in the technical and capability scopes due to proprietary software, protocols, and technologies, is a vital danger that must be considered, planned around, and avoided at all costs if a single instance of a Zero Trust network is expected to be functional.

Now imagine the complexity involved with multiple instances of Zero Trust networks. These multiple ZTA instances will have their own budgets, their own existing technological architecture, their own operating culture, and their own mission statements. If the real Zero Trust enterprise is to emerge and deliver security benefits to the whole of the interconnected world, the days of the “we sell this box that does this thing using our special language and our special interface” are over. The real Zero Trust enterprise is going to require a novel, out-of-the-box approach as to what security products are, what they look like, and, ultimately, what they do.

Fortunately for us, we get opportunities to hear the smaller players voice their opinions on this matter, but it is high time we found some consistency with the louder voices in the room. So – how do we correct the course here? How do we conduct ourselves such that the security promises theorized by the Zero Trust enterprise can actually come to fruition? How do we extend the security guarantees of Zero Trust to the less fortunate networks among us?

One of the most key insights to consider is the fact that the Zero Trust enterprise is only as strong as its weakest link. Yes, if all of us really are as serious about Zero Trust as we’ve all been posturing, instantiating the Zero Trust campus is just as critical as securing the Zero Trust end-node. This includes all of those remote, lightweight, legacy, and all-around inferior networked environments.

Shifting the Zero Trust Conversation

How do we adjust the pitch of the Zero Trust conversation to represent a more realistic and holistic Zero Trust enterprise? See, the cool thing about Zero Trust is that the theoretical guidelines that situate one’s network as one that executes ZT principles (as outlined in NIST SP 800-207) are intentionally left agnostic with regard to specific technologies that might be used to enforce these new abstract safeguards.

This leads us to one of the most attractive parts of the Zero Trust paradigm: if your old infrastructure can abide by the rules of ZT, you too can have a ZT network! This is the critical piece that is truly absent from the Zero Trust conversation – how can we maximize the existing architecture, to help migrate toward a Zero Trust architecture? How can we as a cohesive industry move forward toward Zero Trust in the most efficient and cost-effective manner possible? The answer is to focus on acquiring technologies that leverage what you already have, know, and love in the name of Zero Trust. If the Zero Trust conversation continues to forebodingly predict technology and process overhauls, we will end up right where we started: annoyed, incomplete, and most importantly, insecure.

A Solid Foundation for Zero Trust

The unfortunate reality with the advent of the Zero Trust architecture, as many organizations are currently on the pathway to discovering first-hand, is that the solution to ZTA adoption can’t simply be purchased. Functional zero trust is not something a single vendor will be able to provide you, nor is it a box that you will eventually check, breathing a single sigh of relief, and proclaiming “Yes, Zero Trust – we did it! It’s done.”

Zero Trust is doomed to forever be a moving target that organizations will only be able to sufficiently achieve with heightened awareness, agility, and, perhaps most importantly, an operating culture that is human-centered, progress-oriented, and not totally insufferable. These are things that cannot simply be purchased from the free market, despite what you might read on industry websites. These solutions literally must be architected, hence the A in ZTA.

Approaching functional Zero Trust for your organization is not strictly a game of tech acquisition. Sure, there will be the acquiring of new technologies and services in order to get you where you need to go. However, it’s more of an exercise in acquiring the right technologies that will elevate your existing architectures up to the operating standard of Zero Trust. Any good construction project begins with the planning and setting of some foundation – a structure so resolutely important as it determines the success of everything on top of it. Currently, our Zero Trust foundations are flawed, corrupted by the potential to inflate margins of profit by bloating unsuspecting organizations with tools, services, and expertise they don’t really need. In order to construct a truly functional, accessible, and usable ZT enterprise we must start on solid foundations that will support both the well-connected campus and the distributed, denied edge.

Collaboration is key for a successful Zero Trust migration

Zero Trust will never be a one-man-show, which means that industry (as well as government, military, and commercially aligned partners) will have to work together in order to make this Zero Trust ideal an operational reality. We can write editorial pieces like this one, or maybe even discuss how we’ve built our set of technologies to facilitate fast, simple, and secure ZT adoption, but we certainly can’t stand up the ZT enterprise on our own. This undertaking requires collaboration across all boundaries, borders, and modes of thinking. But to do that – we must re-orient the conversation and refocus the larger ZT strategy on securing a more rigid, accessible, and human-centered foundation.

Getting started with Zero Trust today

We believe authentication is the most natural starting place for transitioning your current ecosystem into a Zero Trust Architecture. Authentication is the act of proving that I (the user) am indeed consistent with the identity that I am claiming in order to traverse about the network and its various resources of varying levels of sensitivity.

The concept of Zero Trust is a two-way street. The organization should not inherently trust the user, so why should the user inherently trust the organization? Or, for that matter, why should they trust the device their organization has required them to input sensitive information into? Neither party should inherently have to trust the other, which is why authentication – dynamic, robust, and arbitrarily repeatable authentication – is the fundamentally integral foundation of the Zero Trust architecture.

There is a whole lot more to talk about when it comes to authentication, but we’ll save that discussion for a future article. If you can’t wait for that and want to learn more right now, visit www.zkxsolutions.com or drop me an email at collin@zkxsolutions.com.