In 2010, John Kindervag of Forrester Research piqued a new concept, the ‘Zero Trust’ model. In the traditional information security model, there are essentially 2 zones – the trusted zone which is regarded as ‘secure’ and the untrusted zone as ‘insecure’. The zero trust model essentially says not to trust anyone on the network – internal or external.
In the traditional sense, it was always assumed that the trusted network, regardless of the security controls will always be secure (for instance the internal network) whereas the rest is insecure, needs additional security controls and should not be trusted. The trusted network works on the principle of ‘Trust, but verify’.
According to this deck, the 5 core principles of Zero-trust model are:
- All resources should be accessed via a secure manner irrespective of the location.
- Access control should be on the ‘need-to-know’ basis.
- Verify but never trust.
- Inspect and log all traffic.
- The network is designed from the inside-out.
Aren’t the above principles look familiar?
Any company which is remotely proactive to the security measures know that all the resources must be stored in a secure area with effective access controls. For instance, no DBA will give open access to the data to everyone or no HR system admin will give write access to unauthorized employees and will always follow the ‘need-to-know’ and/or ‘least-privilege’ principle.
Even if the access is granted, the sensitive transactions will always be verified if the ‘Segregation of Duties’ principle is followed. And when we say ‘verify but never trust’, how are we supposed to verify the iPhones and routers manufactured in China and used in the rest of the world as is? Do we trust the manufacturer that he won’t install a backdoor? Do we trust the supply chain that he will not let it infiltrate the hardware while in the shipment? If yes, good for us, otherwise how do we plan to verify those?
Continuing on the principles, anyone who has worked on a Firewall or logging and monitoring tool know they are like expensive elephants. It’s easy to buy an elephant but difficult to maintain. Similarly, logging and analyzing the entire traffic is like finding a needle in a haystack. It is just not possible. And even if the automated tools like Splunk are employed to perform such a task, it will be a nightmare for the network team to find key inferences from the logs.
From what I understand, the Zero-trust model looks like just another industry buzzword wrapped in fancy words. Rather than trying to implement and adopt the latest frameworks, the need of the hour is to educate the employees at all level and follow the basic principles of security. Unless you manufacture each of your own hardware and software, the zero-trust model is a fallacy.