infoSource is a cybersecurity newsletter. By subscribing to infoSource you will remain up-to-date on the latest in communication, computer and software cybersecurity issues.

What Is Zero Trust?

I only trust what I already know I can.

I'm old school, but I've never stopped being an innovator. There's a buzzwordy construction of paradigms that has taken the entire technologically driven world by storm. Referred to as 'Zero Trust' (ZT), this strategy is in fact a concept as old as peer-to-peer computing itself. The security consideration is one of trust (not to be confused with the IETF Trust, which is very worthy of your support), and specifically the evaluation of trustworthiness without relying on proximal controls.

Internet has always been of things.

The InfoBro

When should you trust? 

Normally, when we think of trust in a person, we establish it by reliably interacting with them, and with resources, without negative consequences. Over time the interaction comes to be treated as trustworthy and is allowed without additional scrutiny. That assumption rests on the 'honesty' presumed of the counterpart, the peer. Additionally, if you can see it or control it, a proximal trust relationship is established that imputes a reliability attribute. It's sort of an "it's in my boundary of influence and I trust everything there" understanding.

For a long time the relationship between peers in a computer network, and the security considerations thereof, were treated perfunctorily when designing a network protocol, especially when that protocol relied on some trust- or reputation-based relationship. Unfortunately, in the earlier days of internetwork engineering those decisions often fell into a proprietary realm for implementers, or were left as a security consideration outside the engineering of the actual protocol. Many protocols were refashioned or discarded altogether not on engineering grounds but on consumer adoption.

Access to resources driven by evaluation not location.

So, now we have that approach, the ZT strategy, planned as an architecture. To boil it down: ZT does not allow any peer to be trusted until it demonstrates that it can be, period. For what it's worth, that's the ideal state. Assume everything not evaluated as trusted is compromised. This is done without respect to any proximal assumptions about controls. That is to say, just because it's in my network, behind my firewall, and it looks like my laptop doesn't mean I should trust it. Implicit trust should be reduced to as few cases as possible. This thinking grew out of an evolved understanding of protection inside the network, one that now includes new and expansive deployment of technologies that are not tethered within the boundaries we control. There needs to be some other way to establish that trust.

This also means that any trust must be evaluated continually, not just once or on the basis of past relationships, and the evaluation must cover everything from the person to the device to the infrastructure. To do this, ZT access is governed by authentication and authorization as implemented through a policy. The policy sets the parameters that make up the trust decision; that decision is then enforced, either granting or denying access to the resource. The component that makes the decision is the Policy Decision Point (PDP) and the component that enforces it is the Policy Enforcement Point (PEP); together they form the PDP/PEP gateway. Only what lies behind that gateway is trusted without another check, and that abstraction lets you make the "implicit trust zone" as small as possible.

Behind the rope line 

Think about it like a club. Do you have ID? Wearing a jacket, shirt, shoes? Those are the rules. No one gets past that first bouncer without those things, in proper order and at the right time. Everyone gets checked. Once you are past the first bouncer you are in a zone where everything that was used to let you in can be assumed to be true about everyone in the club; that zone is the implicit trust zone, and it extends no further than the next door. If you want to go to the VIP room, there's another bouncer (another PDP/PEP) and you're checked for your black card. Is it expired? Does it match your ID? And so on: if you've got what's required you get into the party. This strategy can be implemented in a plethora of modes that defend access to resources based on predetermined criteria.
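The two ideas above, a policy engine that decides and a gate that enforces, chained as nested zones that each re-check rather than inherit trust, can be modelled in a few dozen lines. The following is an added illustration, not code from the newsletter or from NIST; the rule names, request attributes (MFA, device posture, credential expiry, entitlements) and the sample requests are constructed for this example. Note what the policy does not look at: the source address is carried along and never consulted, so a request from "inside" the network earns nothing by its location.

```python
"""Minimal policy decision point / policy enforcement point model.

Added example for illustration; rules, attribute names and timestamps are
constructed, not taken from any product or from NIST SP 800-207.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class AccessRequest:
    """Everything the policy engine gets to look at for one request."""
    subject: str                  # who (the person)
    mfa_verified: bool            # was the ID checked for this request?
    device_id: str                # which laptop or phone
    device_attested: bool         # hypothetical posture signal (patched, EDR healthy)
    credential_expires: datetime  # expiry of the token presented
    entitlements: frozenset       # e.g. {"member", "vip"}
    source_ip: str                # carried along, deliberately never consulted
    now: datetime                 # time of *this* evaluation


# A rule returns None to allow, or a string explaining why it denies.
Rule = Callable[[AccessRequest], Optional[str]]


def require_mfa(r: AccessRequest) -> Optional[str]:
    return None if r.mfa_verified else "identity not verified (no MFA)"


def require_attested_device(r: AccessRequest) -> Optional[str]:
    return None if r.device_attested else f"device {r.device_id} failed posture check"


def require_live_credential(r: AccessRequest) -> Optional[str]:
    return None if r.now < r.credential_expires else "credential expired"


def require_entitlement(name: str) -> Rule:
    def rule(r: AccessRequest) -> Optional[str]:
        return None if name in r.entitlements else f"missing entitlement {name!r}"
    return rule


class PolicyDecisionPoint:
    """Evaluates every rule; any failing rule denies. Location is not a rule."""
    def __init__(self, rules: list):
        self.rules = rules

    def decide(self, r: AccessRequest) -> tuple:
        reasons = [why for why in (rule(r) for rule in self.rules) if why]
        return (not reasons, reasons)


class PolicyEnforcementPoint:
    """The bouncer: asks the PDP and either opens the door or says why not."""
    def __init__(self, zone: str, pdp: PolicyDecisionPoint):
        self.zone = zone
        self.pdp = pdp

    def admit(self, r: AccessRequest) -> tuple:
        return self.pdp.decide(r)


# Baseline checks that every door repeats: trust is re-evaluated at each PEP,
# not inherited from the previous one.
BASELINE = [require_mfa, require_attested_device, require_live_credential]
FRONT_DOOR = PolicyEnforcementPoint("club", PolicyDecisionPoint(BASELINE + [require_entitlement("member")]))
VIP_DOOR = PolicyEnforcementPoint("vip", PolicyDecisionPoint(BASELINE + [require_entitlement("vip")]))


def request_access(path: list, r: AccessRequest) -> tuple:
    """Walk the PEPs in order. Returns (deepest zone reached or None, denial reasons)."""
    reached = None
    for pep in path:
        allowed, reasons = pep.admit(r)
        if not allowed:
            return reached, reasons
        reached = pep.zone
    return reached, []


T0 = datetime(2024, 7, 22, 22, 0, tzinfo=timezone.utc)  # constructed timestamp


def sample(**overrides) -> AccessRequest:
    """Constructed request: a member with a verified ID and a healthy laptop."""
    base = dict(subject="alice", mfa_verified=True, device_id="lap-01",
                device_attested=True, credential_expires=T0 + timedelta(hours=1),
                entitlements=frozenset({"member"}), source_ip="10.0.0.5", now=T0)
    base.update(overrides)
    return AccessRequest(**base)


def demo() -> dict:
    vip = frozenset({"member", "vip"})
    return {
        "member": request_access([FRONT_DOOR, VIP_DOOR], sample()),
        "vip": request_access([FRONT_DOOR, VIP_DOOR], sample(entitlements=vip)),
        # Same "inside" address, no verified identity: location buys nothing.
        "inside_no_mfa": request_access([FRONT_DOOR, VIP_DOOR], sample(mfa_verified=False)),
        # Same VIP, same laptop, evaluated two hours later: the black card has expired.
        "vip_later": request_access([FRONT_DOOR, VIP_DOOR],
                                    sample(entitlements=vip, now=T0 + timedelta(hours=2))),
    }


if __name__ == "__main__":
    for name, (zone, reasons) in demo().items():
        print(f"{name:14s} -> zone={zone!r} reasons={reasons}")
```

The `now` field is part of the request on purpose: the same subject, device and credential that were admitted at one moment are denied at a later one, which is what "evaluated continually" means in practice. A real deployment would pull `device_attested` from a posture or attestation service and `credential_expires` from the token, but the shape of the decision is the same.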

The Bottom Line

It should be understood that this is not a new thing but a new way of thinking about things. I tend to say "Internet has always been of things." The reason being that many concepts have been around for quite some time. Zero Trust is another one of those things that has now been codified by a trusted source, NIST, in Special Publication 800-207, Zero Trust Architecture. Think about it the next time you get table service at an exclusive club. Engineering is sexy.

Stay safe. If you can define the problem you can solve it. Share and Subscribe.
Monday, 22 July 2024
