Over a decade ago, I published a paper introducing the zero-trust model of information security. Today, I’m encouraged that organizations across all industries are embracing zero-trust.
Forrester's research found that 72% of security decision-makers at larger organizations today plan to embark on a zero-trust initiative or are already doing so. However, I worry some common misconceptions will stall their progress. It's a long list of misconceptions, so let’s focus on debunking the four I most often encounter.
Before we examine what zero-trust isn’t, let’s look at what it is: an alternative to the traditional “trust” model that was the predominant approach in the early days circa the 1990s and 2000s of using firewall technology to secure large perimeters without knowing or caring about the data or assets that needed protection.
The firewall algorithm assigned trust levels to interfaces: internal (trusted) at 100, external (untrusted) at 0, and others in between. Traffic from lower to higher trust levels required a policy, while traffic from higher to lower levels did not. The industry referred to this as the adaptive security algorithm, though it was neither adaptive nor secure.
The trust model allows malicious workloads that inevitably bypass the firewall to move freely within the network, accessing an organization’s highest-value data. This realization led me to advocate for a model that eliminated the concept of “trust” in digital systems, as organizations were leaving themselves vulnerable to data breaches, insider threats, and limited visibility and control.
That brings us to the first zero-trust misconception: “zero-trust means making a system trusted.”
It’s in the name: zero-trust. The zero-trust model demands that security teams eliminate the concept of trust from their cybersecurity strategy. All interfaces should have the same trust: zero. We don't want to make systems trusted; instead, we want to eliminate the concept of “trust” from all IT systems. That ensures the team grants every user, packet, network interface, and device the same default trust level: zero.
Trust pertains exclusively to individuals, not digital settings. Identity credentials are vulnerable to compromise, networks are susceptible to hacking, and malicious insiders often hold trusted positions. When a malicious external actor gets access to the internal network, they automatically become a “trusted insider.” That lets them exploit the trust model for their nefarious purposes. Consequently, it's impossible to be sure that the source of network traffic is genuinely “trustworthy”: an asserted identity is merely a claim, not the verification of a person.
Look at the Snowden and Manning data breaches. They were “trusted” users on “trusted” devices. They had the correct patch levels and updated patches on their devices. The network they compromised had robust identity systems and powerful multifactor authentication. But no one looked at their packets post-authentication. They exploited the “trust model” of the government networks on which they had credentials.
That leads us to debunk the second zero-trust misconception: “zero-trust is about identity.”
Avoid the identity trap. While zero-trust recognizes that the traditional security perimeter has become obsolete, considering identity as the new perimeter stands as a reductionist and inadequate security approach. Start with verifying identity, but just confirming who’s accessing data or the network falls short; context becomes equally crucial.
Think of identity as just a preliminary step into the zero-trust framework: a comprehensive approach that incorporates contextual data—such as time of day, device type, posture checks, and risk assessments. Do not ignore context while discussing access control. Start with identity, then add advanced contextual markers to ensure secure access.
How do we accomplish this? The answer leads us to the third zero-trust misconception: “There are zero-trust products.”
It’s a framework, not an SKU. The zero-trust framework requires companies to rethink their philosophy and approach to trusted network users and devices. It’s not a product, although security teams can use many tools to implement zero-trust-based security infrastructures. Moreover, zero-trust does not demand a complete overhaul of existing security systems. It leverages current technology to support the zero-trust mindset, adding new tools as needed.
That may seem daunting, leading organizations to mistakenly believe the fourth zero-trust misconception: “zero-trust is complicated.”
The zero-trust framework actually reduces cybersecurity complexity. The strategy has been rooted in simplicity, predicated on debunking the broad security industry myth that a cybersecurity teams must prevent all intrusions. That’s a fool’s errand; intrusions are unavoidable. However, zero-trust aims to prevent data breaches, which regulations like GDPR define as the unauthorized removal of sensitive data from our network.
The zero-trust framework represents the best-practice security strategy for modern cybersecurity environments that have become increasingly complex, distributed, and perimeterless.
A zero-trust architecture helps organizations manage the increased danger resulting from this evolution. It inverts the attack surface, reducing it to something small and easily known called a "protect surface." Implementing zero-trust one protect surface at a time offers three benefits: it's incremental, iterative, and non-disruptive, limiting any potential issues to a single protect surface.
I'm on a mission to debunk common misconceptions about the zero-trust model to help organizations understand and address them, thereby helping teams enhance their security posture and implement zero-trust more effectively.
John Kindervag, chief evangelist, Illumio
