What is Zero Trust? It depends on what you want to hear


Confusion about the true meaning and purpose of zero trust makes it difficult for people to put the ideas into practice. Supporters largely agree on the common goals and objectives behind the phrase, but busy executives or IT administrators with other things to worry about can easily be misled and ultimately implement security protections that simply reinforce old approaches instead of introducing something new.

“What the security industry has been doing for the past 20 years is simply adding more bells – like AI and machine learning – to the same methodology,” said Paul Walsh, founder and CEO of zero-trust anti-phishing firm MetaCert. “If it’s not zero trust, it’s just traditional security, no matter what you add.”

In particular, cloud providers are able to incorporate zero trust concepts into their platforms, helping customers to embrace them in their own organizations. But Phil Venables, chief information officer at Google Cloud, notes that he and his team spend a lot of time talking to customers about what zero trust really is and how they can apply the principles to their own use of Google Cloud and beyond.

“There’s a lot of confusion,” he says. “Customers say, ‘I thought I knew what zero trust was, and now that everyone describes everything as zero trust, I understand it less.’”

Apart from agreeing on what the phrase means, the biggest obstacle to spreading zero trust is that most of the infrastructure currently in use was designed according to the old moat-and-castle network model. There is no easy way to upgrade these types of systems to zero trust because the two approaches are so radically different. As a result, applying the ideas behind zero trust throughout an organization potentially involves significant investment and inconvenience to re-architect legacy systems. And it is precisely these types of projects that are at risk of never being realized.

This makes the implementation of zero trust in the federal government – which uses a mix of vendors and legacy systems that will take huge investments of time and money for major repairs – particularly daunting, despite the Biden administration’s plans. Janet Manfra, a former assistant director of cybersecurity at CISA, who joined Google in late 2019, saw the difference firsthand, moving from government IT to the technology giant’s internal infrastructure, which is focused on zero trust.

“I came from an environment where we’ve invested huge amounts of taxpayer dollars in providing very sensitive personal data, mission data, and I see the friction you’re experiencing as a consumer, especially in more security-oriented agencies,” she said. “That you can have more security and the better user experience was just amazing to me.”

Which is not to say that zero trust is a panacea for security. Security professionals who are paid to hack organizations and detect their digital vulnerabilities – known as “red teams” – have begun to study what it takes to break into networks with zero trust. And for the most part, it’s still easy enough to simply target parts of the victim’s network that haven’t yet been upgraded with zero trust concepts.

“A company that moves its infrastructure off the premises and puts it in the cloud with a zero-trusted provider will close some traditional avenues of attack,” said longtime red team member Cedric Owens. “But honestly, I’ve never worked or allied myself in an environment with complete zero confidence.” Owens also emphasizes that while the concepts of zero trust can be used to significantly strengthen an organization’s defenses, they are not bulletproof. He points to incorrect cloud configurations as just one example of the weaknesses that companies can inadvertently introduce when they move to a zero trust approach.

Manfra says it will take time for many organizations to fully understand the benefits of a zero trust approach over what they have relied on for decades. However, she adds that the abstract nature of zero trust has its advantages. Designing around concepts and principles rather than specific products gives flexibility and potential longevity that specific software tools do not.

“It seems lasting to me philosophically,” she says. “The desire to know what and who touches what and whom in your system are always things that will be useful for understanding and protection.”

