The Zero Trust Journey — You're Already On It
“In the end, perfection is just a concept — an impossibility we use to torture ourselves and that contradicts nature.” - Guillermo del Toro
Some things in life are binary. On or off. 1 or 0. A light switch is on or it's off. I'm on mute or I'm not.
Then some things are analog. This means many values or levels are possible in a range. The thermostat in my house. My car's odometer.
Zero Trust is a secure remote access method that has recently re-gained quite a bit of attention due to the massive increase in remote work. I look at Zero Trust as analog. You can enforce it at low levels, mid levels, or high levels. This is important to consider because it helps to understand that implementing Zero Trust is not all or nothing and, contrary to a perfectionist's mindset, perfect Zero Trust could be perceived as out of reach.
But much like auto insurance, a little bit of Zero Trust is better than none at all. And currently, due to technology limitations, the vision of Zero Trust in its purest form is admittedly still a bit futuristic. But if you accept the fact that it is possible to achieve incremental amounts of Zero Trust, then you might also agree that you are already on the path to this worthy goal.
To break this down, let's review Zero Trust access basics.
What is Zero Trust?
With Zero Trust, in its simplest form, you have an entity that initiates traffic, which NIST refers to as a "Subject." This is typically a user on a computer. Then you have an entity to which the Subject is attempting to connect, which NIST calls a "Resource." The Resource is typically an application front end, which is ultimately what you are trying to protect.
The Subject has to prove that it is at a sufficient trust level to reach the Resource. And until it does that, the Subject is denied and considered to be at Trust Level 0.
It's really not much more complicated than that: a user on a device proving the right to reach an application.
What does the Subject need to show to prove its trust level? Zero Trust introduces a lot of options for that, but it varies and is essentially dictated by each organization's security policies. Current common trust requirements include Multi-Factor Authentication (MFA), certificates or tokens to validate that an asset is managed and basic posture checks. This is usually evaluated as a basic criteria checklist.
Zero Trust purists would want this criteria list to be more extensive and include things like behavioral analytics or advanced posture, and to be evaluated in more of a numeric weighted scoring method. The end result, for example, might be that if your trust level were determined to be 75 out of 100 then you can access the Resource; lower than 75 out of 100 and you cannot. This algorithmic approach is on the advanced end of the spectrum and the part that's a bit futuristic.
But what about the most fundamental form of proof? What about a basic username and password combination? Technically when you enter a username and password, you are proving a certain level of trust. Although modern policy is typically requiring slightly more than this (2-factor authentication, for example), this simple form of authentication does actually prove a certain level of trust and your policy might dictate this is sufficient.
Therefore, per the title of this article, even if you're only using usernames and passwords alone, it could be said that you are on the Zero Trust journey. If you've established a more sophisticated identity architecture than that, even better — you are farther down the path.
Where are you on the Zero Trust journey?
I think it's important to understand this. With Zero Trust, or whatever terminology is used in the future for this approach, we are all on a journey in which we are optimizing trust evaluation — always improving on identifying the Subject and assessing more and more characteristics or behaviors that prove the Subject is who it says it is.
I like to use the image below to illustrate this concept. You have the basic authentication we just described on the left end of the spectrum (username/password) and the advanced analytics on the far right. The industry and the technology it offers is making great progress and will make you more secure, but it has a long way to go in providing a more detailed assessment of a Subject, as well as applying this beyond basic User Access (to lateral access, for example, or what you might call East-West in the data center).
And the industry has a ways to go to be able to more dynamically or more frequently assess a Subject's trust level so that if your posture changes while you are connected (let's say malware is detected), then your trust level decreases and action is taken immediately with an appropriate user experience.
Despite these opportunities for improvement, what today's technologies offer currently is tremendous. That's how bright the future of Zero Trust is. There's no point in getting discouraged because the nirvana version of Zero Trust might be unreachable based on current technology limitations. But striving for it will still reap benefits and reduce your overall risk.
A perfectionist stance that Zero Trust is all or nothing is counter-productive and will keep you from moving forward at all. Without a great deal of effort, you can propel yourself farther down this path. You can make progress.
What are the next steps?
Investigate the technologies that are available. Many are cloud-based and relatively easy to implement. And there are a lot of players in the game now. If you'd like to test drive a few of the most common solutions, run the labs in our Compare Zero Trust Solutions offering. These are on-demand labs that will give you hands-on fundamentals with each solution, along with a bit of Zero Trust fundamental education in their documentation.
Good luck on your journey! It is worth the effort. For more information on Zero Trust, make sure to follow our Zero Trust topic area where you can review other articles, labs and related content.