Pretty sure I know what zero trust is as I use it. Can I define zero trust, though? We’ll find out.
You’ve probably heard at least one person in IT grumble, “Never trust, always verify.” And that’s about the bulk of zero trust. There’s a whole NIST publication (NIST SP 800-207, Zero Trust Architecture) on zero trust, and that’s what I slogged through, but really you just need to remember what that person grumbled in a meeting about cybersecurity three years ago. What that saying means is that every user, device, or service on the network is verified for identity and context every single time it tries to access a resource, not just once at the front door.
To really get it I had to take a little trip down memory lane to what apparently was only the year 2018, when there was no zero trust and everything was implicitly trusted (not true, but it’s my story so stay with me). AdminJane logged into the VPN while on vacation in Eastern Europe so she could do some server updating. After logging in through SSH using her admin username and a password, she could update that fancy web server and then jump on over to the print server, no questions asked. And apparently, that’s how things were back in the day. Once you get through the firewall, everything on the network just assumes you are good to go. But what if AdminJane isn’t really on vacation and all that happens at 3 am? Probably not cool, but apparently once you are in, you are in. Nefarious or not. Was it really like this? Ehh, not really. But close; and for the most part, it still is pretty close today.
Okay, so back in the day you get through the perimeter and you’re into everything. With zero trust, though, all that communication between enterprise resources is checked and double-checked and, of course, encrypted. Not only does it ask for the correct password from AdminJane (and hopefully now some multifactor authentication), but it also uses some context. That fancy $15k next-gen firewall is making some choices now, and some of those include location and time. Ever get an alert that someone tried to use your credit card number and it was caught because you used it in Kalamazoo, Michigan but then someone tried to use it in Sacramento, California three minutes later? Your firewall is doing something like that. Once you get in, though, the verifying continues. Various parts of your security infrastructure are working together to constantly be vigilant: identity and access management is making sure the right resources go to the right person when they need them; the firewall makes sure that person isn’t using ports they don’t need, at times and places they shouldn’t; the SIEM is pulling all the info together and tracking it. On and on in what is now called the Software Defined Perimeter.
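To make the “identity plus context, on every request” idea concrete, here is a toy policy decision point written for this post (it is an added example, not code from NIST SP 800-207 or from any product). It evaluates each access request on MFA, device posture, least-privilege entitlements, time of day, and an “impossible travel” check of the credit-card kind described above, comparing the request’s location with the user’s last verified one. The user name, resource names, coordinates, the 900 km/h speed ceiling, and the 07:00 to 19:00 window are all constructed for illustration.

```python
"""Toy zero-trust policy decision point (added example, not from the original post).

Every request is re-evaluated against identity and context; nothing is trusted
because an earlier request from the same user was allowed. All names, values
and thresholds below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass
class AccessRequest:
    user: str
    resource: str
    timestamp: datetime        # naive; treated as the requester's local time
    lat: float
    lon: float
    mfa_passed: bool
    device_managed: bool


def request(user, resource, when, lat, lon, mfa=True, managed=True) -> AccessRequest:
    """Convenience constructor; `when` is an ISO-8601 string such as 2018-06-04T10:00:00."""
    return AccessRequest(user, resource, datetime.fromisoformat(when), lat, lon, mfa, managed)


def distance_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle (haversine) distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass
class PolicyEngine:
    entitlements: dict                      # user -> set of resources (least privilege)
    work_hours: tuple = (7, 19)             # allow 07:00-18:59 local (constructed policy)
    max_speed_kmh: float = 900.0            # faster than an airliner = impossible travel
    last_seen: dict = field(default_factory=dict)  # user -> (timestamp, lat, lon)

    def evaluate(self, req: AccessRequest) -> tuple[bool, str]:
        """Return (allowed, reason). Checks run on every request, never cached."""
        if not req.mfa_passed:
            return False, "deny: MFA not satisfied"
        if not req.device_managed:
            return False, "deny: unmanaged device"
        if req.resource not in self.entitlements.get(req.user, set()):
            return False, "deny: not authorized for resource"
        start, end = self.work_hours
        if not (start <= req.timestamp.hour < end):
            return False, "deny: outside permitted hours"
        prev = self.last_seen.get(req.user)
        if prev is not None:
            prev_ts, prev_lat, prev_lon = prev
            # abs() so an out-of-order timestamp cannot turn the check off
            hours = abs((req.timestamp - prev_ts).total_seconds()) / 3600
            dist = distance_km(prev_lat, prev_lon, req.lat, req.lon)
            # ignore small moves; flag anything requiring implausible speed
            if dist > 50 and (hours == 0 or dist / hours > self.max_speed_kmh):
                return False, "deny: impossible travel"
        # only a verified, allowed request becomes the new "last seen" location
        self.last_seen[req.user] = (req.timestamp, req.lat, req.lon)
        return True, "allow"


def demo() -> list:
    """Replay the post's AdminJane story against the engine (constructed data)."""
    engine = PolicyEngine(entitlements={"adminjane": {"web-server", "print-server"}})
    kalamazoo = (42.2917, -85.5872)
    sacramento = (38.5816, -121.4944)
    scenario = [
        request("adminjane", "web-server", "2018-06-04T10:00:00", *kalamazoo),
        request("adminjane", "print-server", "2018-06-04T10:03:00", *sacramento),
        request("adminjane", "hr-database", "2018-06-04T10:05:00", *kalamazoo),
        request("adminjane", "web-server", "2018-06-05T03:00:00", *kalamazoo),
        request("adminjane", "web-server", "2018-06-04T10:05:00", *kalamazoo, mfa=False),
    ]
    return [engine.evaluate(r) for r in scenario]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(reason)
```

The second request is the Kalamazoo-to-Sacramento-in-three-minutes case: about 3,000 km in 0.05 hours is far beyond the speed ceiling, so it is denied even though the password and MFA were fine. Note that a denied request never updates `last_seen`; otherwise an attacker could “reset” the travel baseline just by being refused once.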
The one thing you should keep in mind is that zero trust isn’t a set of tools. Zero trust is a process and a culture. Zero trust is the idea that something shouldn’t be inherently trusted just because it made it through the front door, and everything you do to implement it should be based on that idea.