One of the most buzzworthy infosec terms in recent years is Zero Trust. If they hand out buzzword bingo cards at the next security conference you attend, you can almost guarantee that Zero Trust will be on it.
There’s a reason for all the buzz, though. Zero Trust is the real deal.
The term was originally coined by John Kindervag back in the Forrester Days. To put it simply, following a Zero Trust security model means that you only let people have access to data when they need it, and that they have to prove that they are who they claim to be before you grant them that access.
Sounds like something we should have been doing all along, huh? Well, we have been. Sort of. Zero Trust is just the next iteration of the data security cycle.
Remember LPARs? Kudos to you if you knew what an LPAR was without Googling it first! LPAR stands for Logical PARtition. It’s a term from the mainframe days, when we segmented resources from one another (process, memory, storage… the whole shebang) before laying down access controls on top of them. LPARs did a pretty good job of protecting data back in the greenscreen terminal days.
Then the internet came along…
When we started embracing distributed computing, we took that data that we’d been keeping nice and safe inside our LPARs and we scattered it to the wind. We started storing it on any device with a network card, which meant that the people we’d kept out of our LPARs could potentially get to that data. And what did we do to keep them out?
Now a firewall with a permit IP any any ruleset is little more than a glorified paperweight, so we had to lay down some rules. Computer A was only allowed to talk to Computer B over a predetermined set of network ports. If the firewall saw any traffic that didn’t follow those rules, it blocked it. Shut it down.
This was a little trickier to manage than LPARs, but at least we were back in business with our defense-in-depth strategy.
We were, anyway, until everyone started using mobile devices and SaaS applications.
Back to square one.
That’s how it felt, anyway, until this notion of Zero Trust started to take hold.
After all, what were we trying to protect, anyway? The data! Exactly!
Maybe, just maybe, it was time for us to revisit how we were approaching this whole data security practice. Instead of putting controls all the way out at the edge, what if we took a good look at the resource that we were trying to keep safe and started putting our controls as close to that resource as we possibly could?
Tricky? Maybe. It was a few decades ago, anyway. The cool thing about technology is that it keeps changing. It keeps getting better and more advanced.
Today, we’ve got the ability to figure out what people need to access, as well as who those people are. We’ve got the ability to automate the entire process, from enabling users to request access to data, to removing that access when it’s no longer required.
We have the technology. We have the capability to make the world’s first Bionic Man…er, Zero Trust Architecture.
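Here is what that resource-centric approach looks like in code: an access decision that proves identity (MFA), checks device posture, and honors only a time-bounded, need-to-know grant that is removed automatically when it lapses. This is an added illustration, not code from the post or any product; the class and field names (PolicyDecisionPoint, Grant, Request) are assumptions chosen for the example.

```python
"""Added example: a per-resource access decision in the Zero Trust style."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    """Need-to-know access to one resource, valid only until expires_at."""
    subject: str
    resource: str
    expires_at: datetime


@dataclass
class Request:
    """What the caller asserts about themselves (hypothetical attributes)."""
    subject: str
    resource: str
    authenticated: bool
    mfa_passed: bool
    device_compliant: bool


@dataclass
class PolicyDecisionPoint:
    grants: list = field(default_factory=list)

    def request_access(self, subject, resource, ttl_minutes, now):
        """Grant access for a bounded window; nothing lives forever."""
        self.grants.append(Grant(subject, resource, now + timedelta(minutes=ttl_minutes)))

    def prune(self, now):
        """Automatic removal: expired grants simply stop existing."""
        self.grants = [g for g in self.grants if g.expires_at > now]

    def decide(self, req, now):
        """Evaluate every request, every time, as close to the data as possible."""
        self.prune(now)
        if not (req.authenticated and req.mfa_passed):
            return "deny: identity not proven"
        if not req.device_compliant:
            return "deny: device not compliant"
        if not any(g.subject == req.subject and g.resource == req.resource
                   for g in self.grants):
            return "deny: no active need-to-know grant"
        return "allow"
```

Contrast this with the port-based firewall rule above: the decision here never asks which network the request came from, only who is asking, from what, and whether they still need it.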
If you haven’t read up on Zero Trust yet, it’s definitely worth checking out. The National Institute of Standards and Technology has a draft Special Publication on the topic (800-207), and there’s a solid whitepaper on the topic out on the US Department of Defense website.
Zero Trust isn’t the be-all end-all security solution, but it is the next step along the path toward enabling businesses to embrace technology securely. And let’s face it… that’s a pleasant alternative to crossing our fingers and hoping everything works out for the best.
Don’t fall into the buzzword bingo trap. Give Zero Trust the chance it deserves.
By day, Jerod Brennen (@slandail) is a storyteller, teacher, speaker, advisor, and security architect.
By night, he’s a husband, father, writer, filmmaker, martial artist, musician, and gamer. It’s fair to say that he’s earned every gray hair in his beard, having spent his career fulfilling infosec roles in consulting, higher education, retail, and public utilities.
Jerod loves to share what he’s learned over the years every chance he gets: at local and regional professional meetings, at larger conferences, and online via blogs and podcasts. He has published multiple online information security courses with Pluralsight and LinkedIn Learning, and he also teaches courses in person, both domestically and internationally.
At the end of the day, Jerod just wants to help folks get one step closer to doing what they want to do securely.