Zero-Assumption-Trust?
I hadn’t realized that people took the name “zero trust” literally. I thought we all realized it was just a name made to be catchy and be enough to get the idea. Lots of names are similar, “black lives matter,” and “occupy wall st.” They are sayings that have some truth and some catchiness. Zero trust is around because the trust had gotten too trusty. Gotta swing a different way.
Zero Trust is not a misnomer. My firewall doesn't trust (“allow”) any traffic to go through that I have not personally verified as a trusted source to come in. Zero trust stems from the structure of nothing allowing connections to each other that I have personally not implemented myself. Zero Trust is also a massive undertaking that isn't implemented immediately. If I want services to talk to each other, I personally pick the ports that are only required for it to operate. I do not allow new services to connect to different ports unless it is needed, and then I open them myself. Zero Trust is a laborious endeavor that has nothing to do with people. It doesn't mean reduce trust to zero; it means I don't trust anything that I have not personally verified to be trustworthy, and it won't be allowed in until otherwise. I start from Zero and build up.
If you come up with a catchier name than ZT, I’ll use it. ZTNA is more accurate but less catchy.
Part of technical marketing is to easily label things so non-technical stakeholders like executives and finance can understand the broad idea. If marketers do a bad job naming the technology (e.g. USB 3.2Gen2, USB3.2Gen2x2, USB Super Speed, passkeys vs passwords, EDR/XDR) the idea gets lost.
Arguably top level management don’t need to understand ZT. They need to understand risk and be advised of solutions/resource requirements. When speaking with execs, ESPECIALLY if you work for a cost center, you have to stop leading with technology and start addressing organizational risk. So many times I hear people pitch their projects like a university thesis: “ZT is a set of network architecture and identity integrations that deliver the principle of least privilege and normalize access methodology between internal and external staff…[5 minutes later]…and I need money”
To execs, ZT is just a thing that closes risk. I’d love to hear pitches like “Post-Covid WFH means our staff aren’t protected by office firewalls, I need $200k and 1 contractor to implement ZT”.
Well said!
I think zero trust is more of a mindset or approach best suited for privacy / cyber sec fanatics that fail to grasp basic realities. Just like open source is for the /r/Privacy peeps. Because just like FOSS, trust is always present for virtually all of us! Only the quantity differs from entity to entity.
Exactly! I just assume any device is not secure no matter what, everything is unmanaged BYOD, everyone needs a VPN with MFA and a modern web browser to access internal services via a modern web browser. I just trust the VPN firewall, proxy server, RDS server, and web browser. I just don’t care if the access device is secure or not, anything can be hacked.
So instead of trying to manage hundreds of devices, I just need to make sure my core services are secure.
Thoughtful write up.
Zero trust to me assumes there is no trust, therefore we must require taking every reasonable measure to restrict unauthenticated and unauthorized access to systems and data, so it brings into place identity, networking (even as limited as a single TCP session basis), authorization, potentially device parameters, other policy considerations, etc.
We built a solution on our SMB firewall for access to systems behind it via RDP, SSH or HTTPS using dynamic port forwarding (single-use firewall rule) after the user is authenticated via an MFA portal. In essence, an authenticated user can be limited to a single session access to the approved system… that’s it. I'd be curious about your thoughts. As a small vendor in the space the noise and lack of technical transparency is extremely challenging. I’ll ping you on LinkedIn per your note.
The best articulations I have seen are the Google BeyondCorp papers, but they only talk high level… and are for enterprise while we work with small biz.
Zero-trust simply means to stop trusting something because it’s on your network.
- Who are you?
- What device are you on?
- Where are you making requests from?
- What browser is this on?
I won’t just trust someone because they are in my office building. That would be silly. If they were suspicious I would want security to remove them until they verified who they were.
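As an added example that is not code from this thread or from either commenter, the following toy access broker models the post-MFA, single-use port-forward described a few comments up together with the four questions just listed (who, which device, from where, which browser). Every user, device, network, service and version number in it is a constructed placeholder.

```python
# Added example (not the thread's code): a toy broker for the post-MFA,
# single-use port-forward above plus the who/device/where/browser questions.
# All users, devices, networks and version numbers are constructed placeholders.
import ipaddress
import secrets
from dataclasses import dataclass, field

PUBLISHED_SERVICES = {"rdp": 3389, "ssh": 22, "https": 443}  # default deny otherwise

@dataclass
class Request:
    user: str
    mfa_passed: bool
    device_id: str
    source_ip: str
    browser: str      # constructed "Family/Major" form, e.g. "Firefox/121"
    service: str
    target: str

@dataclass
class Broker:
    enrolled_devices: set
    allowed_networks: list    # CIDR strings, e.g. "203.0.113.0/24"
    min_browser: dict         # browser family -> minimum major version
    entitlements: dict        # user -> {(target, service), ...}
    pending: dict = field(default_factory=dict)  # token -> (target, port)

    def evaluate(self, req):
        # Every check must pass; the first miss denies and says why.
        if not req.mfa_passed:
            return None, "mfa required"
        if req.device_id not in self.enrolled_devices:
            return None, "unknown device"
        src = ipaddress.ip_address(req.source_ip)
        if not any(src in ipaddress.ip_network(n) for n in self.allowed_networks):
            return None, "source not permitted"
        family, _, major = req.browser.partition("/")
        if not major.isdigit() or int(major) < self.min_browser.get(family, 10**9):
            return None, "browser not approved"
        if req.service not in PUBLISHED_SERVICES:
            return None, "service not published"
        if (req.target, req.service) not in self.entitlements.get(req.user, ()):
            return None, "not entitled"
        token = secrets.token_hex(8)
        self.pending[token] = (req.target, PUBLISHED_SERVICES[req.service])
        return token, "granted"

    def open_session(self, token):
        # Single use: the rule is consumed when the session opens; a replay gets None.
        return self.pending.pop(token, None)
```

The `pending` map stands in for the firewall's dynamic rule table: a granted token opens exactly one forward to one published port and is gone once used, so a replayed or leaked token gets nothing.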
Yeah, I also understand it as having zero trust in anything unless it's authenticated.
Not a fan of this TBH. If you have good controls on the Internal network it can be trusted far more than the Internet. That doesn’t mean you don’t use defense in depth.
I’ve had people use the term Zero trust to advocate putting shit on the internet that shouldn’t be there instead of just being exposed internally because it’s “all the same level of trust”, instead of “Just because it’s not exposed to the Internet doesn’t mean we don’t need to properly secure it”. Frustrating as fuck.
You took a lot of words right out of my mouth.
I’m going to delete and reframe my response in I think a better manner, because someone else made the same argument you did and with the benefit of hindsight, the response I gave them was the same concept as what I replied to yours, in far fewer words.
If we interpret ZT as “zero” trust, we’re talking absolutes. If ZT must be absolute, it’s doomed to fail. There are no absolutes in business (or in any operational endeavor). I’m simply choosing to interpret the term in a more workable and viable manner than the absolute “zero” alternative. So you’re not wrong, it’s just that you and I are talking about two fundamentally very different things. Our interpretations are semantically very far apart. But I would argue that my interpretation is the one that will allow practical application and that any literal interpretation of the term is doomed to failure and frustration.
I’m arguing toward the position of de-valuing, disconnecting the meaning of a term from its (in my view) bad literal semantic definitions. You’re arguing for the definition with value placed on the literal semantic meaning of the term. We’re taking absolutely opposite approaches to interpreting the term. In other words, we’re effectively talking about two fundamentally different concepts under the same name.
Your first sentence is exactly right.
I do, ideally everything should be assumed untrusted, with no direct internal network infrastructure access, all services must be accessed via VPN, proxy, RDS, etc. I just don’t really care if the client devices are secure or not, I just trust my firewall, proxy and RDS servers.
I wouldn’t mind if this comment was pinned to the top of the sub. So, so true of so many comments on here.
That’s the feature of Marketing in general. No one in Marketing gets paid for an ad that something is “pretty okay” or “just like everyone else’s widget but a different color.” That’s not something that is unique to security, at all.
It's actually insane how these people market lol. Apparently every single product on the market is an AI based zero trust EDR SIEM tool with high customizability to fit your business needs!
The roadmap is entirely dependent on your setup and how deep you want to go. Let’s say you wanted to start with your network. Try thinking of it as a guest network instead of a corporate network. This means that there is no access to any on-prem servers/services without authorization.
You could go about granting access a bunch of ways: go high-level and make users connect to VPN to use services while on your network, or you could use a NAC like Cisco ISE to control access to resources based on profiling, etc.
There is no real end goal in claiming your environment zero trust, it's just the idea of not trusting any actions without authorizing. Do what is feasible for your environment and doesn’t kill employee productivity.
It’s not a destination. It’s a method of travel.
Your average American business wants to grow. Steady growth is a sign of maturity. Where do they want to land? That’s not really defined.
Identifying and controlling trust boundaries is something you have to do all the time. You will never be done.
Take Uber this year. They implemented a PAM, controlled all privileged accounts, but also created a new bridge for an attacker to cross via an API account that led to the crown jewels. By implementing a PAM, they reduced a bunch of risk, but added one small but important avenue of attack.