Zero Trust is a Misnomer—All Attacks Come from Inside
Last year, the Biden administration issued an executive order, and later additional guidance, aimed at improving the nation’s cybersecurity. Agencies are now required to deploy Zero Trust architectures by 2024. As things go in government, so they tend to go in the private sector. Zero Trust is, therefore, the cybersecurity buzzword of the day.
The truth is, these high-profile federal actions landed with something of a thud among experts in the field. Concerns range from the lack of technical specificity in the recommendations to the likely operational impacts.
Unfortunately, those issues only scratch the surface. Zero Trust itself is a misnomer, and such a fundamental inaccuracy at the root of the model risks exacerbating our current cybersecurity crisis.
The Zero Trust Misunderstanding
Translate Zero Trust into layman’s terms and it simply means “trust no one.” But consider that statement for a moment. The only way to create a truly Zero Trust environment would be complete lockdown; no data or resources could be accessed by any individual, application, or device because none of these entities could be trusted. Technology applications would then serve no purpose.
In reality, organizations cannot operate without trust. Their mission must be to determine whom to trust and how to build an IT ecosystem in which trustworthiness can be reliably established.
Take login credentials as an example. If I have the ID and password for my bank account, it is assumed that I must “be me” and should be permitted to transfer funds. But of course, credentials are sometimes stolen and online identities forged. Multifactor authentication raises the trust bar by relying on more pieces of evidence that I am who I claim to be, but there is still a point at which trust is extended, sometimes mistakenly.
All Attacks Are Internal
Zero Trust is predicated on the idea that we can clearly differentiate between trusted internal users and devices and unknown and thus untrusted external users and devices. In practice, this isn’t so easy and actually misses the point. Cybersecurity breaches can happen when:
- Internal users granted data, application, and network access aren’t as trustworthy as one would hope and abuse their privilege.
- Untrusted, external users (or internal users with limited permissions) “impersonate” trusted users and devices, such as by using compromised or forged credentials, to gain access they should not have.
In both cases, the bad actor finds a way through perimeter and endpoint defenses. Like the call in a horror movie, the breach is always coming from inside the house, at least as far as the IT security infrastructure can tell.
We can certainly demand that federal agencies and other enterprises work harder to verify before extending trust, but to imply that such actions result in a Zero Trust architecture is a drastic overstatement.
The Risk of Compliance Regimes
Why does this matter? Demanding that IT organizations do something that is by definition impossible poses a number of risks.
One likely area of fallout: Zero Trust will further confuse an already confusing cybersecurity landscape. The thousands upon thousands of pages of cybersecurity frameworks and recommendations have left CISOs and other leaders running in too many directions. As true Zero Trust is unachievable, organizations tasked with implementing the model can only redefine Zero Trust architectures as something less than Zero Trust—call it a “trust but verify” program deemed acceptably rigorous. But by whom?
Throughout the history of cybersecurity, the answer to that question has been some sort of certification program or audit regime. Such an organization puts forth a checklist of best practices and IT organizations strive to meet the requirements to obtain a seal of approval to satisfy customers, insurance companies, and the Board of Directors.
We’ve seen how well this works out. Data breaches continue to rise year over year over year. If Zero Trust becomes nothing more than the latest PCI standard or NIST framework, we will have added to our security-related vocabulary but done little to actually protect users’ data.
The Takeaway: Acknowledge the Threat
There is another way. We can take advantage of this opportunity to interrogate “trust” as a cybersecurity concept. A guiding question: how can we better establish and verify the trust extended on our networks and to our applications and data?
Most importantly, we can implement measures that protect data from being used in unintended and unauthorized ways, regardless of who accesses them or how they do so. Whether a rogue health plan employee wants to peek at my medical history (a privacy invasion) or a state-sanctioned hacker compromises credentials in order to steal trade secrets from a defense contractor (a data and IP breach), we can recognize that both threats appear to “come from inside the house” and take steps to minimize the negative impacts. Against this backdrop, application-level data security is the closest approximation of Zero Trust we have available and should be central to the current conversation.
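The two breach cases listed under “All Attacks Are Internal” and the two scenarios in the paragraph above (the employee peeking at a medical record, the stolen-credential export of trade secrets) can be shown side by side in code. The following Python is an added example written for this article, not code from the author or any named product; every user, address and record in it is constructed, and the session, record and policy structure are assumptions for illustration. It evaluates the same requests twice: once with a perimeter-style check that trusts anything on the internal network, and once with an application-level check that authorizes this principal for this record and this action, demands fresh step-up MFA before a sensitive export, and records every decision.

```python
"""
Constructed example: the same requests evaluated by a perimeter-style check
(is the source on the internal network?) and by an application-level
authorization check (per-record relationship, step-up MFA for sensitive
export, audit trail). Every name, address and record here is made up.
"""
from dataclasses import dataclass
import ipaddress

# Assumed corporate address space (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# A sensitive export must be backed by MFA passed within the last 5 minutes.
STEP_UP_MAX_AGE_SECONDS = 300


@dataclass(frozen=True)
class Session:
    user_id: str
    roles: frozenset
    mfa_age_seconds: int  # seconds since this session last passed MFA


@dataclass(frozen=True)
class Request:
    session: Session
    source_ip: str
    action: str  # "read" or "export"
    record_id: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed data store: each record names exactly who may act on it.
RECORDS = {
    "patient-1001": {"type": "phi", "authorized_users": {"dr_lee"}},
    "design-42": {"type": "trade_secret", "authorized_users": {"eng_ravi"}},
}

# Append-only record of every application-level decision, allowed or denied.
AUDIT_LOG = []


def perimeter_check(req: Request) -> Decision:
    """Network-style trust: a source inside the corporate range is 'internal'."""
    addr = ipaddress.ip_address(req.source_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return Decision(True, "source on internal network")
    return Decision(False, "source outside perimeter")


def application_check(req: Request) -> Decision:
    """Authorize this principal for this record and this action, regardless
    of where the request came from."""
    record = RECORDS.get(req.record_id)
    if record is None:
        decision = Decision(False, "unknown record")
    elif req.session.user_id not in record["authorized_users"]:
        # Least privilege: holding a role is not enough; the user must have a
        # documented relationship to this specific record.
        decision = Decision(False, "no authorized relationship to record")
    elif req.action == "export" and req.session.mfa_age_seconds > STEP_UP_MAX_AGE_SECONDS:
        # A stolen credential or replayed session rides on an old MFA event;
        # a fresh challenge at the moment of export is where it fails.
        decision = Decision(False, "export requires recent step-up MFA")
    else:
        decision = Decision(True, "authorized")
    AUDIT_LOG.append((req.session.user_id, req.action, req.record_id,
                      decision.allowed, decision.reason))
    return decision


# Case 1, the rogue employee: a clinician on the LAN reads a record
# belonging to a patient who is not theirs.
insider_peek = Request(
    session=Session("dr_patel", frozenset({"clinician"}), mfa_age_seconds=60),
    source_ip="10.1.2.3", action="read", record_id="patient-1001")

# Case 2, compromised credentials: eng_ravi's hijacked session, replayed
# from an internal address, attempts a bulk export of the design record.
stolen_session_export = Request(
    session=Session("eng_ravi", frozenset({"engineer"}), mfa_age_seconds=6 * 3600),
    source_ip="10.9.9.9", action="export", record_id="design-42")

# Legitimate use for comparison: eng_ravi reading their own record.
legit_read = Request(
    session=Session("eng_ravi", frozenset({"engineer"}), mfa_age_seconds=6 * 3600),
    source_ip="10.9.9.9", action="read", record_id="design-42")

if __name__ == "__main__":
    for name, req in [("insider peek", insider_peek),
                      ("stolen-session export", stolen_session_export),
                      ("legitimate read", legit_read)]:
        print(f"{name:24s} perimeter={perimeter_check(req).allowed!s:5s} "
              f"application={application_check(req).allowed!s:5s} "
              f"({application_check(req).reason})")
```

Run as a script, it shows the perimeter check passing all three requests, because each arrives from an internal address, while the application check denies the first two and allows only the legitimate read. The audit log is the detection side of the same design: a denied export against a trade-secret record from an hours-old session is exactly the event a security operations team would want surfaced.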