The world is a beautiful and inspiring place. There are cultures and cuisines, languages and laughter, music and merrymaking. And yet we tell our children not to talk to strangers because the world is also a place full of people who may not have the best of intentions. Trust has to be earned and maintained by how we interact with others.
Imagine, if you will, a utopian scenario where identity is always affirmed, and no one ever accesses data for which they don’t have permission. There are no reasons to impersonate another user or to profit from someone else’s work or intellectual property. Phishing would only be a terrible misspelling of a pastoral pastime. Everyone could speak with one another without the concept of mistrust. I’m sure there is a brane in the multiverse where this is happening right now! However, that’s not our reality here in this particular universe.
But, seriously, do take a moment to think about what that utopian scenario means to you and your environment. Are you confident that you can trust your infrastructure? Can you trust that the data going over that infrastructure is secure? Are you sure that the users traversing your infrastructure are who they say they are? Are you confident that you have all the necessary visibility within your network to know where those users are going and what data they’re accessing?
It’s a bit of a terrifying thought. It makes that utopian view seem rather naïve. Enter Zero Trust.
I’m sure you’ve heard the term Zero Trust, or Zero Trust Network Architecture, as it’s become quite a buzz phrase in the industry. Some claim to have a utopian piece of software to achieve it, and you can ignore your existing infrastructure. Some claim that if you throw out your entire network stack and buy theirs, you’ll be allowed to enter the hallowed halls of Zero Trust networking. Some even believe that as long as you name the bundle “Zero Trust”, it will be so! A vendor could splash Zero Trust across any product, but without understanding what it means and why it’s important to you, it will just be another way to redirect your spending.
My goal here is to provide you with some initial guidance so you can start to think about how Zero Trust impacts you.
Demystifying Zero Trust – What It Is and What It Isn’t
Let’s start by demystifying what Zero Trust is – and isn’t.
What It Isn’t!
I’m going to start with potentially a controversial statement:
Absolute Zero Trust doesn’t exist!
“But Tim,” I hear you cry, “isn’t that contrary to your very premise?” In fact, no, it isn’t. Absolute Zero Trust would mean that everyone and everything is untrusted: no one could pass traffic on the network to resources, which in turn wouldn’t be permitted to receive traffic from anyone! But that’s not reasonable or logical, nor does it enable you to get your email!
Practically, there must be a fundamental trust relationship formed at some point to allow a user or device to communicate with resources. We can only *approach* Zero Trust because of the need to create an initial trust relationship between a user and a resource and to continually assess that trust. The negotiation and maintenance of identity are at the crux of Zero Trust.
Now, most notably for the buyer, Zero Trust is NOT a single product that a vendor can sell you that suddenly transforms your environment into a Zero Trust network architecture.
What It Is!
Zero Trust is a concept; a set of guiding principles – as NIST defines it – for workflows, system design, and operations that can improve the security posture of your environment. More specifically, Zero Trust Network Architectures are designed to explicitly validate a user’s identity, enable that user to access specific resources securely, continually validate that identity, and to assume that anyone or anything else is untrusted.
Sounds fancy, right? In plain language, it means that once the network knows who you are, you can see and access the resources to which you have been granted permissions. Everything else is off-limits. If you break that trust in some way, you will be required to re-verify your identity (perhaps with multi-factor authentication or even biometrics), or you may have your access blocked or disabled. This is why we say don’t talk to strangers. Once your identity has been established, you are no longer a stranger to those resources, and they’re willing to talk to you quite merrily. But suppose you behave in a way that invalidates your identity, such as sending nefarious traffic or attempting to access resources for which you don’t have permissions: those resources are going to stop talking with you.
Additionally, resources should be dark (meaning you can’t see them, even though they are there) to anyone who hasn’t been identified, and even then accessible only to those for whom an applied policy permits access. A great example of this is your wired and wireless network infrastructure: if you’re not including it in your Zero Trust assessment, you’re not addressing a vital element of the concept. No one needs to know about your infrastructure or the means by which you access it for management. Your wired and wireless infrastructure can also help deliver elements of Zero Trust, from access control to secure hyper segmentation to in-flight traffic analysis. It can help you assess the validity of identities, isolate and secure user traffic, and give you a more in-depth view of what’s passing through the network, all while remaining hidden from potential attackers.
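To make the access flow described in the two paragraphs above concrete, here is an added example (my own illustration, not code from this post or from Extreme Networks) of a toy policy engine: identity is affirmed first, an identified user gets the same answer for an out-of-policy resource as for one that doesn’t exist (so unpermitted resources stay dark), and repeated out-of-policy attempts first force re-verification and then disable access. The policy table, the resource names and the violation threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy table (not from the post): which affirmed identity may
# reach which resource. Anything not listed here is denied by default, so a
# management interface such as "switch-mgmt" stays dark to everyone.
POLICY = {
    "alice": {"mail", "wiki"},
    "bob": {"mail"},
}
MAX_VIOLATIONS = 3  # hypothetical threshold before access is disabled


@dataclass
class Session:
    user: Optional[str] = None   # None until identity has been affirmed
    needs_step_up: bool = False  # trust questioned; re-verification required
    violations: int = 0          # out-of-policy attempts seen on this session
    blocked: bool = False


def authenticate(session: Session, user: str, credentials_ok: bool) -> bool:
    """Establish the initial trust relationship for this session."""
    if not credentials_ok or user not in POLICY:
        return False
    session.user = user
    return True


def step_up(session: Session, mfa_ok: bool) -> bool:
    """Re-verify identity (e.g. MFA) after trust has been called into question."""
    if mfa_ok:
        session.needs_step_up = False
    return mfa_ok


def request(session: Session, resource: str) -> str:
    """Policy decision for one access attempt: allow, step-up, not-found or deny."""
    if session.blocked:
        return "deny"
    # A stranger gets the same answer whether or not the resource exists.
    if session.user is None:
        return "not-found"
    if resource not in POLICY[session.user]:
        # Out-of-policy attempts erode trust; enough of them disable access.
        session.violations += 1
        if session.violations >= MAX_VIOLATIONS:
            session.blocked = True
            return "deny"
        session.needs_step_up = True
        return "not-found"  # whether the resource exists is never disclosed
    if session.needs_step_up:
        return "step-up"    # identity must be re-verified before continuing
    return "allow"
```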
In the next post, we’ll look at the business value of Zero Trust and how you can start taking the first steps on the journey toward adopting Zero Trust with Extreme Networks as your partner.