
By now we have all seen all the marketing behind Zero Trust this and Zero Trust that. To really understand the fundamentals I want to take some time to talk about what led us to this Zero Trust reality and explore as an educated guess what will come next.
Let’s take a brief trip down memory lane to when cybersecurity was not even called cybersecurity. In the early days it was just computer security, and if you were a practitioner on the right side of the law, you attended USENIX Security (the first of which I was at in 1988) and you attended NANOG. Even computer crime had not fully developed, because the people with enough skills to pull it off were not criminals – they were interested in exploration and experimentation – I miss those days. In this pre-Zero Trust era, trust and security properties were largely seen as transitive and inherited from a base. If your goal was to have an application on a server secured, you started with a secure server; if you needed a secure server, it needed to operate in a secure data center, and so on. In this mindset, you operated within domains that, once trusted, let you ‘put your guard down’: “Oh, you don’t need to authenticate that client to the server because you are on the internal network and it is secure.” For those of you who did not experience this pre-Zero Trust era, all this must sound like crazy talk, but trust me, some of this unfortunately still exists.
So what happened? Why the shift to Zero Trust and, more importantly, why now? Economically, we saw a shift to being able to run your business on public networks and public compute, but the real accelerator was the COVID-19 global pandemic. Like a lot of norms, the pandemic in 2021 forced many of us to rethink our defensive strategy in the context of remote work and public SaaS services: everything that was ‘internal’ to the core business was being externalized, and there was no longer a way to trust the runtime environment.
The term itself – Zero Trust – is semantically awkward because it does not make explicit the subject being trusted or not trusted, so let’s think this through together. The Zero Trust mindset simply means that ‘trust’ is no longer implicit; it is always explicit and intentional. You assume that the most well-funded and talented hacker already has access to your environment, and you have done all the threat modeling in your design to reduce their opportunity. Keep that term in mind – opportunity – because we will return to it at the end.
Now is the time for security architects to use this explicit trust in their designs. When you don’t have trust, increase the friction on that session; when you do have a high degree of trust in a very ‘least privileged’ session, remove the friction. Historically, security folks earned the reputation of being the bouncer at the nightclub, tossing you out if you did anything wrong; in a Zero Trust design that same bouncer can also be the valet and maître d’, contributing to a frictionless experience.
In my experience, the Zero Trust mindset in its fullest sense creates a security defense strategy where trust is explicit, all authentication and authorization is intentional, and sessions are managed on a least-privileged basis in both space and time (authorized to access only what you need, for the shortest period of time). This has me thinking more and more about how we go about measuring opportunity, and explicitly for whom. It should be possible to measure the opportunity of any session or any Zero Trust environment. The ideal here is to grant the subject (the intended user or service) just enough opportunity to get their task done and near-zero opportunity to anything that is NOT that subject. Given the scope of a session or a service, what are the opportunities for threat actors, and what are the opportunities for mistakes? The goal is to make it more affordable for things to go right than for things to go wrong.
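To make the bouncer/valet idea and the space-and-time least privilege concrete, here is a small policy evaluator I have added as an example (it is not code from the post or from any product). The role table, the trust signals and the crude `opportunity` measure (scopes granted multiplied by minutes they stay valid) are all constructed assumptions; note that network location is deliberately given no weight.

```python
from dataclasses import dataclass, field
from datetime import timedelta

# Constructed policy table (an assumption for this example): the most any role may
# ever be granted, and the longest any single grant may live.
ROLE_SCOPES = {
    "analyst": {"tickets:read", "logs:read"},
    "oncall": {"tickets:read", "tickets:write", "logs:read", "prod:restart"},
}
MAX_TTL = timedelta(minutes=30)

@dataclass
class SessionContext:
    user: str
    role: str
    mfa_verified: bool
    device_managed: bool
    on_corporate_network: bool   # carried for realism; deliberately ignored below
    requested_scopes: set = field(default_factory=set)

@dataclass
class Decision:
    action: str          # "allow", "step_up" or "deny"
    granted_scopes: set
    ttl: timedelta

def explicit_trust(ctx: SessionContext) -> int:
    """Count only signals the session itself proves. Being 'on the internal
    network' adds nothing: that is exactly the implicit trust Zero Trust removes."""
    return int(ctx.mfa_verified) + int(ctx.device_managed)

def decide(ctx: SessionContext) -> Decision:
    allowed = ROLE_SCOPES.get(ctx.role, set())
    # Least privilege in space: never more than requested, never more than the role permits.
    scopes = ctx.requested_scopes & allowed
    trust = explicit_trust(ctx)
    if trust == 0 or not scopes:
        return Decision("deny", set(), timedelta(0))
    if trust == 1:
        # Bouncer: not enough proof yet, so add friction (step-up) rather than refuse outright.
        return Decision("step_up", set(), timedelta(0))
    # Valet: a fully proven session gets a frictionless grant, but least privilege in
    # time still applies, and the sensitive scope gets a shorter lifetime.
    ttl = timedelta(minutes=5) if "prod:restart" in scopes else MAX_TTL
    return Decision("allow", scopes, ttl)

def opportunity(d: Decision) -> float:
    """Constructed stand-in for the 'opportunity' measure the post asks for:
    scopes granted multiplied by minutes they remain valid (zero for deny/step_up)."""
    return len(d.granted_scopes) * d.ttl.total_seconds() / 60
```

Running `decide` over a few sessions shows that a session on the corporate network with no MFA and an unmanaged device is denied, while a proven session is granted only the intersection of what it asked for and what its role allows.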
My main point in this blog is that we should be able to measure how well a Zero Trust environment is performing at any given point in time. Absent this, we cannot stand on the shoulders of science. In the coming months, I will be blogging more on the measurement of Zero Trust and how we may formally represent opportunity, and for whom.
