Demystifying Zero Trust
(originally written by Daniel Ficca)
Update: We have written a follow-up post to this one — Demystifying Zero Trust With the U.S. Government.
Pomerium aims to deliver zero trust technology that lives up to the hype. But where did the excitement around this emerging technology come from? And what actually is zero trust anyways? In this article I hope to lift the veil off zero trust and its many promises by exploring what it really is, where it came from, where it is going, and what it can do for you…
How we got here
A quick Google search reveals there are a host of companies competing for attention in the zero trust arena. Whether traditional hardware security companies, CDN providers, new startups, or even VPN businesses, everyone is trying to sell a “zero trust solution.” Many of these companies, however, have missed the mark on what zero trust actually means. For starters, zero trust is not a single product and it cannot be bought off-the-shelf (even though some companies may try to convince you otherwise).
Rather, zero trust is an architectural philosophy enabled by a variety of tools. Paul Simmonds, co-founder of the Jericho Forum and advocate of zero trust architecture, gives a remarkably clear outline of what zero trust is and is not in his presentation “The Fallacy of the ‘Zero-Trust Network,’” which is worth watching in its own right. Here are the key points:
Zero trust is NOT…
1. About refusing to assert any trust at all
Once a user or device is authenticated (i.e. confirming who they are) and authorized (i.e. making sure that person has the right permissions), trust can be established between the user and the thing they are trying to gain access to. The term “zero trust,” then, comes from the core principle that no user or device should be trusted simply because they previously gained access to a system, got past a firewall, or entered a network via a VPN.
2. A one-off project
Zero trust implementation must be anchored to real business objectives and will look different for every company based on their unique market requirements and current IT infrastructure.
3. About getting rid of the intranet
Although the end result of adopting zero trust could be ditching your corporate intranet entirely, it may be kept around to support legacy apps.
Zero trust IS…
1. A business enabler
Whether it is contractors being able to securely access internal apps from their personal laptops or employees working from their smartphones, zero trust enables businesses to be more effective and efficient.
2. An architectural state of mind
Zero trust will not look the same for a startup running their entire business on AWS versus a large enterprise running legacy applications on a heterogeneous mix of infrastructure environments (such as bare-metal, hybrid, private, and public clouds).
3. Application and user-centric
Zero trust focuses on the user by providing a unified experience whether in the office or in a coffee shop halfway around the world. It also moves the front-line of security to the application, enabling granular policy control over every app in your company’s ecosystem.
Where zero trust came from
Before attempting to further distill zero trust down into three fundamental truths, let’s take a step back and look at where the idea of de-perimeterization came from, and where it is going. We’ll begin in 750 BC. According to legend, when the city of Rome was founded Romulus dug a trench around its foundations to establish the city limits. This trench was called a pomerium, and served to differentiate between “dangerous” outsiders and “safe” insiders. As Rome expanded, it became increasingly difficult to maintain a clear-cut pomerium, so the Romans eventually chose an arbitrary location for it and behaved as if an invisible wall stood there. In many ways, this story reflects what has taken place in network security over the last few decades. It used to be that companies could dig a clean trench around their office and say that everyone accessing the network from the inside was safe, and everyone on the outside was not. However, as countless security catastrophes have proven, such as the Target HVAC hack and Operation Aurora, relying solely on a perimeter security model can be a costly mistake. No longer can companies’ security walls be trusted to differentiate between good and bad actors.
The concept of zero trust is often traced back to Google’s BeyondCorp research papers, which record Google’s journey of transitioning to a perimeter-less security model. However, the call for de-perimeterization was sounded a decade before the first BeyondCorp paper was published. Initiated by the British Royal Mail in 2004, the Jericho Forum was formed by CISOs (Chief Information Security Officers) from a group of large enterprises in order to accomplish two objectives: 1) articulate the problem with traditional network security solutions and 2) provide a framework for discussing the impending perimeter-less world. The Jericho Forum’s efforts resulted in 11 commandments that “serve as a benchmark by which [de-perimeterization] concepts, solutions, standards, and systems can be assessed and measured.” The most critical of these commandments are six and seven because they outline the need for trust. In traditional networks, trust was determined by location: a user was either outside the network and thus untrusted, or inside the network and trusted. This model started to break down in the modern business ecosystem for three major reasons:
- The frequency of insider threats is increasing (34% of all attacks in 2019 were a result of insider threat actors) (source).
- Employees are no longer the only ones who need access to corporate networks — now contractors, suppliers, vendors, and eventually IoT devices need access.
- Flexible work from home policies are both favored by employees, as well as cost-saving and potentially productivity-boosting for businesses (source).
Where zero trust is going
Several techniques have been developed to address the evolving security needs of companies with insider threats, extensive contractor networks, and mobile workforces. Let’s unpack three of them to see why zero trust stands out for its ability to increase security, improve user experience, and reduce costs (an almost unheard-of combination for security products).
Network segmentation
Network segmentation is used for limiting attack surfaces and preventing lateral movement of infiltrators. Micro-segmentation in particular has garnered a lot of attention in recent years, yet it has proven to be mostly impractical in today’s environment. Servers, databases, and apps typically don’t talk with only one other entity, which makes splitting the network into tiny logical chunks a headache for security operators. That being said, network segmentation is still a viable option for legacy applications that may require significant custom work to integrate into a zero trust model.
Software-defined perimeters (SDPs)
SDPs (sometimes called “Black Clouds”) also, theoretically, have the potential to create secure connections between specific sets of applications. However, trusted virtual networks have proven to be very difficult to deploy, operate, and debug. While this technology may play a minor role in the next few years, we see it as only a stepping stone to the next technique.
Context-aware proxies (CAPs)
Finally, there are CAPs – the category Pomerium falls under. CAPs are an evolution of the Identity-Aware Proxy (IAP), an identity-based access proxy deployed at the edge of a network. Pomerium, however, does not stop at identity. As the product develops it will take into account not only identity information and authorization policy, but also the context of the request, such as device health. The use of CAPs is expected to increase rapidly in the near future, as companies realize the shortcomings of their existing perimeter security models.
Zero Trust at its core
Now that we have looked at where zero trust came from and what lies ahead, it’s time to outline three fundamental truths that define zero trust. In future articles, I will unpack more in-depth how Pomerium fulfills each of these three pillars. In a true zero trust architecture:
1. Nothing should be implicitly trusted
Not users, devices, applications, servers, or networks. With security threats increasingly coming from the inside, companies must always evaluate the authenticity of a request before granting access.
2. Access should be continuously authorized
Trust must be continuously re-evaluated because device posture and context can change rapidly.
3. Least-privileged access should always be enforced
Only allowing users to access the applications they need for their specific role greatly reduces the blast radius of attacks.
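The three pillars above, and the context-aware proxy described earlier, can be seen in a single access decision. This is an added example, not Pomerium’s code or policy format: the request fields, the group-per-app policy and the five-minute posture window are assumptions chosen to make the decision concrete. Note that network location appears nowhere in the input.

```go
package main

import "time"

// Request is what the proxy observes per request: who is asking, from which
// device, for which app. Network location is deliberately absent.
type Request struct {
	User            string    // authenticated identity (empty = anonymous)
	Groups          []string  // groups asserted by the identity provider
	App             string    // internal application being requested
	DeviceHealthy   bool      // latest posture report from the device agent
	DeviceCheckedAt time.Time // when that posture report was taken
}

// Policy maps each app to the groups allowed to reach it; an app with no entry
// is unreachable (default deny), which is what makes this least-privilege.
type Policy map[string][]string

// MaxPostureAge (assumed value) bounds how long a device health report stays usable.
const MaxPostureAge = 5 * time.Minute

// Authorize runs on every request, not once at login, so a change in device
// posture or group membership takes effect on the very next request.
func Authorize(p Policy, r Request) (bool, string) {
	if r.User == "" {
		return false, "unauthenticated"
	}
	allowed, ok := p[r.App]
	if !ok {
		return false, "no policy for app: default deny"
	}
	if !r.DeviceHealthy {
		return false, "device unhealthy"
	}
	if time.Since(r.DeviceCheckedAt) > MaxPostureAge {
		return false, "device posture stale"
	}
	for _, g := range r.Groups {
		for _, a := range allowed {
			if g == a {
				return true, "allowed: group " + g + " may access " + r.App
			}
		}
	}
	return false, "user not in an allowed group"
}
```

A request that was allowed a moment ago is denied as soon as its posture report ages out or the user leaves the group, which is the practical meaning of continuous authorization.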
Benefits of zero trust
While it is critical to have an understanding of what zero trust is, what matters most is what it can do for your business, so here are three of the biggest benefits of adopting a zero trust framework:
Reduce average cost of cybersecurity breaches
According to IBM Security and the Ponemon Institute, in 2019 security breaches cost an average of $8.19 million per cyberattack, and $388 million per attack where over 50 million records were compromised (source). If even a fraction of the current costs were reduced, that would mean millions of dollars of savings every year.
Keep up with tightening data compliance mandates
The EU’s GDPR (General Data Protection Regulation) has forced both European businesses and any company that does business there to take a close look at their security practices and likely invest in expensive audits and security products. California’s Consumer Privacy Act (CCPA), which went into effect January 1st, 2020, follows suit from the EU’s GDPR and serves as an example of what many US states are expected to pass in the future. Zero trust tools like Pomerium can help your organization meet data security requirements and compliance laws by storing audit logs and enforcing least privilege.
Reduce infrastructure complexity
Implementing zero trust will make managing your network simpler and free up time for your security team. No longer do you have to worry about complicated public key infrastructure or continually adjusting your internal firewall rules to perfectly segment your network. Finally, you can sleep soundly at night knowing every request on your network is being properly authenticated and authorized.
As with most promising technology and “next-gen” security solutions, there is a lot of buzz around zero trust. To an extent, the hype is warranted. Zero trust has the potential to not only displace traditional VPNs, but also initiate a new era of device connectivity, employee flexibility, and adaptive security. Yet, there is a reason why Gartner, in their 2019 Hype Cycle for Cloud Security report, chose to place Zero Trust Network Access (ZTNA) in the “Trough of Disillusionment.” Unfortunately, zero trust has been misunderstood by many and is often used as a marketing buzzword. But the trough is followed by the “Slope of Enlightenment,” and that is where I think we’re heading now. As we start to recapture the original meaning of zero trust, its potential to be a catalyst for security transformation and a true source of business value will start to be realized. While this roadmap will look different for everyone, we hope Pomerium can be a valuable resource and partner for you along the way.