For years a concept known as “zero trust” has been a go-to cybersecurity catchphrase, so much so that even the notoriously dilatory federal IT apparatus is going all in. But a crucial barrier to widespread adoption of this next-generation security model is mass confusion over what the term actually means. With cyberattacks like phishing, ransomware, and business email compromise at all time highs, though, something’s gotta change, and soon.
At its core, zero trust relates to a shift in how organizations conceive of their networks and IT infrastructure. Under the old model, all the computers, servers, and other devices physically in an office building were on the same network and trusted each other. Your work computer could connect to the printer on your floor, or find team documents on a shared server. Tools like firewalls and antivirus were set up to view anything outside the organization as bad; everything inside the network didn’t merit much scrutiny.
You can see, though, how the explosion of mobile devices, cloud services, and remote work have radically challenged those assumptions. Organizations can’t physically control every device its employees use anymore. And even if they could, the old model was never that great to begin with. Once an attacker slipped by those perimeter defenses, remotely or by physically infiltrating an organization, the network would instantly grant them a lot of trust and freedom. Security has never been as simple as “outside bad, inside good.”
“About 11 years ago at Google we did have a significant, sophisticated attack against us and our corporate network,” says Heather Adkins, Google’s senior director of information security. Hackers backed by the Chinese government rampaged through Google’s networks, exfiltrating data and code while trying to establish backdoors so they could get back in if Google tried to kick them out. “We realized that the way we were all taught to build networks just didn’t make any sense. So we went back to the drawing board. Now if you walk into a Google building it’s like walking into a Starbucks. Even if someone had access to a Google machine, nothing trusts it. It’s much more difficult for an attacker because we’ve changed the battlefield.”
Instead of trusting particular devices or connections from certain places, zero trust demands that people prove they should be granted that access. Typically that means logging into a corporate account with biometrics or a hardware security key in addition to usernames and passwords to make it harder for attackers to impersonate users. And even once someone gets through, it’s on a need-to-know or need-to-access basis. If you don’t invoice contractors as part of your job, your corporate account shouldn’t tie into the billing platform.
If you talk to enough zero-trust advocates, the whole thing starts to sound a bit like a religious experience. They consistently emphasize that zero trust isn’t a single piece of software you can install or a box you can check, but a philosophy, a set of concepts, a mantra, a mindset. They describe zero trust this way partly in an attempt to reclaim it from all the marketing doublespeak and promotional T-shirts that have attempted to paint zero trust as a magic bullet.
“Vendors hear new buzzwords, and then they try to package a product they already have into that: ‘Now with 10 percent more zero trust!’” says Ken Westin, an independent security researcher who has worked with security sales and marketing teams throughout his career. “It’s problematic, because zero trust is a concept, not an action. You still have to implement things like device and software inventory, network segmentation, access controls. As an industry we need to have more integrity with how we’re communicating, especially with all the attacks and real threats that organizations are facing—they just don’t have time for the BS.”