Advancing from Zero Trust to Verified Trust
During my time here at Zscaler Public Sector I have been on several panel discussions focused on Zero Trust, and I still feel that many people get hung up on the term Zero Trust and misunderstand its meaning. What I’d like to do in this article is shift the focus a little and examine the end-state goals of Zero Trust. Before I jump straight to those goals, however, I think it is useful to understand how we got here in the first place and then examine where we want to be in the not-too-distant future.
By the time I received my Computer Science degree in the mid-eighties, general-purpose digital computers had been on the scene for nearly forty years. My first programs were stored on punched cards, fed into a mainframe, with the results printed on tractor-fed sheets of paper. Looking back, I refer to this blissful period as the “Blind Trust” era of computing. The ARPANET, the predecessor to the Internet, was being used to tie computers together for the purpose of research, and TCP/IP was a brand-new protocol for facilitating this communication. I refer to it as the Blind Trust era because we just connected computers together without any serious concern paid to security. Computers were locked inside data centers with physical security at the perimeter. The assumption was that if you secured the perimeter, you didn’t have to worry too much about security inside the perimeter.
The "Creeper" program demonstrated that self-replicating malicious programs were possible, and by the mid-80s, computer viruses such as "Brain Boot Sector" and "LoveLetter" were proving that cyber security was a real threat that needed to be taken seriously.
Thus was ushered in the era of Naïve Trust. I say naïve because we continued to build on the false assumption that the Local Area Network could be a safe place if we could secure the perimeter and ensure that devices met our “comply to connect” policies before being connected to our “safe” networks. This network-centric approach to security proliferated for decades and was ingrained into the minds of every up-and-coming network engineer. The idea that we could achieve our security goals if we carved up the network into virtual segments with controlled access to those segments was fundamentally flawed. It was flawed because it overlooked the human element and the dynamic, constantly evolving security state of endpoints on the network itself.
Finally, we reached the era of Zero Trust. Perhaps the Sunk Cost fallacy was finally exposed – that putting band-aid on band-aid would never achieve the desired goal, and that what was needed was an approach that ripped the band-aids off and started with a fresh new ground zero, treating the problem systematically and thoroughly from the ground up. The Zero Trust strategy addresses the problem by eliminating all assumptions of implicit trust out of the gate. The five main areas of trust – the Device, User, Network, Application, and the Data itself – are all called into question. Two supporting areas, Analysis/Logging and Automation/Orchestration, exist to build a continuous cycle of interrogation and validation. Zero Trust, as has often been stated, is a strategy and not a product, and it can’t be achieved overnight. The CISA Zero Trust Maturity Model captures this concept well. Unless you are starting from scratch in a green-field environment, it is going to take work and effort to transform your existing environment incrementally to a point where it eliminates all assumptions of trust, but when you finally get there, guess what? The real journey has only just begun.
This brings me to the focus of this article – which is to say that digital computer communication (or any productive communication, for that matter) cannot occur in a state of zero trust. What we need, to facilitate any level of confidential communication, is the end state of zero trust, which I will refer to as Verified Trust. Please don’t get me wrong – Verified Trust is NOT something new, and I’m not trying to start a new Verified Trust movement. In fact, I believe that verified trust is already the implied goal of the work people are doing in the Zero Trust movement; I’m just trying to call it out specifically and focus on the desired outcome of zero trust. Zero trust is the starting point you must achieve so that you can progress to verified trust. If you try to cheat the process and start with Blind or Naïve Trust, you’ll never get there. Once trust is verified, then and only then can you conduct business with assurance that you’ve taken the proper precautions. One aspect of advancing from zero trust to a state of verified trust is that of continuous assessment. It is not enough to assess any of the key pillars of digital communication a single time and hope that nothing ever changes. That would be like going to the airport and passing through security without any checks simply because you passed those same checks when you took a flight last month. In modern computing, milliseconds are a lifetime in which a multitude of events can occur – dormant malware can wake up and begin its nefarious work, someone can click on a link in a phishing email, or someone can accidentally expose a VPN password. Because the level of risk associated with any digital conversation is dynamic in nature, the assessments across all aspects of that conversation must be dynamically re-assessed as well. Before access is granted, or data is exchanged, we need to be able to answer the question: has the level of trust required for this digital conversation been verified?
But continuous analysis introduces a different problem, as anyone who has been randomly selected for additional screening at an airport knows – security slows everything down. Anyone who has been working in the realm of digital cyber security for any length of time knows the tension that exists between tight security and end-user experience. So, for continuous assessment not to become an impediment to productivity (and therefore bypassed), we must work smarter. I see this as an opportunity for technologies to work together, leveraging projects like the Shared Signals Framework and Machine Learning algorithms to improve the efficiency and thoroughness of the continuous assessment process. It should also be pointed out that the verified level of trust can vary across each of the zero trust pillars, and with that variance, access to more sensitive resources should also be adjusted adaptively. Least-privilege access is the term typically used to describe this principle of access. You should start with no access, and then, based on identity/role combined with your achieved level of trust, you are granted access to those things in your needs-risk matrix. One last thought on the topic of verified trust is that it doesn’t just apply to the usual suspects – people and client devices such as laptops, tablets, or mobile devices; it must apply to all components in a digital conversation. Open RESTful APIs can allow Machine Learning and Artificial Intelligence to assist us with quickly responding and adapting to emerging threats detected within our environments. But just imagine the damage that could be done by a compromised Security Orchestration, Automation and Response (SOAR) system if it were not scrutinized for verified trust at a level at least equivalent to a person.
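To make the per-pillar, adaptive least-privilege decision and the signal-driven re-assessment described above concrete, here is a small policy-evaluation example written for this article (it is not Zscaler's or any product's logic). The trust scale, the analyst role's needs-risk matrix and the event dictionaries are constructed; the event type names mirror OpenID CAEP/Shared Signals event names, but the payloads are simplified stand-ins, not real Security Event Tokens.

```python
from dataclasses import dataclass

# Hypothetical needs-risk matrix: role -> resource -> minimum verified level per pillar.
# Trust scale (constructed): 0 = unverified, 3 = strongly verified.
# Anything not listed for a role is denied: access starts at zero.
NEEDS_RISK_MATRIX = {
    "analyst": {
        "public-dashboard": {"user": 1, "device": 1},
        "case-files": {"user": 2, "device": 2, "network": 1},
        "pii-export": {"user": 3, "device": 3, "network": 2, "application": 2, "data": 2},
    },
}


@dataclass
class Session:
    role: str
    trust: dict          # pillar -> currently verified level (0..3)
    revoked: bool = False


def decide(session, resource):
    """Return ('allow', []) or ('deny', reasons). Deny by default; allow only when the
    role is entitled to the resource and every required pillar meets its threshold."""
    if session.revoked:
        return ("deny", ["session-revoked"])
    entitlements = NEEDS_RISK_MATRIX.get(session.role, {})
    if resource not in entitlements:
        return ("deny", ["not-in-needs-risk-matrix"])
    shortfalls = [pillar for pillar, need in entitlements[resource].items()
                  if session.trust.get(pillar, 0) < need]
    return ("deny", shortfalls) if shortfalls else ("allow", [])


def apply_signal(session, event):
    """Continuous assessment: a received signal lowers the affected pillar's trust
    (it never raises it) or ends the session. Event dicts are constructed and simplified."""
    kind = event["type"]
    if kind == "session-revoked":
        session.revoked = True
    elif kind == "device-compliance-change":
        session.trust["device"] = min(session.trust.get("device", 0), event["level"])
    elif kind == "credential-change":
        session.trust["user"] = 0          # user trust returns only after re-authentication
    return session


if __name__ == "__main__":
    s = Session("analyst", {"device": 2, "user": 2, "network": 1, "application": 1, "data": 1})
    print(decide(s, "case-files"))     # ('allow', [])
    apply_signal(s, {"type": "device-compliance-change", "level": 1})
    print(decide(s, "case-files"))     # ('deny', ['device'])
```

The same session keeps its access to the low-sensitivity dashboard after the device signal while losing the more sensitive resource, which is the adaptive adjustment the paragraph describes.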
In summary, the world of computing has gone through several eras of trust with regard to the assumptions made about users, devices, networks, applications, and data. We have learned the hard way that we need to start with zero assumptions regarding any element of the communication path and then apply firm and continuous validations of each element so that we can verify the level of trust with which we can communicate. Zero Trust across all pillars is the required initial state of any digital computing transaction, but continuously verified trust is the operating state from which useful, productive operations can occur.
Hacker, Discrete Problem-Solver, and Straight-shooter.
No you didn't! 🤦♂️ You really just took this full circle, didn't you?! Let me guess -- verified trust is trust allowed inside safe zones or after authentication? Oh, it is! And you say Verified trust is the GOAL of ZERO trust? So the goal is what we already had for 20 years? The advancement next step of ZT is to realize it doesn't work and go back to the standards set 20 years ago? Hang on, let me grab a bucket of popcorn and watch how this goes down for all the people y'all vended your wares to as the next big leap!
Cofounder and CEO @ Apono - Frictionless Just In Time & Just Enough Access
Thanks for sharing. Continuous verification is critical to ensuring a robust security posture. But as mentioned in your article, security has a reputation for slowing things down - reflected by recent findings that 98% of granted permissions go unused because people are still opting for over-permissions to remove bottlenecks. It's evident that many organizations have a long way to go before fully embracing Zero Trust, but the education we're doing is an important step to get to Zero Trust and Verified Trust.
Federal Cybersecurity Mission Engineer - US Public Sector at Zscaler
Rich Johnson this should be required reading for anyone in the field. The use of everyday examples truly helped me capture your message. Thanks for taking the time and sharing it with us all.
Impressive insights on the evolution of trust paradigms in cybersecurity; it's fascinating to see how the concept of verified trust is shaping the future of digital security protocols.