What Is Zero Trust? It Depends On What You Want To Hear
Confusion about the true meaning and purpose of zero trust makes it even more difficult for people to put the ideas into practice. Proponents mostly agree on the overall purpose and intent behind the phrase, but busy executives or IT managers with other concerns can easily get lost and end up implementing security protections that reinforce old methods rather than bringing in something new.
“What the security industry has done over the past 20 years is just add a lot of bells and whistles, like AI and machine learning, in the same way,” said Paul Walsh, founder and CEO of zero trust-based anti-phishing firm MetaCert. “If it’s not trust, it’s traditional security no matter what you add.”
Cloud providers in particular are in a position to build zero trust concepts into their platforms, helping customers use them in their own organizations. But Phil Venables, chief information security officer at Google Cloud, notes that he and his team often spend their hours talking to clients about what zero trust really is and how they can use those principles in their own use of Google Cloud and elsewhere.
“There’s a lot of confusion there,” he said. “Customers say, ‘I think I know what zero trust is, and now that everyone designs everything as zero trust I don’t understand it.’”
Aside from agreeing on what the phrase means, the most common obstacle to the spread of zero trust is that most of the infrastructure in use today was designed under the old moat-and-castle networking model. There is no easy way to go back and retrofit those classes of systems for zero trust, because the two approaches are fundamentally different. As a result, implementing the ideas behind zero trust anywhere in an organization potentially means costly investment and the hassle of changing legacy systems. And that’s exactly the kind of project that risks never being completed.
That makes zero trust in the federal government, which uses a hodgepodge of vendors and legacy systems that demand large investments of time and money, even more daunting, even with the Biden administration’s plans. Jeanette Manfra, former assistant director for cybersecurity at CISA who joined Google at the end of 2019, saw the difference in moving from government IT to the tech giant’s self-reliant internal infrastructure.
“I come from an environment where we invest large sums of taxpayer dollars to secure highly sensitive personal data, mission data, and see the difficulty you experience as a user, especially in highly specialized agencies. There is security,” she said. “That you have more certainty and a much better experience as a user is the only one that bothers me.”
That is not to say that zero trust is a security cure-all. Security professionals who are paid to hack organizations and discover their digital vulnerabilities, known as “red teams,” have begun to study what it takes to break zero trust networks. And for the most part, it’s still easy enough to just target the parts of a victim’s network that haven’t been upgraded with zero trust concepts in mind.
“A company that operates infrastructure that is out of place and puts it in the cloud with a zero trust vendor will shut down some of the usual channels of attack,” said long-time red teamer Cedric Owens. “But in all honesty I have never worked or red teamed in a completely zero trust environment.” Owens also emphasizes that although zero trust concepts can be used to materially strengthen an organization’s defenses, they are not silver bullets. He pointed to cloud configuration errors as just one example of vulnerabilities that companies may not be able to identify if they move to a zero trust approach.
Manfra said it will take time for many organizations to fully realize the benefits of the zero trust approach over the one they have relied on for decades. She added, however, that the abstract nature of zero trust has advantages. Thinking in concepts rather than specific products lends it a speed, and possibly a longevity, that specific software and tools do not have.
“Philosophically it seems like it is for me,” she said. “Wanting to know what and who touched what and who’s in your system are always things that are available for understanding and defense.”