Q&A: What Is Zero Trust?
Zero trust is a security philosophy, not a set of specific best practices or a checklist for security teams to follow. As cyberattacks have increased and executive leadership is held responsible for data breaches, zero trust has grown in popularity among executives and other business leaders.
“You don’t need to convince people why zero trust is a good idea,” said Leonid Belkind, chief technology officer and co-founder of Torq, a security automation company.
This doesn’t necessarily mean that every organization is implementing it in practice. Though most business decision-makers agree that zero trust is a good idea, it represents an ideal state that companies keep striving toward rather than one they ever declare “achieved,” and very few companies are even close to reaching it.
We spoke with Belkind about the ideas behind zero trust, why security teams have had to re-imagine cybersecurity for the cloud native world, and how zero trust works when put into practice.
The New Stack: How would you define zero trust?
Leonid Belkind: Zero trust is a theoretical state where any consumer inside a network not only doesn’t have any permissions but is not aware of what else there is in the network around them.
In a zero trust network, there are both human users and service users, that each have an identity that can be cryptographically validated. But in “peacetime,” they don’t have access to anything.
Can you tell me about how security has evolved and what role zero trust plays in the evolution?
In a traditional network security segmentation, which was the predominant way of doing this, you would have secure controls on the network topology level. For example, everything coming from this network can go to that network, everything coming from this particular device in this network could go to this network, that sort of thing. That would be the basis for a corporate access-control policy.
Even before the cloud, though, this emphasis on devices and networks became meaningless if we’re talking about users. Now it’s the user that matters, and the user could connect from home, from an internet café, from a shared office location. At that point, we need a user-aware policy, which is not zero trust yet. But the idea there is that, if I can verify that it’s a particular user, I’ll give them all these network privileges.
So these matters, beginning with introducing user identity, then thinking about restricting your permissions and general least-privileged access or just-in-time access, are all kind of brewing up towards zero trust.
How does zero trust work exactly?
A zero trust network assumes an entity called the network controller, that can be accessed by all the participants in the network. The network controller can identify the accessing party, either a human or service user, in a very strong way, assess their security posture and so on.
The network controller can be asked to provide very, very limited — not only time-restricted but actually operation-restricted — permissions to do a very specific job.
So instead of, “I have network access to the data center, where I could look up customer records, where I could update the employee data,” for every operation, I would go to the controller and I would say, “Hello, this is who I am. This is my job. This is my identity. This is my device. Here’s the security posture of my device. What would I like to do? Update employee data for Jane Doe as an employee.”
And I would be given permissions to do just that, and not an iota more. I can update Jane Doe’s records — and just right now. It’s a network that bears zero implicit permissions, only what you asked for, with a very granular and strict policy. That’s the notion of zero trust as a theory.
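The controller flow Belkind describes, reduced to runnable form. This is an added example, not code from Torq or from the interview: a toy “network controller” that authenticates the requester, checks the device posture it reports, consults a policy table in which nobody holds anything implicitly, and issues a grant scoped to one operation on one resource for sixty seconds. A resource service then accepts nothing but such a grant. The principals, keys, policy entries and posture checks are assumed for illustration, and HMAC stands in for the asymmetric signatures a real deployment would use so the block needs only the standard library.

```python
"""Added example of a zero-trust controller issuing operation-scoped,
time-limited grants. Constructed for illustration; principals, keys,
policy and posture requirements are assumed, not taken from any product."""
import hashlib
import hmac
import json
import secrets
import time

# Key shared by the controller and the resource services. A real deployment
# would sign grants with a private key and distribute verification keys;
# HMAC keeps this stdlib-only.
CONTROLLER_KEY = b"controller-signing-key-demo"

# Assumed principals: one human user and one service user, each with a
# credential used to prove identity to the controller.
PRINCIPAL_KEYS = {
    "alice@example.com": b"alice-device-bound-secret",
    "payroll-batch": b"payroll-service-secret",
}

# Assumed policy: (resource type, operation) pairs a principal may request.
# Absence from this table means deny; there are no implicit permissions.
POLICY = {
    "alice@example.com": {("employee", "update")},
    "payroll-batch": {("employee", "read")},
}

REQUIRED_POSTURE = {"disk_encrypted": True, "os_patched": True}
GRANT_TTL = 60          # seconds: the grant is for "just right now"
REQUEST_SKEW = 30       # seconds a signed request stays acceptable


def _sign(key: bytes, payload: dict) -> str:
    """Deterministic JSON serialisation (nested keys sorted) then HMAC-SHA256."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_request(principal, op, resource_type, resource_id, posture):
    """Client side: 'this is who I am, this is my device, this is the one
    thing I want to do', signed with the principal's credential."""
    body = {"sub": principal, "op": op, "rtype": resource_type,
            "rid": resource_id, "posture": posture, "ts": int(time.time())}
    return {"body": body, "proof": _sign(PRINCIPAL_KEYS[principal], body)}


def issue_grant(request, now=None):
    """Controller: authenticate, check posture and policy, then issue a grant
    for exactly the requested operation on exactly the requested resource."""
    now = now or int(time.time())
    body = request["body"]
    key = PRINCIPAL_KEYS.get(body["sub"])
    if key is None or not hmac.compare_digest(_sign(key, body), request["proof"]):
        return None                                  # unknown principal or bad proof
    if abs(now - body["ts"]) > REQUEST_SKEW:
        return None                                  # stale request
    posture = body["posture"]
    if any(posture.get(k) != v for k, v in REQUIRED_POSTURE.items()):
        return None                                  # device posture not acceptable
    if (body["rtype"], body["op"]) not in POLICY.get(body["sub"], set()):
        return None                                  # not permitted by policy
    grant = {"sub": body["sub"], "op": body["op"], "rtype": body["rtype"],
             "rid": body["rid"], "exp": now + GRANT_TTL,
             "jti": secrets.token_hex(8)}            # identifier for audit logs
    return {"grant": grant, "sig": _sign(CONTROLLER_KEY, grant)}


def authorize(grant_token, op, resource_type, resource_id, now=None):
    """Resource service: no grant, no access. A valid grant authorises only
    the operation and resource it names, and only until it expires."""
    if grant_token is None:
        return False
    now = now or int(time.time())
    g = grant_token["grant"]
    if not hmac.compare_digest(_sign(CONTROLLER_KEY, g), grant_token["sig"]):
        return False                                 # forged or altered grant
    if now >= g["exp"]:
        return False                                 # expired
    return (g["op"], g["rtype"], g["rid"]) == (op, resource_type, resource_id)


if __name__ == "__main__":
    good = {"disk_encrypted": True, "os_patched": True}
    req = make_request("alice@example.com", "update", "employee", "jane.doe", good)
    tok = issue_grant(req)
    print(authorize(tok, "update", "employee", "jane.doe"))    # True
    print(authorize(tok, "update", "employee", "john.doe"))    # False: other record
    print(authorize(tok, "delete", "employee", "jane.doe"))    # False: other operation
    print(authorize(tok, "update", "employee", "jane.doe",
                    now=tok["grant"]["exp"] + 1))              # False: expired
```

The point to notice is where the decisions sit. The resource service never consults the policy table or the device posture; it only verifies that the controller vouched for this operation on this record within the last minute. Everything else (who the principal is, whether the device is healthy, what the policy allows) is decided once, at grant time, per operation, which is what makes the permissions both time-restricted and operation-restricted rather than a standing network-level entitlement.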
What do things look like in the real world? Are there trade-offs? How do people put zero trust into practice?
An enterprise first and foremost needs to be pragmatic. There is no such thing as “Oh, I’m turning all of our communications off.”
First, you have to understand that there is no lever that you could pull and say, “OK, bam, zero trust enabled.” It’s re-architecting your network.
In many cases, after you handle the actual critical things, you will get at a certain point to a state where you will say, you know what, the cost of re-architecting this particular access is higher than the benefits I will get from tightening the security. You’re not running with a banner that says “Zero Trust at Any Cost,” and throwing away the business demands.