During the past few years, zero trust has evolved from being little more than a marketing message into a functional framework that can deliver big security benefits, writes Richard Bird, chief customer information officer at Ping Identity.
Organisations of all shapes and sizes are embracing the concept and taking the steps necessary to put a structure in place. They’re motivated by the ongoing need for secure remote working and the ever-increasing digitisation of daily life.
However, there remains some confusion around exactly what zero trust is, and this stems from the fact that there are actually two different versions being discussed.
The first, initially outlined by US-based security expert John Kindervag, is framed around the principle that no network user, data packet, interface, or device should be trusted. Kindervag maintains that ‘trust’ is a human emotion, and that in a digital system it represents a vulnerability and an exploit.
The second, first described as part of Google’s BeyondCorp implementation, is based on the notion that security and usability can be increased through a zero-trust access model that has dynamic tiers of trust for devices.
Zero trust and security
It’s also interesting to consider zero trust in relation to the widely recognised NIST security framework, which comprises five functions: identify, protect, detect, respond and recover. At the moment, zero trust sits within the ‘detect’ and ‘protect’ functions, while the other three still have to be addressed.
For zero trust to work, identification can’t be treated as a secondary or tertiary component of a security framework, yet this is how zero trust currently treats it. That doesn’t mean it can’t work, but the concept needs to evolve.
At its heart, zero trust needs to be identity centric because it has to focus on the interaction between people and the digital assets they are allowed to access. Unfortunately, at the moment, zero trust is instead a data-centric framework with identity relegated to a lower level.
The current situation
This raises interesting questions when it comes to implementing a zero-trust strategy. An identity framework is needed to ensure an organisation can determine that someone is who they say they are before granting them access to digital assets.
It also raises questions around data and personal privacy. Under privacy regulations now in place around the world, personal data remains the property of the individual and can only be used by data ‘holders’ with that individual’s consent.
This poses the question of whether, if data belongs to a person, zero trust should be extended to them as an individual human being. This could be problematic as people’s threshold for dealing with technical complexities tends to be very low. As a result, extending zero trust in its current form to everyone is all but impossible.
Clearly, zero trust as it currently stands is not the end game and, just as other technologies have done, needs to continue to evolve. Just like the concept of cloud has morphed since first appearing on the scene, so too must zero trust.
Part of this evolution will involve the task of digital identity management being pushed out to the edge of networks rather than being handled at the core. Individuals will use the computing power and data held on their personal device, such as a smartphone, to securely identify themselves and confirm that identity to whichever system or service they are trying to use.
In this scenario, zero trust needs to rely on a ‘trust engine’, and that engine needs to have inputs and data feeds from multiple sources in order to be effective. An organisation needs to be able to trust identity, but also other factors such as the device being used, the network it is running on, and the context of the transaction or interaction.
It will also be increasingly important to be able to make risk assessments constantly during a given interaction. This will replace the approach still used in many cases, where a person’s identity is checked once at the start and their access then remains open. Once a session or transaction is complete, that access must be terminated.
This means there will no longer be persistent access to digital resources. Under a policy dubbed ‘adaptive authentication’, people are trusted ‘in the moment’ but no more.
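As an added illustration of the ‘trust engine’ and ‘in the moment’ access described above, the following Python sketch is example code written for this piece, not Ping Identity’s product or any real engine; the four feeds, their weights, the grant threshold and the sample scores are all constructed assumptions.

```python
# Constructed weights for a hypothetical trust engine (not Ping Identity's product):
# each feed scores 0..1 and comes from a different source, as the article describes.
WEIGHTS = {"identity": 0.4, "device": 0.25, "network": 0.15, "context": 0.2}
GRANT_THRESHOLD = 0.7


def trust_score(signals: dict) -> float:
    """Weighted score over all feeds; a feed that is absent contributes zero trust."""
    return sum(WEIGHTS[k] * signals.get(k, 0.0) for k in WEIGHTS)


class TrustEngine:
    """Tracks which sessions are still live; every request is re-scored."""

    def __init__(self) -> None:
        self.active = {}

    def start(self, user: str) -> None:
        self.active[user] = True

    def authorize(self, user: str, signals: dict) -> bool:
        """Decide per request: no earlier decision is cached, so each call re-scores."""
        if not self.active.get(user, False):
            return False
        if trust_score(signals) < GRANT_THRESHOLD:
            self.active[user] = False  # trust is 'in the moment': a drop ends the session
            return False
        return True

    def complete(self, user: str) -> None:
        """Terminate access when the transaction finishes; nothing persists."""
        self.active[user] = False


def run_demo() -> list:
    """Constructed sample feeds for two interactions; returns the sequence of decisions."""
    eng = TrustEngine()
    eng.start("alice")
    good = {"identity": 1.0, "device": 0.9, "network": 0.8, "context": 0.9}
    roaming = dict(good, network=0.1)  # same user on an unknown network: still above threshold
    weak = {"identity": 0.5, "device": 0.3, "network": 0.2, "context": 0.4}
    decisions = [eng.authorize("alice", s) for s in (good, roaming, weak)]
    decisions.append(eng.authorize("alice", good))  # denied: session ended by the drop
    eng.start("bob")
    decisions.append(eng.authorize("bob", good))
    eng.complete("bob")
    decisions.append(eng.authorize("bob", good))  # denied: access terminated on completion
    return decisions
```

Note that a strong identity score alone does not carry a request: with only the identity feed present the score is 0.4, below the threshold, because the other inputs are missing rather than merely weak.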
It’s clear that zero trust is the first legitimate framework that can truly help to achieve the level of security that is needed in today’s increasingly online and digital world. However, it’s also clear that it must continue to adapt to meet the world’s changing digital requirements.
Richard Bird is the chief customer information officer at Ping Identity