Confusion about the real meaning and purpose of zero trust makes it harder for people to implement the ideas in practice. Proponents are largely in agreement about the overall goals and purpose behind the phrase, but busy executives or IT administrators with other things to worry about can easily be led astray and end up implementing security protections that simply reinforce old approaches rather than ushering in something new.

“What the security industry has been doing for the past 20 years is just adding more bells and whistles—like AI and machine learning—to the same methodology,” says Paul Walsh, founder and CEO of the zero-trust-based anti-phishing firm MetaCert. “If it’s not zero trust, it’s just traditional security, no matter what you add.”

Cloud providers in particular, though, are in a position to bake zero-trust concepts into their platforms, helping customers adopt them in their own organizations. But Phil Venables, chief information security officer of Google Cloud, notes that he and his team spend a lot of their time talking to clients about what zero trust really is and how they can apply the tenets in their own Google Cloud use and beyond.

“There’s quite a lot of confusion out there,” he says. “Customers say, ‘I thought I knew what zero trust was, and now that everyone is describing everything as zero trust, I understand it less.’”

Other than agreeing on what the phrase means, the biggest obstacle to zero trust’s proliferation is that most infrastructure currently in use was designed under the old moat-and-castle networking model. There’s no easy way to retrofit those types of systems for zero trust, since the two approaches are so fundamentally different. As a result, implementing the ideas behind zero trust everywhere in an organization potentially involves significant investment and inconvenience to rearchitect legacy systems. And those are precisely the types of projects that are at risk of never getting done.

That makes implementing zero trust in the federal government—which uses a hodgepodge of vendors and legacy systems that will take massive investments of time and money to overhaul—particularly daunting, despite the Biden administration’s plans. Jeanette Manfra, former assistant director for cybersecurity at CISA who joined Google at the end of 2019, saw the difference firsthand when moving from government IT to the tech giant’s own zero-trust-focused internal infrastructure.

“I was coming from an environment where we were investing just tremendous amounts of taxpayer dollars into securing very sensitive personal data, mission data, and seeing the friction you experienced as a user, especially in the more security-oriented agencies,” she says. “That you could have more security and a better experience as a user was just mind-blowing for me.”

Which is not to say that zero trust is a security panacea. Security professionals who are paid to hack organizations and discover their digital weaknesses—known as red teams—have started studying what it takes to break into zero-trust networks. And for the most part, it’s still easy enough to simply target the portions of a victim’s network that haven’t yet been upgraded with zero-trust concepts in mind.

“A company moving its infrastructure off-premises and putting it in the cloud with a zero-trust vendor would close some traditional attack paths,” says longtime red teamer Cedric Owens. “But in all honesty, I have never worked in or red-teamed a full zero-trust environment.” Owens also emphasizes that while zero-trust concepts can be used to materially strengthen an organization’s defenses, they aren’t bulletproof. He points to cloud misconfigurations as just one example of the weaknesses companies can unintentionally introduce when they transition to a zero-trust approach.

Manfra says that it will take time for many organizations to fully grasp the benefits of the zero-trust approach over what they’ve relied on for decades. She adds, though, that the abstract nature of zero trust has its benefits. Designing from concepts and principles rather than particular products lends a flexibility, and potentially a longevity, that specific software tools don’t.

“Philosophically, it seems durable to me,” she says. “Wanting to know what and who are touching what and whom in your system are always things that will be useful for understanding and defense.”
