For years a concept known as “zero trust” has been a go-to cybersecurity catchphrase, so much so that even the notoriously dilatory federal IT apparatus is going all in. But a crucial barrier to widespread adoption of this next-generation security model is mass confusion over what the term actually means. With cyberattacks like phishing, ransomware, and business email compromise at all-time highs, though, something's gotta change, and soon.
At its core, zero trust relates to a shift in how organizations conceive of their networks and IT infrastructure. Under the old model, all the computers, servers, and other devices physically in an office building were on the same network and trusted each other. Your work computer could connect to the printer on your floor, or find team documents on a shared server. Tools like firewalls and antivirus were set up to view anything outside the organization as bad; everything inside the network didn't merit much scrutiny.
You can see, though, how the explosion of mobile devices, cloud services, and remote work has radically challenged those assumptions. Organizations can't physically control every device their employees use anymore. And even if they could, the old model was never that great to begin with. Once an attacker slipped by those perimeter defenses, remotely or by physically infiltrating an organization, the network would instantly grant them a lot of trust and freedom. Security has never been as simple as “outside bad, inside good.”
“About 11 years ago at Google we did have a significant, sophisticated attack against us and our corporate network,” says Heather Adkins, Google's senior director of information security. Hackers backed by the Chinese government rampaged through Google's networks, exfiltrating data and code while trying to establish backdoors so they could get back in if Google tried to kick them out. “We realized that the way we were all taught to build networks just didn’t make any sense. So we went back to the drawing board. Now if you walk into a Google building it’s like walking into a Starbucks. Even if someone had access to a Google machine, nothing trusts it. It's much more difficult for an attacker because we’ve changed the battlefield.”
Instead of trusting particular devices or connections from certain places, zero trust demands that people prove they should be granted that access. Typically that means logging into a corporate account with biometrics or a hardware security key in addition to usernames and passwords to make it harder for attackers to impersonate users. And even once someone gets through, it's on a need-to-know or need-to-access basis. If you don't invoice contractors as part of your job, your corporate account shouldn't tie into the billing platform.
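The contrast described above, as an added illustration that is not code from the article or from any vendor: a toy access-policy evaluator that decides the same request under the old perimeter model (trust anything on the office network) and under a zero-trust check (strong identity proof, a managed device, and an explicit need-to-access grant per resource). The address ranges, roles, resources and sample requests are constructed for the example.

```python
# Added example, not from the article: perimeter vs zero-trust access decisions.
# INTERNAL_NETS, ENTITLEMENTS and the requests below are constructed values.
from dataclasses import dataclass, field

INTERNAL_NETS = ("10.",)              # assumed office address range

# Constructed entitlement table: which roles may reach which resource.
ENTITLEMENTS = {
    "printer-3f": {"engineer", "finance"},
    "team-share": {"engineer", "finance"},
    "billing-platform": {"finance"},   # invoicing is a finance-only task
}

@dataclass
class Request:
    user: str
    roles: set
    resource: str
    src_ip: str
    auth_factors: set = field(default_factory=set)  # e.g. {"password", "hardware_key"}
    device_managed: bool = False

def perimeter_decision(req: Request) -> bool:
    """Old model: anything on the office network is trusted for everything."""
    return req.src_ip.startswith(INTERNAL_NETS)

def zero_trust_decision(req: Request) -> bool:
    """Per-request check: proof of identity beyond a password, a managed
    device, and an explicit grant for this resource; location carries no weight."""
    strong_auth = "password" in req.auth_factors and bool(
        req.auth_factors & {"hardware_key", "biometric"})
    if not (strong_auth and req.device_managed):
        return False
    return bool(req.roles & ENTITLEMENTS.get(req.resource, set()))

def compare(req: Request) -> dict:
    return {"perimeter": perimeter_decision(req), "zero_trust": zero_trust_decision(req)}

# Constructed sample requests.
INSIDER_PASSWORD_ONLY = Request("mallory", {"engineer"}, "billing-platform",
                                "10.0.4.7", {"password"}, device_managed=True)
REMOTE_FINANCE = Request("alice", {"finance"}, "billing-platform",
                         "203.0.113.9", {"password", "hardware_key"}, device_managed=True)
REMOTE_ENGINEER = Request("bob", {"engineer"}, "billing-platform",
                          "203.0.113.10", {"password", "hardware_key"}, device_managed=True)
if __name__ == "__main__":
    for r in (INSIDER_PASSWORD_ONLY, REMOTE_FINANCE, REMOTE_ENGINEER):
        print(r.user, r.resource, compare(r))
```

The first request is the case the article warns about: an on-network session with only a password is waved through by the perimeter model but refused by the zero-trust check, while the remote finance user with a hardware key is admitted only to the resource their job requires.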
If you talk to enough zero-trust advocates, the whole thing starts to sound a bit like a religious experience. They consistently emphasize that zero trust isn't a single piece of software you can install or a box you can check, but a philosophy, a set of concepts, a mantra, a mindset. They describe zero trust this way partly in an attempt to reclaim it from all the marketing doublespeak and promotional T-shirts that have attempted to paint zero trust as a magic bullet.
“Vendors hear new buzzwords, and then they try to package a product they already have into that: ‘Now with 10 percent more zero trust!’” says Ken Westin, an independent security researcher who has worked with security sales and marketing teams throughout his career. “It’s problematic, because zero trust is a concept, not an action. You still have to implement things like device and software inventory, network segmentation, access controls. As an industry we need to have more integrity with how we’re communicating, especially with all the attacks and real threats that organizations are facing—they just don’t have time for the BS.”
Confusion about the real meaning and purpose of zero trust makes it harder for people to implement the ideas in practice. Proponents are largely in agreement about the overall goals and purpose behind the phrase, but busy executives or IT administrators with other things to worry about can easily be led astray and end up implementing security protections that simply reinforce old approaches rather than ushering in something new.
“What the security industry has been doing for the past 20 years is just adding more bells and whistles—like AI and machine learning—to the same methodology,” says Paul Walsh, founder and CEO of the zero-trust-based anti-phishing firm MetaCert. “If it’s not zero trust, it's just traditional security, no matter what you add.”
Cloud providers in particular, though, are in a position to bake zero-trust concepts into their platforms, helping customers adopt them in their own organizations. But Phil Venables, chief information security officer of Google Cloud, notes that he and his team spend a lot of their time talking to clients about what zero trust really is and how they can apply the tenets in their own Google Cloud use and beyond.
“There's quite a lot of confusion out there,” he says. “Customers say, ‘I thought I knew what zero trust was, and now that everyone is describing everything as zero trust, I understand it less.’”
Other than agreeing on what the phrase means, the biggest obstacle to zero trust's proliferation is that most infrastructure currently in use was designed under the old moat-and-castle networking model. There's no easy way to retrofit those types of systems for zero trust, since the two approaches are so fundamentally different. As a result, implementing the ideas behind zero trust everywhere in an organization potentially involves significant investment and inconvenience to rearchitect legacy systems. And those are precisely the types of projects that are at risk of never getting done.
That makes implementing zero trust in the federal government—which uses a hodgepodge of vendors and legacy systems that will take massive investments of time and money to overhaul—particularly daunting, despite the Biden administration's plans. Jeanette Manfra, former assistant director for cybersecurity at CISA who joined Google at the end of 2019, saw the difference firsthand when moving from government IT to the tech giant's own zero-trust-focused internal infrastructure.
“I was coming from an environment where we were investing just tremendous amounts of taxpayer dollars into securing very sensitive personal data, mission data, and seeing the friction you experienced as a user, especially in the more security-oriented agencies,” she says. “That you could have more security and a better experience as a user was just mind-blowing for me.”
Which is not to say that zero trust is a security panacea. Security professionals who are paid to hack organizations and discover their digital weaknesses—known as red teams—have started studying what it takes to break into zero-trust networks. And for the most part, it's still easy enough to simply target the portions of a victim's network that haven't yet been upgraded with zero-trust concepts in mind.
“A company moving its infrastructure off-premises and putting it in the cloud with a zero-trust vendor would close some traditional attack paths,” says longtime red teamer Cedric Owens. “But in all honesty, I have never worked in or red-teamed a full zero-trust environment.” Owens also emphasizes that while zero-trust concepts can be used to materially strengthen an organization's defenses, they aren't bulletproof. He points to cloud misconfigurations as just one example of the weaknesses companies can unintentionally introduce when they transition to a zero-trust approach.
Manfra says that it will take time for many organizations to fully grasp the benefits of the zero-trust approach over what they've relied on for decades. She adds, though, that the abstract nature of zero trust has its benefits. Designing from concepts and principles rather than particular products lends a flexibility, and potentially a longevity, that specific software tools don't.
“Philosophically, it seems durable to me,” she says. “Wanting to know what and who are touching what and whom in your system are always things that will be useful for understanding and defense.”