{"id":16506,"date":"2019-10-04T11:00:17","date_gmt":"2019-10-04T19:00:17","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/10\/04\/news-10246\/"},"modified":"2019-10-04T11:00:17","modified_gmt":"2019-10-04T19:00:17","slug":"news-10246","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/10\/04\/news-10246\/","title":{"rendered":"Decrypting What Zero Trust Is, And What It Likely Isn\u2019t"},"content":{"rendered":"<p><strong>Credit to Author: Greg Young (Vice President for Cybersecurity)| Date: Fri, 04 Oct 2019 17:33:56 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"299\" height=\"136\" src=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/TM_logo_red_2c_rgb.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"https:\/\/blog.trendmicro.com\/answers-to-your-questions-on-our-mac-apps-store\/\" style=\"float: left; margin-right: 5px;\" link_thumbnail=\"\" \/><\/p>\n<p>It\u2019s always an indicator of confusion when instead of hearing \u201cI want Q\u201d I\u2019m asked \u201cwhat is Q?\u201d. In this case the \u2018Q\u2019 is Zero Trust.\u00a0 I\u2019ll try and give my best take on what I understand Zero Trust to be.<\/p>\n<p><strong>History Repeats<\/strong><\/p>\n<p>Let\u2019s start with the background. 
Quite a while back the Jericho Forum proposed a changed trust model to the effect that if hosts could be self-defending, then perimeter controls were not required.\u00a0 There was interest in the idea of more secure hosts, but the proposal had flaws in that there weren\u2019t many organizations where all hosts were managed or controlled, and network or volumetric DDoS attacks meant even well-managed hosts could be DoS\u2019d without network controls.<\/p>\n<p>There was a variation on the Jericho-like models where a central security controller would be used to manage all security.\u00a0 This was a precursor to NAC, and the model had the flaw that the controller itself would become the target, including by DDoS.\u00a0 An improvement was the concept that unmanaged hosts could be assets that were defended somehow.\u00a0 This became the precursor of what we would later call NAC, although NAC\u2019s scope would be much more precise and deal better with availability.\u00a0 NAC isn\u2019t everywhere, though, because of other challenges; however, NAC is a viable safeguard.<\/p>\n<p>Zero Trust seems to be a variation on Jericho and NAC, but instead of focusing on self-defending hosts, the model is based on not allowing activity to untrusted entities.\u00a0 It turns out that denying untrusted entities goes back 30 years in firewalling as \u2018Deny-All\u2019.\u00a0 It\u2019s been a best practice that the last rule in a firewall rule base is almost always Deny-All.\u00a0 Another long-serving principle has been least-privilege, meaning that you don\u2019t allow entities to have more privilege than they need.<\/p>\n<p><strong>Lots of Security Technologies and Markets That Get Into the Discussion<\/strong><\/p>\n<p>Microsegmentation has been a very cool area of security tech.\u00a0 In a nutshell, microsegmentation is about being more explicit about what privileges zones have to communicate, having more zones, and not limiting communication to 
\u2018north-south\u2019.\u00a0 The most common example of north-south communication is internet-webserver-appserver-dataserver.\u00a0 I mention microsegmentation because it evolved to deal primarily with enforcing separation and segmentation for mostly east-west communication in response to increased lateral movement attacks. \u00a0One example use case is making sure the dev web server doesn\u2019t communicate with the live prod web server.\u00a0 In short, it is a technology to make sure that things at the same tier aren\u2019t assumed to trust one another just because they share that tier.<\/p>\n<p>I include IPS and EPP as technologies here as well.\u00a0 EPP because an agented endpoint has exceptional security value, and IPS because its virtual inline patching means that unmanaged or unagented endpoints can still be protected from exploitation.\u00a0 In allowing A to talk to B, the state of A and B has great security relevance.<\/p>\n<p><strong>Naughty Marketing Has Confused Things<\/strong><\/p>\n<p>I\u2019ve observed that conflating what \u2018zero\u2019 and \u2018trust\u2019 mean has been an issue.\u00a0 One group of definitions and marketing has been that you end up not having to trust anything and thus have zero risk.\u00a0 Ugh.\u00a0 Trust isn\u2019t binary except in very few environments.\u00a0 Think about IoT.\u00a0 Knowing that something is unpatched, doesn\u2019t have an agent, and yet must be a member of my network is very useful.\u00a0 An MRI machine.\u00a0 Do I trust it?\u00a0 Not completely.\u00a0 The second group of definitions centers on not trusting things blindly as the solution.\u00a0 That is a much more reasonable view, and is what Deny-All has always been about, and maybe those rules or exceptions above the Deny-All rule.\u00a0 And within that Deny-All variation sometimes elements of least-privilege are attached.<\/p>\n<p><strong>So What Is Zero Trust?<\/strong><\/p>\n<p>I don&#8217;t think that Zero Trust is a market or a product type.\u00a0 Buying a 
product with a lot of Zero Trust labeling won\u2019t fix your security on its own.\u00a0 My thinking is that Zero Trust is more a model or guiding design principle. Deny-All, least-privilege, NAC, and microsegmentation may be some or all of the technologies or approaches.\u00a0 Never be deluded that security architecture is easy: in my opinion it is the most advanced and challenging role and task in security.\u00a0 All security architectures do need to consider, though, whether the network is too flat, how unmanaged endpoints are dealt with, and how separation, segmentation and isolation are regulated. So look to implementing the good principles of Zero Trust, but beware of overly enthusiastic marketing of it as being something it likely isn\u2019t.\u00a0 I like Chase Cunningham\u2019s blog post on \u201cZero Trust On a Beer Budget\u201d.\u00a0 (go.forrester.com\/blogs\/zero-trust-on-a-beer-budget)<\/p>\n<p><strong>OK, OK, But What Products Enable Zero Trust?<\/strong><\/p>\n<p>Yeah, I do tend to go on, sorry.\u00a0 So here are the products within the Trend portfolio that best help implement a Zero Trust model, and which element each addresses:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.trendmicro.com\/en_ca\/business\/products\/user-protection.html\">EPP<\/a> (Endpoint Protection Platform): an agented endpoint minimizes loss of control and maximizes identification. 2FA, whitelisting, app control, and encryption on endpoints. Apex One<\/li>\n<li><a href=\"https:\/\/www.trendmicro.com\/en_ca\/business\/products\/hybrid-cloud.html\">CWPP<\/a> (Cloud Workload Protection Platform): provides whitelisting of apps and resources, and control of servers and containers in multi-cloud. Deep Security<\/li>\n<li><a href=\"https:\/\/www.trendmicro.com\/en_ca\/business\/products\/network.html\">Network IPS<\/a>: Shielding resources that can\u2019t be otherwise managed. 
TippingPoint<\/li>\n<li><a href=\"https:\/\/www.trendmicro.com\/en_ca\/business\/products\/network\/advanced-threat-protection.html\">Network Analytics<\/a>: mapping out afterwards where you have holes in your architecture, especially for \u2018surprise\u2019 lateral movements. Deep Discovery<\/li>\n<\/ul>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.trendmicro.com\/decrypting-what-zero-trust-is-and-what-it-likely-isnt\/\">Decrypting What Zero Trust Is, And What It Likely Isn&#8217;t<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.trendmicro.com\"><\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Greg Young (Vice President for Cybersecurity)| Date: Fri, 04 Oct 2019 17:33:56 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"299\" height=\"136\" src=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/09\/TM_logo_red_2c_rgb.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"https:\/\/blog.trendmicro.com\/answers-to-your-questions-on-our-mac-apps-store\/\" style=\"float: left; margin-right: 5px;\" link_thumbnail=\"\" \/><\/p>\n<p>It\u2019s always an indicator of confusion when instead of hearing \u201cI want Q\u201d I\u2019m asked \u201cwhat is Q?\u201d. In this case the \u2018Q\u2019 is Zero Trust.\u00a0 I\u2019ll try and give my best take on what I understand Zero Trust to be. History Repeats Let\u2019s start with the background. 
Quite a while back the Jericho Forum&#8230;<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.trendmicro.com\/decrypting-what-zero-trust-is-and-what-it-likely-isnt\/\">Decrypting What Zero Trust Is, And What It Likely Isn&#8217;t<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.trendmicro.com\"><\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[10422,714,666],"class_list":["post-16506","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-current-news","tag-security","tag-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16506","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16506"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16506\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16506"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16506"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}