With ISACA espousing digital trust, what about zero trust? At first glance, that question might seem contradictory, but, in fact, the two concepts go together quite well. Zero trust is quite supportive of digital trust; they overlap to a great extent.
Defining Zero Trust
A great deal of the seeming contradiction is definitional, and the definitions are a bit slippery. ISACA defines digital trust as “the confidence in the integrity of the relationship, interactions and transactions among providers and consumers within an associated digital ecosystem.”1 ISACA is the authoritative source for that definition, although there are others.2
Likewise, there are a number of definitions of zero trust. ISO has not yet weighed in on zero trust, but the US National Institute of Standards and Technology (NIST), usually a reliable standard (pun intended), says zero trust is “[a] collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”3
However, the companies that make the various products that are intended to enable this standard offer rather different definitions. IBM says that zero trust is “[a] framework that assumes a complex network’s security is always at risk to external and internal threats.”4 Palo Alto Networks, a leading manufacturer of firewalls, calls zero trust “[a] strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction.”5 Personally, I go for Microsoft’s definition of zero trust, “Never trust, always verify.”6 If brevity is the soul of wit, that’s it.
Just in case I have not sufficiently confused the matter, there is the associated concept of zero trust architecture (ZTA), which NIST distinguishes from that of zero trust and which much of the world, so I have found, uses interchangeably. Suffice for now7 to state that the architecture is a framework for implementing the technologies that underlie the concept.
Conceptually, zero trust is quite simple. Historically, information security has relied on perimeter security. That is, a user must authenticate himself at the point of entry to a system and thereafter has access to all the resources within that system. The shortcomings of this approach should be obvious; not everyone has, or should have, authorization to use all the infrastructure, data and applications within a system. Zero trust dictates that a user, once authenticated, will have access only to the set of resources for which he is authorized. If he attempts to access other resources, he must be re-authenticated. The intent is to limit and control (not eliminate) what is known as lateral movement.
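The contrast just described, as an added illustration that is not part of the column: a toy policy decision point that evaluates the same sequence of requests under the perimeter model (authenticate once at the gate, then everything inside is reachable) and under zero trust (each request checked against the user's authorization, the freshness of the authentication, and the trust zone the session was admitted to). The users, resources and zones are constructed sample data; the 300-second session age is an assumed policy value.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: the trust zone each resource lives in,
# and the zones each user is authorized to use.
RESOURCE_ZONES = {"crm_app": "sales", "payroll_db": "finance", "wiki": "general"}
USER_ZONES = {"alice": {"sales", "general"}, "bob": {"finance", "general"}}

MAX_AGE = 300  # assumed policy: seconds before a session must re-authenticate


@dataclass
class Session:
    user: str
    authenticated_at: float
    zone: Optional[str] = None  # trust zone this session was admitted to


def perimeter_decision(session: Session, resource: str) -> str:
    """Perimeter model: once past the gate, every resource inside is reachable."""
    return "allow"


def zero_trust_decision(session: Session, resource: str, now: float) -> str:
    """Zero trust: a fresh, per-request decision.

    Unauthorized zone -> deny; stale session or a move into a different
    (but authorized) zone -> re-authenticate; same zone -> allow, because
    within the trust zone the user is fully trusted.
    """
    zone = RESOURCE_ZONES.get(resource)
    if zone is None or zone not in USER_ZONES.get(session.user, set()):
        return "deny"
    if now - session.authenticated_at > MAX_AGE:
        return "reauthenticate"
    if session.zone is None:
        session.zone = zone  # first access binds the session to its zone
        return "allow"
    if zone != session.zone:
        return "reauthenticate"  # lateral move across zones: prove identity again
    return "allow"


def lateral_movement_demo(now: float = 1000.0) -> dict:
    """Replay one credential's requests across zones under both models."""
    session = Session("alice", authenticated_at=now)
    requests = ["crm_app", "crm_app", "wiki", "payroll_db"]
    return {
        "perimeter": [perimeter_decision(session, r) for r in requests],
        "zero_trust": [zero_trust_decision(session, r, now) for r in requests],
    }
```

The perimeter model returns "allow" for every request; the zero-trust evaluation allows the two in-zone requests, demands re-authentication for the move into the general zone, and denies the finance resource outright.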
Marketing Difficulties
I have a problem with the term zero trust. It is terrible for marketing purposes and is not really accurate.
It is easy to communicate the benefits of digital trust. In both our business and personal lives, we are all standing under a Niagara of information. Hopefully we have gotten past “I saw it on the Internet so it must be true.” Still, we want to know as we use information that it is secure, controlled and available; has integrity; and is kept private if it is personal in nature. In other words, we want to trust it. Thus, on its own terms zero trust seems to be inimical to digital trust. In fact, zero trust implies that we can trust the information because we do not implicitly trust the user. But if someone has to tie himself into rhetorical knots to explain the coherence between the concepts, trying to convince people that zero trust is advantageous starts at a disadvantage.
Worse still, once it is made clear that it is the users who are not trusted, there is another marketing difficulty. Business managers may not understand the technology behind zero trust, but they do trust the people under their supervision. They employ people to perform jobs, some (many?) of which require the use of information, a portion of which is sensitive, critical, secret or private. With some pre-employment screening, these people are trusted to use that information. So when the security professional tries to promote zero trust, it is quite a tough sell.
And indeed, zero trust is not zero at all. Once authorized to use information resources, users are fully trusted to use those within their so-called “trust zone.”8 Any further access and usage controls must come from the data and applications within the zone.
Identity and Credentials
Zero trust is based on the association of individuals with resources. In turn, each individual has an identity, which is verified by a number of means. Most commonly, individuals are issued identifiers (user IDs), known to the system, which are authenticated by passwords. In many cases, additional authenticators, such as secret codes or personal characteristics (which we call multifactor authentication), are used.
But how does anyone know who that person is in the first place? We require individuals to present credentials to establish their identity.
An excellent, concise publication from the US government distinguishes between the two terms:
Identity refers to the set of characteristics that describe an individual within a certain context. For example, name, social security number, address, and education are attributes associated with your unique job identity. Identity Management includes issuing, validating (proofing), maintaining, and terminating identities.
Credentials are pieces of evidence that confirm an individual’s claimed identity. For example, a driver’s license or an online ID and password tie the credential owner to his or her identity. Credential Management includes issuing, tracking, updating, and terminating credentials.9
Credentials can be falsified or stolen. It seems that teenagers are particularly adept at obtaining false IDs to gain entrance to certain otherwise prohibited, er, establishments. And what would a spy novel be without fake passports? More seriously, a considerable number of cyberattacks, recently reported as 15%, are carried out via the use of stolen credentials.10 Perhaps zero trust is a misnomer. Maybe we should call it 85% trust.
All the foregoing might lead one to believe that I am not a proponent of zero trust or ZTA. That is far from the truth. I have been talking them up, as far as I recall, since 2014.11 I do think they are excellent medicine, just not a panacea.
Endnotes
1 ISACA, Digital Trust Ecosystem Framework: Introduction and Approach, USA, 2022, http://4crt.rf518.com/dtef-ebook
2 Viz. World Economic Forum, “Digital Trust Initiative,” http://initiatives.weforum.org/digital-trust/about; DigiCert, “Digital Trust for the Real World,” http://www.digicert.com/insights/digital-trust
3 Rose, S.; O. Borchert; S. Mitchell; S. Connelly; National Institute of Standards and Technology (NIST) Special Publication 800-207 Zero Trust Architecture, NIST, USA, August 2020, http://doi.org/10.6028/NIST.SP.800-207
4 IBM, “What Is Zero Trust?” http://www.ibm.com/topics/zero-trust
5 Palo Alto Networks, “What Is a Zero Trust Architecture,” http://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
6 Microsoft, “Embrace Proactive Security With Zero Trust,” http://www.microsoft.com/en-us/security/business/zero-trust
7 Though I reserve the right to revisit this distinction in the future.
8 A term used interchangeably with “security zone.”
9 SAFECOM and National Council of Statewide Interoperability Coordinators (NCSWIC), “Identity, Credential, and Access Management: Public Safety Value Proposition Overview,” http://www.cisa.gov/sites/default/files/2023-02/20_0729_ICAM_value_proposition_overview_508c.pdf
10 I have seen all sorts of statistics thrown around as the percentage of such attacks. I am relying on IBM Security (Ponemon Institute), Cost of a Data Breach Report 2023, USA, 2023, p.6, http://www.ibm.com/downloads/cas/E3G5JMBP
11 Ross, S. J.; “Bear Acceptance,” ISACA® Journal, vol. 4, 2014, 4crt.rf518.com/archives
STEVEN J. ROSS | CISA, CDPSE, AFBCI, MBCP
Is executive principal of Risk Masters International LLC. He has been writing one of the Journal’s most popular columns since 1998. Ross was inducted into the ISACA® Hall of Fame in 2022. He can be reached at stross@riskmastersintl.com.