This is, however, an exciting time to think about Zero Trust. We know what we want it to be, but we haven’t figured out how to do it. If you come up with the solution, there is still time to deliver the next big thing, provided, of course, that you know the right people.
Right now, what we have are many companies offering Zero Trust solutions in the way they always do. They are taking what they already have, modifying it somewhat, and trying to get you to believe that theirs is the best road to Zero Trust.
The Rush to Zero Trust
So Microsoft talks about that years-long journey to Zero Trust through directory services and device management. Okta stresses identity. Akamai offers a combination of application-only access, network isolation, protection from application-layer attacks, identity, advanced threat protection, monitoring and SIEM. Illumio, a relative newcomer, suggests putting Zero Trust into a system separate from your network. So it goes.
Personally, I think the best idea comes from the ghost of Ma Bell. The Cloud Security Alliance is a big-time industry group with executive members like Google, Microsoft, Oracle, IBM Security, EMC and many more. They are working with a Zero Trust concept called the Software Defined Perimeter (SDP). They’re not the only people doing this. Many vendors are touting their SDP approaches, just like all those Zero Trust approaches.
Software Defined Perimeter
As I understand it, the SDP combines identity and authentication with authorization and micro-segmentation by dividing the global data communications environment into a control plane and a data plane. For a device to gain access to an enterprise resource such as an application or data, it sends a packet through a separate communications channel to a policy engine/administrator that authenticates the user/device, then sets up an encrypted channel between the device and the resource, meanwhile instructing the resource to accept the connection.
To me, this looks like circuit-switching, which is how telephone networks used to communicate. They had a separate control channel (I remember one called SS7) that built the individual connection between the sender and the receiver. In the context of the Internet, which was built on the superiority of packet-switching, this is ironic.
The fact is, however, that setting up unique circuits like this is a pretty good idea. For one thing, it allows the resource – in fact, all resources to be accessed – to remain invisible from anyone else on the Internet. All ports are closed, except for the secure mutual connection to the policy engine and the encrypted connection it opens to the device only when asked. This means that the bad guys can’t even SEE the resource! There are many more cool things about this architecture, but I can feel your eyes glazing over already.
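To make the control-plane/data-plane split concrete, here is an added toy model of the exchange described in the two paragraphs above. It is example code written for this article, not part of the original post and not the Cloud Security Alliance's SDP specification; the class names, the HMAC-signed access request standing in for mutual TLS, the device key registry and the policy table are all constructed assumptions. It shows the property the author highlights: the gateway in front of the resource drops every packet silently unless the controller has first authenticated the device, checked policy, and told the gateway to accept that one short-lived session.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumption): the controller's registry of device
# keys and its access policy. In a real SDP these come from an IdP/PKI.
DEVICE_KEYS = {
    "laptop-42": b"constructed-device-secret",
    "kiosk-7": b"constructed-kiosk-secret",
}
POLICY = {("laptop-42", "payroll-app")}  # (device, resource) pairs allowed


class Gateway:
    """Data-plane guard in front of one resource. Default-deny: a packet
    is dropped unless the controller pre-authorised its session. Dropping
    (rather than rejecting) is what keeps the resource 'invisible'."""

    def __init__(self, resource):
        self.resource = resource
        self.sessions = {}  # session_id -> expiry time
        self.dropped = 0

    def authorise(self, session_id, expires_at):
        # Called only by the controller over the control channel.
        self.sessions[session_id] = expires_at

    def accept(self, session_id, now):
        expires_at = self.sessions.get(session_id)
        if expires_at is None or now > expires_at:
            self.dropped += 1
            return None  # no response at all: no SYN/ACK, no RST
        return f"encrypted channel to {self.resource}"


class Controller:
    """Control plane: authenticates the device, checks policy, and tells
    the gateway to accept exactly one short-lived session."""

    def __init__(self, gateways, session_ttl=30):
        self.gateways = gateways
        self.session_ttl = session_ttl
        self.seen_nonces = set()  # replay protection for access requests

    def request_access(self, device_id, resource, nonce, tag, now):
        key = DEVICE_KEYS.get(device_id)
        if key is None or nonce in self.seen_nonces:
            return None
        if not hmac.compare_digest(sign_request(key, device_id, resource, nonce), tag):
            return None  # authentication failed
        self.seen_nonces.add(nonce)
        if (device_id, resource) not in POLICY or resource not in self.gateways:
            return None  # authenticated but not authorised
        session_id = secrets.token_hex(16)
        self.gateways[resource].authorise(session_id, now + self.session_ttl)
        return session_id


def sign_request(key, device_id, resource, nonce):
    """Device-side MAC over the access request (stand-in for mTLS/SPA)."""
    msg = f"{device_id}|{resource}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def run_scenarios():
    """Walk through the exchanges and return what each one observed."""
    gw = Gateway("payroll-app")
    ctrl = Controller({"payroll-app": gw})
    now = 1_000
    results = {}

    # 1. Data-plane packet with no prior control-plane step: dropped.
    results["cold_connect"] = gw.accept("guessed-session", now)

    # 2. Wrong key: authentication fails, nothing is opened.
    bad_tag = sign_request(b"wrong-key", "laptop-42", "payroll-app", "n1")
    results["bad_auth"] = ctrl.request_access("laptop-42", "payroll-app", "n1", bad_tag, now)

    # 3. Authenticated but not in policy: still nothing opened.
    tag = sign_request(DEVICE_KEYS["kiosk-7"], "kiosk-7", "payroll-app", "n2")
    results["no_policy"] = ctrl.request_access("kiosk-7", "payroll-app", "n2", tag, now)

    # 4. Happy path: control channel first, then the data channel is accepted.
    tag = sign_request(DEVICE_KEYS["laptop-42"], "laptop-42", "payroll-app", "n3")
    session = ctrl.request_access("laptop-42", "payroll-app", "n3", tag, now)
    results["authorised"] = gw.accept(session, now + 1)

    # 5. Replaying the same signed request is refused.
    results["replay"] = ctrl.request_access("laptop-42", "payroll-app", "n3", tag, now)

    # 6. The window closes: the same session after its TTL is dropped again.
    results["expired"] = gw.accept(session, now + ctrl.session_ttl + 1)

    results["dropped_packets"] = gw.dropped
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16} -> {outcome}")
```

The design point to notice is the order of operations: the gateway never learns anything from the data plane itself, so a connection attempt that skipped the controller produces no reply and no error, which is what makes the resource dark to a port scan. Short session lifetimes and the nonce check on the control channel are the two knobs that keep an authorisation from outliving the decision that granted it.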
Some Practical Advice
The point is that the Zero Trust vision is on the verge of coming true, but there are still several models fighting it out to become the standard. What to do in the meantime? Pick a couple of things you like for other reasons, such as multi-factor authentication and single sign-on, and wait until their vendors finally bolt on enough new stuff to get to Zero Trust.