With the cultural issues out of the way, let us discuss some technical details. Given the state of security technology and where security leadership sits these days, I question whether Zero Trust can actually be implemented.
Essentially, with a ‘Zero Trust’ approach, we are talking about DMZs. However, instead of only our usual externally facing DMZs, we are also talking about DMZs that are internally facing. These are no ordinary DMZs either; they are highly monitored and controlled DMZs with IDS/IPS, NAC, full logging and everything else required to ensure security. These technologies are not for the faint of heart, as they require a lot of planning to get right.
Where a lot of organizations get things wrong is that they believe all of these security technologies are like a Ronco Showtime Rotisserie oven: you just “Set it and forget it.” If only security worked that way, but it does not. As a result, one of the first stumbling blocks organizations interested in Zero Trust face is staffing, since Zero Trust will require a significant amount of ongoing attention both from a security perspective and from the help desk. I do not think we are talking about a huge increase in security and help desk personnel, but existing staffing levels are likely to be insufficient in a Zero Trust environment.
The next issue that I see is with the technology itself. Most security technology is designed for Internet-facing use, not internal use. These solutions can be used internally, but they tend to create problems there because of their severe responses to anything they perceive as an attack. As a result, in order to use them internally, security professionals have to turn off or turn down certain features or functions because they get in the way of getting business done. Then there are the applications themselves. I cannot tell you how frustrated I get with vendor and in-house developers who cannot tell you, from a networking perspective, how their applications work: which hosts talk to which, on what ports and protocols, and in which direction. As a result, security professionals are required to do extensive research to figure out what ports/services an application requires, if they even do such research. That is what produces what we tend to see on internal networks with internal DMZs: lots of ports/services open into the DMZ because nobody wants the application to break. Every unnecessary port left open is a path an attacker can use once inside the network, which defeats the purpose of segmenting in the first place. In a Zero Trust approach, this is not acceptable.
Then there is logging and the management and maintenance of log data. It still amazes me the amount of push back I receive on logging and the management of log data. Security professionals and managers complain and complain about the amount of data that needs to be retained and how long it needs to be retained. Hello! This is the only way you will ever know what went wrong and how it went wrong so that you can fix it. But the security information and event management (SIEM) industry has not helped matters by delivering solutions that can cost as much as a large Beverly Hills mansion and are as easy to implement as an ERP system. While there are open source solutions, their usability is questionable at best. Unfortunately, the PCI DSS mandates that log data be reviewed at least daily, and merchants either cannot afford the tools to get that done or do not have the time to invest in meeting the requirement. As a result, there is a lot of frustration that what merchants are being asked to do cannot be done. Yet log capture and review is possibly one of the most important aspects of an organization’s security posture, because if your firewall and IPS do not stop an attack, the only way you will ever know that is from your log data. Damned if you do, damned if you do not.
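One way to attack both problems above, the unknown application ports that end up as wide-open internal DMZ rules and the daily log review nobody has time for, as an added Python example that is not from this post: profile what the application actually does on the wire while a permissive rule is in place, turn the observed flows into a per-flow allow list with a default deny, then run each day’s log against that same profile. The addresses, the record format, the rule syntax and every log line below are constructed for the example; real firewalls log and express rules differently.

```python
import re
from collections import Counter

# Record format assumed for both the profiling capture and the daily log
# (hypothetical; real firewalls differ): "<ts> <src> -> <dst> <proto>/<port> <ACCEPT|DENY>"
RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s+"
    r"(?P<proto>tcp|udp)/(?P<port>\d+)\s+(?P<action>ACCEPT|DENY)$"
)

# Constructed profiling capture: a week with the permissive rule in place, so
# every flow the application generates is accepted and logged. Hypothetical
# addressing: 10.10.20.0/24 users, 10.10.30.0/24 internal DMZ with the app
# server (.11) and its database (.12), 10.10.40.3 the syslog collector.
PROFILE_CAPTURE = """\
2024-03-01T09:12:01 10.10.20.5 -> 10.10.30.11 tcp/443 ACCEPT
2024-03-01T09:12:03 10.10.30.11 -> 10.10.30.12 tcp/1433 ACCEPT
2024-03-01T09:13:44 10.10.20.7 -> 10.10.30.11 tcp/443 ACCEPT
2024-03-02T10:01:09 10.10.30.11 -> 10.10.30.12 tcp/1433 ACCEPT
2024-03-02T10:02:15 10.10.20.9 -> 10.10.30.11 tcp/443 ACCEPT
2024-03-03T11:20:00 10.10.30.11 -> 10.10.40.3 udp/514 ACCEPT
"""

# Constructed log for one day after the tight rule set went in. The last line
# is an outbound connection accepted through an exception someone added for
# "software updates"; the 10.10.20.44 lines are a host probing the DMZ.
DAY_LOG = """\
2024-03-08T08:00:12 10.10.20.5 -> 10.10.30.11 tcp/443 ACCEPT
2024-03-08T08:00:13 10.10.30.11 -> 10.10.30.12 tcp/1433 ACCEPT
2024-03-08T08:15:40 10.10.20.44 -> 10.10.30.12 tcp/1433 DENY
2024-03-08T08:15:41 10.10.20.44 -> 10.10.30.12 tcp/3389 DENY
2024-03-08T08:15:42 10.10.20.44 -> 10.10.30.12 tcp/22 DENY
2024-03-08T08:15:43 10.10.20.44 -> 10.10.30.11 tcp/22 DENY
2024-03-08T08:15:44 10.10.20.44 -> 10.10.30.11 tcp/3389 DENY
2024-03-08T09:30:02 10.10.30.11 -> 203.0.113.9 tcp/443 ACCEPT
"""

# The "so the application does not break" rule the profile replaces.
PERMISSIVE_RULE = "allow 10.10.20.0/24 -> 10.10.30.0/24 any/any"


def parse_records(text):
    """Parse log text into dicts; reject anything that does not match the format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable record: {line!r}")
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        records.append(rec)
    return records


def net24(ip):
    """Collapse a host address to its /24 so rules are per segment, not per user."""
    a, b, c, _ = ip.split(".")
    return f"{a}.{b}.{c}.0/24"


def flow_key(rec):
    return (net24(rec["src"]), rec["dst"], rec["proto"], rec["port"])


def derive_allowlist(records):
    """Distinct (source /24, destination host, proto, port) tuples seen accepted,
    with how often each was seen."""
    return Counter(flow_key(r) for r in records if r["action"] == "ACCEPT")


def render_rules(allowlist):
    """Tight rule set in the hypothetical syntax: one rule per observed flow and
    an explicit default deny at the end."""
    rules = [f"allow {src} -> {dst} {proto}/{port}"
             for (src, dst, proto, port) in sorted(allowlist)]
    rules.append("deny any -> any any/any")
    return rules


def review_day(records, allowlist, deny_threshold=5):
    """Daily review against the profile, not the rule set: an accepted flow the
    application never needed got through somehow, and a source denied many
    times is probing. Both are findings to look at."""
    unexpected = [
        f"{r['ts']} {r['src']} -> {r['dst']} {r['proto']}/{r['port']} accepted outside profile"
        for r in records
        if r["action"] == "ACCEPT" and flow_key(r) not in allowlist
    ]
    denies = Counter(r["src"] for r in records if r["action"] == "DENY")
    noisy = [(src, n) for src, n in denies.most_common() if n >= deny_threshold]
    return {"unexpected_accepts": unexpected, "noisy_sources": noisy}


if __name__ == "__main__":
    profile = derive_allowlist(parse_records(PROFILE_CAPTURE))
    print("Replacing:", PERMISSIVE_RULE)
    for rule in render_rules(profile):
        print("  ", rule)
    findings = review_day(parse_records(DAY_LOG), profile)
    for line in findings["unexpected_accepts"]:
        print("FINDING:", line)
    for src, n in findings["noisy_sources"]:
        print(f"FINDING: {src} denied {n} times, possible probing")
```

Two design points: the review compares the day against the observed profile rather than against the rule set, so an exception rule somebody added later still surfaces as a finding, and the profiling capture must be long enough to include infrequent flows (month-end jobs, log shipping) or the tight rule set will break the application exactly as the developers feared.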
So a merchant implements all of the necessary technologies and procedures to make Zero Trust a reality. Is that merchant more secure? If a merchant makes such an investment, the reward will likely be improved security. But it will take continuous effort to keep Zero Trust running, and that is where all organizations run into trouble with security initiatives. It takes consistent execution to make security work, and people and organizations these days lose interest in things they think are fixed, so security gets pushed to the back burner. As a result, it takes strong leadership to keep security off of the back burner. Without that leadership, security will fall into a rut and an incident will occur that makes security a front burner topic again.
So while I think Zero Trust is probably the approach we should all work towards, it will take a lot of effort to make it a reality.