Zero Trust Security – The Cultural Discussion

There is a great motto on the SR-71 Blackbird flight crew badges, “In God we trust, all others we verify.”  John Kindervag of Forrester Research has written a paper titled ‘No More Chewy Centers: Introducing The Zero Trust Model Of Information Security’ that takes this motto into the information security realm.  The premise of the paper is this: what if you treat everything on your network, internal or external, as untrusted?  The paper is a great read and is worth the cost to obtain a copy.

This concept may sound a bit extreme and, for some, may even seem an odd approach.  But you have to ask yourself, can you really trust all of your users?  That is exactly the point John is making.  He points to 26 data security breaches in the first half of 2010 that were the result of “trusted” personnel deliberately or accidentally releasing information.  John’s advice is that if you cannot trust your users, then you need to treat them and their network traffic as untrusted.

As a security professional, this approach sounds appropriate given today’s computing environment.  However, as a former senior IT executive, I have to say it sends chills down my spine.  For what this approach requires is that you tell your employees that they cannot be trusted.  If that does not scare the daylights out of you, it will sure scare it out of your human resources executives and probably a few, if not all, of the rest of your senior managers.

Then there is the process of selling such an approach.  And let us face it; it will be quite a sales job to get such an approach sold to senior management.  To exacerbate this process, surveys of senior managers portray security professionals as too technical and unable to explain why security is necessary in business terms.  With that sort of disconnect, the concept of Zero Trust is going to be almost impossible for most security professionals to sell to their organizations.  In my opinion, the only way such an approach will ever be implemented is if it is suggested and driven by senior management, not IT or information security.

Then there is the fact that Zero Trust is not going to totally solve the security problem.  Remember my mantra: security is not perfect.  Zero Trust will only minimize risk, but it is likely to reduce risk about as far as it can be reduced.  Senior managers are going to be skeptical about spending the money it will take to get to this level.  However, for the financial institution and health care industries, the cost will be worth the peace of mind.  Other industries will likely struggle with justifying the expense.  But in the end, I think this is probably the only route to as secure an environment as one can have.

In a future post, I will discuss the technological ramifications of Zero Trust.


5 Responses to “Zero Trust Security – The Cultural Discussion”

  1. JJ
    September 21, 2010 at 2:47 PM

    True. By “convenience” I was referring to the too-often practice of cranking down the controls so tight that people can’t effectively do their job in an efficient manner and when loosening them up a bit still achieves 99% of the desired result. I usually see this when the control mechanism isn’t granular enough. Or when a newbie does things by the book without understanding the impact on the business to run.

    • September 21, 2010 at 4:46 PM

      I would agree with your granularity comment. When the network is appropriately engineered and secured, most of the security issues are application related because the application cannot control access to the data at the right level or, worse yet, the vendor cannot tell you the exact ports that are required. Access is then either too loose or too strict, although too loose seems to be the more prevalent condition. Software vendors will eventually catch up, but because a lot of these security issues are architectural in nature, it will likely take a while before we see them addressed.

  2. JJ
    September 21, 2010 at 8:52 AM

    The key is to not tell people you don’t trust them, just implement protections against them. We started down this path when all of the news about the “advanced persistent threat” came out, where an attacker has numerous resources burrowed in your network and activates them as needed. The question we asked ourselves was “How do we operate the business with a partially compromised network?” because it’s going to happen sooner or later.

    Implementing simple things like “no HTTP Intranet sites”, encrypting all login traffic (especially RDP and web-based management systems), implementing strict network segmentation AND WATCHING THE LOGS goes a long way.

    Hmmm, does any of this sound familiar to fellow PCI’ers? 🙂

    Information Security people screw up when they decide to give people just what they need to do their job even if it makes it very inconvenient. The best approach I’ve found is to give people just what they need to do their jobs, definitely nothing less and maybe a little more for convenience reasons even if it raises the risk slightly. If people can’t do their job without a lot of hassle, they will work around you and that will raise the risk. And if people can’t do their job, there is no business to run.

    • September 21, 2010 at 12:04 PM

      Agreed. However, the title ‘Zero Trust’ kind of gives it away.

      The biggest problem I see these days is too much convenience. In particular, when you start to see people who serve in another role when other people are on vacation or are out sick. These people seem to almost always have the rights of the other role all of the time rather than only when they serve in that role.
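The standing-rights problem described in the reply above, as an added example that is not part of the original post or its comments: a toy access policy (the role names, permissions and vacation dates are constructed assumptions) that contrasts a backup who holds the approver role permanently with one whose approver role is a time-boxed delegation that lapses by itself when the coverage window ends.

```python
from datetime import datetime, timedelta

# Constructed role model (assumption, not from the post): two accounts-payable roles.
ROLE_PERMISSIONS = {"ap_clerk": {"invoice:read", "invoice:submit"},
                    "ap_approver": {"invoice:read", "invoice:approve"}}

class AccessPolicy:
    def __init__(self):
        self.standing = {}     # user -> roles held all the time
        self.delegations = []  # (user, role, start, end): role held only inside the window

    def add_user(self, name, *roles):
        self.standing[name] = set(roles)

    def delegate(self, grantee, role, start, end):
        # A coverage grant is time-boxed, so nobody has to remember to revoke it.
        if end <= start:
            raise ValueError("delegation window must be non-empty")
        self.delegations.append((grantee, role, start, end))

    def effective_roles(self, name, at):
        """Standing roles plus any delegation whose window contains `at` (end is exclusive)."""
        roles = set(self.standing[name])
        roles.update(role for user, role, start, end in self.delegations
                     if user == name and start <= at < end)
        return roles

    def is_allowed(self, name, permission, at):
        return any(permission in ROLE_PERMISSIONS[r] for r in self.effective_roles(name, at))

# Constructed scenario: Bob covers the approver's one-week vacation starting 2010-09-20.
VACATION_START = datetime(2010, 9, 20)
VACATION_END = VACATION_START + timedelta(days=7)

def bob_can_approve(policy):
    # (allowed during the vacation, allowed a month after it ended)
    checkpoints = (VACATION_START + timedelta(days=1), VACATION_END + timedelta(days=30))
    return tuple(policy.is_allowed("bob", "invoice:approve", t) for t in checkpoints)

def standing_grant():
    """Weak: the backup holds the approver role permanently, as the comment describes."""
    p = AccessPolicy()
    p.add_user("bob", "ap_clerk", "ap_approver")
    return bob_can_approve(p)

def delegated_grant():
    """Corrected: the approver role exists for Bob only while he is actually covering."""
    p = AccessPolicy()
    p.add_user("bob", "ap_clerk")
    p.delegate("bob", "ap_approver", VACATION_START, VACATION_END)
    return bob_can_approve(p)
```

The same check works for any permission and point in time, so a periodic access review can replay it against the last month of approvals to find rights exercised outside a coverage window.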


Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

September 2010
