The cybersecurity industry, being a subset of the IT industry, loves its acronyms and fancy terms. For someone who is on the lookout for a solution that helps protect their business, this can be overwhelming, confusing, or frustrating, and usually all three of the above. That’s why we’re introducing a new series explaining some of the more fancy terms of the cybersecurity industry. We will keep them short, to the point and with a good dose of humor.
Zero Trust is not a technology. It’s a concept. You cannot buy a “Zero Trust Solution”. The term was probably coined in some marketing committee meeting by a guy who just wanted the meeting to end so he could get lunch. Now dozens of cybersecurity companies can confirm that their solution supports Zero Trust because marketing says they do.
But that marketing dude didn’t come up with it on his own. The term was first used in a doctoral thesis prior to 2015 and eventually wormed its way into that marketing meeting. Since you can’t make a decent acronym out of two words (ZT? Nah, just keep it Zero Trust), it stuck. For the past year, leading IT platform vendors and cybersecurity providers have had well-documented examples of “zero trust architectures or solutions”, though “well-marketed” might be the more accurate term.
But we digress.
Zero Trust is really simple: Trust no one. Never. This concept not only helps in politics or organized crime, but also in securing your data. A widely used analogy helps to illustrate the idea.
Raiding the fridge, not the castle
Before Zero Trust became popular, the infrastructure concept basically drew a line between inside the network and outside the network. It was a digital medieval castle, to be precise. One with a high, impenetrable wall, a moat and a drawbridge. Once you were inside the castle, there was nothing that would stop you from going anywhere inside the castle walls.
Zero Trust, in this analogy, is different. It’s like you enter the castle blindfolded (another relation to organized crime) and when the blindfold is removed you find yourself in the kitchen with the doors locked. The only thing you can do is to raid the fridge (which might be worse than doing damage to any other room in the castle, but let’s overlook that small flaw in the analogy). You have no opportunity to map the layout of the castle, to locate the gold and jewels, or to search for the princess’s bedroom. Once you’ve cleaned up after raiding the fridge and you’ve been discovered, you’re blindfolded again and thrown into the moat.
In IT terms, that is a Zero Trust infrastructure. In the real computerized world, it’s not as easy as accompanying one person to a certain room and back. It’s quite a bit more complex. You need granular authorizations (some users are only allowed in the kitchen, some in the dining hall, some in the dungeon, etc.). You have to ensure they cannot sneak around to other areas in the server (blindfolding them), and as you guide them through the network you need to allow the shortest possible route.
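The ideas in the paragraph above (granular authorizations, the blindfold, getting thrown out once discovered) can be sketched in a few lines of Python. This is an added example, not code from the article or from any product; the user names, room names and the `ZeroTrustGate` class are made up for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy using the article's castle rooms (illustrative names only).
GRANTS = {
    "cook": {"kitchen"},
    "steward": {"kitchen", "dining-hall"},
    "jailer": {"dungeon"},
}
RESOURCES = {"kitchen", "dining-hall", "dungeon", "treasury"}


def perimeter_allows(source_inside_wall: bool, resource: str) -> bool:
    """Castle model: one check at the gate, then every room is reachable."""
    return source_inside_wall and resource in RESOURCES


@dataclass
class ZeroTrustGate:
    grants: dict
    revoked: set = field(default_factory=set)

    def authorize(self, user: str, authenticated: bool, resource: str) -> str:
        """Evaluate every request on its own; network location is not an input."""
        if (not authenticated or user in self.revoked
                or resource not in self.grants.get(user, set())):
            # Same answer for "forbidden" and "no such room" (the blindfold):
            # a denied caller cannot map what else exists.
            return "deny"
        return "allow"

    def revoke(self, user: str) -> None:
        """Thrown into the moat: later requests fail even for granted rooms."""
        self.revoked.add(user)


def demo() -> dict:
    gate = ZeroTrustGate(GRANTS)
    results = {
        "perimeter_cook_treasury": perimeter_allows(True, "treasury"),
        "zt_cook_kitchen": gate.authorize("cook", True, "kitchen"),
        "zt_cook_treasury": gate.authorize("cook", True, "treasury"),
        "zt_cook_nonexistent": gate.authorize("cook", True, "armoury"),
    }
    gate.revoke("cook")
    results["zt_cook_kitchen_after_revoke"] = gate.authorize("cook", True, "kitchen")
    return results


if __name__ == "__main__":
    print(demo())
```

In the perimeter model the cook reaches the treasury simply by being inside the wall; at the Zero Trust gate the same cook gets the kitchen and nothing else, and a request for a room that does not exist looks identical to one that is merely forbidden.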
Tailor your solutions
Many cybersecurity solutions automate all that, or at least make the task less complex and more straightforward. That means you must weigh what a solution really offers against your own requirements. If you only have a few applications, there is no need for a feature-heavy product built to cover hundreds of them. A product which focuses on Microsoft Office 365, to take a common example, might be all you need.
In spite of the complexity and effort needed to implement a Zero Trust environment, it is certainly a good idea to follow that “Zero Trust” principle when designing an IT infrastructure. After all, the mafia has essentially been around for hundreds of years and they follow the same principle.