It’s always an indicator of confusion when instead of hearing “I want Q” I’m asked “what is Q?”. In this case the ‘Q’ is Zero Trust. I’ll try and give my best take on what I understand Zero Trust to be.
Let’s start with the background. Quite a while back the Jericho Forum proposed a changed trust model to the effect that if hosts could be self-defending, then perimeter controls were not required. There was interest in the idea of more secure hosts but the proposal had flaws in that there weren’t many organizations where all hosts were managed or controlled, and network or volumetric DDOS attacks meant even well managed hosts could be DOS’d without network controls.
There was a variation on the Jericho-like models where a central security controller would be used to manage all security. This was a pre-cursor to NAC, and the model had the flaw that the controller itself would become the target, including by DDOS. There was an improvement that the concept of unmanaged hosts could be an asset that was defended somehow. This became the precursor that we would later call NAC, although NAC’s scope would be much more precise and deal better with availability. NAC isn’t everywhere though because of other challenges, however NAC is a viable safeguard.
Zero Trust seems to be a variation on Jericho and NAC, with instead of the focus being on self-defending hosts the model is based on not allowing activity to untrusted entities. It turns out that denying untrusted entities goes back 30 years in firewalling as ‘Deny-All’. It’s been a best practice that the last rule in a firewall rules base is almost always Deny-All. Another long serving principal has been least-privilege, meaning that you don’t allow entities to have more privilege than they need.
Lots of Security Technologies and Markets That Get Into the Discussion
Microsegmentation has been a very cool area of security tech. In a nutshell, microsegmentation is about being more explicit about what privileges zones have to communicate, and having more zones, and not limiting communication to ‘north-south’. The most common example of north-south communication is internet-webserver-appserver-dataserver. I mention microsegmentation because it evolved to deal primarily with enforcing separation and segmentation for mostly east-west communication in response to increased lateral movement attacks. One example use case is making sure the dev web server doesn’t communicate with the live prod web server. In short, a technology to make sure that just because things were at the same tier they weren’t assumed to trust one another.
I include IPS and EPP as technologies here as well. EPP because an agented endpoint has exceptional security value, and IPS for providing virtual inline patching means that unmanaged or unagented endpoints can still be protected and not be exploited as well. In allowing A to talk to B, the state of A and B has great security relevance.
Naughty Marketing Has Confused Things
I’ve observed that conflating what the zero and trust mean has been an issue. One group of definitions and marketing has been that you end up not having to trust anything and thus have zero risk. Ugh. Trust isn’t binary except in very few environments. Think about IoT. Knowing that something is unpatched, doesn’t have an agent, and yet must be a member of my network is very useful. An MRI machine. Do I trust it? Not completely. The second group of definitions center on not trusting things blindly being the solution. That is a much more reasonable view, and is what Deny-All has always been about, and maybe those rules or exceptions above the Deny-All rule. And within that Deny-All variation sometimes elements of least-privilege are attached.
So What Is Zero Trust?
I don’t think that Zero Trust is a market or a product type. Buying a product with a lot of Zero Trust labeling won’t fix your security on its own. My thinking is that Zero Trust is more a model or guiding design principal. Deny-All, least-privilege, NAC, and microsegmentation may be some or all of the technologies or approaches. Never be deluded that security architecture is easy: in my opinion it is the most advanced and challenging role and task in security. All security architectures do need to consider though whether the network is too flat, how are unmanaged endpoints dealt with, and regulating separation, segmentation and isolation. So look to implementing the good principles of Zero Trust, but beware of overly enthusiastic marketing of it as being something it likely isn’t. I like Chase Cunningham’s blog post on “Zero Trust On a Beer Budget”. (go.forrester.com/blogs/zero-trust-on-a-beer-budget)
OK, OK, But What Products Enable Zero Trust?
Yeah, I do tend to go on, sorry. So here are the products within the Trend portfolio that best help implement a Zero Trust model, and what element:
- EPP (Endpoint Protection Platform): an agented endpoint minimizes losing control, and maximizing identification. 2FA, whitelisting, app control, and encryption on endpoints. Apex One
- CWPP (Cloud workload Protection Platform): provides whitelisting apps and resources, control of servers and containers in multi-cloud. Deep Security
- Network IPS: Shielding resources that can’t be otherwise managed. TippingPoint
- Network Analytics: mapping out afterwards where you have holes in your architecture, especially for ‘surprise’ lateral movements. Deep Discovery