How to make "Zero Trust" not only a buzzword
From zero to hero
A commentary by Dr Kai Martius, Chief Technical Officer, secunet Security Networks AG

Zero Trust and Zero Trust Architectures (ZTA) seem to be the new silver bullet for IT security. Are they? Or is Zero Trust just another pixie dust? First, the term is somehow misleading to me. I don’t want to live in a skyscraper built by a zero trust architect(ure). But as an engineer, I don’t want to bash my, honestly, really creative marketing folks too much, who often promote terms like this. So let's see what Zero Trust can and should mean.

For a start, if it means reducing the inflationary use of the T-word to zero, I’m totally in. If it further means shifting the focus to trustworthiness instead: yes, please! We really need to look for ways to provide reasons to trust our IT systems.

Looking at some ZTA-related concepts like “data-centric security”, it feels like sitting in a super-secure war room on the rooftop of my ZTA skyscraper and hoping that everything underneath will be safe enough to keep the skyscraper from collapsing. Because I don’t trust, sometimes I look into a random floor downstairs and see a lot of people running around repairing crumbling plaster and stuffing holes in the wall. It seems I hit another "Patch Day". Don’t get me wrong: of course we need to patch vulnerabilities, and today we are very good at bringing the patch to the hole in the wall quickly. But do you feel comfortable when every day someone rings the bell and fixes a hole in your structure that you weren’t even aware of?

Ok, let’s be a bit more positive: good ZT architects make me feel much better in my war room on the rooftop when they build strong supporting pillars into all floors. If something breaks, a second line of defense is there. It is common knowledge in security engineering to build systems on the concept of “defense in depth“. Whenever possible, you should make use of this principle, as it’s really hard to gain enough trustworthiness (here it is again) in one single pillar. Whether the whole architecture is called ZTA today or something else tomorrow - the concept is good. Two-factor authentication (2FA) is a very good concept too. Using virtual machines as a second separation layer around container workloads is also very helpful in case someone attacks your service.

Another take on ZT is a distributed or layered arrangement of checkpoints. Because there are so many different housemates with so many different notions of “trust“ in my skyscraper, a single guard at the ground floor would simply have to admit too many people. Of course, it would not be wise to check access only at my war room on the rooftop either, which is pointless when someone blows away the second floor.

So, a very first “entry check“ could be to validate a base identity. However, a bag or parcel check at the ground floor is impossible, as there is encryption everywhere today. Now trustworthiness comes into play again: if the parcel comes from a trustworthy delivery service, it can be sent to the second floor. Ultimately, you should only open the parcel when you know who sent it. You see: a good layered approach could be rights management on the application data layer, transport encryption and client certificate validation with TLS, and rather coarse-grained access control on the network layer with VPNs.

Sometimes you have to accept parcels from somewhere you don’t know. Then it would be a good idea to have a bunker room that is strong enough that our skyscraper does not collapse if something explodes. Today we have such building blocks in the form of virtual machines for isolated environments.

So, if we don’t have the super-trusted single guard at the ground floor anymore, how do I tell all the checkpoints spread throughout the building (also called "policy enforcement points") what to let in and what not? I admit, this layered approach is more complicated to manage than a single perimeter firewall. If ZTA products help you to manage these different layers easily: that’s really an improvement!
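To make the layered approach from the two paragraphs above concrete, here is a small policy enforcement point that runs the three checks in order: network layer (is the peer inside the VPN range?), transport layer (was a client certificate presented, did the TLS stack validate the chain, and was it issued by a CA we accept?) and application layer (does the identity from that certificate have the right to perform the action on the data object?). This is an added example, not code from the author or from secunet; the address ranges, CA name, identities and rights table are constructed for illustration, and the `ClientCert` class stands in for whatever fields a real TLS stack exposes from a validated certificate.

```python
"""Layered policy enforcement: network, transport and application checks in sequence.

Added example; the policy data below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# --- constructed policy data ------------------------------------------------
# Network layer: only clients arriving through the VPN tunnel range are admitted.
VPN_NETWORKS = [ipaddress.ip_network("10.8.0.0/16")]
# Transport layer: client certificates must have been issued by one of these CAs.
TRUSTED_CLIENT_CAS: Set[str] = {"Example Corp Client CA"}
# Application layer: per-identity rights on data objects.
APP_RIGHTS: Dict[str, Dict[str, Set[str]]] = {
    "alice@example.com": {"orders": {"read", "write"}, "invoices": {"read"}},
    "bob@example.com": {"orders": {"read"}},
}


@dataclass
class ClientCert:
    """Stand-in for the fields a TLS stack exposes from a validated client certificate."""
    subject: str   # identity asserted by the certificate (e.g. an e-mail SAN)
    issuer: str    # CA that signed it


@dataclass
class Request:
    source_ip: str
    tls_verified: bool                 # did the TLS stack validate the certificate chain?
    client_cert: Optional[ClientCert]  # None if the peer presented no certificate
    resource: str
    action: str


@dataclass
class Decision:
    allowed: bool
    layer: str     # layer that produced the decision
    reason: str


AUDIT_LOG: List[str] = []  # denials are recorded here so a SOC can see which layer held


def check_network(req: Request) -> Optional[str]:
    """Coarse-grained check: is the peer inside a VPN range? Returns a denial reason or None."""
    try:
        addr = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return f"unparseable source address {req.source_ip!r}"
    if not any(addr in net for net in VPN_NETWORKS):
        return f"{req.source_ip} is outside the VPN ranges"
    return None


def check_transport(req: Request) -> Optional[str]:
    """Transport check: certificate present, chain validated, issuer trusted."""
    if req.client_cert is None:
        return "no client certificate presented"
    if not req.tls_verified:
        return "client certificate chain did not validate"
    if req.client_cert.issuer not in TRUSTED_CLIENT_CAS:
        return f"issuer {req.client_cert.issuer!r} is not a trusted client CA"
    return None


def check_application(identity: str, resource: str, action: str) -> Optional[str]:
    """Fine-grained check: rights on the data object, keyed by the identity the transport layer established."""
    rights = APP_RIGHTS.get(identity, {}).get(resource, set())
    if action not in rights:
        return f"{identity} may not {action} {resource}"
    return None


def _deny(layer: str, reason: str) -> Decision:
    AUDIT_LOG.append(f"DENY at {layer} layer: {reason}")
    return Decision(False, layer, reason)


def enforce(req: Request) -> Decision:
    """Run the layers in order; the first failing layer denies (fail closed) and the denial is logged."""
    reason = check_network(req)
    if reason:
        return _deny("network", reason)
    reason = check_transport(req)
    if reason:
        return _deny("transport", reason)
    # The identity comes from the validated certificate, never from a client-supplied header:
    # we only "open the parcel" once we know who sent it.
    identity = req.client_cert.subject
    reason = check_application(identity, req.resource, req.action)
    if reason:
        return _deny("application", reason)
    return Decision(True, "application", f"{identity} may {req.action} {req.resource}")


if __name__ == "__main__":
    alice = ClientCert("alice@example.com", "Example Corp Client CA")
    for req in [
        Request("10.8.3.7", True, alice, "orders", "write"),
        Request("192.168.1.5", True, alice, "orders", "read"),
        Request("10.8.3.7", True, ClientCert("mallory@example.com", "Unknown CA"), "orders", "read"),
        Request("10.8.3.7", True, ClientCert("bob@example.com", "Example Corp Client CA"), "orders", "write"),
    ]:
        d = enforce(req)
        print("ALLOW" if d.allowed else "DENY ", d.layer, "-", d.reason)
```

Each layer can only deny, never grant on its own, so a gap in one pillar (a VPN range that is too wide, a CA that was compromised) still leaves the remaining checks standing, and the audit log tells you which layer actually held. In a real deployment the network check lives in the VPN gateway, the transport check in the TLS terminator, and the rights table in the application, which is exactly the management problem the paragraph above describes.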

What do IT security concepts have to do with skyscrapers? (c) Getty Images

By the way, the multitude of trust relationships we face in today’s architectures and operator models was researched thoroughly in the concepts of multilateral security back in the 1990s. The idea behind them was to start at zero trust - and to build trust relationships between all involved parties until a participant was willing to share data with the others, naturally only under negotiated protection mechanisms.

Building trust until a relationship is trustworthy enough to share data is something we do all the time as humans. It starts with ZT, but ends up in trustworthiness.

Here we are again: trustworthiness. But the question is how to get there. We have to consider a huge technology stack, but in the end it comes down to the people, companies and countries that build and operate this technology stack in a (hopefully) secure manner. So when you make yourself aware of this huge networked tech stack, you can imagine what size of skyscraper we are talking about.

There is a lot of work underway to improve the situation in my skyscraper systematically. For instance, there are new rock-solid bricks like ”Rust“ (a more secure programming language) or magic doors (well-researched cryptography). A lot of opaque walls are being replaced by glass bricks (Open Source), giving much more transparency about how well a wall will hold. And we are starting to learn the laws of physics and how to calculate the statics of the building (mathematical proofs of correctness, automated test methods for software). Nothing about this is really new, but the multitude of interlocking approaches and technologies is making IT security more and more practical. Also, the issue is becoming more and more pressing. Just as it was only in the 20th century that new machines and knowledge enabled us to build skyscrapers, we are now in a position to implement truly secure IT infrastructures.

When we started to build today’s “world computer“ many years ago, did we do it the way we would have built a skyscraper in the Middle Ages? Sometimes it looks like that. But surely we can renovate it with the great technology bricks and knowledge we have had for some time now. We should constantly check, measure and challenge our level of trust. If Zero Trust is understood as making us work like this: great!

PS: Anyway, maybe my super-secure war room will be up for rent soon - I’m sure there will be someone who enjoys the view and still feels good there. But we have started to build a new bunker on a solid foundation, with rock-solid glass bricks from the bottom up. Anyone who wants to rent a room there? Not as great a view as from the top of the skyscraper, but it feels much safer!

secuview is the online magazine of secunet, Germany's leading cybersecurity company. Here you will find news, trends, viewpoints and background information from the world of cybersecurity for public authorities and companies. Whether cloud, IIoT, home office, eGovernment or autonomous driving - there can be no digitisation without security.

In addition to the online magazine, secuview is published twice a year as a journal, which you can subscribe to free of charge in printed form or download as a PDF.

© 2026 secunet Security Networks AG