I won’t bore you with explaining everything about the Zero Trust manifesto. But I believe ZT must be looked at for its successes or the apparent multitude of documented failures. It reminds me of the Harvard Balanced Scorecard. Great idea; but wholly impractical. For those unfamiliar, GSA has an excellent guideline on ZT Architecture (Google it). Before diving too deeply, let’s just define what Zero Trust was originally intended to be. Primarily it is described as a security framework that assumes an infinite, non-traditional network edge, but it also fails to consider the new evolutionary thinking of Singularity. It suggests that credentials and access must be foolproof, that data be protected in every round-robin transaction, and that all network security bases are covered. ZT unfortunately cannot constantly build complete trust at every possible endpoint. ZT fails to consider that, even incorporating ideas of Singularity and Quantum computing, the current global Internet contains trillions and trillions of floating endpoints, without even considering the effects of the many unknown risks emanating from the elusive Dark Net and clandestine Blockchain networks.
I’m assuming this audience is fully aware of ZT’s existence, even as a buzzword bandied around meetings, but maybe there are many executives that are not aware of its true purpose or intended outcome. GSA loosely describes ZT as a road map of an undefined journey without guarantees and no defined destination. It suggests that a structure of seven pillars is the core of the solution road map. Practically speaking, which I will expound on later in this blog, the ZT mantra is also almost self-defeating and unrealizable: “Trust Nothing. Trust No-one.” In my humble view this is a misplaced roadmap to a limitless maze of uncertainty that one never escapes, a loop that never ends. Apparently, the Zero Trust authors’ and implementers’ expectations were that it would become the irrefutable cure for all modes of technology failures that caused cybersecurity threats, breaches, ransoms, and disruption. Wrong.
As a reaction to the massive failures to protect the US internet that supports and supplies the public at large, public sector professional services, finance, healthcare, transportation, government and military, basically the entire 16 pillars of the DHS critical infrastructure, the US Congress passed S.3600, the Strengthening American Cybersecurity Act of 2022. Zero Trust is a reactionary component of this broad legislation. What has happened is that the academics, public and private institutions and technology product vendors have flooded the US and foreign marketplace with a large variety of solutions to address the degraded state of our ability to protect privacy, and the safety and soundness of our Internet world. Without being too cynical, I am sure there are huge government grants out there for the taking. Cybersecurity has proven to be a cash cow and big business, with every Tom, Dick and/or Harry jumping on the bandwagon to make their millions without any enforcement, government standards or extreme vigilance. How on earth does a general or a CIO know what to pick? Which ZT variant should I use? Are there any legitimate Zero Trust experts out there? What guarantees are there if I am breached or ransomed? This legislation, S.3600, reminds me of the Obamacare debacle, where translating 10,000 pages of legislation into a successful technology architecture proved nigh impossible. I say no more.
There is a growing variety of methodologies to implement the Zero Trust paradigm in all the different areas of architecting, designing and building IT solutions, as in ZT-NIST 800-207, ZTx eXtended, ZT-Forrester, ZTNA-Gartner/Lean, ZT-IT/IOT/IoMT, ZT-PAM, ZT-SecurityModel, ZTA-Architecture and ZTF-Framework, for starters. Additionally, there is a huge and maybe confusing array of vendors that offer the NIST approach to the Zero Trust landscape, each one with its product special interest to confuse and complicate the idea and essence of this somewhat arcane pillar-driven methodology. The Zero Trust marketplace includes Amazon Web Services, Appgate, Cisco Systems, F5 Networks, FireEye, Forescout Technologies, IBM, McAfee, Microsoft, MobileIron, Okta, Palo Alto Networks, PC Matic, Radiant Logic, SailPoint Technologies, Symantec, Tenable and Zscaler. Some of these are niche vendors that glue Zero Trust to their product lines to up their dwindling sales or to appear in vogue with the cybersecurity marketplace. I question the difference between jumping on the bandwagon for market domination versus the production of a real deterrent against our cyber enemies.
Let’s say for starters that my big peeve with ZT is that the philosophy is based on five or seven pillars (still up for debate). People, please! Are we still thinking in stovepipes in 2023? This manner of thinking has become so obsolete, and it is the reason that cybersecurity still plagues us constantly. It will continue to until we realize that the conservative wisdom of applying abstraction is the only science that stops us from placing rickety concrete realizations before the vision and strategy have had the chance to mature. Jumping the gun, coding before architecture, is a recipe for disaster. Starting at the tactical and DevOps level before evolving the vision and strategy and satisfying the business capabilities is the second recipe for disaster. Does Zero Trust address this? No.
No matter how much we indemnify our technology products, they fail us constantly. You should see my preventative maintenance history keeping my 2004 E500 Mercedes running. The O-rings on the Challenger were a painful lesson. The postponement of the Artemis I launch to the Moon was another example of almost the same problem, 20 years later. We as a species put so much effort into developing advancements, and we still constantly disappoint ourselves, yet when we get it right we marvel at our achievements. If Zero Trust means assume you can trust nothing, aren’t we applying self-defeatism and thus applying band-aids too late? The cure-all is that we have no alternative but to do it right in the first place, and then to test it over and over again until the widget can be trusted 110%.
Today, architects are confronting a Quantum world of rapid adaptation, different from the world of determinism that we have become too comfortable with. We really need to stop thinking in brittle frameworks like Zero Trust, and we need to be more flexible as a species. We are confronting a race against climate change. Maybe another Ice Age? We need to be nimble. Think of a framework as scaffolding. You take it down when the building walls and roof and all the external work are done. It’s a temporary state. We must start architecting in transformable ecosystems that fulfill the greater needs for fluidity and not just emulate the picture on the jigsaw box. Plus, the Ancient Greeks didn’t rely on symmetrical pillars as the solution; they incorporated them in a greater architectural view to support the classic world of philosophy and the roof of cosmic astrological learning. In other words, the pillars touch the heavens and extend Pi. Gentlemen. Everything is Mathematics.
The Failures of Zero Trust
The initial failures of ZT are naturally the users, who turn Zero Trust into a box solution. The majority of users struggle with cohesive device authentication, as well as with being able to log and monitor events at 100%. It only takes one breach. It is almost impossible to implement a fully Zero Trust strategy.
The ZT architect is overly challenged. It is impossible to apply deep forensics that suffice for a comprehensive ZT platform analysis of the current state of any IT solution, especially with out-of-date or little prior documentation going back at least 15 years. This is a GAP analysis that most organizations cannot afford to entertain. It’s costly and disruptive.
In terms of day-to-day operations, the effect of ZT on core operations is that it can potentially affect productivity, thus defeating its purpose to defend by creating more internal disruption than external safety. ZT, when implemented at every gate, can completely lock down access, bringing workflows to a grinding halt. Access to sensitive material can be so overwhelmed by ZT bureaucracy that communication and collaboration come to a standstill. Any minor role change could cause a lockout that creates systems admin recovery challenges, as usually they are overworked. As a general statement, ZT can cause productivity to plummet. Thus productivity becomes a bigger problem than cybersecurity itself, even though a breach can create havoc. Remember the Colonial Pipeline hack that left gas stations with no gasoline.
The GAP analysis is one of the nigh impossible functions of an Enterprise Architect, even with 20 years under his belt. In my own career I am constantly challenged with this aspect. This inability to know where you currently are in your security appraisals, together with the rigor needed to implement ZT, basically ends up as ZT not being implemented, either partially or not at all. Unfortunately, it just remains as a guideline (similar to Zachman), as well as a mental note for executives to slide from their responsibilities of hyper vigilance; even though we know it exists in an organization, no one truly knows or wants to divulge its actual level of successful deployment. In reality, failure to even implement a portion of ZT through oversight malaise costs the IT industry billions. Even though ZT elevates awareness, it is still not the cybersecurity cure-all it is meant to be. ZT guidelines cause more confusion, just like the ambiguity when DevOps was dropped in our laps by Microsoft. The hard question is whether the effort to deploy ZT, with very little evidence of success, versus its true overwhelming cost in time and money, is really worth it. Google started with Zero Tolerance, then it created Zero Incident to stagger the ability to recover, then came along Google Logging and Monitoring, Zero Trust and BeyondCorp Google Cloud. Remember, Google has billions of dollars to support its products and infrastructure. Not every organization can afford the expenditure, so unfortunately most take the risk and hope they never get attacked.
In short, Gartner warns that while Zero Trust aims to improve security, its implementation isn’t immune to risks: trust brokers are potential points of failure that can be targeted; any local physical device that can be accessed can be attacked and have data disrupted or exfiltrated from it; any user credential can still be compromised, as humans are not infallible against theft themselves; and a Zero Trust deployment can be an attractive target merely by its existence and lack of integrity.