Zero Trust (ZT) was heralded as a disruptive network architecture that would finally put an end to internal threats. It was also supposed to bridge the security gap between implicitly trusted internal network zones and untrusted perimeter defences — but did it?
The common view is that there is inadequate visibility, control and protection of user and application traffic transiting high-risk network boundaries, and the assertion that everything on the inside of an organization’s network should be trusted, is rather outdated. Enter Next-Generation Firewalls (NGFW), the devices tasked with addressing these problems and implementing Zero Trust.
The Zero Trust approach, first proposed by Forrester Research, was intended to address problems by promoting “never trust, always verify” as its guiding principle. With Zero Trust there is no default trust for any entity — including users, devices, applications, and packets — regardless of what it is and its location on or relative to the corporate network.
A Zero Trust network creates micro-perimeters of control and visibility around the enterprise’s most sensitive data assets and the ways in which the enterprise uses its data to achieve its business objectives.
The Zero Trust model eliminates the need to maintain two (or more) separate security zones, a trusted network (usually the internal network) and an untrusted network (external networks). This is an oversimplification, of course, and not every network will so easily be reconfigured. In essence, Zero Trust tries to address internal and external threats by designing networks from the inside out in a modular, scalable way.
It is important to note that Zero Trust isn’t a standard, but rather a conceptual approach to security that’s woven around three main points:
These statements can be implemented in any number of ways and still be classed as Zero Trust. Google was said to have implemented Zero Trust within their internal networks by deploying a home-grown solution, the Beyond Corp initiative, which improved on the three base ideas. There is no hard, prescriptive standard to which one must adhere.
The general idea is that by establishing Zero Trust boundaries which compartmentalize different segments of the network, you can protect critical intellectual property from unauthorized applications or users, reduce the exposure of vulnerable systems, and prevent the lateral movement of malware throughout your network. So it goes.
In a study commissioned by Fortinet in May 2015, Forrester was asked to survey 150 IT security decision makers that had implemented next-generation firewalls by asking them, among others, this question: “Once you implemented your NGFW, which of the following product features were actually used?” The results, shown in Figure 1, clearly demonstrate that only a small subset of features were ever utilized.
Despite a number of hardware vendors jumping on the ZT bandwagon, there has been a somewhat lackluster response and sluggish adoption. Marketers have had a great time flaunting NGFW to anyone willing to listen. After all, anything with NG stuck to the beginning is always better than the previous generation, isn’t it?
Figure 2 shows the web search interest in “Zero Trust” as reported by Google Trends. Clearly not a lot of trending going on — the whole ZT arena looks as though it has been sleeping.
In spite of the promising technical aspects of the solutions, I think there are four main reasons why there has been such a lack of interest in Zero Trust and next-gen firewalls, at least when it comes to securing internal networks.
The truth of the matter is that neither the approach nor the technologies tasked with improving security have caught on. And while some larger organizations were successful in implementing Zero Trust, a far greater number faced various difficulties when deploying these countermeasures on their physical networks.
Next-generation firewalls that embraced and implemented the Zero Trust model have become bloated, multi-purpose dinosaurs destined for obsolescence — largely due to the universal adoption of cloud computing.
Has Zero Trust missed the boat or will a maturing cloud ecosystem re-inflate interest in the model?