
John Linford at The Open Group outlines how far Zero Trust has come over the past few years and explains what companies need to focus on to ensure Zero Trust strategies remain successful
Zero Trust has come a long way over the last few years, and cyber-security stakeholders who have been following the evolving opinions, pitches, and debates around it might well have a sense of it as something that remains to some extent confusing, abstract, or conflicted.
As different users and vendors have weighed in on the methodology, we have witnessed just as many different angles on it emerge, with the result that it is not easy to know how to get started with Zero Trust – or, indeed, how to ultimately succeed.
Close observers, however, will have noticed that the journey Zero Trust has followed fits a familiar pattern seen in many other technological developments. It starts with a breakthrough on the conceptual level, in which people and teams working in research environments define a problem and offer a genuinely new route to respond to it.
For Zero Trust, its fundamental concepts were seeded as early as 2003 by groups like the Jericho Forum, and then launched to prominence in the cyber-security discourse by initiatives like Google’s BeyondCorp security model, which was detailed in a 2014 academic paper.
As often happens with conceptual breakthroughs, this signalled businesses to begin innovating on and exploiting the idea. Over the following decade, any number of tools, platforms, services, and products have been marketed on the basis of complying with, enabling, or underpinning a Zero Trust strategy.
In this period of diversification, there have been both valuable new offerings from vendors and, inevitably, developmental dead ends. Through it all, an intensifying environment of cyber-risk, in which both the rate of attacks and the damage they cause seem to rise inexorably, has been adding incentives to move to a more modern cyber-security strategy.
All of that leaves security decision makers in a potentially difficult situation. On the one hand, the problem identified by that 2014 Google paper – that the traditional perimeter-based security model is “increasingly difficult to enforce” and allows “relatively easy access to a company’s privileged intranet” once breached – is as true as ever.
There is significant pressure to find a more effective approach, and Zero Trust has been clearly marked as the destination that enterprises must travel towards. On the other hand, though, there are now so many promised routes towards that destination that taking the right first step is extremely difficult.
The good news is that Zero Trust is now arriving at the next stage of that familiar technological journey, in which all that innovation is used to inform the creation of a true standard: one that guides, in unambiguous and practical terms, the design and implementation of the technology.
Today, the best place to start with Zero Trust is a standards document like The Open Group Zero Trust Commandments. As with any standardisation effort, from USB connectors to Internet Protocol, a standardised model for Zero Trust raises quality and effectiveness for all concerned parties by enabling interoperability, creating shared assumptions about how systems should work, and allowing lessons and best practices to be effectively shared between organisations.
Accordingly, the Zero Trust Commandments take a holistic approach to the methodology, emphasising the cultural characteristics that make it successful as much as the technical aspects of implementation that make it possible. As such, they are a valuable aid to avoiding the pitfalls that early adopters of Zero Trust may have encountered.
By utilising experience and making deliberate decisions, we can avoid negative outcomes such as misallocating effort by attempting to secure every asset to the same degree (instead of considering value and risk), inadvertently encouraging users to take less secure routes to productivity (instead of educating on best practices and helping them succeed), and failing to account for changing working habits (instead of addressing these changes and building them into strategies).
This does not, of course, mean that Zero Trust should now be seen as a bulletproof strategy which will prevent damage 100% of the time. Indeed, as the Zero Trust Commandments make clear, one must “Assume Failure and Assume Success”, designing systems on the assumption that breaches will occur and building cultures around the principle that they will be able to recover from attacks, restore systems and resume operations.
After years of intensifying attacks, through which few enterprises will have entirely escaped the damage that a cyber-security breach can wreak, instituting that kind of optimism in IT teams and across organisations more broadly will be highly appealing.
As Zero Trust reaches the stage of mature standardisation, now is the time to seek it.
John Linford is Security & OTTF Forum Director at The Open Group
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543