Zero Trust is Genius… and an Oxymoron

Zero trust is not just about identity. It’s not just about data. At its core, it is about human nature, which is why it can be so hard. The genius of zero trust relies on the fact that it’s an oxymoron.
From a technical perspective, zero trust is about how identity, data, and networks have always carried inherent, multi-layered trust relationships. As technology has evolved, those relationships have been abstracted behind layers of software, creating dependencies that most users, and many technology practitioners, don't know exist, but that are exactly what adversaries look for to exploit. Like everything in today's software-driven, hybrid cloud-enabled technology world, we need a shift to new mental models that reconcile the oxymoronic genius of zero trust.
A foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. And yet, in SP 800-207, NIST identifies that legacy systems and existing infrastructures are built on "implicit trust," and that they must either be rebuilt or replaced. That is an impossible task, more akin to Sisyphus and his eternal boulder. I do not believe it can be done consistently and effectively using traditional hardware.
To even begin talking about the problem and possible alternatives, we need a common language. It is much easier to take a well-known term (with varying definitions) and use it to redefine and communicate concepts and ideas that can move the needle on how we secure technology. The genius is realized in the vision, not the reality. Zero trust today is a rebranding and re-packaging approach for incumbent vendors, but it’s also a spot on the horizon that makes us ask, “what if…”
For example, “What if the existing trust implicit in technology can be exorcised so the mechanisms adversaries use to exploit that trust are rendered irrelevant?” The genius in the oxymoron is that it gets us thinking.
That is the spot on the horizon where I want to be. In one respect, it requires the world to fundamentally transform how we do technology. That won't happen today, but as the movie Gladiator put it (in a line often attributed to Marcus Aurelius), what we do now echoes in eternity. I believe the echo from eternity shouts that a threat-informed, cloud-native approach to zero trust is achievable today. This is at the heart of NIST's and OMB's zero trust initiatives and becomes the stepping stone to reach that spot on the horizon.
Removing uncertainty is a big thing for us at RockITek, so we really get on board when NIST states that zero trust is designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions. The more uncertainty we can remove from risk management, the better off we are. For that to happen, zero trust principles need to result in zero trust architectures (ZTA) that make trust relationships explicit, define the authentication and authorization workflows, and encode the policies that enforce them on every request. I believe the best way to implement and consistently operate a ZTA is using AWS native services, because AWS was designed with these principles from the start. Stay tuned for a follow-up blog, where we'll explore the anti-Sisyphus alternative: rebuilding or replacing the implicit trust built into today's systems.
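To make "least privilege per-request access decisions" concrete, here is an added example (not code from the original post, and not AWS's policy engine) of a tiny policy decision point. It runs the same request through a perimeter model, where being on the corporate network is the entire check, and through a zero-trust model, where every request is denied unless it matches an explicit grant and carries verified identity, device and session signals. The principal names, the 10.0.0.0/8 corporate range, the sample ARNs and the grants are all constructed for illustration.

```python
"""Per-request, least-privilege access decisions: perimeter model vs. zero trust.

Added illustration only. The policy format, the corporate range, the principals
and the resource ARNs are constructed assumptions, not a real environment.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Assumed corporate address range. Only the perimeter model looks at it.
CORP_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    principal: str
    action: str
    resource: str
    source_ip: str
    mfa_verified: bool = False
    device_compliant: bool = False
    session_age_min: int = 0


def perimeter_allow(req: Request) -> bool:
    """Legacy model: network location is the whole authorization check.

    Identity, action and resource are never examined. That is the implicit
    trust an attacker with a foothold inside the network inherits for free.
    """
    return ip_address(req.source_ip) in CORP_NET


# Explicit, least-privilege grants: (action, resource pattern) per principal.
# Constructed sample policy; the bucket names are placeholders.
POLICY = {
    "alice": {("s3:GetObject", "arn:aws:s3:::payroll-reports/*")},
    "ci-bot": {("s3:PutObject", "arn:aws:s3:::build-artifacts/*")},
}


def zero_trust_decide(req: Request, policy=POLICY, max_session_min: int = 60) -> tuple[bool, str]:
    """Evaluate one request: default deny, and no credit for network location."""
    grants = policy.get(req.principal, set())
    if not any(req.action == act and fnmatchcase(req.resource, pat) for act, pat in grants):
        return False, "deny: no explicit grant for this action on this resource"
    if not req.mfa_verified:
        return False, "deny: identity not strongly verified (MFA)"
    if not req.device_compliant:
        return False, "deny: device posture not compliant"
    if req.session_age_min > max_session_min:
        return False, "deny: session too old, re-authenticate"
    return True, "allow: explicit grant, verified identity, compliant device, fresh session"


def compare(req: Request) -> dict:
    """Run both models on the same request so the difference is visible."""
    zt_ok, reason = zero_trust_decide(req)
    return {"perimeter": perimeter_allow(req), "zero_trust": zt_ok, "reason": reason}


if __name__ == "__main__":
    # Constructed sample: an attacker-controlled host inside the corporate network, no grant.
    inside_stranger = Request("mallory", "s3:GetObject",
                              "arn:aws:s3:::payroll-reports/q1.csv", "10.20.30.40")
    # Constructed sample: a legitimate user working remotely with MFA on a managed device.
    remote_alice = Request("alice", "s3:GetObject", "arn:aws:s3:::payroll-reports/q1.csv",
                           "203.0.113.7", mfa_verified=True, device_compliant=True,
                           session_age_min=5)
    for r in (inside_stranger, remote_alice):
        print(r.principal, compare(r))
```

The point of the comparison is the two mismatches: the perimeter model allows the stranger on the inside and denies the verified employee on the outside, while the zero-trust model decides the other way round because it evaluates who is asking, for what, with which signals, on every request. Any real deployment would pull the MFA, device posture and session inputs from an identity provider and device management system rather than from request fields.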
Today’s Takeaway
You can fast-track your move to a ZTA by migrating your technology platforms to AWS, using cloud-native services that build on top of AWS's internal ZTA. If you're short on resources, there are many highly skilled AWS Migration Competency Partners out there to guide you along your cloud-native migration path. This should be a core part of your cloud strategy. As the Cloudflation article I posted about earlier this week identified, many who have gone before planned for reduced costs but lacked the required shift in mindset to design their applications in alignment with their business goals, so they could not realize the value they expected from the cloud.
About RockITek, LLC | RockITek is a progressive Technology Partner + Enterprise Distributor to manufacturers of revolutionary technologies that have the potential to impact the world. We thrive at solving problems faced by the thousands of Independent Software Vendors (ISVs) with trailblazing software capabilities being marketed across a variety of markets. Our unique approach rapidly matures and continuously maintains the security of your SaaS to US government standards; automates cloud marketplace(s) and enterprise transactions from purchase to deployment to payment; and creates an enabling ecosystem for continuous growth for all partners. We are a small business (NAICS 541519) with a GSA Federal Supply Schedule 47QTCA19D0085.