There’s a lot of buzz around DISA’s recent announcement heralding a shift to a “zero trust” security strategy for the DoD. There are also a lot of questions. What does it mean? Is it good? What’s actually changing? Clearly, any strategic change for an organization the size of DISA is non-trivial. But this change is a good one, in my opinion, as I’ve been a believer for a long time. You had me at hello.
What is Zero Trust?
Zero trust is a mindset. It strives to eliminate all assumptions when making security decisions. What’s wrong with assumptions in security analysis? Nothing, provided they are rational. The thing is that, whether rational or not, they almost always weaken security guarantees. Traditional security mindsets focus on risk, calculated as the product of impact and likelihood, and prudently apply resources according to the score.
The zero trust model recognizes that the underlying factors that determine the risk score are influenced greatly by the number and manner of assumptions made by the person doing the calculating. These assumptions can range from environmental conditions to attacker motivation to the effectiveness of compensating security controls. Assuming, for example, that an attacker is motivated by money alone, or that hostile network traffic is filtered out at the edge firewall, leads one to assign a significantly lower risk score to an internal asset, and so to invest correspondingly less in protecting it. That kind of calculus has led to the “castle and moat” strategy for defending computer networks, which has dominated for decades: a hard perimeter, and a soft interior that trusts anything already inside. Refusing to make those same assumptions, however, leads to an entirely different, more layered defense in which every access is checked on its own merits. That’s the difference, and, in a nutshell, the essence of what’s changing at DISA.
The Rise of Zero Trust
Within the modern information security community, zero trust now seems to be conquering mindshare on a scale that rivals the Enlightenment. Given DISA’s announcement, its proponents now include the world’s top experts in both the public and private sectors. It’s turning heads. It’s interesting to note, however, that it’s a concept that has taken a while to bloom in information security, even though similar practices have been in place in the physical world for some time.
Consider the way that most corporate physical office security is implemented. In larger companies and office buildings, employees are typically required to display their access credentials openly while on premises, even though they have already passed a security check on the way in, and badge readers re-check those credentials at every sensitive door. That is exactly the posture we are likely to see in a zero trust network: the perimeter may still be worth recognizing and defending, but we can’t count on it entirely, and it isn’t smart to put all of our security there.
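To make the difference between the two postures concrete, here is an added illustration (it is not code from DISA, Wickr, or the original post): the same handful of requests judged first by a castle-and-moat rule that trusts anything with an internal source address, and then by a per-request rule that ignores the source network and instead demands a verifiable credential plus an explicit authorization for the resource. The network range, the signing key, the users, the policy table and the sample requests are all constructed for the example.

```python
"""Added illustration: the same requests judged by a perimeter-only policy
and by a per-request ("zero trust") policy. Not code from DISA or Wickr;
all names, networks and keys are constructed for the example."""
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical "inside the moat" range and a demo-only signing key.
INTERNAL_NET = ip_network("10.0.0.0/8")
SIGNING_KEY = b"demo-only-key"

# Hypothetical access policy: who may reach which resource. Under zero
# trust this is consulted on every request, wherever it comes from.
POLICY = {
    "alice": {"payroll", "wiki"},
    "bob": {"wiki"},
}


@dataclass
class Request:
    source_ip: str
    resource: str
    token: Optional[str]  # "user:hexmac", or None if no credential presented


def issue_token(user: str) -> str:
    """Mint a demo credential bound to a user (HMAC-SHA256 over the name)."""
    mac = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the user the token vouches for, or None if absent or forged."""
    if not token or ":" not in token:
        return None
    user, mac = token.rsplit(":", 1)
    expected = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None


def castle_and_moat(req: Request) -> bool:
    """Perimeter model: anything already inside the network is trusted."""
    return ip_address(req.source_ip) in INTERNAL_NET


def zero_trust(req: Request) -> bool:
    """Per-request model: identity must be proven and authorized every time;
    the source network is not a factor in the decision."""
    user = verify_token(req.token)
    if user is None:
        return False
    return req.resource in POLICY.get(user, set())


def compare(requests):
    """Evaluate each labelled request under both models.
    Returns a list of (label, allowed_by_moat, allowed_by_zero_trust)."""
    return [(label, castle_and_moat(r), zero_trust(r)) for label, r in requests]


# Constructed sample traffic.
SAMPLE = [
    ("attacker on internal LAN, no credential",
     Request("10.1.2.3", "payroll", None)),
    ("alice at her desk",
     Request("10.1.2.4", "payroll", issue_token("alice"))),
    ("alice working remotely",
     Request("203.0.113.7", "payroll", issue_token("alice"))),
    ("bob overreaching from inside",
     Request("10.1.2.5", "payroll", issue_token("bob"))),
    ("forged token from inside",
     Request("10.1.2.6", "wiki", "alice:" + "0" * 64)),
]

if __name__ == "__main__":
    for label, moat, zt in compare(SAMPLE):
        print(f"{label:42} castle-and-moat={moat!s:5} zero-trust={zt}")
```

The two cases worth staring at are the first and the third: the perimeter rule waves through an intruder who has already reached the internal LAN and turns away a legitimate remote employee, while the per-request rule gets both right because it never asked where the packet came from. In a real deployment the credential would be a short-lived signed token or mTLS identity and the policy would also weigh device posture, but the shape of the decision is the same.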
Zero Trust as a Strategy
As a concerned, often cynical (and always sarcastic) citizen, my reaction to any new government program is, “Great — how much is this one going to cost us?” Thankfully, this one’s not about throwing everything out and starting over.
In many ways, we can argue that zero trust is just an Nth-degree application of traditional security techniques like defense in depth and least privilege. It’s a strategy change, and strategy is everything. While there is usually more than one good strategy that can lead to success, a bad strategy is really hard to overcome. Innovation will lead to new tools in key areas, especially when they’re built on the concept of zero trust and supportive of the top-level strategy. But often, all that will be required is to use existing tools in different ways. Perimeter security tools are a perfect example. They won’t be obsolete once zero trust is applied, but they will likely be reconfigured, redeployed closer to the assets they protect, or both.
If I sound like I love it, it’s because I really do. I believe zero trust is the ultimate pragmatic approach to delivering security, informed by years of experience and devotion to security reality vs. security theory. We know how systems are breached, we know what we’re good at and we know where we’re doomed to fail, so we need to tilt the playing field toward success.
When we designed Wickr, we were determined to improve on the risk-based security designs of the time, which included thinking that it was okay for a messaging system to leave messages unprotected at certain points along the path of delivery from sender to receiver. The assumption that influenced that risk calculation was that the service provider and its systems could be trusted to protect our data. At Wickr, we did NOT make that assumption and that, as Frost said, has made all the difference. Now, based on their experience securing the cyber battlefield, DISA is adopting a similar mindset. So, you might say that Wickr and DISA have zero in common. Only in this case, zero is everything.