What's wrong with Zero Trust?
Why terminology matters and why we need each other.
Be prepared – we might upset some people here. We’ll be taking issue with a well-used and oft-touted term in the cybersecurity world today. Please hear us out. And please remember, we’re on the same team. We all want a safer cyber world. And in order to accomplish a safer cyber world, some questions need to be asked. Is our terminology contributing to some unintended mistrust among people in the field of cybersecurity? What’s wrong with the Zero Trust security model?
Among cybersecurity professionals, it’s an unfortunate fact that we are trained, whether explicitly or implicitly, not to trust our colleagues in the field. Here is what’s wrong with Zero Trust security, why we need each other, and some ideas for how to do better.
Zero Trust Model vs. Dedicated Trust
Zero Trust Security is the model based on the concept that no user should be granted unearned or default trust. “Never trust, always verify.” This means that every user who accesses a network should be both authorized and authenticated prior to gaining access to a network, whether they are inside or outside the physical network location, and whether they have accessed the network in the past or not.
We agree with all of these concepts. Every network should start with verification first. We don’t issue trust until we validate the resource, and we trust only validated sources.
Our disagreement comes with the terminology. The Zero Trust security model is named to indicate that it is not appropriate to trust any user. Zero Trust, while helpful to explain the process prior to allowing a user into a network, is not the whole process.
Dedicated Trust Security
What we are actually practicing in these scenarios is Dedicated Trust Security. Once a user is authenticated, and as long as they continue to be authorized, we DO trust. We need to issue some trust. There are few opportunities to accomplish a business or network task without trusting some users at some levels of access.
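A small added illustration of the distinction drawn above (example code, not from the original post): a legacy perimeter check that treats "inside the network" as proof of identity, beside a per-request check that authenticates and authorizes every access regardless of location or past access, and keeps trusting only while the grant still exists. The token format, signing key, addresses and grants are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import ipaddress
import time

SECRET = b"constructed-demo-signing-key"          # constructed demo value
CORP_NET = ipaddress.ip_network("10.0.0.0/8")     # the "inside" of the physical network

def issue_token(user: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Credential proving a completed authentication; expiry bounds that proof."""
    exp = int((time.time() if now is None else now) + ttl)
    body = f"{user}:{exp}"
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"

def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user if the token is intact and unexpired, otherwise None."""
    try:
        user, exp, mac = token.split(":")
        expires = int(exp)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return user if (time.time() if now is None else now) < expires else None

@dataclass
class Authorizations:
    """Current grants; removing a grant ends trust on the very next request."""
    grants: dict = field(default_factory=dict)

    def allows(self, user: str, resource: str) -> bool:
        return resource in self.grants.get(user, set())

    def revoke(self, user: str) -> None:
        self.grants.pop(user, None)

def perimeter_decision(src_ip: str) -> bool:
    """Legacy model: being 'inside' is itself taken as proof of identity."""
    return ipaddress.ip_address(src_ip) in CORP_NET

def dedicated_trust_decision(src_ip: str, token: str, resource: str,
                             authz: Authorizations, now: Optional[float] = None) -> bool:
    """Every request: verify who is asking, then check the grant still exists.
    src_ip is accepted only to show that location plays no part in the answer."""
    user = authenticate(token, now)
    return user is not None and authz.allows(user, resource)
```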
Trust in Systems vs. People
The problem comes when we apply the Zero Trust security model to people and not just technology. Avoiding vulnerability in technology systems is a good and healthy goal, but avoiding vulnerability with people can be detrimental.
“Right from the start, the name zero trust has unwelcome implications. On the surface, it appears that management does not trust employees or that everything done on the network is suspect until proven innocent. While this line of thinking can be productive when discussing the security architecture of devices and other digital equipment, security teams need to be careful that it doesn’t spill over to informing their policy around an employer’s most valuable asset, its people,” said Jason Meller, CEO and founder at Kolide (from this TechRepublic article).
If not granted proper access, employees can start to feel that they are not trusted to do their jobs and become disgruntled, when what we really need is for teams and cross-sector organizations to create trust and share information.
Companies who use the Zero Trust security model will be wise to communicate very clearly with employees, to explain what it means and how it benefits the employee as well as the company. Otherwise, it’s easy for a culture of mistrust to fester. Manav Khanna, writing for AT&T Business, says, “This action [Zero Trust] is a step in the right direction, but it also has the potential to raise fears and generate negative responses from employees. Zero Trust security could instill demotivation and resentment if taken as a sign of poor faith and mistrust, accelerating turnover rates and bringing the Great Resignation to a peak.”
The Need for Trust
The Zero Trust security model's terminology is repeated and championed across the cyber world. It’s a loud proclamation from most cybersecurity educators and advocates. “Trust no one” has become the collective battle cry.
We understand the logical intent of this and the application to the machine systems we all work with. In addition, we need to ask about the human aspect. Could it be that, as professionals in the cybersecurity field, we are unintentionally creating a space and a culture where people do not trust each other?
If so, this will create a number of negative consequences.
Without trust, we cannot learn from the data, successes, and failures of others. Without trust, we cannot share and build on the knowledge of others. Without trust, we even start to feel alone in the challenges we face. This is where Dedicated Trust can be helpful.
WHAT IF we could share information better, avoid mistakes that have already been made, and truly collaborate among experts and organizations in the cyber world?
Trust is a common need that is discussed inside company cultures, but we don’t typically talk about it among companies in one industry or field of expertise.
Research shows that trust tends to decrease as a person’s education level increases (see this report from BioMed Central). It makes sense that an expert may begin to trust their own knowledge and distrust information from others as they increase their knowledge base.
However, researchers also say that it is vital to our professional relationships, as well as our personal interactions, that we understand and build trust:
“Understanding trust is essential for improving performance of individuals and their organizations, as well as honing their competitive advantage by knowing whom outside the organization to trust. Much of the trust research to date, however, has not employed experimental conditions or measures that approximate those appropriate for real world conditions where an inadequate gauge of trust has meaningful, and often severe, consequences” (From a University of South Florida Digital Commons study).
We Choose Shortcuts Over Trust
Sadly, we are not predisposed to trust other people. Many of us have experienced negative outcomes after trusting people who did not deserve to be trusted. This expectation is subsequently applied to future opportunities for trust, and can also cause us to make errors in our decisions to trust or not.
“Humans have a limited capacity to process large amounts of complex social information, so they often unconsciously use mental shortcuts (heuristics) to simplify the process. These shortcuts, however, can lead to systematic biases and errors in generalized decision-making, and specifically in assessments of trustworthiness and decisions to trust” (Again, from the University of South Florida Digital Commons study).
In the field of information security, we are coached to limit our trust and to validate who and what has access to information. While important with machines and new users, this may be transmuted into hesitation to build trust among colleagues and organizations who could be beneficial partners. Refusing to trust is not the answer.
The Good News: Trust is Building
Despite the Zero Trust terminology problems discussed above, trust is being built in other ways. The new Joint Cyber Defense Collaborative was established for that specific purpose, to build trust and collaboration between the private sector and government security agencies.
Trust is a key factor. CISA Director Jen Easterly says, “Trust is built through transparency, responsiveness, humility, gratitude, and everything that says, ‘We want to add value from a government perspective and you from a private sector want to add value, let’s come together and do it collectively for the defense of the nation.’”
What Must Be Done: Building Community Trust
The way to a better world of Dedicated Trust is through community. Somehow we need to find appropriate ways to overcome individualism and cautiously learn to trust and share knowledge with others in our field.
We suggest that organizations take these actions to accomplish this:
1. No strategies or products should be named Zero Trust. We should eliminate implicit trust and continuously validate users, but the term Zero Trust needs to change. This name does not set the tone for information sharing and teamwork within the cybersecurity space. We need a new term and a new paradigm for how we view collaboration among professionals. Our term is Dedicated Trust Security: a user is trusted after being authenticated, and as long as they continue to be authorized.
2. Join threat intelligence-sharing organizations (ISACs). An Information Sharing and Analysis Center is a nonprofit that provides a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information between the private and public sector. These are conversational organizations and allow for discussion among professionals and among sectors. The FBI’s InfraGard is one good example of an ISAC, and the National Council of ISACs maintains a list of sector-specific ISACs.
3. Other intelligence-sharing services are also available. These are not as conversational as an ISAC, but the information is extremely helpful. This is a good start toward building more community among cyber professionals, but it is important for more organizations to join and to participate in the information-sharing process. Some of these services include:
Automated Indicator Sharing, a capability of CISA (Cybersecurity & Infrastructure Security Agency), allows real-time sharing of threat indicators and defensive measures to reduce the prevalence of cyber attacks.
The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
Let’s Build Trust
So what is wrong with Zero Trust? Technically, the principles of the Zero Trust security model are good. We dislike the term, and we want more Dedicated Trust among professionals in the field of cybersecurity.
We’re asking you to take some action. Be a part of a trust-building solution. Each organization can take some steps in this direction. This could take some humility on the part of cybersecurity and information security professionals. It might take vulnerability to report threats you have faced or ways you did not identify a network security gap. But sharing this information with colleagues or adding this knowledge to a collective database serves to aid others along the way, and hopefully they can learn from your lessons and you can learn from theirs.
Zero Trust cannot apply to all people, all the time. Interpersonally, we need trust. In the cyber community, we need it too. “When trust is embedded into a community as a cultural norm, that community is healthier and happier.”
Let’s move away from Zero Trust and build some trust. We need community, in life as well as in the cybersecurity field. The world’s cyber safety depends on it.
We at StandardUser Cybersecurity are on a mission to share cybersecurity and cyber safety education with everyone, to make our world a better place. Are you with us? How can we help? Let us know today.
Whatever your cybersecurity challenge, we can help you keep your business running. We are a defensive and offensive cybersecurity company, using over 30 years of experience with active commercial and government work and proven security methodologies. We also educate teams and professionals who want to build on their skills.
We set the standard for cybersecurity excellence.