By now, you've likely heard of the zero-trust model for cybersecurity. Popularized by Google's BeyondCorp, the zero-trust model assumes -- as its name implies -- that all assets, users and resources are untrusted. This has a number of corollary implications, such as the following:
- Inside the firewall is not assumed to be any safer than outside. This fundamentally changes the role of the firewall.
- The model requires a detailed asset inventory. If all assets are assumed to be potential threats, knowing and quantifying them is of utmost importance.
- The model's data-centric approach toward cybersecurity has a concomitant impact on all devices, applications and services.
- The model also drives the need for authentication, authorization and access control at every level.
- The need for encryption extends everywhere -- at the application layer, in transit and at rest.
Implementing the zero-trust model is a fairly intense process, touching everything from implementing data classification to shifting to network virtualization to upgrading and automating trust policies. But does the model demonstrably improve one's risk posture? And if so, how do cybersecurity professionals express this improvement in the context of enterprise risk management?
The short answer is that yes, the zero-trust model does increase cybersecurity and decrease risk. By minimizing the number of devices, applications and services that are "trusted," the approach reduces blind reliance on trust.
How we know zero trust works
In essence, the way to demonstrate that the zero-trust model decreases risk is to highlight the following: First, unwarranted trust is a risk. Any time that someone extends trust without validation, they inject risk into the environment.
Second, existing approaches to extending trust -- such as whitelists -- are inherently flawed. Just because packets or processes come from a "trusted source" does not mean the process itself can be trusted. The source may have been hacked, or the user may be compromised. Therefore, trust of the packets themselves must be separated from trust of the source and process generating the packets.
Finally, taking a zero-trust approach involves decreasing trust to the lowest level possible, thereby wringing the risk of unwarranted trust out of the environment.
Implementing the zero-trust model
That's all well and good from a philosophical perspective, but as with most technical issues, the devil lies in the details. So here's how to put it into practice: To quantify the risk reduction that comes from reducing unwarranted trust, take a methodical approach to developing and documenting your trust policy. What resources should each device, application and user have access to? What is the justification for that access? And how are authentication and authorization automated and ensured?
As you go through this process, document both the current state and the desired future state and highlight the trust reduction for each. When complete, you'll be able to highlight a "reduction in trust" that corresponds to a reduction in risk, based on the logic above.
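The current-state versus future-state exercise above is easier to defend if the trust policy is kept as data rather than as a narrative document. The following Python script is an added example, not code from the original article or from BeyondCorp: it represents each grant as (principal, resource, justification, enforcement), treats a grant as unwarranted trust when it has no documented justification or is not validated on every request, and reports which unwarranted grants the target policy removes, keeps, or newly introduces. The enforcement labels, the field names and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical labels for how a grant is checked at access time (assumption, not a standard).
AUTOMATED = "automated"   # per-request authn/authz, e.g. through an access proxy
MANUAL = "manual"         # reviewed by a person, not checked on each request
IMPLICIT = "implicit"     # trusted because of network location or a static allowlist


@dataclass(frozen=True)
class Grant:
    """One row of the trust policy: who may reach what, why, and how it is enforced."""
    principal: str      # device, application or user
    resource: str
    justification: str  # business reason; empty string means undocumented
    enforcement: str    # one of AUTOMATED, MANUAL, IMPLICIT

    def is_unwarranted(self) -> bool:
        """Unwarranted trust: no documented reason, or not validated per request."""
        return not self.justification.strip() or self.enforcement != AUTOMATED


def unwarranted_grants(grants):
    """Return the grants in a policy that still rely on unwarranted trust."""
    return [g for g in grants if g.is_unwarranted()]


def trust_reduction(current, desired):
    """Compare two policies and report how much unwarranted trust is removed.
    Grants are matched on (principal, resource); a grant that remains but is
    now justified and automated counts as remediated."""
    cur = {(g.principal, g.resource) for g in current if g.is_unwarranted()}
    des = {(g.principal, g.resource) for g in desired if g.is_unwarranted()}
    return {
        "current_unwarranted": len(cur),
        "desired_unwarranted": len(des),
        "remediated": sorted(cur - des),   # unwarranted now, fixed or removed in target
        "remaining": sorted(cur & des),    # still unwarranted in target
        "introduced": sorted(des - cur),   # new unwarranted trust in target: a regression
    }


# Constructed sample inventory; these are not real systems.
CURRENT_POLICY = [
    Grant("laptop-42", "file-share", "", IMPLICIT),                       # trusted because it is on the LAN
    Grant("billing-app", "payments-db", "processes invoices", IMPLICIT),  # source-IP allowlist only
    Grant("alice", "hr-records", "HR manager", AUTOMATED),
    Grant("build-server", "prod-deploy", "", MANUAL),                     # nobody remembers why
]

DESIRED_POLICY = [
    Grant("laptop-42", "file-share", "engineering project files", AUTOMATED),
    Grant("billing-app", "payments-db", "processes invoices", AUTOMATED),
    Grant("alice", "hr-records", "HR manager", AUTOMATED),
    # build-server -> prod-deploy removed entirely: no justification could be found
]


def report(current=CURRENT_POLICY, desired=DESIRED_POLICY):
    """Print a current-vs-future summary and return the underlying numbers."""
    r = trust_reduction(current, desired)
    print(f"Unwarranted grants: {r['current_unwarranted']} now, {r['desired_unwarranted']} after")
    for principal, resource in r["remediated"]:
        print(f"  remediated:         {principal} -> {resource}")
    for principal, resource in r["remaining"]:
        print(f"  still unwarranted:  {principal} -> {resource}")
    for principal, resource in r["introduced"]:
        print(f"  new unwarranted:    {principal} -> {resource}")
    return r


if __name__ == "__main__":
    report()
```

The "introduced" list is the check worth keeping in a real inventory: a target policy that adds a new implicit or undocumented grant while cleaning up old ones has not reduced unwarranted trust as much as the headline count suggests, and that is exactly the kind of detail a risk conversation will ask about.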
The bottom line: The zero-trust model reduces risk by reducing unwarranted trust. A methodical process of highlighting reduction in unwarranted trust demonstrates that zero trust contributes to lower risk.