Every year at RSA Conference, a pitched battle ensues for the heart and soul of the security practitioner. Or at least for the mind: there’s the word cloud of topics that show up most often in the CFP submissions, but there are more slogans, phrases and concepts that meet in the expo hall to fight for supremacy. Remember when we all argued about what “cloud” meant? That term seems to have settled down over time, and “risk” is still eluding firm definition, along with “machine learning” and “artificial intelligence,” but the newest kid on the block will probably be the one with the biggest variety of gladiators in the ring: “zero trust.”
Even though it’s still being debated and explained, it’s not a new concept. The Jericho Forum called it “de-perimeterization” at the turn of the century, although I suspect the term didn’t catch on more broadly because it’s difficult to pronounce after a couple of pints of beer. John Kindervag solved that problem by coining the term “zero trust,” which even I can say at two o’clock in the morning. Google dubbed their implementation BeyondCorp, Intel called theirs Beyond the Edge, and now we have Zero Trust eXtended (ZTX) from Forrester and CARTA from Gartner, it’s a wonder that anyone can find common ground.
Even the word “trust” can be slippery. In this context it can mean granting access without verifying (which you should never do), or it can mean granting access to something because you verified it. Either way, we can all agree on the concept that you shouldn’t trust something just because it’s on the inside of your network. That’s how attackers manage lateral movement, and how insiders of all sorts get free rein. The model of untrusted outside versus trusted inside doesn’t work well any more.
How do you verify something? How often do you check those factors, and for how long do you allow the access before you reset that trust and verify again? Most importantly, how do you keep verifying without annoying your users? These are the important questions that you should be asking if you’re interested in learning about zero trust (or, as we prefer to call it at Cisco, Trusted Access).
Whether you’re pursuing this model for your workforce, or your workloads, or both, consider where you might place today’s perimeters. If you think about a perimeter as being anyplace where you make an access control decision, it could be at more than one layer in the stack. Some decisions still belong at the network layer; others might rest with the application or even the identity. Be ready to explore the possibilities.
I’ll be presenting on this topic at our Cisco Customer Summit during RSA, and you’ll see many other discussions of zero trust throughout the conference. Paul Simmonds, one of the original Jericho Forum members and CEO of the Global Identity Foundation, will talk about “The Fallacy of the Zero-Trust Network.” Stop by our Duo booth (#1835, south expo) to see demos of how you can start your journey to zero trust with multi-factor authentication. Many members of the Duo & Cisco Security teams will be speaking in the Cisco booth (#6045, north expo) too, with such thrilling titles as “Zero Trust – A Transformational Approach” and “Zero Trust and the Flaming Sword of Justice.” No matter what you want to call it, we’ll pay tribute to it at RSA Conference, and we look forward to seeing you there.
Check out our event site to stay up-to-date on all of the Cisco happenings at RSAC 2019. We hope to connect with you soon!
Click here to subscribe to our RSAC blog series.