Since Covid-19 started, I have probably talked more about Zero Trust than ever before. Not that the concept is new, but the pressure to apply it suddenly increased dramatically with all the users sitting at home and not within the “well-protected” network perimeter. Companies faced different challenges during this time, but two came up repeatedly:
- The employees were not equipped to work from home. Normally, they were sitting in their offices at their desks with their desktops.
- The VPN infrastructure was not designed to scale to the extent needed.
That’s the reason why I decided to run a series of blog posts looking at Zero Trust from different angles.
There were different approaches to address these problems. In certain cases, employees took their car to grab their PC from the office. On the flip side, this then increased the challenge on the VPN-scaling front. Other customers allowed their employees to use their home PC for business, allowing VPN access from there. This really scared me. If you think about it: the kids run their games on these PCs (and maybe a lot more), so the risk of these machines being compromised is for sure higher than for a business machine – and then you connect them directly to your business network.
When it came to the scaling of the VPN infrastructure, one immediate measure was to implement split tunneling to reduce the load that voice and video cause, routing this part of the Microsoft Teams traffic directly to Office 365 instead of through the VPN.
If you look at the initial days and weeks through the lens of the classical CIA triad (confidentiality, integrity and availability), obviously availability got priority while trying to maintain C and I. But was that necessary? Would you need to prioritize if you are willing to accept today’s reality? What did really change?
For sure the extent and the speed of the challenge were exceptional. But the start of the Zero Trust discussion is not Covid-19; it actually started at an event on January 9th, 2007, the announcement of the iPhone. This was one of the first times IT organizations really got confronted with BYOD, and it came top-down, often from the CEO. It immediately drove data outside our physical network perimeter and was the basis of all types of initiatives, of which Google’s BeyondCorp (2014) was probably the one creating the most PR. In parallel, more organizations started to adopt the “assume breach” paradigm, which drives similar architectures.
Taking all of this into consideration, you have to come to the conclusion that the only approach to today’s challenges is not to trust anything anymore until proven otherwise. You do not trust users, devices, networks, apps etc. until they can prove to be trustworthy. If you drive this concept home, you will reach the next conclusion, which is that the network perimeter will play a different role: the data is outside this perimeter, and trying to channel everything through your home network is a losing battle. You need a modern perimeter, which is your identity.
Looking at this with a certain distance, you see that Zero Trust is a great term and everybody is talking about it, but at the end of the day it is a reflection of reality and not a revolutionary new vision. It is happening and needs to happen today. The technology is ready, and NIST has already published a second draft of its Zero Trust Architecture (SP 800-207). It is time to embark on this journey and start to change.