Breaking Down Misconceptions About Zero Trust

What is (and isn't) zero trust? IBM Security Evangelist Westley McDuffie explores common myths and how to implement this security strategy.

By Neil Tardy

Westley McDuffie believes that zero trust, in both concept and practice, is often made out to be more complicated than it actually is. “You can make it hard or complex,” he says. “But it doesn't have to be.”


As an IBM security evangelist responsible for educating IBM clients in the federal government, including the U.S. Department of Defense and intelligence communities, McDuffie understands that zero trust is, to put it mildly, a trendy topic. He sees the millions of Google hits and understands how all this noise can muddy the waters.

“It's everywhere. There are hundreds of articles, and hundreds of companies that are begging to do zero trust with anybody they can get their hands on. They're saying, ‘Hey, if you need to start somewhere, start here,’” he says. “There are organizations out there that actually say that this is complex, and you can't do it without us. That is absolutely wrong, and anybody who pushes that is a charlatan. They don't do security.”


Implementing a zero trust strategy, and ultimately making your enterprise as secure as it can be, starts with an understanding of your IT environment and networks. It requires an understanding of what zero trust involves, and what it does not. This article focuses on those things that zero trust is not. So, let's examine, and break down, those misconceptions.

1. Zero trust is something new.

John Kindervag coined the term zero trust in a 2010 white paper written for his then-employer, Forrester Research. For his insights into information security practices, McDuffie and others view Kindervag as the go-to on this subject.

That's merely a quick history of zero trust, the term. Even at that point, the elements or individual components of zero trust had been in place for some time. Multifactor authentication (MFA), RSA tokens and biometrics, for instance, don't assure zero trust by themselves, but these and other commonly deployed security measures provide pieces of that puzzle.

McDuffie likes to cite using a banking app as an everyday example. If you open your app to access your account, but then don't touch your screen for a period of time—2, 3, maybe 5 minutes—you're automatically logged out due to inactivity. Likewise, that's not zero trust, but it's part of it.

“Zero trust is part of everyday practices. If we're talking about the way security should have been done in the beginning, it's always been here," McDuffie says. "The difference with what we're seeing with zero trust now is we're talking about enforcing those policies.”


2. Zero trust is a product or a technology.

Put simply, zero trust is a strategy, not a tactic. The strategy is the action plan; tactics are the individual steps that help you carry out the plan. There is no single action that can assure zero trust. 

McDuffie devotes ample time to speaking at conferences and explaining to individual clients how to implement a zero trust strategy. In his view, it starts with the network.

“You need to know your network, because if you don't, it doesn't matter what model you choose,” he says. “You may have Linux appliances, but if you're not doing any kind of logging because you don't know they're there, you can't protect your network. And yes, that does happen. So, you need to know what's on your network, what is allowed and what is not to be allowed. You need to know your network inside and out.”

From there, it's critical to enable MFA. This protects end users as well as the network itself. Strategies must also be put in place to encrypt/decrypt data, whether at rest or in transit. Establishing and maintaining sound coding practices is also important.

Finally, there's logging. Logs themselves present snapshots in time, but as McDuffie explains, the most critical logging information is found elsewhere.

“Nobody really overlooks logging, but most companies fail to watch the flows,” he says. “You should collect and inspect those snippets. The difference between taking an event and taking the flow is that, as an intruder, I can manipulate the logging of an event. Flows don’t lie. I cannot do that in a flow—at least nobody's been able to do it yet.”
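To make the flow-versus-event-log point concrete, here is an added example (written for this article, not IBM's or McDuffie's tooling) that checks constructed flow records against an asset inventory: a device nobody inventoried, or a known server reaching somewhere it never should, stands out from the flow alone, whatever the host's own logs say. The inventory, address ranges, hosts and records are all constructed assumptions.

```python
# Added example: compare NetFlow-style records (src,dst,dport,bytes) against an
# asset inventory. Hosts, ports and flow lines below are constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed inventory: known hosts and the (dst, dport) pairs each may reach.
INVENTORY = {
    "10.0.1.10": {"role": "workstation", "allowed": {("10.0.2.20", 443), ("10.0.2.30", 53)}},
    "10.0.2.20": {"role": "web", "allowed": {("10.0.2.40", 5432)}},
    "10.0.2.30": {"role": "dns", "allowed": set()},
    "10.0.2.40": {"role": "db", "allowed": set()},
}
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int

def parse_flow(line: str) -> Flow:
    """Parse one 'src,dst,dport,bytes' record (a simplified flow export)."""
    src, dst, dport, nbytes = line.strip().split(",")
    return Flow(src, dst, int(dport), int(nbytes))

def inspect(flow: Flow) -> Optional[str]:
    """Return a finding for one flow, or None when the inventory permits it."""
    host = INVENTORY.get(flow.src)
    if host is None:  # no host-side logs are collected for a device nobody knows about
        if ip_address(flow.src) in INTERNAL:
            return f"unknown internal host {flow.src} -> {flow.dst}:{flow.dport}"
        return f"inbound from external {flow.src} -> {flow.dst}:{flow.dport}"
    if (flow.dst, flow.dport) not in host["allowed"]:
        return f"{host['role']} {flow.src} -> {flow.dst}:{flow.dport} not allowed"
    return None

def inspect_flows(lines: List[str]) -> List[str]:
    """Run every non-empty record through inspect() and keep the findings."""
    findings = (inspect(parse_flow(line)) for line in lines if line.strip())
    return [f for f in findings if f]

SAMPLE_FLOWS = [  # constructed records: src,dst,dport,bytes
    "10.0.1.10,10.0.2.20,443,8120",        # workstation -> web: allowed
    "10.0.2.20,10.0.2.40,5432,22000",      # web -> db: allowed
    "10.0.9.77,10.0.2.40,5432,512",        # appliance nobody inventoried
    "10.0.2.40,203.0.113.5,443,91000000",  # db server reaching the internet
]
```

Calling `inspect_flows(SAMPLE_FLOWS)` returns two findings: the uninventoried 10.0.9.77 talking to the database, and the database server itself reaching an external address.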

3. Zero trust is complicated.

McDuffie also likes to say that while there is no single, right way to achieve zero trust, there are many, many wrong ways to go about it. With this in mind, McDuffie offers additional advice. First, understand that while there are products that help in your efforts, there is no one thing you can buy, no solution that will do the job start to finish. Also recognize that zero trust is attainable for enterprises and organizations of any size and structure.


McDuffie’s other recommendations include:

Assume the worst. That is, assume you've already been breached.

Enforce least privilege. You only get the rights to do what you need to do your job. No more, no less.

Asset management. You must know what you have, including assets like data, applications, infrastructure and your users. As McDuffie puts it, "Any noun in your network."

Multifactor authentication. This should be in place if it isn't already.

Data encryption. This should also be in place if it isn't already.

McDuffie chuckles at the irony, but his final piece of advice about zero trust amounts to: have a little faith.

"It sounds so counterintuitive, but call someone you can trust," he says. "Reach out to an engineer of one of your product vendors. If there's a company that treats you well, ask them about zero trust. If that company has a partner, ask them. Because zero trust isn't free. It doesn't have to be expensive, but it isn’t zero cost. So having somebody where you have a relationship is important if you have nowhere else to turn."
