Wherever you turn, experts and thought leaders are singing its praises. An online search can easily find thousands of articles, speeches and presentations on why zero trust is the must-have paradigm for all things cybersecurity moving forward.
So how do we actually define zero trust? A NIST blog says to stick to the principle “never trust, always verify.”
According to Palo Alto Networks, “zero trust is not about making a system trusted, but instead about eliminating trust.”
Still others give a longer definition: “Zero trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access,” Mary K. Pratt wrote for CSO Online.
I went on the record several years ago as a big supporter of zero trust. Nevertheless, as in other areas of technology, I began to worry as perceptions changed and its power grew.
CHECK ZERO-TRUST SCOPE
I now fear that some are taking zero trust way too far, even expanding what was originally intended by those who started the trend to cover all areas of life. For some people it is even the model for all human interactions, which is where I pull the emergency cord and get off the bus.
While I suspected this might be happening after sitting in on several public- and private-sector webinars on zero trust over the past year, I became downright alarmed when a LinkedIn thread on whether organizations should hire hackers with a criminal record yielded this comment from a respected colleague: “I operate in a zero-trust environment. I wouldn’t trust my noncriminal employees any more. They are as likely to cause a cyber attack through negligence. And a convicted hacker probably has more understanding of real-world tactics than what you can learn in a three-part online course.”
Putting the criminal hackers aside, my response was: Wow! Are we really now throwing away trusted relationships at home and work under the banner of zero trust?
And what about Stephen M. R. Covey’s best-selling book The Speed of Trust: The One Thing That Changes Everything? The author shows how trust — and the speed at which it is established with clients, employees and all stakeholders — is the single most critical component of a successful leader and organization.
Now I was on a mission. I went out and found articles, podcasts and blogs featuring John Kindervag, who is credited with creating the zero-trust trend more than a decade ago while at Forrester.
ShadowTalk Threat Intelligence Podcast interviewed Kindervag and provided some great insights on zero trust, including what it does not include. In a nutshell, the “never trust, always verify” definition is for digital communications, and we err greatly if we apply that to offline human interactions. People can be trustworthy, but the packets of information claiming to be from that person may not be.
Consider these important points Kindervag outlines in the podcast:
1. (Online) Trust is a vulnerability.
2. People are not packets. “People aren’t the issue, packets are the issue.”
3. Trust is a big problem in the digital world — that’s the primary thesis.
As I was starting to write this column to present my “findings,” I decided to reach out to John Kindervag, just to double-check my work. He responded quickly:
“Digital trust and human trust are two separate things. Zero trust only applies to digital systems. People are not necessarily untrustworthy, but at the same time they are not packets. Zero trust only applies to the zeros and ones that traverse our various digital systems.
“[Malcolm] Gladwell calls human beings trust engines. Morton Deutsch talks about how trust is the willingness of one individual to be vulnerable to another individual, and applies this to business management.
“The fatal flaw was anthropomorphizing the network and moving over concepts like trust that had no business belonging in digital environments.”