Who Can You Trust? A zero trust security architecture has a few difficulties to overcome.
Trust has always been a bit of a tricky proposition. I think it’s safe to say that all of us, at some time in our lives, have been “let down” after placing our faith in someone. History is replete with examples of even the smartest individuals suffering the ill-effects of being too trusting. Certainly, Caesar saw no potential harm when Brutus invited him to meet a few of his poker buddies, and I’m sure more than a few Bernie Madoff clients felt a little sheepish after saying, “20% annual return—sign me up”. Apparently you can now add the government’s National Security Agency to the long list of those forced to deal with the ramifications of, shall we say, misplaced trust after they recently issued guidance urging owners of networks related to national security and critical infrastructure to adopt zero trust policies.
For those of you who haven’t been paying attention, in recent years a couple of our “frenemies”—and I think we all know who we’re talking about—have made some unauthorized incursions into the nation’s data “vaults”. Now we all know no one, including us, is wearing a white dress to the party when it comes to covert operations. However, when you use your role as an uninvited guest to make off with security clearance information on millions of this country’s citizens or insert malicious code into commercially available software to take a romp through nine government agencies and over 100 companies you’ve probably overstepped your boundaries. It’s kind of like when your mom used to say, “It’s all fun and games until someone loses an eye”—only on a geopolitical scale.
Since the savvy professionals who provide our national security don’t believe there’s any kind of statute of limitations on bad behavior, a consensus seems to be growing around taking our security measures regarding hacking up a few notches. Apparently, the majority of our sensitive data—you know, nuclear weapons locations and the real amount of the national debt—is protected using a “castle and moat” approach where once someone makes it through security obstacles like firewalls, proxy servers and such, they are viewed as “safe” and are free to roam at will. Unfortunately, as we’ve seen, there are more than a few folks willing to take liberties with this type of trust-based environment, so the NSA’s recommended guidance, which probably falls within the “better late than never” category, is an idea whose time has come.
A zero trust mode of operation, as the name implies, requires users to continue to pass security protocols for each area they wish to access. Security experts aren’t sure if having these measures in place could have prevented the cyberattacks from the nefarious state-sponsored hackers but likely would have limited their severity by giving us a better chance to detect their movements, so there’s that.
Like most seemingly simple solutions to complex problems, implementing a zero trust security architecture has a few difficulties to overcome. For example, in some instances ripping out existing computer equipment and replacing it may be required. With the current, and projected, rate of government spending the cost of this type of network overhaul is no object, but like the Defense Department’s efforts to consolidate data centers has demonstrated, we’re not exactly sure where all the equipment needing to be replaced is actually located. Thus, it looks like we’ll have to begin implementing some type of hybrid approach where zero trust schemes are added where possible and other cybersecurity efforts such as data encryption are used where zero trust structures are not possible.
Perhaps we might see the prospect of having the nation’s power grid sabotaged by a group of underaged foreign computer weenies as opposed to ICBM-delivered nuclear obliteration as a form of progress, but, if you’re honest, the prospect of either is less than inspiring. Etta James sang about trust back in the day:
Why don’t you, trust in me in all you do?
Have the faith that I, I have in you
Oh, and love will see us through
If only you trust in me
Maybe someday Etta’s vision will be possible. But until then we’ve got to muddle through an untrustworthy world the best we can, and zero-trust policies are a step in the right direction.
Chief Executive Officer
Chris Crosby is a recognized visionary and leader in the data center space and has served as founder and CEO of Compass Datacenters since 2011. Previously, Chris served as a senior executive and founding member of Digital Realty Trust. Prior to the initial public offering of Digital Realty, Chris was founder and managing director of Proferian, which served as an operating platform for the private equity fund, GI Partners, and was rolled into the IPO for Digital Realty Trust. Prior to Proferian, Chris served as a consultant for CRG West, now Coresite.