Last month, the Computer Security Resource Center at NIST (National Institute of Standards and Technology) released general guidance and recommendations for implementing a Zero Trust architecture through their special publication, SP 800-207. This latest document is, of course, a reflection of how NIST views Zero Trust security, but it is important to point out two insights on how this view has been formed:
1) The concept of Zero Trust security is not new. The term itself was coined in 2010 by then Forrester analyst John Kindervag, who suggested that all network traffic should be considered untrusted [1]. This was the digital security embodiment of an even older Soviet pro-verb, “trust, but verify”. Later in 2014, Google published BeyondCorp [2], an academic research project that described how Google implemented Zero Trust security concepts internally by abandoning the then contemporary reliance on VPN and network perimeter security. In 2017, Gartner joined the Zero Trust bandwagon by suggesting similar security concepts in the CARTA (Continuous Adaptive Risk and Trust Assessment) framework. Finally, to close the loop, Forrester released the Zero Trust eXtended (ZTX) ecosystem report [3] that explained Zero Trust in light of new cybersecurity challenges and work habits. Over the years as digital security embodiment has been made even more restrictive, “never trust, always verify” has become the new proverb.
2) NIST did not unilaterally build its view of Zero Trust through this historical lens. Instead, they released the Zero Trust Architecture in multiple iterations. With each iteration, NIST invited feedback from the industry, and this feedback helped build the next version. Thales was actively involved in providing feedback through the IDSA (Identity Defined Security Alliance), a non-profit alliance of major players in the identity and security space. As Chair of the Technical Working Group at IDSA, Thales helped coordinate the response from the industry during the last public review period of the NIST Zero Trust Architecture document. More than 50 specific recommendations were provided, with an overarching theme to focus on an identity-based approach to Zero Trust, instead of a network-based approach. We are glad to see that this shift towards an identity-centric view of zero trust is reflected in NIST’s latest architecture document.
Trust No One
As one of the few players in digital security with a diverse product portfolio ranging from hardened edge devices to secure backend servers (and everything in between), Thales is in a unique position to define and implement Zero Trust security principles. Our Zero Trust security solutions leverage key concepts such as separation of duty, making security decisions as close as possible to resources being accessed, and offering strong MFA as a root of access.
For reference, Thales designed the industry’s first network-aware secure element using mainstream protocols [4]: TCP/IP for data transfer and SSL/TLS for security. This created an end-to-end secure tunnel between secure elements (e.g. a smart card) and remote servers on the internet, allowing the development of secure web applications that enforced the “trust no one” model.
Furthermore, the architecture of communication between a computer and its peripheral security devices is highly critical. To address this need, Thales built secure web applications using mass storage and HID drivers to talk to secure elements [5]. Today, similar principles are used by FIDO U2F tokens. It should also be noted that it is essential to embrace separation of duty so that owners of data can manage trust independently of storage providers.
A French philosopher once said, “In life it is much easier to love someone, than to trust someone”. As we look at the preponderance of digital gadgets and devices in our professional as well as personal lives, it is apparent we love them, and what they accomplish. But do we trust them? Thales is in business to make sure we do.
For more information, I invite you to watch a recent webinar where my colleague Sol Cates and the creator of Zero Trust, John Kindervag, discuss How to Achieve Zero Trust in Your Access Management Strategy.
References:
1. Kindervag, Forrester Research: Build Security into Your Network’s DNA: The Zero Trust Network Architecture, 2010.
2. Ward, Byers, Google, BeyondCorp: A New Approach to Enterprise Security, 2014.
3. Cunningham, Forrester, The Forrester Wave™: Zero Trust eXtended (ZTX) Ecosystem, 2018.
4. Montgomery, Lu, Ali (Thales); Secure Network Card - Implementation of a standard network stack in a smart card; CARDIS, The 6th Smart Card Research & Advanced Application Conference - Toulouse, France. August 23-26, 2004. Paper available from Springer here.
5. Lu, Ali (Thales); Making smart cards truly portable; IEEE Security & Privacy, vol. 8, no. 2, pp. 28-34 - Mobile Device Security issue, March/April 2010. Paper available from IEEE digital library here.