A report by Forrester Research is pushing the concept of the zero-trust security model, where packets are not trusted and the emphasis is on traffic inspection and access controls.
Between insider threats and malware attacks, the idea of trust-but-verify is
dead as a security model, according to a new report by Forrester Research.
In its place, Forrester analyst John Kindervag contends enterprises should
embrace the concept of zero trust, a model where insiders and outsiders
are equally untrustworthy, and security administrators stop trusting packets as
if they are people. The change, he said, is necessary due in part to the
"innumerable instances" of trusted
users going rogue
on enterprise networks.
To highlight the point, the report spotlights the case of Philip Cummings,
who worked on the help desk for a company called Teledata Communications (TCI)
in 1999 and 2000 and sold credit reports to a Nigerian organized crime ring.
"Security professionals misunderstood the joke inherent in the term 'trust
but verify,'" Kindervag said. "People don't do it because trusting is
easy and verification is hard. If you trust someone, why would you need to
verify them? But networks are about packets and not people. If the machine is
infected by some type of malware and sends out spam or is controlled by a
botnet, those packets are coming from a user's machine without the user's
knowledge. Should we trust those packets just because they come from the user's
For businesses, taking a zero-trust approach means all traffic is a threat
until it's been verified that the traffic is authorized, inspected and secured,
the report states. It requires the use of encrypted tunnels for accessing
data on internal and external networks, an emphasis on inspecting and
logging data, and the deployment of strong
designed with an eye toward least privilege.
In some ways, zero trust is not a completely new model, argued Dean Turner,
director of Symantec's Global Intelligence Network.
"Many Unix-based systems have utilized the 'denied unless explicitly
permitted' approach to ports, services, etc., for many years," he said. "Security
professionals have also always recommended only allowing known, trusted
applications and services onto networks. In this past, there has generally been
a higher level of trust when it comes to traffic from one's own internal
network, but with the explosion in malware over the past seven years, network
and security professionals have been looking at their internal networks much in
the same way they look at their external networks, since threats can originate
from even the safest of networks."
However, eEye Digital Security CTO Marc
Maiffret contended there will always be a level of trust
implicit in any network
because it would be "operationally
unmanageable to have an IT organization act at some cold-war style level of
"Trust models quickly turn into a conversation about white and black
listing in terms of either implicitly denying with exception or allowing with
explicit blocking," he said. "I am less concerned about which way an
organization approaches trust within their environment, as both have good and
bad associated with them. The thing that concerns me more is what technology is
used to enforce any model of trust. If it is simply more IPS
[intrusion prevention systems] and antivirus but working from a different trust
model, then nothing has really changed."
Underpinning zero-trust is deep analysis of network traffic, noted
NetWitness Chief Security Officer Eddie Schwartz, which means
organizations need to focus their efforts on getting visibility over the
"Layer 7 is particularly important, since most emerging, sophisticated
threats are coming through at the application layer, which is the layer most
organizations have the least amount of visibility into. ... By knowing
everything, security teams can confidently verify any device, request or user,"
There are ways to capture packets and other critical network data, but they
need to be designed into the network, Kindervag said.
"The new space we are working to define, NAV
[network analysis and visibility], is designed to analyze packets more
effectively," he said. "This may be a challenge, but it is imperative
that people begin to do this, as lack of visibility and inspection on trusted
traffic is a significant risk and has resulted in numerous data breaches in
In many ways, zero trust is antithetical to the idea of defense-in-depth, he
"Defense-in-depth [DiD] is key to vendor success because in a security
model based upon DiD you always need to buy something new and always need to
add another control," Kindervag said. "Zero trust is a data-centric
view of security and has a different objective and design methodology."