
Zero vs. Lean Trust

Network security is struggling to keep up with the reality of how organizations are built and connect today. From hybrid networks (on-premises and in the cloud) to large mobile user bases, traditional network security—push everything through a choke point—is well past its best-before date. Wh


Reasonably Accurate 🤖🧠 Transcript

Morning everybody. How are you doing today? There was a really interesting blog post written last week by Barry Fisher at Cisco around the idea of zero trust or lean trust within networks, and specifically around network security. And he was calling out that zero trust is a misnomer.

It's poorly named and we really should probably be calling it lean trust. That falls in line with Neil MacDonald from Gartner, his view around continuous risk assessment, his CARTA strategy, and calling it lean trust. That I totally, totally understand, but I think there's a really important point missing here.

But before we dive into that, I want to talk about what zero trust actually is, why it's important and why we should look at this concept, whatever you want to call it. So it was introduced in 2010 by John Kindervag at Forrester Research, and it was the Zero Trust architecture.

And essentially, it had three main tenets that said that all resources should be accessed securely, access should be doled out on a need-to-know or requirement basis, or least privilege, and that all traffic should be logged and recorded or analyzed somewhere.

So this gave you the ability to do some really interesting things. Essentially what it's talking about is sort of flattening the network conceptually so that you can use something like a segmentation gateway where all traffic comes in. And then it's decided, based on what it's trying to do, where it should be routed, as opposed to whether or not we trust this traffic.

Now, that's kind of hard for a lot of people to wrap their heads around. So I'll give you a more practical example of what came out around the same time; about a year later it was formalized, when Google started talking about this idea of BeyondCorp, at least what became BeyondCorp.

And they started off with basically coming out and saying, hey, we don't have a VPN. If people want to access our resources from home or remotely, they do that the same way they do internally in the network. And for most people, this is like, what are you talking about?

All of us have to struggle through this ridiculous VPN setup. You know, it kicks off our normal internet traffic. We're now accessing internal resources like we were in the office, but without access to the internet, or at least super slow internet access in a lot of cases.

And you had to authenticate on your VPN to get access to internal resources. Well, Google said, wait a minute, we've done authentication and verification at such a good level, high enough up the stack, that we're not going to bother with this network level of security anymore.

We've taken other ways to mitigate the risk, and that really hit home for a lot of people because that's a major pain point. The VPN access is a major pain point, and that rolled in over the last few years. So this has been almost a decade. People have been talking about architectures and into what's now called zero trust, or lean trust in the Gartner model, and zero trust in the Forrester one still.

Now Barry's point, so Barry Fisher from Cisco, his point in his blog was a really good one. It's basically saying, hey, these are basically the same kind of concepts, but lean trust is a more accurate name because in the reality of it, you can't build a zero trust network; it's just not going to work.

And I agree, but I also disagree, because I think, you know, this is a parallel to the naming debate we've seen in the serverless community in the cloud, where people say, well, there's tons of servers involved with serverless functions, with serverless architectures. And yes, there are, but the point is the name evokes something. It triggers something in a developer's mind saying, wait a minute, I don't have server resources to access.

I am simply building functionality and it's being run by somebody else. And I think the exact same argument applies here. I think zero trust is a far better name because it's aspirational. You need to set the target really high if you're trying to change people's minds. So if most people are sort of here on the timeline and you want to get them to here, start talking about way down here, because people will strive to aim for that and they'll probably meet halfway, and that's really where you want them to be.

So, yes, we will have a lean trust model. But by calling it a zero trust architecture or zero trust network, we're gonna get people to where we want to be, because they're going to shoot for the moon, they're probably gonna miss, and they're going to land in a more realistic, more pragmatic spot with a ton of advantages.

So I really like the name zero trust because I think it's evocative, I think it's aspirational, and I think it's where we need to be shooting for, and eventually we'll get there. In the meantime, lean trust is the reality. What do you think? Let me know. Hit me up online at @marknca, for those of you on the vlogs in the comments down below, as always for podcast listeners, and everybody else by email at markn.ca.

I hope you're set up for a fantastic day. I look forward to talking about this model, about the zero trust architecture but naming in general, with you. And, like I said, I hope you're set up for a fantastic day. I will see you online and I will see you on the next show.
