Zero vs. Lean Trust

9 minute read | Last updated 22-Jan-2019 |  Security

Watch the episode on YouTube

Join the discussion on LinkedIn

Share on Twitter

Bad Robot Transcript

Morning, everybody. How you doing today? There was a really interesting blog post on written last week by Barry Fisher at Cisco around the idea of zero trust Orlean trust within networks and specifically around network security and he was calling out basically that I zero trust is a misnomer is poorly named and we really should probably be calling lien Trust on that falls in line with on Neil MacDonald from Gartner his view around a continuous risk assessment out his car to strategy.

I’ve been calling it lean trust that I totally totally understand but I think there’s a really important points missing here before we dive into that. I want to talk about what zero trust actually is and why it’s important and why we should look at this concept whatever you want to call it.

I’m so it was introduced in 2010 by John Kinder Kinder bog a. Forrester research. It was a zero trust architecture in essentially. It’s had three maintenance it said that all resorts. Should be accessed securely access should be doled out on a need-to-know where requirement basis at least privilege and that all traffic.

I should be logged and recorded analyze somewhere. So this gave you the ability to do some really interesting things essentially what it’s talking about, its or flattening the network conceptually so that you can I use something like a segmentation Gateway. We’re all traffic comes in and then it’s decided based on what it’s trying to do where it should be routed as opposed to whether or not we trust this traffic.

Now that’s kind of hard for a lot of people to wrap their heads around. I’m so give you more practical example what came out on from the seam around the same time but a year later was formalized was Google started talking about this idea of Beyond corporate lease. What became Beyond Corp start off with basically coming out and say hey, we don’t have a VPN if people want to access our resources from home or remotely they do that over the same way.

They do internally in the network. And for most people this is like What are you talking about? I’m always have to struggle through this ridiculous VPN setup, you know, it’s kicked off our normal internet traffic. We’re now accessing internal resources like we were in the office, but without access to be an RN or released super slow internet access in a lot of cases and you had to authenticate on your VPN to get access to internal resources.

Will Google said wait a minute. We’ve done authentication verification such a good level high enough up the stack that we’re not going to bother with this network level of security anymore. We’ve taken other ways to mitigate the risk and not really hit home for a lot of people that’s a major pain point the VPN access and rolled in over the last few years has been almost a decade people have been talking about these architectures.

I’m into what’s now called zero trust Orlean trust in the Gardner model. I am zero trust in the force or still point for massive Barry Fisher Francisco his point in his blog was a really good one is basically saying hey, these are basically the same kind of Concepts but lean trust is more accurate name because of the reality of it.

You can’t build a zero trust network is just Not going to work and I agree but I also disagree because I think you know, what is a parallel to the naming debate we’ve seen in the circle is community in the cloud people say when there’s tons of servers involved with serverless functions with serverless architecture is and yes there are but the point is the name evokes something in trigger something in a developer’s mine saying wait a minute.

I don’t have server resources to access. I am simply building a functionality and it’s being run by somebody else. I think the exact same argument applies here. I think zero trust is a far better name because it’s aspirational you need to set the target really high for trying to change people’s minds.

So if most people are sort of here on the timeline and you want to get them to hear start talking about way down here because people will try to aim for that and then probably meet halfway and that’s really where you want them to be. So, yes, we want to lean trust model, but by calling it a zero trust architecture or zero trust Network.

I’m going to get people to where we want to be because they’re going to shoot for the moon. They’re probably going to mass and they’re going to land in a more realistic more pragmatic spot with a ton of advantages. So I really like the name zero trust because I think it’s it’s evocative.

I think it’s aspirational. I’m and I think it’s where we need to be shooting for eventually. We’ll get there in the meantime lean. Trust is the reality. What do you think? Let me know. Hit me up online at Mark and ca for those of you in the in the comments down below as always for podcast listeners and everybody else by email me at Mark end.

CA. Hope you’re set up for a fantastic day. I look forward to talking about this model above zero trust architecture living in general with you and I hope you’re upset for a fantastic day. I will see you online and I will see you on the next show. Morning, everybody.

How you doing today? There was a really interesting blog post on written last week by Barry Fisher at Cisco around the idea of zero trust Orlean trust within networks and specifically around network security and he was calling out basically that I zero trust is a misnomer is poorly named and we really should probably be calling lien Trust on that falls in line with on Neil MacDonald from Gartner his view around a continuous risk assessment out his car to strategy.

I’ve been calling it lean trust that I totally totally understand but I think there’s a really important points missing here before we dive into that. I want to talk about what zero trust actually is and why it’s important and why we should look at this concept whatever you want to call it.

I’m so it was introduced in 2010 by John Kinder Kinder bog a. Forrester research. It was a zero trust architecture in essentially. It’s had three maintenance it said that all resorts. Should be accessed securely access should be doled out on a need-to-know where requirement basis at least privilege and that all traffic.

I should be logged and recorded analyze somewhere. So this gave you the ability to do some really interesting things essentially what it’s talking about, its or flattening the network conceptually so that you can I use something like a segmentation Gateway. We’re all traffic comes in and then it’s decided based on what it’s trying to do where it should be routed as opposed to whether or not we trust this traffic.

Now that’s kind of hard for a lot of people to wrap their heads around. I’m so give you more practical example what came out on from the seam around the same time but a year later was formalized was Google started talking about this idea of Beyond corporate lease. What became Beyond Corp start off with basically coming out and say hey, we don’t have a VPN if people want to access our resources from home or remotely they do that over the same way.

They do internally in the network. And for most people this is like What are you talking about? I’m always have to struggle through this ridiculous VPN setup, you know, it’s kicked off our normal internet traffic. We’re now accessing internal resources like we were in the office, but without access to be an RN or released super slow internet access in a lot of cases and you had to authenticate on your VPN to get access to internal resources.

Will Google said wait a minute. We’ve done authentication verification such a good level high enough up the stack that we’re not going to bother with this network level of security anymore. We’ve taken other ways to mitigate the risk and not really hit home for a lot of people that’s a major pain point the VPN access and rolled in over the last few years has been almost a decade people have been talking about these architectures.

I’m into what’s now called zero trust Orlean trust in the Gardner model. I am zero trust in the force or still point for massive Barry Fisher Francisco his point in his blog was a really good one is basically saying hey, these are basically the same kind of Concepts but lean trust is more accurate name because of the reality of it.

You can’t build a zero trust network is just Not going to work and I agree but I also disagree because I think you know, what is a parallel to the naming debate we’ve seen in the circle is community in the cloud people say when there’s tons of servers involved with serverless functions with serverless architecture is and yes there are but the point is the name evokes something in trigger something in a developer’s mine saying wait a minute.

I don’t have server resources to access. I am simply building a functionality and it’s being run by somebody else. I think the exact same argument applies here. I think zero trust is a far better name because it’s aspirational you need to set the target really high for trying to change people’s minds.

So if most people are sort of here on the timeline and you want to get them to hear start talking about way down here because people will try to aim for that and then probably meet halfway and that’s really where you want them to be. So, yes, we want to lean trust model, but by calling it a zero trust architecture or zero trust Network.

I’m going to get people to where we want to be because they’re going to shoot for the moon. They’re probably going to mass and they’re going to land in a more realistic more pragmatic spot with a ton of advantages. So I really like the name zero trust because I think it’s it’s evocative.

I think it’s aspirational. I’m and I think it’s where we need to be shooting for eventually. We’ll get there in the meantime lean. Trust is the reality. What do you think? Let me know. Hit me up online at Mark and ca for those of you in the in the comments down below as always for podcast listeners and everybody else by email me at Mark end.

CA. Hope you’re set up for a fantastic day. I look forward to talking about this model above zero trust architecture living in general with you and I hope you’re upset for a fantastic day. I will see you online and I will see you on the next show.