Security Experts:

The History and Evolution of Zero Trust

A History of Zero Trust

“The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning”

Zero trust network access (ZTNA) is an evolution of John Kindervag’s original work on a zero trust model.

Zero trust is the term coined by Forrester’s Kindervag in 2010. Around 2017, Gartner analysts were toying with a related but different idea: continuous adaptive risk and trust assessment (CARTA). CARTA was designed for the same purpose of Kindervag’s zero trust – to replace the implicit acceptance of trust built into the origins of the internet with a requirement for explicit proven trust. 

Steve Riley was one of the Gartner analysts working on this. It was around the time of the emergence of the ‘software defined perimeter’ from the Cloud Security Alliance (CSA) and Google’s BeyondCorp (originally created even earlier in 2009 in response to Operation Aurora). These had similarities with Gartner’s work on ‘continuous adaptive trust’ – with ‘zero’ just being the starting point.

By 2019, Riley was ready to write a Gartner market report on CARTA, but persuaded his colleagues that Zero Trust Network Access (ZTNA) would be a more easily recognized subject title. His market report of 2019 is the origin of what is now one of cybersecurity’s most widely used applications of Kindervag’s original concept of zero trust.

What is zero trust?

“The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning,” Riley told SecurityWeek

In 2017, Gartner had talked about a concept it called ‘continuous adaptive risk and trust assessment’. Riley adapted this concept to zero trust and coined the phrase zero trust network access (ZTNA) in 2019. In fairness and retrospect, Riley wishes he had used the term zero trust application access (ZTAA), but now thinks it is too late to change. The underlying network is almost incidental to the requirement for zero trust applied to accessing the individual applications running on the network – which is the real purpose of ZTNA.

The term zero trust is now a collective adjective. On its own it is meaningless without an accompanying noun or nominal phrase. The world has moved on from Kindervag’s admittedly revolutionary and valuable concept of trust nothing (perhaps itself born out of the security principle of least privilege): now it is ‘trust nothing in this arena without adequate and continuous authorization’.

Although zero trust could be applied to other areas – such as zero trust email access (ZTEA) or zero trust data access (ZTDA), that is perhaps something for the future. Here we are concentrating on ZTNA/ZTAA. In Riley’s definition it includes the idea of continuous adaptive risk and trust assessment as a usable compromise to provide the maximum possible security without impacting usability.

More specifically, we are looking at Netskope’s implementation of ZTNA, where Riley is now the field CTO.

The role of the trust broker

A key concept within ZTNA is the role of a trust broker. The trust broker, resident outside of the network, provides the right level of trust to an authenticated user to access a particular application. This approach has numerous purposes. 

First, it prevents all and any incoming communications from anyone other than an authenticated trustworthy user. The application tells the broker who can be authenticated for access to which applications. Without this external broker, says Riley, “Attackers could connect and never bother submitting an authentication sequence. They could just throw whatever they want at the service and see if they can make it misbehave in ways that are unpredictable, but advantageous to the attacker.” The broker changes the paradigm from ‘connect (to the network), then authenticate’ to ‘authenticate, then connect (to a single specified application)’.

The broker can check the health of the device, its geolocation, and other behavioral biometrics of the user. It generates a trust score. If the trust score is adequate for the specified application, the user is granted access via the broker.

This bit is critical – the user is allowed access only to the specified application. Any user who wants to access a different application needs to re-authenticate for that application, and the authentication requirements may be different. This prevents lateral movement within the network, whether by an employee or an attacker.

Can you even have true zero trust?

One of the difficulties in understanding the concept of zero trust is that everybody knows zero trust and usability are mutually exclusive. The only way to guarantee zero trust is the proverbial method of unplugging the computer, encasing it in six feet of lead lined concrete, and dropping it into a deep ocean. But this hinders usability.

Zero trust is the application of the least possible trust that still ensures a practical degree of usability. Increasing one side of that equation must be at a cost to the other.

In our current methodology, access is granted based on a trust score. Scores can in theory be manipulated – and all that would be required is sufficient manipulation to raise the result from just below ‘allow’ to just above ‘deny’.

A second potential weakness is the broker. If the broker is compromised, then attackers will be able to gain access to the applications of choice. This is a concern that Riley considered from the beginning of his work on the ZTNA concept while still at Gartner. His conclusion was that the broker remains the best option for external access. The alternatives would be to rely on a firewall between the network and the internet (and we know that doesn’t work), or to use a VPN. 

“A VPN is a thing that sits with one foot in the internet, and another foot in the corporate network,” said Riley. “Most VPN Concentrators lurk in a corner of the basement and never get updated. You can’t update it because everybody is continuously using it.”

The advantage of the trust broker route is that it is operated by a full-time professional security company with far greater cybersecurity skills than the average commercial customer. “But since you are relying on a third-party service to implement this, it’s really important to make sure that the service itself is one that demonstrates that it can be trusted,” he added.

Where is zero trust going?

Remember that zero trust is merely an adjective. Without the noun it describes it is meaningless. In this article we have looked at zero trust for application access, or ZTNA based on its application by the Gartner analyst who defined the subject in 2019. This is possibly the most important and urgent area for the zero trust concept.

But it is not the only potential area. Zero trust should potentially be applied to any area that currently suffers from access abuse.

Now, one of the current directions in cybersecurity is to increase granularity. A good example is the current movement towards ‘data centric security’. A primary purpose of all security is to protect corporate data – so the question is whether we should expect a future drive toward zero trust data access (ZTDA)?

The bare bones already exist. “Let’s use a database table in the sky as an example,” said Riley. “Instead of standing up a virtual machine in, say, Microsoft Azure, and running a database server there, you just use SQL Azure and provision that table in the sky as an URL. There are mechanisms where you could put access controls on individual fields, or rows or columns for the whole table.” 

Whatever granularity is required, the access controls could be part of a strategy intentionally devised to eliminate implicit trust everywhere and always require authentication and authorization for any form of access to any entity. 

“I like to keep this stuff abstract,” said Riley. “I want to eliminate implicit trust from every layer: from the network, from applications, from virtual machines and from the data objects. Instead, I want the situation where every interaction is mediated by something, and the level of confidence in that interaction is measured by the context and the signal surrounding.”

In short, he added, “I think, ultimately, zero trust is going to include zero trust data access.”

Related: White House Publishes Federal Zero Trust Strategy

Related: Koverse Launches Zero Trust Data Platform

Related: Zero Trust Firm Xage Security Adds $6 Million 'Top-up' to $30M Series B Funding

Related: A Deeper Dive Into Zero-Trust and Biden's Cybersecurity Executive Order

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.