Zero-Trust Architecture

Chris Harding reports from The Open Group virtual event, 20 July 2020. First published on LinkedIn.

Many years ago, I went on a negotiation skills course. I learned that trust is a beautiful thing, but it has no place in a business deal. Now I learn that it has no place in enterprise architecture either.

Image by Szilárd Szabó from Pixabay

First described by John Kindervag in 2010, zero trust is emerging as the best approach to IT security today. Forrester, who Kindervag worked for in 2010, has blown the dust off its archived reports. Gartner talks about lean trust, but has lost that buzzword battle. NIST is working with other US bodies on a Zero-Trust special publication. Vendors and consultants everywhere are talking about zero trust.

The Open Group featured Zero Trust Architecture yesterday on the first day of its July 2020 virtual event. This is familiar ground for The Open Group. Back in 2010, they were running the Jericho Forum, whose name comes from the biblical story that the walls of Jericho came tumbling down at the sound of the attackers' trumpets. Its message was that "firewall" hard boundaries don't work for the large-scale distributed computing that was then appearing on the Internet. Today, Forrester talks of the inadequacy of the "moat and castle" strategy. The message has changed about as much as the metaphor. Don't trust anyone or anything to access your assets, whether they are outside or inside your enterprise.

The Scale of the Challenge

What has changed is the scale of the challenge. Nikhil Kumar, President of Applied Technology Solutions, made this clear at the start of yesterday's session. He is a thought leader on network security and a service-oriented approach to business technology, and his company translates the theory into actionable solutions. The Internet has become more orderly and less like the Wild West. It supports solutions based on API-driven Cloud and the Internet of Things. These factors enable a massive increase in scale and complexity. At the same time, rapid change means that little time is available for investigation and audit. A data-centric approach with policy-driven access control can meet the challenge. This is the basis of the zero-trust security paradigm, which gives the ability to grow and operate in an unprotected network.

Steve Whitlock was Chief Strategist for Boeing IT Information Security. He has a lifetime's experience of enterprise security architecture, at the highest level and on the largest scale, and was a key contributor to the Jericho Forum. Looking back, he sees that its work had some take-up but was not a complete success. Zero-trust, which is now developing as a more broad-based approach, may take off now that the drivers have intensified. Many vendors claim to support zero-trust architecture. The products are better than they used to be but, in Steve's view, are not yet quite good enough. Identity and access management solutions are further advanced than those for data protection. Enterprises and their business partners will buy different security products, so interoperability is crucial.

Security in The Open Group

Much of The Open Group's more recent security work has been on Open FAIR™, its Factor Analysis of Information Risk methodology. Chris Carlson, the author of How to Manage Cybersecurity Risk - A Security Leader’s Roadmap with Open FAIR™, presented a case study in which Open FAIR was used to demonstrate the return on investment for Zero-Trust Architecture. Security professionals always struggle to convince business decision-makers to take the measures needed to protect their companies, and ROI calculations are a powerful weapon.

The Open Group Security Forum is now developing a Zero-Trust Architecture white paper, as a starting point for standards and guidelines. Mark Simos, who is Lead Architect for the Microsoft Cybersecurity Solutions Group, described the fifteen core principles that are emerging from this work. They include (my "top two"):

  • Data-centric and application-centric must replace network-centric strategies, and address data in use, flight, and at rest, and reduce the threat surface by eliminating or reducing the data at risk and needing protection, and
  • Organizational governance frameworks must favor shifting security as close to the asset (data and/or systems) as possible.

Enterprise Architecture in the Digital Revolution

The session finished with some interesting discussion. The zero-trust approach fits well with agile architecture. It gives a framework for development of applications that are more secure in the face of uncertainty and change. It helps to address threats related to scale and complexity. It accords with the developer's perspective, and with devops. Fine-grained independent processing assets, such as microservices, with intelligent identity and access management, and distributed policy enforcement points, provide an excellent basis for a zero-trust architecture. We need identity management that works easily across different products and solutions to see the real power of zero-trust, and its ability to work at scale. Inconsistent regulatory regimes will be a drag on progress.

It is impossible to maintain a protected perimeter and trust everything inside it when information processing is truly distributed and deployed at scale. Some forward thinkers observed this back in 2003, and formed the Jericho Forum. The ideas have developed since then, with the term "zero trust" coined in 2010. Fine-grained access control applied to individual assets is the essence of Zero-Trust Architecture. Implementation has been patchy, but now we are gaining a better understanding of the problem, and seeing improved products on the market. 
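To make the contrast between the "moat and castle" perimeter and per-asset, policy-driven access control concrete, here is an added illustration (my own sketch, not code from The Open Group, the Security Forum white paper, or any of the speakers). It models a single policy enforcement point that judges every request against the policy of the individual data asset it names, taking identity, role, strong authentication and device posture as inputs and ignoring network location entirely, beside the perimeter rule that trusts anything with an inside address. All asset names, roles, addresses and policies are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

# Constructed "inside" network for the perimeter model (hypothetical range).
CORP_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    """One access request as seen by a policy enforcement point (hypothetical fields)."""
    subject: str                 # identity already authenticated upstream
    roles: Tuple[str, ...]       # roles bound to that identity
    mfa: bool                    # strong authentication completed?
    device_compliant: bool       # device posture attested as compliant?
    source_ip: str               # where the request came from
    asset: str                   # the individual data asset requested
    action: str                  # "read" or "write"


@dataclass(frozen=True)
class AssetPolicy:
    """Per-asset policy: who may do what, and what assurances each action needs."""
    classification: str
    allowed_roles: Dict[str, Tuple[str, ...]]  # action -> roles permitted
    require_mfa: bool = False
    require_compliant_device: bool = False


# Constructed policies for two hypothetical assets; anything not listed is denied.
POLICIES: Dict[str, AssetPolicy] = {
    "payroll-db": AssetPolicy(
        classification="confidential",
        allowed_roles={"read": ("payroll",), "write": ("payroll-admin",)},
        require_mfa=True,
        require_compliant_device=True,
    ),
    "public-brochure": AssetPolicy(
        classification="public",
        allowed_roles={"read": ("employee", "contractor", "payroll")},
    ),
}


def perimeter_decision(req: Request) -> bool:
    """Moat-and-castle model: anything inside the network is trusted, nothing else is."""
    return ip_address(req.source_ip) in CORP_NET


def zero_trust_decision(req: Request, policies: Dict[str, AssetPolicy]) -> Tuple[bool, str]:
    """Zero-trust model: every request is judged against the asset's own policy.

    Network location is deliberately not an input, and the default is deny."""
    policy = policies.get(req.asset)
    if policy is None:
        return False, "no policy registered for asset (default deny)"
    permitted = policy.allowed_roles.get(req.action, ())
    if not any(role in permitted for role in req.roles):
        return False, f"role not permitted to {req.action} {policy.classification} asset"
    if policy.require_mfa and not req.mfa:
        return False, "strong authentication required"
    if policy.require_compliant_device and not req.device_compliant:
        return False, "device posture not compliant"
    return True, "allowed"


# Constructed sample requests (documentation address ranges for the outside ones).
INSIDER_NO_ROLE = Request("guest", (), False, False, "10.1.2.3", "payroll-db", "read")
REMOTE_PAYROLL = Request("alice", ("employee", "payroll"), True, True, "203.0.113.7", "payroll-db", "read")
REMOTE_BAD_DEVICE = Request("alice", ("employee", "payroll"), True, False, "203.0.113.7", "payroll-db", "read")
ANYONE_PUBLIC = Request("bob", ("contractor",), False, False, "198.51.100.9", "public-brochure", "read")
UNKNOWN_ASSET = Request("alice", ("payroll",), True, True, "10.1.2.3", "hr-export", "read")


def compare(req: Request) -> Dict[str, object]:
    """Run both models on one request so the difference is visible side by side."""
    allowed, reason = zero_trust_decision(req, POLICIES)
    return {"perimeter": perimeter_decision(req), "zero_trust": allowed, "reason": reason}


if __name__ == "__main__":
    samples = [("insider, no role", INSIDER_NO_ROLE), ("remote payroll staff", REMOTE_PAYROLL),
               ("remote, unmanaged device", REMOTE_BAD_DEVICE), ("public asset", ANYONE_PUBLIC),
               ("asset with no policy", UNKNOWN_ASSET)]
    for label, request in samples:
        print(f"{label:28} {compare(request)}")
```

The two models disagree in exactly the ways the article describes: the perimeter rule lets an unprivileged insider read the confidential asset simply because of where the request comes from, and turns away a properly authenticated payroll employee working remotely, while the per-asset policy does the reverse and additionally refuses the same employee when the device posture check fails. In a real deployment each of those inputs (identity, roles, MFA state, device attestation) would come from the identity and access management products the speakers discussed, which is why interoperability between them matters so much.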

Enterprise architecture is changing as the digital revolution gathers pace, in response to the need for increased business agility, technical developments such as hybrid cloud and the IoT, and organizational developments such as devops. A coherent new approach is emerging. At its core are agile methods, data-centricity, and zero trust.