The Zero-Trust Paradox

Updated: Jan 2, 2021

by Boris Taratine

"Paradoxes are very interesting. In fact, it's generally

the way forward when you simply do not have

anything else, ... but you have a set of concepts

and the set of concepts clash. And when the set

of concepts clash, then you may have something to learn."

Leonard Susskind, Inside Black Holes

Image Source: Taratine, B. (2019) Zero Trust Paradox, LinkedIn article (originally found on Google)

In 2019, I was challenged by my distinguished industry colleague to “take time to understand the Zero Trust principles first”. So I did and it has suddenly confused me even more! Am I the only one who is puzzled? Can we examine it together before we spend even more billions on a hype?

In 2010 Forester brought up an idea of Zero-Trust. It set out that “There is a simple philosophy at the core of Zero Trust [...] all network traffic is untrusted”. In 2011 it further clarified that zero-trust “takes the old model — ‘trust but verify’ — and inverts it”. And finally in 2018 Palo-Alto further reinforced that "Zero Trust, rooted in the principle of ‘never trust, always verify".

Image Source: Taratine, B. (2019) Zero Trust Paradox, LinkedIn article

The latter definition is what is used widely in the industry as the Zero-Trust principle. So did I to examine it. In the Zero-Trust model we, by definition, don’t trust anything until verified (or “never trust, always verify” to be precise). However, to verify we must accept as “trusted” an output (i.e. a claim) from the initially “untrusted” system/user that in the Zero-Trust model by definition shall not be trusted in the first place. But if we don’t trust the output - we can not determine the trustworthiness, and if we do - we break the root concept of the Zero-Trust per se.

Seems to me it is a paradox - an apparently plausible scenario that is logically impossible - i.e. something is deeply and fundamentally wrong with the Zero-Trust principle definition. Indeed, the only thing that is opposite to itself is nothing (i.e. zero: such thing can’t exist!).

Image Source: Taratine, B. (2019) Zero Trust Paradox, LinkedIn article (originally found on Google)

In practical terms for you, it means it is impossible in principle to build a security defense system based on the defined Zero-Trust principle, and if you built a defense system you can be absolutely certain it violated the Zero-Trust principle as defined. For your convenience here is a flow chart to evaluate security solutions against Zero-Trust principle (added on October 13, 2019 - that spawned a good discussion):

Image Source: Taratine, B. (2019) Zero Trust Paradox, LinkedIn article

Furthermore, despite all this, there still another fundamental problem to be solved first is waiting here to fulfill the hope: how remotely tell apart the legit user of a remote system and an adversary who remotely controls that system once compromised. In all Zero-Trust architectures, the system boundaries are assumed to lie with the user and its system at the edge (see picture above as a simplified representation or just Google for more examples). It is also assumed once those untrusted entities are verified to become trusted (unavoidably using some predefined model of trust - the fundamental difference between a tangible architecture vs the principle-paradox) all kinds of things then happen (micro-segmentation, logging, least privilege, you name it) that supposed to deliver the promise. However, I wonder, are those assumptions correct?

Psst... Where is the most common threat actor here? Here it is!

Image Source: Taratine, B. (2019) Zero Trust Paradox, LinkedIn article

So, how exactly do the so-called Zero-Trust architectures solve this real-life problem? - the question, that I asked my distinguished colleague before I was challenged to learn more about Zero-Trust principle - remains unanswered...

What does it do above and beyond the need to know, segregation of duties, least privilege, and AAA? Nothing!

Now, with hopefully shattered faith and definitely improved knowledge and understanding of the Zero-Trust principle and architecture and their flaws and limitations, we have quickly arrived at Square One - mind the gap when debarking the rollercoaster...

Before you go I would like to leave you with two questions:

  1. How has it become possible to declare as necessary (and spend money on) something that is impossible to achieve?

  2. What shall we do to start to examine and define the security problems and assumptions carefully and precisely so we do not need to spend billions before we realize it does not work (again)?

This article was originally published on LinkedIn on January 12, 2019

PS: On March 20, 2020, before re-publish it here in our blog, I read the article again and still see its relevance without introducing any changes. If anything, then I would like to reiterate to the reader: please, be curious and question more! There are so many problems that remain unsolved.

#zerotrust #zero_trust #cybersecurity #nist #cybercrime #cyberrisk #cyberthreats #datasecurity #cyberattack #hacking #risk #infosec #security #ransomware #phishing #dataprotection #informationsecurity