zero trust paradox

6. RE: zero trust paradox

Like

Posted Sep 11, 2022 10:20:00 AM
Edited by boris taratine Sep 29, 2022 12:51:15 AM

[empty, deleted double-post]

7. RE: zero trust paradox

Like

Posted Sep 11, 2022 10:20:00 AM

>>There is a 3rd option. Verify it and then trust it for the purpose it was verified. If the verification was successful for an activity and a limited time then trust it only for that activity and only for that time.

yes, as this is still a subset of 1st option, i.e., *declared* to be trusted based on "compliance" to a "pre-defined set of requirements".

nothing wrong with this - we should have been doing it for 40 years, apart it is still *declared* violating the defined principle.

and that is exactly my point: we do not need this "never trust always verify" principle to build resilient reliable dependable systems as this principle leads to unreconcilable flaws.

in the latest 800-160v2rev1 "trustworthiness" was defined as "to fulfill whatever critical requirements may be needed". that is, as per requirements engineering discipline, a predefined set of statements that are complete, consistent, correct, modifiable, ranked, traceable, unambiguous, verifiable (as defined back 1985 in dod mil-std-490a, specification practices, june 4, 1985), and "never trust always verify" principle does not satisfy these desirable characteristics for requirements specifications.

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

8. RE: zero trust paradox

Like

Jun Yu

Posted Sep 14, 2022 09:44:00 AM

I like this discussion as it hits the head of the nail: what a "Zero Trust" system, or architect, looks or functions like that it can fend off the attacks as we know. The answer so far seems to be: no one knows. In another words, none of existing system or architect provides the protection that "Zero Trust" is supposed to provide.

We, however, take a different approach to "Zero Trust", and cyber defense in general. Instead of relying on "verification", aka authentication, which we know is not reliable when under attack, we reduce the resources a user can obtain through each "verification". Here is excerpt from our white paper in a very simplified way.

"For companies and government agencies that are on the path to Zero Trust, data-centric management is the key to preventing data breaches that are profitable for intruders. How can data-centric management protect data in a way that network-centric approaches cannot? First of all, data are encrypted persistently and seamlessly in a data-centric management model. Secondly, every time a user needs to access data, s/he must be authenticated using dynamic data access policies and only then will the data be decrypted for the user to access.

Let's assume that the network has already been breached and a valid user credential is stolen by the attacker. The attacker wants to exfiltrate the files; in a network-centric Zero Trust environment, the attacker could use the stolen credential to make one request to access a device or cloud container and steal the 1000 files stored on it. The cloud data encryption would not stop the breach because the files were retrieved by an authenticated user.

On the other hand, with a data-centric solution in place, the attacker would have to use the stolen credential to make 1000 requests to access the encrypted data, one for each file. The access control process would detect the excessive number of requests from the user that would be a departure from the usual pattern, and an alert would simultaneously be issued while the user's access request is denied. In this case, only a tiny number of files could potentially be breached. Since the attacker doesn't know the content of each encrypted file before the request to access is granted, s/he cannot select the files to exfiltrate first, minimizing the chances of losing critical data. Implementing more advanced measures including classified data access control can further reduce or eliminate the chance of a data breach."

------------------------------
Jun Yu
CEO
APF Technologies LLC
------------------------------

9. RE: zero trust paradox

Like

Posted Sep 15, 2022 08:49:00 AM
Edited by boris taratine Sep 15, 2022 08:50:34 AM

how do you define "zerotrust"? unless you specify it upfront we can not validate what you say it "does" actually delivers the claimed properties.

i was more explicit there:
Zero-Trust (paradox) - part ii: reductio ad absurdum

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

10. RE: zero trust paradox

Like

Posted Sep 15, 2022 04:55:00 PM

Thanks for that concise account of why a data centric approach to cybersecurity is so effective.

I completely agree. I have noticed that some players have classified their data, not many have understood the need for field level encryption of data to boost security profile.

I would add that from a Zero Trust perspective, it is useful to risk evaluate network segments and connections so that encryption requirements match the data journey from store to user, be that an application, a device or a person.

This is good material for the Zero Trust Data Stream to which I presume you would be a contributor.

Best Regards

Nya

Nya Alison Murray

Trac-Car Technology

https://www.trac-car.com

UK +44 208133 9249

Australia +61 73040 1637

Switzerland +41 22548 1747

----------------------------------------

11. RE: zero trust paradox

Like

Posted Sep 16, 2022 01:02:00 AM

@Nya Murray
one statement in your reply caugh my attention:
>> I completely agree. I have noticed that some players have classified their data, not many have understood the need for field level encryption of data to boost security profile.

unless we are very specific about the attack this will protect against this statement is unverifiable. indeed, should i spoof your identity, the api you have access to will conveniently decrypt all fields of my interest.

also, saying "boost" implies we can measure relative strength of security that we cant.

looking forward to your detailed explanation.

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

12. RE: zero trust paradox

Like

Posted Sep 16, 2022 01:18:00 AM

I agree with this @Nya Murray

I would add that from a Zero Trust perspective, it is useful to risk evaluate network segments and connections so that encryption requirements match the data journey from store to user, be that an application, a device or a person.

Utilising a software-defined perimeter as part of zero trust networking is a fantastic way to immediately increase the security of a system. Specifically, if we are using authenticate and authorise-before-connect using a strong identity with outbound only tunnels at source and destination, we can ensure that external network (L3/4) cannot be done by untrusted participants (i.e., anyone on the internet). Internet/network scanning is either the #1 or #2 attack vector, and removing it is a big improvement.

------------------------------
Philip Griffiths
Head of Business Development
NetFoundry
------------------------------

13. RE: zero trust paradox

Like

Posted Sep 16, 2022 01:25:00 AM

Yes, interesting point-of-view, Boris. My professional opinion is that multifactor authentication with encrypted authn data, automated daily rotating identity token with log checks to prevent token interception is the way to go. I do not think behavioral profiling e.g. country and device is effective when spoofing both is relatively easy. And if very high security is required, then rotate tokens on demand, as often as required, e.g. every 10 minutes for critical situations. At least that is what my company's identity management has implemented as a standard capability. This is not perfect, but with additional network security from a VPN or other network security I think it is very hard to crack. Best Nya.

14. RE: zero trust paradox

Like

Posted Sep 16, 2022 02:39:00 AM

Hi all,

I normally keep very quiet in the background - as my organisation has a totally different view on ZT and the whole security topic in general. We are much more engaged in the "preventive-world" rather than wasting time in the "network detect response-world".

@Nya Murray - been a while since we've chatted - and I don't think it's a problem building a "defense model" like the one you describe - the problem is complexity, layered defense, high resource consumption, maintaining the ecosystem and it is neither cost nor security efficient.

The 'clue word' for me getting to the keyboard was "network security" with VPN - WHICH is NOT designed and NOT very practical for the IT world we have today and will see in the future. You are right in stating it is very hard to crack ... but it depends doesn't it, as you have so many other holes in the network security model - and all the investments made are pointless. You end up in a prioritization game rather than a risk game.

BUT ... you are on the right track with token rotation btw. - but why the 'log checks'?? ... if a solution is using never-reused encryption keys per session? then why the 10 minutes ... keys should expire immediately, you should have ephemeral connectivity (and a lot more) built-in transparently. The only job you should have is to define the security policy and enforcement points based on what is going on assessing user, environment, apps. resource, action attributes etc. But that's our way of thinking horizontal ZT if you like - even though @Zafehouze we are much more into "SDP w/ deperimeiterization security" :-) ... and created to match the business needs of today :-)

I've added a small snip by John K.
https://www.youtube.com/watch?v=5LuYQMKIzCc&t=15s

If you want to understand what approach we have - its this:

Cheers,
@Niels E. Anqvist / Team Zafeahouze

------------------------------
Niels E. Anqvist
CEO/President
ZAFEHOUZE USA / ZAFEHOUZE EMEA
------------------------------

15. RE: zero trust paradox

Like

Posted Sep 16, 2022 05:40:00 AM

@Nya Murray >> is the way to go
this sounds as necessary requirement and for that i like to refer you to this paper: https://www.pnas.org/doi/epdf/10.1073/pnas.1517797113

@Philip Griffiths >>Utilising a software-defined perimeter as part of zero trust networking is a fantastic way to immediately increase the security
for that we ought to have an understanding how to compare different levels and we do not - please, see the same paper above

@Niels E. Anqvist >> the quote from Fuller
exactly, and the problem with #ZeroTrust is that we do not analyse it sufficiently enough but blindly follow throwing technical terms and gadgets to the mix where we can not even consistently define what #ZeroTrust actually is...

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

16. RE: zero trust paradox

Like

Jun Yu

Posted Sep 19, 2022 01:34:00 PM

@Nya Murray

Thanks for understanding the significance of the data-centric model. I can see it is still not "main stream," even though it is the center point of the DoD Zero Trust Reference Architecture - probably because no one has ever seen a product, yet! It is coming, I promise. You will be interested to know how classification is being used to enforce real-time access policies.

@Niels E. Anqvist

Thanks for the quote from Fuller. We build a new model that works with existing models because we see how each one plays a different role that altogether improves the result. How? For an attacker to break current defense, it requires investment. The data-centric model makes sure that attacks will not get the return they expect. Higher investment and lower return is a proven economic model to drive anyone out of business. You see, the data-centric solution is quite far from the "network detect response-world," even though I believe they contributes equally to security as whole.

@boris taratine

Thanks for starting the conversation and insisting that Zero Trust is muddy concept which I couldn't agree with more. I am sure when folks at Forrest Research used the term in cybersecurity more than a decade ago, being catchy was more of a reason than being precise. However, as technologists, we interrupted it to the closest practical point as we possibly can. So we turn ZT into a mathematic function:

In essence, ZT is not literally "zero" trust, but the trust that approaches as close to zero as operationally possible. How close to 0 is implementation dependent, which separates the data-centric model from the rest.

That function is the foundation of our data-centric model: reduce the data accessed by each verification to as small of a piece as possible, so when the system reaches the decision that a breach is probably happening and stops the access, the data lost is to be kept at the smallest amount possible, so attackers are not able to get this investment back. We are now down to a single file for every authentication request, and we can detect and stop data loss with less than 100 files being breached. No one can stay in business by stealing less than 100 files with the investment of tens of thousands of dollars.

The data-centric model is independent and so is its decision-making process, user usage pattern creation included. It cannot be "tainted" when any other devices or processes are breached.

I am very interested to see if any known attacks could break this model. False positives are possible, but a remedy to that is as easy as unlocking accounts after too many failed password attempts.

------------------------------
Jun Yu
APF Technologies LLC
------------------------------

17. RE: zero trust paradox

Like

Posted Sep 19, 2022 04:14:00 PM

@Jun Yu I really like your mathematical limits equation :) The psychology of change is to dare to dream. Yes ZT is unattainable, however it is about the economics of crime and national security. And an important principle is to diminish the incentive for cyber criminals, identity fraud, data theft, insecure devices, suspicious application behaviors and network breaches.

I like the look of your technology. The first 11 years of my career were as a data scientist. My company, engaged in climate change software, developed an identity management capability, Verviam, to enable secure carbon trading.

I think its time for a hackathon. I would like to suggest a ZT proof-of-concept. Your technology AFP could test the data pillar of the ZT Foundation. I believe that @Philip Griffiths NetFoundry technology provides a new ZT network security approach. I can offer Verviam as a new ZT approach to Identity Management. I think that @Jason A. Garbis Appgate could provide application risk profiling, We could reach out for an innovator in secure device technology, I remember there were people who joined us in SDP Working Group with an excellent ZT approach to mobile security. The POC could be conducted as a practical example of the applied science of Zero Trust architecture, in parallel with the CSA development of the Zero Trust technology model.

I know that there will probably be lots of detractors, but I am risking peer group derision and censure because I think that a practical demo of one Zero Trust service deployed to the cloud, and an invitation to ethical hackers to access, decrypt and steal a data graph, would be a great learning experience for everyone.

There is a major cybersecurity problem , therefore I am proposing a creative innovative experiment to demonstrate that Zero Trust Architecture is a significant advance with many business benefits, not least of which would be making identity fraud and data theft harder, and audit trail analysis to expose successful attacks, evidence of where devices are being breached, and last but not least, expose network incursion and lateral movement.

------------------------------
Nya Murray
Director
Trac-Car
------------------------------

18. RE: zero trust paradox

Like

Posted Sep 20, 2022 02:09:00 AM

Neat idea @Nya Murray, I am game to discuss a ZT proof-of-concept. Its super easy as our tech is both opensource and we have freemium for the SaaS version.

------------------------------
Philip Griffiths
Head of Business Development
NetFoundry
------------------------------

19. RE: zero trust paradox

Like

Posted Sep 19, 2022 10:10:00 PM

| view attached

@Jun Yu ... we already have a data-centric solution called Zafepass ... and have had that for several years. It is the third generation of a patent we took out on the technology back in 2005. The first gen. was live in 2003, long before John K labeled the concept Zero-Trust.

@Zafehouze we have both partners and clients ... and anyone are welcome to purchase a Zafepass license of course.

@Nya Murray .. anyone are welcome to try compromize Zafepass ... some ICs tried, Zafepass is tried compromized hundred of times daily ... we actually have "license to hack Zafepass in our partner and reseller agreements" .... dare I say - none has succeeded yet, but as always we assume compromize at some point, so Zafepass has of course taken that into account as well. Sometimes obfuscation is the best defense.

Btw. both John K and Chase C have already seen Zafepass demonstrated ...

Cheers,

/Niels

------------------------------
Niels E. Anqvist
CEO/President
ZAFEHOUZE USA / ZAFEHOUZE EMEA
------------------------------

20. RE: zero trust paradox

Like

Posted Sep 20, 2022 02:20:00 AM
Edited by boris taratine Sep 20, 2022 02:47:01 AM

@Jun Yu

>>In essence [of the formula ], ZT is not literally "zero" trust, but the trust that approaches as close to zero as operationally possible. How close to 0 is implementation dependent, which separates the data-centric model from the rest.

it seems this model assumes the system would not have a "trusted" element, and as such, how would you "trust" the validation?

on contrary, there was nist sp800-27 "engineering principles for it security" that defined amazingly consistent set of security engineering principles. among them were three i like to bring attention to:

minimize the system elements to be trusted (i.e., minimize the amount of software and hardware expected to provide the most secure functions for the system),
do not implement unnecessary security mechanisms, and
assume that external systems are insecure (i.e., do not trust systems that are not under your control)

and this is a "better" set only because it is "consistent" - inconsistent set of requirements is unattainable.

>> I am very interested to see if any known attacks could break this model. False positives are possible, but a remedy to that is as easy as unlocking accounts after too many failed password attempts.

this is easy: spoofing. the problem of "How to remotely tell apart the legit user of a remote system and an adversary who remotely controls the system when this system is compromised?" is not yet solved. the very problem zerotrust claims to address...

@Nya Murray

>>There is a major cybersecurity problem , therefore I am proposing a creative innovative experiment to demonstrate that Zero Trust Architecture is a significant advance with many business benefits, not least of which would be making identity fraud and data theft harder, and audit trail analysis to expose successful attacks, evidence of where devices are being breached, and last but not least, expose network incursion and lateral movement.

the fundamental problem with this approach is that "we can not prove security positive" and as such, any relative measure, e.g., "significant" and "harder", are undefined - hence unmeasurable.

the audit trails are good, but this has nothing to do with zerotrust - those are 40yo requirements. however!!!, focusing on data analysis that we were not able to do in the past due to lack of computation power does seem to be a "better" approach only because it is offering something based on "evidence of observation" (as opposed to speculations and fallacies) and we have/could not done this before on the scale we can do it now.

@Niels E. Anqvist
@Philip Griffiths

to validate the strength of a solution or to do a proof-of-concept we need to understand the "concept" first to "validate", i.e., the problem it tries to solve and principles it was build upon to validate its claimed properties. and that should be first done at conceptual level - can you share some snippets?

also,
1, what tests do you keep in mind to conduct for validation, what results do you expect, and what wold constitute a failure?
2. most importantly, as "we can not prove security positive" we need to agree what conclusion we would make if the system will remain "unbroken"?

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

21. RE: zero trust paradox

Like

Jun Yu

Posted Sep 20, 2022 02:02:00 PM

@Nya Murray

I solute you for devoting your career to keep our planet green! A hackathon is a fine idea. Please feel free to drop me an email (jun [dot] yu at apftechnology[dot]com) so we can make it happen.

Identity management and the concept of "least privilege" is the first line of defense in the ZT architecture after the breach, and data-centric solution should be the next, with the assumption that a privileged identity has been stolen and is used to access the data. Our approach to the test is exactly what we have always said about data –centric solution: under the assumption that credentials have been stolen by the attacker, therefore in our demo

The credentials to access anything on the device, root and our service included, are provided, and we want to find out how many files one can access. How about that as a criteria to assess ZT?

Thanks to all of you for a lively discussion. I will open another thread to discuss data-centric solution in detail and how it will be used to build the data pillar in CISA's ZT maturity model to reach the optimal level: "encrypt all agency data" on any devices at any time.

------------------------------
Jun Yu
APF Technologies LLC
------------------------------

22. RE: zero trust paradox

Like

Posted Sep 21, 2022 06:34:00 AM
Edited by boris taratine Sep 21, 2022 06:38:58 AM

@Jun Yu >> I like this discussion as it hits the head of the nail: what a "Zero Trust" system, or architect, looks or functions like that it can fend off the attacks as we know. The answer so far seems to be: no one knows. In another words, none of existing system or architect provides the protection that "Zero Trust" is supposed to provide.

thank you, yet you continue:

>> We, however, take a different approach to "Zero Trust", and cyber defense in general. Instead of relying on "verification", aka authentication, which we know is not reliable when under attack, we reduce the resources a user can obtain through each "verification". Here is excerpt from our white paper in a very simplified way.

so my question is how is it possible to agree that "Zero Trust" is unattainable principle and at the same time to offer something calling this "Zero Trust"?

what about this: if we agreed Zero Trust" is unattainable principle we ought to abandon it, full stop.
and then we ought to find the way out of this paradox to progress formulating principles that are consistent, verifiable, and attainable - those that made it possible to put "man on the moon".

[added] so, instead of "zerotrust", whatever that is not, we will use "man on the moon" approach, that is rooted not in a paradox but formal verifiable methods.

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

28. RE: zero trust paradox

Like

Spencer Stephens

Posted Sep 21, 2022 10:16:00 AM

We must first have a common understanding of what trust means.

Mayer, Davis, and Schoorman (Mayer, R.C., Davis, J.H., Schoorman, F.D., 1995. An integrative model of organizational trust. Academy of Management Review 20 (3), 709–734) define trust as "the willingness of a party to be vulnerable to the actions of another party based on the expectation that the other party will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party". This is an excellent definition for our purposes because it hints at the consequences of trusting something that is not trustworthy.

There are two factors in creating a trust relationship.

Determining whether an entity can be trusted and you can therefore regard it as a trusted entity.
Determining where something claiming to be a trusted entity is indeed that entity and not an impostor.

The first one is outside of the scope of zero-trust. Everyone has their own criteria. The second one is core to zero-trust.

I don't see that "never trust, always verify" is a paradox. I see it as a (probably too) pithy way of stating a fundamental principle: never trust anything until you have verified it is the trusted entity it claims to be. Reducing that to four words is all well and good for getting attention drawn to ZT, but it's not part of the definition in that form..

------------------------------
Spencer Stephens
SVP
MovieLabs
------------------------------

29. RE: zero trust paradox

Like

Posted Sep 21, 2022 03:10:00 PM

@Spencer Stephens
>> 2. Determining where something claiming to be a trusted entity is indeed that entity and not an impostor.
The second one is core to zero-trust. I don't see that "never trust, always verify" is a paradox. I see it as a (probably too) pithy way of stating a fundamental principle: never trust anything until you have verified it is the trusted entity it claims to be. Reducing that to four words is all well and good for getting attention drawn to ZT, but it's not part of the definition in that form..

let's focus and examine your cited claim "Determining where something claiming to be a trusted entity is indeed that entity and not an impostor" in the frame of your elaborated principle "never trust anything until you have verified it is the trusted entity it claims to be"?

for that i will follow the same "reductio ad absurdum" methodology i used before and assume you are right. and then i ask "how exactly will you verify the last element of your system?", i.e., how will you will "verify" whether "entity is indeed that entity and not an impostor"?

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

30. RE: zero trust paradox

Like

Posted Sep 21, 2022 03:16:00 PM

@Jun Yu >>We do NOT trust! What we do is to take the risk by letting users onto the system and access the data so they can do their job. All the security measures are here to reduce that risk.

and this is at odds with ZT principle requirement. and this is what i continue wonder about: if a system does not satisfy ZT principle, can we continue call it this way?

>> In that sense, the measurement of "security" is the risk reduction which is something that can be assessed over the time.

can you elaborate how exactly do you measure it? in other words, assuming there is a scale from 1 to 10, how do you know where is 5 in one system and where is 6 in another?

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

31. RE: zero trust paradox

Like

Posted Sep 21, 2022 08:37:00 PM

So as not to go down too many worm holes :) Juanita Koilpillai, myself and other contributors spent a lot of time getting a contextual definition of Zero Trust as it applies to a Software Defined Perimeter security at layers 1-7 of the OSI network model. Probably worth quoting here, as that is the context we are all addressing. We felt this was a definition that we could collectively support, and that the wider community would endorse, and I quote

"Originally, Zero Trust Network (ZTN) concepts were developed by the US Department of Defense (DoD) in the early 2000s while defining Global Information Grid (GIG) Network Operations (NetOps) Black Core routing and addressing architecture, part of the DoD's Netcentric Service Strategy. Over time, this concept evolved within the DoD intelligence and security communities into the current ZTN/SDP framework and test lab. Around the same time, Forrester, a market research company that provides advice on technology began promoting ZTN as a worthwhile consideration for enterprise security teams. Today, Zero Trust has grown widely in adoption, as well as scope.

In the report entitled "Zero-Trust-eXtended-ZTX-Ecosystem," Forrester analysts observe that the changing nature of the network perimeter means that the historical context of Zero Trust architecture is transforming rapidly from "segmenting and securing the network across locations and hosting models." Forrester asserts that the current model, which supports the need to challenge and eliminate the inherent trust assumptions in current security strategies, suggests that a variety of new adaptive software-based approaches should also be considered. However, it does not identify a new direction for the "extended ecosystem framework."

Essentially, Zero Trust is a network security concept centered on the belief that organizations should not automatically trust anything inside or outside traditional perimeters and aims to defend enterprise assets. Implementing Zero Trust requires the verification of anything and everything that tries to connect to assets before granting access and the continued evaluation of sessions during the entire duration of the connection. This is illustrated in Figure 1 where the National Institute of Standards and Technology (NIST) describes using 'trust boundaries.'" CSA Report SDP and Zero Trust May 2020

------------------------------
Nya Murray
Director
Trac-Car
------------------------------

32. RE: zero trust paradox

Like

Posted Sep 22, 2022 01:36:00 AM

I can personally only speak from the perspective of Zero Trust Networking and how the open source technology I work for delivers it which ties up nicely to a software-defined perimeter.

We can implement zero trust network principles by utilising strong identity (e.g., x509) together with a process of bootstrapping trust to endpoints - e.g. 5 part blog - https://ziti.dev/blog/bootstrapping-trust-part-1-encryption-everywhere/. This allows us to create an overlay which explicitly requires authentication and authorisation of endpoints based on the bootstrapped strong identity before an endpoint can even participate in the overlay. Still, it has access to nothing as we use micro-segmentation and least privilege. Now we have an option as to how we implement this:

ZTNA: Zero Trust Network Access - We create outbound only connections at source and destination, meaning all inbound traffic can be denied. Based on this authentication and authorisation before connectivity, we have a strong software-defined perimeter against external network attacks (L3/4).
ZTHA: Zero Trust Host Access - We extend the private overlay into the hosts/OS which are running applications and workloads so that SDP and ZT move into the hosts of the resources, and we do not trust the local area network.
ZTAA: Zero Trust Application Access - We embed our apps with SDKs which means we also do not trust the host OS. The app does not even need to know the port / IP of the server it is going to run on.

These models ensure we reduce/remove trust in the underlying network, which runs on IP/TCP etc. While I will not put a number on each, you can see its a sliding scale of risk reduction as we trust less of the underlying network in its various components. To be clear, its not that we have zero trust in anything, clearly you have to trust the overlay network controller and its process for creating, managing and bootstrapping trust, but we can implement zero trust in the underlying network.

------------------------------
Philip Griffiths
Head of Business Development
NetFoundry
------------------------------

33. RE: zero trust paradox

Like

Posted Sep 22, 2022 09:24:00 AM

@Nya Murray
>>Zero Trust is a network security concept centered on the belief that organizations should not automatically trust anything inside or outside traditional perimeters and aims to defend enterprise assets. Implementing Zero Trust requires the verification of anything and everything that tries to connect to assets before granting access and the continued evaluation of sessions during the entire duration of the connection. This is illustrated in Figure 1 where the National Institute of Standards and Technology (NIST) describes using 'trust boundaries.

>>So as not to go down too many worm holes :)

agree, let's get strait to the point! :)
as i have shown already the highlighted *beleive* is an *unattainable* requirement - we are back to square one.

@Philip Griffiths
>>We can implement zero trust network principles by utilising...

this is what you say it does and once implemented it is in violation of the zerotrust principle.

once again, my dear colleagues, regardless how much we want to beleive in it we will always have this:

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

34. RE: zero trust paradox

Like

Posted Sep 22, 2022 09:31:00 AM

Of course, there will always be a component that has to be trusted. Trust is everywhere, just like in a society where I trust electricity will be delivered to my house so that I can write this message. Our approach with OpenZiti is that the system is open source; therefore, anyone can inspect/change the points of trust to their satisfaction.

I feel like the bigger point is that you do not like the term zero trust @boris taratine, but, let's be honest, we all know it's not achievable to have 'zero trust'. Zero trust is a name for a set of principles and architecture. It does not mean we have zero trust. In the same way, when I use the 'Cloud', I do not you my applications in the sky with little particles of water. Words have nuance and meaning, this is the wonder of language.

------------------------------
Philip Griffiths
Head of Business Development
NetFoundry
------------------------------

35. RE: zero trust paradox

Like

Mike Bronger

Posted Sep 22, 2022 02:11:00 PM

Referencing NIST SP 800-207 & NIST SP 1800-35 Preliminary Draft

As @Philip Griffiths mentions, Zero Trust is a set of architectural principles intended to remove trust from the "network" of an organization where implied trust is granted across or in segments of the corporate owned network after an authentication event usually by an individual user (human) or an application credential (non-human).

Zero trust dictates the "network" is considered not trusted as if it were like unto the open www internet, and the applications, services and data stores should never "inherently trust" a request merely because the user, device or application has been authenticated or has access to the primary network used to connect to the resource.

Zero trust is primarily intended to be focused on the Business to Enterprise (B2E) context to help organizations understand what needs to be done differently as they move their internal facing applications services to the public cloud. i.e. moving from an on-prem network composed of network zones of trust to a Public Cloud network where there are no network zones of trust. However zero trust principles can (and should) be leveraged within the other domains as well.

In a zero trust architecture All resources are required to use a combination of factors to authenticate any and all access requests "as close to the requested resource as feasible". Authentication becomes much more than just a basic user credential and leverages policy enforcement points which are required to authenticate requests using more modern technologies or methods such as multi-factor authentication and additionally, policy based enforcement to evaluate other parameters such as client device ID, device type, device posture and potentially other device and user attributes such as location, time of day and even behavioral bench marking meta data in the more advanced stages.

Zero trust is a journey not a destination. You can never get to 100% zero trust unless you turn the lights off and go home. But you can move the needle forward to make things more secure by assuming that all users, devices, and networks accessing your assets are not trustworthy and thus implementing security controls accordingly.

I hope you find this helpful.

-Mike

------------------------------
Mike Bronger
------------------------------

36. RE: zero trust paradox

Like

Posted Sep 23, 2022 02:10:00 AM
Edited by boris taratine Sep 23, 2022 03:50:02 AM

@Philip Griffiths many people interpret what i say saying something along your lines: "I feel like the bigger point is that you do not like the term zero trust, but, let's be honest, we all know it's not achievable to have 'zero trust'. Zero trust is a name for a set of principles and architecture. It does not mean we have zero trust...."

and my response is: "no, my concern is not about the "term" but what it "means". if zerotrust, according to you, is "a name for a set of principles and architecture" and the root principle is provably logically inconsistent (i.e., a paradox, an unattainable requirement), then no architecture can be build on such principle, and anything we were able to build will violate that principle. and therefore - i continue to wonder of a plausible reason for colling those system "zerotrust" if they do not satisfy zerotrust principle, in principle."

>>Of course, there will always be a component that has to be trusted.

and this is at odds with the "never trust always verify" zerotrust principle. more to it, this trust can not be verified by another trusted system, but only declared.

>>Our approach with OpenZiti is that the system is open source; therefore, anyone can inspect/change the points of trust to their satisfaction.

so, again, we "declare".
why this is important? because we claim a piece in $160B industry that we can not achieve - we use the hype to make money. and that is my concern - not the "term" we use. we can call it a "pancake" once we understand what that *is* and how to *demonstrate* our claims are *true*.

not that inspection of the code is bad - it may reveal some weaknesses, but let's not call it zerotust because it does not satisfy the principle (nothing can).

@Mike Bronger please, see my response just above.

also, just because we start solutioning right away - we only mud the water. if you strongly beleive i am wrong the best way to demonstrate it is to offer a method to verify that the system you just described satisfies the architectural principles you mentioned, among them is "never trust always verify".

would, please, following the requirements of the architecture (system development) discipline describe such method?

>> Zero trust is a journey not a destination.

if "zerotrust is a journey not a destination" it must be an activity between two points by definition https://dictionary.cambridge.org/dictionary/english/journey. claiming it is not a "destination" is a contradiction of terms. you see, natural language let us create all kind of statements but it does not mean all those make sense.

even moses wandering for 40 years in the desert had a destination - how long will we wander in the cyberdesert lead by self-proclaim moseses? :)

>>You can never get to 100% zero trust unless you turn the lights off and go home. But you can move the needle forward to make things more secure by assuming that all users, devices, and networks accessing your assets are not trustworthy and thus implementing security controls accordingly.

1. i never talk about 100% of anything - let's not be distracted. i talk about fundamental unattainability of the principle the industry claims is possible to build a physical system upon, indeed

2. i already demonstrated, that requirement "assuming that all users, devices, and networks accessing your assets are not trustworthy" is unattainable in principle because it is logically inconsistent - here, once again https://www.linkedin.com/pulse/zero-trust-paradox-reductio-ad-absurdum-boris-taratine/ (i touched there on nist definition of zerotrust and how that is inconsistent as well)

3. "more secure"? this implies you know how to measure security. would you share how do you do that? e.g., how do you know system A is more/less secure than system B?

to conclude, we need to describe:
1. a verification method (as so system engineering discipline demands) an arbitrary system/architecture being called "zerotrust" actually satisfies to "zerotrust principle" - so, the industry spends billions for gadgets built as claimed and to the specs
2. a method to compare security of two arbitrary system/architecture

so, let's focus?

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

37. RE: zero trust paradox

Like

Posted Sep 23, 2022 04:50:00 AM

Hi all .. great debate - great angles and viewpoints ... but of course seen through the glasses each wear :-)

I can't add much to the the current debate - as I generally see the security-paradigm through a non-industry pair of glasses. Back in the early 2K-days a few cyber-guardians patented and created a solution called EMCADS (Encrypted Multipurpose Content Application Distribution Service) - at least one of the worlds largest and extremely cash rich US organisation, use elements of this patent, even refers to it. Our US PTO approval came through around 2004 or so, and we weren't smart enough to label it with catchy words like 'SDP' / 'Zero-Trust' etc. :-)

Approximately around the same time as @Nya Murray describes DoD had some thoughts around this topic .. and NSA, NIST, CIS, ISO etc. etc. made what @Jun Yu describe as (quote) "a set of guiding principles for workflow, system design and operations that can be used to improve the security posture of any classification or sensitivity level" ... some organisations in the UK formed the Jericho Forum. Some of these guys we speak with on a regular basis, and share some thoughts around ... maybe because Zero-Trust is a snappy and catchy phrase it is misunderstood - even "experts" within the Cyber-sec industry has different versions. This is a problem we've raised with John K and Chase C - and "the demo forum" is not providing clarity in this matter (IMHO). Vendors are 'dumped' into 'recognizable' buckets - and not benefiting when their solution ISN'T using for instance x.509 - we don't trust any 3rd party provider of ANYTHING - so we ended up in the wrong categories ... WHICH doesn't help anyone. We suggested a classification - something like - if a vendor embrace Single Sign On as a ZT feature => Cat. 1 - and if a ZT vendors is implementing a 3rd security dependency => Cat. 2 ... and then there are extremely few that can meet the criteria for Cat. 5 (and maybe we don't either) - but a scale anyone can relate to - not all the fuzz and smoke'n'mirrors - the maturity of "who" as @boris taratine also points out many times.

A CSA member from the UK chapter - Mr. Paul Simmons was part of the Jericho Forum - who to my understanding, around the same time we created the first generation of Zafepass (then EMCADS) defined "deperimeterization security". Sorry to travel down this lane ... but it refers to perimeterless or borderless security, as the boundaries of an organization's information systems are removed, thereby connecting them directly to the outside world. This was our "guideline" back in 2004 ... today we assume everything is compromized / breached (a ZT fundamental element).

This is not the place nor time to get into how we do what we do and why ... but I'm normally stating this:

I agree with @Philip Griffiths - at some point something has to be trusted - thus agree with @boris taratine that zero-trust as a word is not ideal.

BUT ... we can argue from here to eternity. When the marketing team takes over they will tell us (and the world) that no one gets or grasp what we discuss here - except us. If we want to explain SDP or deperimeterization or ZT or even other security tech .... and introduce CEOs, CFOs, CISOs, Chairmans etc. to the reality and the variety of business benefits (cost slashed, higher security posture, easier management etc.) each vendor present ... and then adopt these concepts to an already complex security model - we are failing big time and don't understand that model HAS to become obsolete. We can't paint a better version of Mona-Lisa to a business-person - it ends up in the IT-cellar anyway (sorry for being a bit black'n'white) - and the IT.infrastructure dinosaurs who only knows about 'petrol-engines' (layer 3/4 security) - is looking at the 'electrified vehicle' operating on Layer 7 - and the response can be anything from "sure, lets take a look", to 'I don't get it" to "I really don't have time - I'm busy being busy fixing stuff that doesn't work in out network infrastructure security" ... to "I'm only speaking with large blue-chip IT organisations" to ...

What I'm getting ... is that once agree I fully agree with @boris taratine ... we end up at 'Sq1'.

... and it doesn't help with definitions like ZTNA, ZTHA, ZTX, ZTA or Authentic Zero-Trust or 'Zero-Trust that!!! ... it's NOT making it easier - and adding US gov orgs - NIST, DoD, NSA, CISA, OMB etc that also have their flavor of ZT and maturity models and what ever - DOESN'T make easier any easier.

Its a $200billion industry - derailing organisations slowly but securely, providing a security-eco-system that doesn't provide anything else than what I call "the Security-Frankenstack" - a bunch of solutions stitched together NOT under any control. A survey done by Check-Point - reveals that 82% of the Global CIOs don't think the current security solutions and efforts work.

So what's my point ... we have to change our way of thinking and discussing these things. I don't personally think the 'detection and response methodology' is the optimal way to go ... I'm much more in favor of preventing - preventing a cyber-criminal for being able to do any harm - and if (s)he is lucky or a genius - the system should have been designed to mitigate that as well.

Just take a SME with 25-250 employees - they don't have the resources, skills, experience, interest, motivation, manpower to handle security - so it is neglected. In Africa ... not even the larger organisations can afford the current security-model ... they avoid - but can we live with that, when there is tech out there that has capabilities and which is inexpensive - that offer many times more security at a much lower cost.

The current model is NOT sustainable - NO organisation should be forced to prioritize their security level - they should be secure by default. NO organisation should be forced to evaluate risk - and even if they spend $100,000 or $100 billion on security-points-solutions - they will still get compromised. Okay the more they spend the harder it most likely gets - but now we introduce another complex layer - how it is configured, what solutions to use etc.

THEY CAN'T AFFORD IT.

From my limited insight to what @Jun Yu is up to - at least he share some of the same thoughts we had back in 2002/2003. We have come a long way since then - and even discussing the definitions of ZT is a big push in the right direction. This discussion couldn't have taken place in 2010. The world is gradually adopting a now method ... and thats why we despite all the pros and cons - stand along side John K and Chase C and crusade for ZT.

It is better than what we had and a step in the right direction - call it ZT or deperimeterization or SDP or whatever.

Any organisation is welcome to reach out - just drop a mail at [email protected] - and we will provide the NDAs we always have in place before bluntly discussing the various aspects.

Many thanks for a great debate - I really find it interesting and insightful .. it both takes me back in time :-) as well as inspire new viewpoints.

It will be interesting to see where we are (the industry, the ZT or whatever) in 3-5 years time :-)

Cheers,
/NEA

------------------------------
Niels E. Anqvist
CEO/President
ZAFEHOUZE USA / ZAFEHOUZE EMEA
------------------------------

38. RE: zero trust paradox

Like

Posted Sep 23, 2022 05:21:00 AM

@Niels E. Anqvist the Security-Frankenstack!! Made my day!! It does appear that cybersecurity is so complex that sales people can sell any booga booga ware. Yes all, it is a great discussion, and excellent to hear all these different POVs. Just like the old days when everyone argued about everything with contrarian alacrity! So much more fun that following the correct line, and never deviating from the standard message.

OK, I am proposing a free and frank exchange of views, and I still think it is time for a practical approach. Why? Because financial systems are under great strain, Ethereum made a shift from proof-of-work (mining for producing blocks) to proof-of-stake (validating), meaning less stringency, another large password manager application has been breached, global pressures are ratcheting up as widespread famine takes hold in Africa, Indonesian coastal areas, with millions of residents, are going under water, and a global energy crisis is further stretching our reponse to climate change. Time to dust of the NDAs and talk to some lead thinkers. I'll include you in a meeting set up next week where we nominate our availability to discuss, Neils, if that is OK. Har det godt! Nya.

------------------------------
Nya Murray
Director
Trac-Car
------------------------------

39. RE: zero trust paradox

Like

Posted Sep 25, 2022 06:27:00 AM
Edited by boris taratine Sep 26, 2022 02:44:12 AM

this is the comment on the topic from founder member of the jericho forum and the institute for information security professionals (iisp) hinself: here

@Niels E. Anqvist >>agree with @boris taratine that zero-trust as a word is not ideal.

colleagues, i am not against the term, but against zerotrust current definition (regardless which one you currently use) and its principles (namely, the root principle "never trust always verify") that are unattainable (due to their logical inconsistencies) regardless how you *call* it.

in other words and repeating myself over and again,

whatever you built will *violate* given zerotrust definitions and principles, in principle. no matter how hard you try you can *not* build a system that would satisfy given zerotrust definitions and principles, in principle.

and this, to reconcile with the paradox, not only introduces complexity and false sense of security, but is waste of time, effort, and money being justified by the narrative fallacies instead of formal system engineering methods.

as an example: take your own definition @Niels E. Anqvist : "It's about enforcing holistic risk-based decisions/policies providing access to any resource, data and/or system(s) based on integrity and attributes of all the users, entities and components in a transaction chain" Niels E. Anqvist, CEO @ Zafehouze

*you* require enforcing things on "any resource" and "all components" and that implies no exceptions hence shall be applicable to your own system as well. so, please, demonstrate your system indeed satisfies your own claim?

we can talk forever about technical details to demonstrate our erudition - but what we need to focus is to demonstrate that all those clever things we talk about satisfy requirements we claim they should.

and they do not!
they never will because they cant, in principle. at least in the form we cherish them to be.

the only way out of this world of inconsistency (the "alice in wonderland" world) is to abandon the crusade (i.e., faith, beleive) based on unattainable requirements and redefine the term to ensure the set of requirements/principles is complete, consistent, correct, modifiable, ranked, traceable, unambiguous, verifiable (as defined back 1985 in dod mil-std-490a, specification practices, june 4, 1985)

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

40. RE: zero trust paradox

Like

Posted Sep 26, 2022 06:19:00 AM

... @boris taratine ... to be honest we hear daily "you can always poke a hole, find weak spots, social engineer, compromise - I can wave millions of dollars in front of a Zafehouze developer (sure if you know him/her) ... we also hear "what has been created by man can be compromised by man" ... yeah, yeah, yeah sure ... ANYONE please have a go - PLEASE - ANYONE are welcome, seriously.

We encourage our partners to try breach Zafepass ... after the obligatory NDA, it is in fact embedded into our partner contracts - they are urged to do WHATEVER IT TAKES! As Zafepass function differently than most other solutions you've seen - our rationals is:

A) It helps our partners understand the strength (and weaknesses) of Zafepass - and
B) provide us with good intel - and
C) despite us deep-diving into this area for +20 years, gone through 3 major / full rewrites of code - have 'acid-testet" Zafepass hundreds of times from more than a dozen organisations - and although Zafepass until now has holded up, WE KNOW someone someday will succeed - and then we're ready with an update in a blink of an eye.

The program is called "License to Breach Zafepass" and is operated by the Founder and Chief Technology & Platform Officer @Zafehouze..

@boris taratine >> you wrote >> you* require enforcing things on "any resource" and "all components" and that means it shall be applicable to your own system as well. so, please, demonstrate your system satisfies your own claim?

Here you assume you know how Zafepass is working ... you assumption is incorrect for the first part - the second I tough upon below.

What I can tell you - is that the last 12-14 months - around 30 organisations have fired missiles against Zafepass. A middle east secret service / security organisation - holds the current record. After 5 consecutive days with everything they needed (binary, installation guide, user documentation etc.) they stopped (gave up) - beginning to realize the effort.

I'm not saying you're wrong (you aren't in fact) - but the likelihood is theoretical and not practically possible - and we believe Zafepass is 'okay' for a while. Theoretically you and I can visit the nearest galaxy (as I normally say) - but it isn't really practically possible. Some day though it will be ... and then Zafepass is adjusted to meet new specifications in a new reality.

Anyone want a go on Zafepass - just reach out - send me an e-mail on [email protected] and I'll make sure we provide everything needed.

Kr,

------------------------------
Niels E. Anqvist
CEO/President
ZAFEHOUZE USA / ZAFEHOUZE EMEA
------------------------------

41. RE: zero trust paradox

Like

Posted Sep 26, 2022 06:28:00 AM

Agreed @Niels E. Anqvist!

You can do the same thing with OpenZiti as it's open source. No need for an NDA. We would love to get feedback if anyone finds issues so that we can fix and remove them.

Likewise, "@boris taratine >> you wrote >> you* require enforcing things on "any resource" and "all components" and that means it shall be applicable to your own system as well. so, please, demonstrate your system satisfies your own claim?"

We put the NetFoundry production systems behind OpenZiti so that we do not have inbound ports exposed to the internet. Here are some examples
- https://netfoundry.io/transparent-bastions/
- https://netfoundry.io/saltstack-meets-openziti/
- https://netfoundry.io/devops-meets-secops/
- https://netfoundry.io/this-is-the-way-invisible-jenkins/

------------------------------
Philip Griffiths
Head of Business Development
NetFoundry
------------------------------

42. RE: zero trust paradox

Like

Posted Sep 26, 2022 07:14:00 AM

Hi Philip ... many thanks for your insight and response.

I can't go into detail - and I certainly think NetFoundry is one of the players up there ... and you're presenting a great case. There are several proxy based solutions with or without rerouting of traffic, hosted routers etc. - and that we don't do. It could be you don't need NDA - and that's probably one of several elements we're different :-)

Just for the fun of it ... if we take @boris taratine viewpoint on ZT (and I fully agree with him on this), no one can be true to the suggested Zero-Trust manifest - then lets grade it for a second (again just for the fun of it) ... 100% ZT is not possible, then lets also set apart the definition of ZT fo ra second ... then lets set the ZT max to 90% - from there less ZT functionality is 80%, less is 70% etc. (not sure it's providing any value to the end-users at this point of time - but that's for another day) ... these series of defined steps help customers understand (maybe) - that if you reroute traffic like Zscaler and others .. if you offer SSO between the proxy and the user ... it has nothing to do with the "concept" of ZT) ... if you have SSO between the proxy and the resource - its another discussion .... etc. etc. - then it all make sense. Until then it is just a long range of vendors claiming ZT.

Zafehouze included ... and we need to figure out how we differentiate from this - because, I have to say - we do it a bit different from NetFoundry - but we share the same goal - we want to change the world.

Cheers,

------------------------------
Niels E. Anqvist
CEO/President
ZAFEHOUZE USA / ZAFEHOUZE EMEA
------------------------------

43. RE: zero trust paradox

Like

Posted Oct 02, 2022 04:47:00 AM

@Philip Griffiths >>We put the NetFoundry production systems behind OpenZiti so that we do not have inbound ports exposed to the internet.

no matter what you do and how - *any* physical system violates root zerotrust principle "never trust always verify", in principle. this is the same as no amount of efforts will let you exceed speed of light - it is *impossible*.

@Niels E. Anqvist >>then lets grade it for a second (again just for the fun of it) ... 100% ZT is not possible, then lets also set apart the definition of ZT for a second ... then lets set the ZT max to 90% - from there less ZT functionality is 80%,

to ad to the previous statement, if we can not achieve ZT in principle (as you agreed) && can not define what 100% is --> it is *impossible* to claim any proportion of it by any set of clever permutations.

gentlemen, it seem to me that what you as many others are trying to do here is to "sell" your respective gadgets and get the piece of https://journalofcyberpolicy.com/zero-trust-security-market-drivers-shaping-future-growth-revenue-usd-126-02-billion-by-2031-cagr-18-5/

what i am trying to do here is to make sure we are not being destructed by any specific self-proclaimed zerotrust solutions but re-define the way that is currently impossible to achieve in principle.

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

44. RE: zero trust paradox

Like

Posted Oct 02, 2022 05:32:00 AM

There is plenty of evidence that the speed of light is not a constant, has slight variability, and a major new theory of gravity has some convincing evidence for a variable speed of light, much faster at t=0 (starf of Universe, not a big bang) - John Moffat et al University of Toronto and Perimeter Institute of Theoretical Physics.

Zero Trust is only paradoxical within a limited frame of reference :)

Nya Alison Murray

Trac-Car Technology

https://www.trac-car.com

UK +44 208133 9249

Australia +61 73040 1637

Switzerland +41 22548 1747

----------------------------------------

45. RE: zero trust paradox

Like

Posted Oct 02, 2022 05:51:00 AM
Edited by boris taratine Oct 02, 2022 05:51:55 AM

@Nya Murray

>>There is plenty of evidence that the speed of light is not a constant, has slight variability, and a major new theory of gravity has some convincing evidence for a variable speed of light, much faster at t=0 (starf of Universe, not a big bang) - John Moffat et al University of Toronto and Perimeter Institute of Theoretical Physics.

we have scientists who also advocate for a flat earth or claim perpetuum mobile exitance.

>>Zero Trust is only paradoxical within a limited frame of reference :)

yes, you are right!
in the frame of logic - the same frame system engineering as a discipline is based on that requires the claimants to demonstrate the claimed requirements and principles are satisfied. in the frame of narrative fallacies - the alice's wonderland - everything is possible, including "the speed of light is not a constant".

==

once and over and over again - if you beleive i am wrong, you should be able to demonstrate that any system that is claimed to be #ZeroTrust satisfies its root principle "never trust always verify". to make the task easier, please, chose the system that you think would be easier for you to do so.

so far, we have two treads that consumed so much time and energy heating up the air (what would gretta say?), but noone, even you, was able to describe such methods.

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

46. RE: zero trust paradox

Like

Posted Oct 12, 2022 04:32:00 AM

friend and colleagues,

we have spent quite substantial amount time discussing all aspects of our believes in #ZeroTrust - this thread is all time record long!

there were tons of clever ideas and comments.

however, we, as engineers, have not yet produced a single method to describe how to demonstrate that the root #ZeroTrust principle "never trust always verify" can be satisfied or whether any chosen system we beleive and call as being #ZeroTrust is in compliance with it.

to me this state of affairs is very troublesome and concerning from several aspects:
1. some kind of denial to face the challenge and address the root of the problem;
2. inability to evidence improvement apart of having faith in it; that leads to
3. false sense of security at tremendous cost

it is sad to see this is the best conclusion we can achieve.

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

47. RE: zero trust paradox

Like

Posted Oct 12, 2022 05:05:00 AM

#1... amazing! Personally, I have a different conclusion Boris. You do not like the term 'zero trust' as you do not believe the principle "never trust, always verify" can be satisfied. That is fine, and it is your opinion. No one on this thread is saying that a system can be implemented that has absolute zero trust can be implemented, as there is always some trust, somewhere.

Personally, I am going to focus my time on working with the CSA Zero Trust and SDP groupings including creating a POV demonstrator which can help us to reduce our physical/digital attack surfaces.

I personally accept that 'Zero Trust' is a poorly constructed term but I do not have a time machine to go back 15 years and have a different phrase be used. Nor do I personally have enough power to influence the whole industry, including CSA, NIST and others, who are taking the poorly chosen term of zero trust and building principles around it which can be implemented and verified which helps us to decrease our attack surface.

------------------------------
Philip Griffiths
Head of Business Development
NetFoundry
------------------------------

48. RE: zero trust paradox

Like

Posted Oct 12, 2022 05:32:00 AM
Edited by boris taratine Oct 12, 2022 05:37:43 AM

@Philip Griffiths
>>#1... amazing! Personally, I have a different conclusion Boris. You do not like the term 'zero trust' as you do not believe the principle "never trust, always verify" can be satisfied.

i already explained at length previously on "liking", hence, strait to the point: let's indeed assume i am wrong and you are right?

in system engineering this is not the matter of "opinion" but the matter of verification that claimed requirements/principles have been satisfied.

therefore, describe a method to demonstrate NetFoundry #ZeroTrust solution satisfies "never trust, always verify" root principle of #ZeroTrust as proposed by its inventor John Kindervag.

this will clearly break the tie to the whole world.

speak soon!

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

49. RE: zero trust paradox

Like

Posted Oct 12, 2022 05:51:00 AM

Hey Boris,

We go in circles, but I will state it one last time. OpenZiti provides the ability to embed private networking inside application user space. This ensures all communication happens over a private overlay based on a strong identity and authenticate/authorise before connect. The application does not need to know IP addresses, ports, DNS, or have VPNs/firewalls etc set up. When communicating over the internet, you only need a few outbound ports. This means that their is no implicit trust in any network, internet/WAN, LAN or even host OS network. This helps us to massively shrink the implicit trust zone. All trust is between the application and the overlay via strong identity and processes for establishing trust - https://ziti.dev/blog/bootstrapping-trust-part-1-encryption-everywhere/. Ergo, we never trust the underlay network.

Regards

Philip

------------------------------
Philip Griffiths
Head of Business Development
NetFoundry
------------------------------

50. RE: zero trust paradox

Like

Posted Oct 12, 2022 07:00:00 AM

@Philip Griffiths

>>>We go in circles,

indeed, but it worth it to demonstrate that your solution (or any other to that matter) does not satisfy the root principle of #ZeroTrust as it is required.

>>> but I will state it one last time. OpenZiti provides the ability [...] we never trust the underlay network.

it is only part of the story and we have been doing this for 40 years already (least privilege, segregation of duty, etc.).

"never trust, always verify" root principle of #ZeroTrust requires the solution itself to be "verified" before being "trusted".

indeed, we, as consumers of your solution, shall not trust it either until we verify it on satisfaction to #ZeroTrust principle.

as such, the question remains: "how do you demonstrate NetFoundry #ZeroTrust solution satisfies "never trust, always verify" root principle of #ZeroTrust as proposed by its inventor John Kindervag?".

here are several examples what i am looking for and how it is being done by people skilled in the art:
- to verify a pencil is 140+/-2mm long a calibrated ruler will be used to measure the length, or
- to verify a piece of butter is 100+/-3g a calibrated scales will be used to measure the weight, or
- to verify a bulletproof vest will protect a human body and not be penetrated by a 7.62mm bullet from ak-47 from a distance not closer than 100m several shots at randomly chosen from the same batch samples put on a mannequin in such conditions will be made and the vests will be inspected whether the bullet passed through and the mannequin will be inspected on the presence of life incompatible damages.

as you can see all three verification methods took less than 5 lines of description, one line per method on average.

speak soon.

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

51. RE: zero trust paradox

Like

Posted Oct 12, 2022 07:19:00 AM

We may have been doing least privilege, segregation of duty, etc. for 40 years already but it is hard and there is an implicit trust in the network. Anyone can verify OpenZiti for themselves, please do not take my word for it, its open source - https://github.com/openziti.

- to verify OpenZiti does not trust the network, embed required SDKs into the application on client and server side and you can thus determine that while the applications can communicate, nothing else on the network underlay can communicate with them.

------------------------------
Philip Griffiths
Head of Business Development
NetFoundry
------------------------------

52. RE: zero trust paradox

Like

Posted Oct 12, 2022 12:44:00 PM

@Philip Griffiths

let's not deviate from the main question:

"how do you demonstrate NetFoundry #ZeroTrust solution itself satisfies "never trust, always verify" root principle of #ZeroTrust as proposed by its inventor John Kindervag?",

i.e., it is irrelevant whether your solution trusts the network or not, it matters whether we can trust your solution as so is required by the #ZeroTrust principle so we need a method to verify it.

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

53. RE: zero trust paradox

Like

Zied TURKI

Posted Oct 12, 2022 01:17:00 PM
Edited by Zied TURKI Oct 12, 2022 01:20:57 PM

Hi,

Thank you all for this interesting discussion.

I won’t re-explain what Zero Trust (ZT) is and what ZT is not. All our colleagues here have reminded it well.

On the other hand and in my opinion

ZT is not Black or White. It is not about 100% ZT or no ZT. There is a gray in between.
ZT is not about untrusting everything, but it is about building trust in an ever more complex and untrustworthy world.
"Never Trust, always verify" is a design principle that must considered by every security engineer / Architect in solutions architectures design. But this is not ZT definition and ZT cannot be reduced to this design principle.

Back to the paradox.

I understand your point of view and the paradox you've identified regarding the root principle "Never Trust, always verify". Otherwise, I believe that the principle is still valid but not wrong or paradoxical.

I agree that there is always a trusted element (as an example, the control plane of an SDP like architecture which is the policy decision making component) which is designed to verify every access.

Applying root principle here, trust must be established with this decision-making component which oversees verification; But you would ask me how?

1- Policy enforcement point should authenticate first this component using "strong" authentication protocol (but we need to trust the authentication protocol. Remember, it is not black or white)

2- Decision making component activity must be logged for further analysis (can be human or computer assisted analysis with AI or whatever…)

3 - + any other measure to establish trust

Long story short, in our frame reference, there is no paradox in this root principle ( 😉 Nya Murray)

54. RE: zero trust paradox

Like

Posted Oct 12, 2022 03:48:00 PM

It is really clear that we are talking about two different contexts.

Information technology is based on binary data, presently electronic devices based on integrated circuits. Electromagnetic energy operates in the context of relativistic gravity (holds true for the galaxy gravity and the theory of relativity).

Boris's examples are about physical material systems, with a simple solar system gravity context (operates within the context of Newton's Laws of Gravity) and do NOT hold true for relativistic electromagnetic fields.

Ergo Boris has not proved that Zero Trust is a paradox. I suggest we remain within the bounds of computer chip capability for relevance.

Best Regards

Nya Alison Murray

Trac-Car Technology

https://www.trac-car.com

UK +44 208133 9249

Australia +61 73040 1637

Switzerland +41 22548 1747

----------------------------------------

55. RE: zero trust paradox

Like

Posted Oct 14, 2022 05:36:00 AM
Edited by boris taratine Oct 14, 2022 06:14:14 AM

@Nya Murray

>>Information technology is based on binary data, presently electronic devices based on integrated circuits. Electromagnetic energy operates in the context of relativistic gravity (holds true for the galaxy gravity and the theory of relativity).

exactly!
and that is why the laws of logic apply but the logic is broken in the "never trust, always verify"

>>Ergo Boris has not proved that Zero Trust is a paradox. I suggest we remain within the bounds of computer chip capability for relevance.

exactly!
but you seems to contradict yourself: we shall remain in the domain of logic and for that to make the conclusion you shared one need to point at the logical flaws in the proof https://www.linkedin.com/pulse/zero-trust-paradox-reductio-ad-absurdum-boris-taratine/ - until then your statement is an opinion that is at odds with your own call.

@Zied TURKI

>> ZT is not about untrusting everything, but it is about building trust in an ever more complex and untrustworthy world.

exactly!
but your statement is at odds with "never trust, always verify" as define by John Kindervag. kindly, tell me what do i miss here?

>> "Never Trust, always verify" is a design principle that must considered by every security engineer / Architect in solutions architectures design. But this is not ZT definition and ZT cannot be reduced to this design principle.

exactly!
and first and utmost that means, as per System Engineering discipline, we are required to verify the solution we designed and built actually satisfies requirements and principles we declared being used, and was designed and built upon.

indeed, let's take your "proof" point 1: >>1- Policy enforcement point should authenticate first this component using "strong" authentication protocol (but we need to trust the authentication protocol. Remember, it is not black or white)

not only! according to zerotrust principle, we shall not trust the "Policy enforcement point" itself in the first place and must verify it as per principle we use to design and build the system. do not you see that this require circular logic and that is a fallacy? as you can see, your proof can not even go beyond its first step IF you consistently follow the principle you so cherish.

@Nya Murray - btw, this is the logic you call for. so, back to square 1:

describe a method to demonstrate a randomly chosen #ZeroTrustsolution itself satisfies the "never trust, always verify" root#ZeroTrust principle as defined by its inventor John Kindervag?

this will prove me wrong and will invalidate my proof that zerotust principle as currently defined is a paradox, i.e., unattainable requirement in principle.

or, better, accept that "never trust, always verify" principle is unattainable, abandon it, and get back to the formal methods that spot these fallacies as a bi-product.

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

56. RE: zero trust paradox

Like

Posted Oct 15, 2022 03:35:00 PM
Edited by boris taratine Oct 15, 2022 03:36:47 PM

here, to enhance our understanding what a paradox is:
https://www.youtube.com/watch?v=0x9AgZASQ4k
https://www.youtube.com/watch?v=qd-tKr0LJTM

even after we watch this we tend to continue beleive what our intuition tells us, but whatever it tells us - it can not break the laws of science: physics and mathematics reign over narrative fallacies

------------------------------
boris taratine
partner / chief architect
ecsa
------------------------------

57. RE: zero trust paradox

Like

Posted Oct 17, 2022 08:06:00 AM

This conversation reminds me of Don Quixote and windmills.

You are taking this too literally, Boris. When Jon coined the term "Never trust, always verify", he recognised (as you do) that trust is a vulnerability, and security must be designed with this strategy in mind. This all needs to be taken into context, that we want to increase security and reduce risk - not have absolute security and 0 risk. All systems have points of trust within the control plane, this is and always will be mandatory. By using them, we can explicitly increase security and reduce risk. This is a big improvement from the approaches which were common before Jon's coining (and sometimes still used), where certain zones were implicitly trusted (i.e., the old chewy centre of on-prem networks).

To term this another way (when using OpenZiti at least), "Never trust (the underlying network), always verify (using strong cryptography and authenticate/authorise before connect).

This is well surmised in the NIST key tenents 800-207 Zero Trust Architecture.

Enhanced identity governance.
Policy-based access controls.
All connectivity is micro-segmented.
Implementing software-defined perimeters and supporting hardware root of trust.

Once again, your desire to take things literally is forcing you to throw the baby out with the bath water. I will use the analogy again, we are moving things to the 'cloud' but this does not mean we are sending them into the sky as little tiny water droplets. We shouldn't take everything literally.

And if the term 'Zero Trust' still annoys you, just roll your eyes like Liz Lemon.

------------------------------
Philip Griffiths
Head of Business Development
NetFoundry
------------------------------

58. RE: zero trust paradox

Like

Posted Oct 22, 2022 05:07:00 AM
Edited by boris taratine Oct 25, 2022 02:18:40 AM

| view attached

@Philip Griffiths

>> To term this another way (when using OpenZiti at least), "Never trust (the underlying network), always verify (using strong cryptography and authenticate/authorise before connect).

and this is at odds with what john coined in the term "never trust, always verify" and this is the problem! you claim your solution is #ZeroTrust based on something you made up on fly and that is at odds with the gospel.

>> This is well surmised in the NIST key tenents 800-207 Zero Trust Architecture.

Enhanced identity governance.
Policy-based access controls.
All connectivity is micro-segmented.
Implementing software-defined perimeters and supporting hardware root of trust.

i have no problems with this tenets other than pointing out they are at odds with the root principle of #ZeroTrust "never trust, always verify" and that they offer nothing fundamentally new eventually leading to the same results once adversary adapts.

>>Once again, your desire to take things literally is forcing you to throw the baby out with the bath water.

no, categorically no.

this is a trick used to conveniently divert the audience from describing a method to demonstrate the promoted by the speaker #ZeroTrust solution itself satisfies the "never trust, always verify" root #ZeroTrust principle as defined by its inventor John Kindervag and as required by system engineering discipline.

>> I will use the analogy again, we are moving things to the 'cloud' but this does not mean we are sending them into the sky as little tiny water droplets. We shouldn't take everything literally.

as #cloud is well defined term and there is no need for analogy - better unambiguously define #ZeroTrust and describe the method to demonstrate your solution satisfied the root #ZeroTrust principle or admit your solution violates it and therefore can not be called #ZeroTrust.

for example, if boeing sells an aircraft claiming certain characteristics on paper and flashy booklets, they then demonstrate those at airshows so everyone can see and measure. same here - we claim what we offer is "zerotrust", hence shall satisfy its rood principle - show us your claims are true. cant understand the reason it took almost 60 posts over many weeks in this thread and we are still far from the results.

>>And if the term 'Zero Trust' still annoys you, just roll your eyes like Liz Lemon.

not #ZeroTrustannoys me but the inability of industry to face the reality and go back to the whiteboard in the perspectives of cutting $160B #ZeroTrust pie.

>>This conversation reminds me of Don Quixote and windmills.

i think he can be embraced for doing what he believed in. i am prepared to be misunderstood for long time.

ps: i attached a presentation where we highlighted fundamental problems yet to be resolved - whatever you call #ZeroTrust does not solve a single one

------------------------------
boris taratine
helping the internet become the safest digital place in the world
------------------------------

Attachment(s)

12 Fundamental Cybersecurity Problems - NCSC - ACE CSR Wi...pdf 9.50 MB 1 version

59. RE: zero trust paradox

Like

Posted Nov 18, 2022 09:36:00 AM

zero mention of #ZeroTrust - what an achievement!!

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v1r1.pdf

------------------------------
boris taratine
helping the internet become the safest digital place in the world
------------------------------

60. RE: zero trust paradox

Like

Posted Nov 24, 2022 07:34:00 AM
Edited by boris taratine Nov 24, 2022 07:34:58 AM

https://www.thesasig.com/calendar/event/22-12-02-risk/

come and challenge me!

Friday 2 December 2022, 11am-12noon (GMT)

Everyone talks about the Zero Trust principle: 'never trust, always verify'. But have you ever analysed what it means? Not what it does or is supposed to do, but the actual meaning of it.

As a root principle, everything you build should satisfy it – that is what the engineering discipline requires us to do.

How would you demonstrate that the system you spent several million on actually satisfies the critical requirements of Zero Trust?

In this webinar, join the discussion (whichever side you are on) as our speaker, Boris, proposes:

The Zero Trust principle is a provable paradox.
It is impossible to build a physical system that would satisfy the Zero Trust principle.
Any physical system violates the Zero Trust principle.
Zero Trust does not address the fundamental problem of spoofing anyway.

Do you agree with the statements above? Share your thoughts and join what will doubtless be a lively discussion on the efficacy and achievability of Zero Trust.

If you are a member of ISACA, ICA or The Security Institute, you can earn CPE/CPD points for attending our webinars live. Remember to log your attendance with your provider to be credited.

Guest chaired by

Glen Hymers (info), Head of Data Privacy and Compliance, Cabinet Office

Presented by

Boris Taratine (info), Head of Competencies and Skills, UK Cyber 9/12 Strategy Challenge

------------------------------
boris taratine
helping the internet become the safest digital place in the world
------------------------------

61. RE: zero trust paradox

Like

Posted Dec 07, 2022 06:44:00 AM

webinar recordings for the audience https://www.thesasig.com/calendar/event/22-12-02-risk/
nb: also available on vimeo

------------------------------
boris taratine
helping the internet become the safest digital place in the world
------------------------------

62. RE: zero trust paradox

Like

Posted Mar 23, 2023 11:41:00 AM
Edited by Jeremy Rennicks Mar 24, 2023 04:13:11 AM

63. RE: zero trust paradox

Like

Posted Mar 23, 2023 11:43:00 AM
Edited by Jeremy Rennicks Mar 24, 2023 04:12:47 AM

64. RE: zero trust paradox

Like

Posted Mar 23, 2023 11:48:00 AM

I believe this paradox is based on a flawed understanding of the Zero-Trust Model; the actual model as proposed by Forrester can be defined like this:

Zero Trust is a cybersecurity model that assumes that all users, devices, and network traffic are untrusted and must be verified before being granted access to resources. This model requires strict access controls, continuous monitoring and logging, and the use of multifactor authentication, encryption, and other security measures to ensure that only authorized users and devices are allowed to access resources. Zero Trust moves away from the traditional perimeter-based security model and instead focuses on securing data and resources wherever they are located, whether on-premises or in the cloud.

This is articulated well in Forrester's 2010 paper cited by you in your original post; there Forrester discusses the three pillars Zero Trust is built on:

1. Ensure that all resources are accessed securely regardless of location.

2. Adopt a least privilege strategy and strictly enforce access control.

3. Inspect and log all traffic.

The Russian proverb "Dovorey no provorey" (Trust, but verify) was mentioned in the 2010 paper to articulate that we Cybersecurity practitioners often assert that we do that but often times do not.

As a practical implementation, a specific system may not support the ability to enforce strong RBAC but a network based solution could be put in front of it to enforce access policy. Microsoft has a lot of documentation on how Zero Trust can be achieved in their environment (Link here). Through their model, you validate the user and their device before applying policies and assessing risk. As the user attempts to access a resource logging and additional security controls are applied.

Wayback machine links for the original material:

Original Post: The Zero-Trust Paradox (archive.org)

2010 Gartner Paper: Wayback Machine (archive.org)

------------------------------
Regards,
Jeremy
------------------------------

65. RE: zero trust paradox

Like

Posted Mar 24, 2023 03:15:00 AM
Edited by boris taratine Mar 24, 2023 03:16:41 AM

>> I believe this paradox is based on a flawed understanding of the Zero-Trust Model

actually not. it seems as if, the same as many others, you confuse several things in your response:

"principle" vs "solution"
"trust by verify" vs "never trust always verify"

to resolve the first i would recommend to review what system architecture is, and to resolve the second i provided detailed explanation here: https://www.thesasig.com/calendar/event/22-12-02-risk/

speak soon!

------------------------------
boris taratine
helping the internet become the safest digital place in the world
------------------------------