Zero Trust: The Magic Bullet or Devil’s Advocate?

Abstract

The concept of Zero trust was first introduced in mid 1990’s, and has gradually attracted increasing attention. This approach to building organizations’ information system infrastructures has been developed as response to increasing interaction and interconnection of information systems. Along with organizational boundaries have become less clear with the new business models where a business process exceeds the organizational boundaries, also the boundaries of information systems are no longer clear. In this interconnected world the purely perimeter-based security model defining zones of trusted entities inside the perimeter and the untrusted external world outside the perimeter no longer serves the needs of new business models. And the combination of complex technology and sophisticated attack methods it is no longer possible to be sure that all system components and actors inside the perimeter can be trusted. The Zero trust approach brings the sophisticated controls from the perimeter to the entire system. The core idea can be expressed with the four words “never trust, always verify”. No system component is by default trusted , and one-time verification is not sufficient – access to a resource must be verified at each connection attempt. Mutual authentication of the communicating parties is in the core of the approach. But does the zero trust approach have unwanted side-effects? The complexity of the system increases when new control layers are built, and system complexity can increase the possibility of configuration errors. Can there be other side-effects as well? The need for trust does not disappear even when the systems are built on the zero trust principles. When studying the zero trust approach the author started thinking what would happen in human interaction and organizational co-operation if they are based on or partly apply the zero trust approach. And the scenarios were quite gloomy. But is this only a nightmare or already at least partly present in our reality? This article describes the zero trust approach and its applicability to technical environments. The second part present scenarios of the impacts which application of zero trust principles could have – or maybe already has - in human communication and organizational relationships.