How well-meaning but inexpert attempts to implement the next big thing in security can leave you worse off than you started.
You'll be forgiven for not knowing about Zero Security. I made it up to describe a client's failed attempt to implement Zero Trust networking. As I worked to fix some truly broken security I started to realize that they'd missed an important part of zero trust. I'm here to tell you about the piece they missed and how it put them in the Zero Security camp.
Zero Security, as I'm defining it here, implements the first part of Zero Trust:
1) Eliminating the trusted network
but fails to follow through on the next part:
2) Pushing the trust to the machine and user
Anyone who understands security will see where this is going and will rightly guess that it's going to a bad place. But let's not get ahead of ourselves.
Let me begin by defining Zero Trust:
Zero Trust Security was invented by some very smart people to solve a specific problem. We used to rely heavily on the idea of the "trusted network". The inventors of zero trust security decided that there were too many ways to abuse that trust, so they decided to do away with it. To gain back the trust we lose by doing away with the trusted network, they pushed verification to the machine, and ultimately to a trusted user. I first saw Zero Trust Security at Google maybe fifteen years ago. We went from having the trusted "eng" VLAN to a more secure mode where eng workstations had some machine-level identifier that granted them access to secure resources (in this case it was a security certificate pushed by the MDM). That second part is the key! Had we simply smashed the eng VLAN and allowed connections to secure resources from any VLAN, or anywhere in the world, we'd have achieved Zero Security instead of Zero Trust.
Zero Trust gets us INCREASED security because it no longer implicitly trusts the network. A "zero trust" rollout that drops the trusted network but DOES NOT replace it by pushing trust to the machine and ultimately the user gives us Zero Security.
But let's back up. Why did we trust the network to begin with? Because we trusted our physical security (doors, locks, physical security staff) as well as our IT staff. We had confidence that every machine on that network was properly configured, secured and owned by us.
Why did we decide to stop trusting the network? Not because those things are not valuable. They are, in fact, essential. We did away with the trusted network because it is too easy to overcome physical security. Imagine an attacker plugs a malicious machine into an exposed ethernet jack. Now count your ethernet jacks. Whew. Big job securing all those. What if you want your external security cameras to have ethernet? What if an attacker simply unplugs an external security camera and uses the jack to attack the network?
There are all kinds of examples where trusted networks fail. Imagine you have a network port in a conference room. A candidate comes in to interview for your red team, plugs into the jack to present to the display in the room and in the background scans your whole corp network. Imagine an ethernet port at an unattended workstation in the lobby. The computer is protected but the port is not. Imagine any number of vendor machines like climate control or controls for a fish tank. (There was actually a hack where attackers broke into a casino via the fish tank.)
So what did we do? We did away with the trusted network and only trusted specific machines that were configured for trusted access. Furthermore we put those machines in the hands of trusted people and we authenticated both person and machine.
To make this happen:
Every trusted machine needs to be in the hands of a trusted individual and provisioned with an MDM so it conforms to security requirements. We need to push reasonable security configs (like full disk encryption, screen lock, automatic security updates, anti-malware, intrusion detection systems etc.), so that a machine can't be operated by a non-approved party, and data can't be extracted by an attacker who gains physical access through theft or deception.
Ultimately we're doing the same thing we used to do: only trusted machines and the trusted individuals behind the keyboard can get access to our secure services. With zero trust we get all the trust we used to get from a trusted network and then some.
What could possibly go wrong?
Imagine you do away with a trusted network, but forget (or fail to implement) step 2. Without the trusted network any machine in the world can auth. That means a breach of any admin's password is catastrophic. It means that malware on any admin's machine can compromise private keys, and even if the compromise of the admin's machine is only temporary, attackers can come back at their leisure, pretending to be an admin from any computer in the world.
I call that Zero Security, the evil twin of Zero Trust.
Zero Trust is a step forward
Zero Security is two steps backward
Why would anyone want Zero Security?
You don't. The only way anyone ever gets there is by mistake.
Surely nobody makes that mistake?
I assure you, at least one company I've worked with made that mistake, and every company I've worked with could accidentally make some variation of that mistake because Zero Trust is devilishly difficult.
Things that turn an attempt at Zero Trust into Zero Security:
Failure to use ephemeral credentials. I saw a client pushing the architect's pubkeys to their nodes: nodes which had ssh auth hanging in the breeze (and no mechanism for automatic security updates, so a zero day in sshd pwns all the things). Keys hadn't been rotated in over 900 days (god help you if your architect quits or, in this case, was toxic and needed to be fired) and keys had been shared over non-secure channels. Had they been rotated after being shared over non-secure channels? Nope, there didn't really exist a viable method for doing that.
Bro, that's not Zero Trust. That's Zero Security.
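As an added example (not code from the post or from the client described), here is a small audit that checks an authorized_keys file against a key inventory for exactly the symptoms above: keys that carry no expiry (so they are not ephemeral), keys past a rotation limit, and one key pushed to many hosts. The inventory format, the rotation limit and the audit date are assumptions; the key lines are constructed placeholders.

```python
# Added example, not from the post: audit an authorized_keys file against a key inventory
# and flag the symptoms described above: keys with no expiry-time (not ephemeral), keys
# past a rotation limit, and one key pushed to many hosts. All data here is constructed.
import re
from datetime import datetime

ROTATION_LIMIT_DAYS = 90  # assumed policy; the post's client was past 900 days
NOW = datetime(2024, 1, 1)  # constructed audit date
# Constructed inventory: key comment -> (date issued, hosts the key was pushed to)
KEY_INVENTORY = {
    "architect@corp": (datetime(2021, 1, 4), ["node-01", "node-02", "node-03", "node-04"]),
    "ops-bot@ci": (datetime(2023, 11, 20), ["node-01"]),
}
# Constructed authorized_keys content; key material is a placeholder, not a real key.
# expiry-time="YYYYMMDDHHMM" is a real OpenSSH authorized_keys option that makes a key lapse.
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY01 architect@corp
expiry-time="202401312359" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY02 ops-bot@ci
"""

def parse_line(line):
    # An entry is "[options] keytype base64 [comment]"; no options if it starts with a key type.
    parts = line.split()
    if parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        return "", parts[2] if len(parts) > 2 else ""
    return parts[0], parts[3] if len(parts) > 3 else ""

def parse_expiry(options):
    # The expiry-time option as a datetime, or None when the key never lapses on its own.
    m = re.search(r'expiry-time="(\d{8})(\d{4})?', options)
    return datetime.strptime(m.group(1) + (m.group(2) or "0000"), "%Y%m%d%H%M") if m else None

def audit_keys(text, inventory, now=NOW, limit_days=ROTATION_LIMIT_DAYS):
    # Returns findings as strings; an empty list means every key is ephemeral and fresh.
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        options, comment = parse_line(line)
        expiry = parse_expiry(options)
        if expiry is None:
            findings.append(f"{comment}: no expiry-time, key lives until someone removes it")
        elif expiry <= now:
            findings.append(f"{comment}: expired {expiry:%Y-%m-%d} but still authorized")
        issued, hosts = inventory.get(comment, (None, []))
        if issued is None:
            findings.append(f"{comment}: not in inventory, provenance unknown")
        elif (now - issued).days > limit_days:
            findings.append(f"{comment}: {(now - issued).days} days old, past the {limit_days}-day limit")
        if len(hosts) > 1:
            findings.append(f"{comment}: same key on {len(hosts)} hosts, one compromise opens all")
    return findings
```

Run against the constructed data, the architect's key produces three findings and the short-lived bot key none.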
How did they get there?
I suspect it's because the people in charge weren't entirely clear on what exactly Zero Trust is and why we're reaching for it. If we don't know precisely why we're doing what we're doing (or if we don't have the time or authority to follow through) it's possible to fall into a deep dark hole.
What would have turned it into Zero Trust? Every trusted machine gets a secure network overlay and a security cert and only those boxes can even see the administrative nodes. This is hard but entirely possible. Ephemeral admin credentials get pushed once the person behind the keyboard is positively identified with an IDP. That would have moved our Zero Security scenario to one of Zero Trust.
What happens if someone owns an admin box? They get ephemeral credentials which can't be refreshed.
But Zero Trust is not a panacea. By doing away with our physical security we change our risk profile: anyone who gets onto the computer has effectively broken into a trusted place, and we no longer control the physical security of the machine.
We now need a short screen lock and biometric controls so that only the trusted individual can use the trusted machine. Imagine an admin takes your trusted machine to Starbucks and steps away from their machine (the number of unlocked machines I see at coffee shops just kills me). Oops, now a non-trusted individual can sit down and pwn the box. It literally takes seconds for a seasoned hacker to drop a reverse shell on a machine in your infrastructure and step away (I was about to say thirty seconds, but if I do someone will correct me with a shorter record). Zero Trust needs to recognize this threat vector and solve for it. We need to push the trust not to the computer but all the way to the person. Ultimately there's no replacement for training. We simply have to train our admins not to walk away from machines in public. Identity providers increasingly require 2FA, and even biometric verification as part of that 2FA but in the hands of a dedicated idiot no protection is sufficient.
Okta and other cloud identity management providers have been so successful in part because they are able to push trust to the trusted person, not just the trusted endpoint. IDP paired with MDM has become the industry standard. We are now able to verify that it is actually me behind the keyboard. With Okta 2FA on my phone I get not only a second factor on a second device, but it can biometrically identify my face. Now it's on me not to walk away from my machine in public.
What are some signs of Zero Security?
If you're logging in anywhere as root you probably have Zero Security (if you had gone to the trouble of setting up ephemeral root credentials you'd have taken the further step and used a non-root admin account, preferably one with a user's name for forensic purposes).
Do you have security groups that allow access from all IPs?
If those machines are reachable (have public IPs) you probably have Zero Security
Have you done away with your security perimeter but NOT replaced it with some notion of trusted computers?
You have Zero Security.
Can your admins log in from any computer anywhere in the world? (jump hosts of course complicate this conversation, but the key part was "from any computer in the world")
You have Zero Security.
If an attacker can exfiltrate private keys from an admin's computer and use another computer to masquerade as him or her,
You have Zero Security.
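As an added example (not code from the post), here is a small script that scores a host inventory against the signs listed above: admin ports open to all IPs on hosts with public addresses, admin ports reachable from outside a trusted overlay, and root login permitted. The inventory fields, the overlay range and the host data are all constructed assumptions, not any cloud provider's schema.

```python
# Added example, not from the post: score a constructed host inventory against the
# Zero Security signs listed above (admin ports open to all IPs on public addresses,
# admin access from outside a trusted overlay, root login). Field names and the
# overlay range are assumptions, not any cloud provider's schema.
import ipaddress

ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM
TRUSTED_OVERLAY = ipaddress.ip_network("100.64.0.0/10")  # assumed overlay address range

# Constructed security groups: id -> list of (source CIDR, port) ingress rules
SECURITY_GROUPS = {
    "sg-admin-open": [("0.0.0.0/0", 22)],
    "sg-corp-lan": [("10.0.0.0/8", 22)],
    "sg-overlay-only": [("100.64.0.0/10", 22)],
    "sg-web": [("0.0.0.0/0", 443)],
}
# Constructed hosts; permit_root_login mirrors sshd's PermitRootLogin setting
HOSTS = [
    {"name": "db-01", "public_ip": "203.0.113.10", "groups": ["sg-admin-open"], "permit_root_login": True},
    {"name": "ci-01", "public_ip": None, "groups": ["sg-corp-lan"], "permit_root_login": False},
    {"name": "api-01", "public_ip": "203.0.113.11", "groups": ["sg-web", "sg-overlay-only"], "permit_root_login": False},
    {"name": "jump-01", "public_ip": None, "groups": ["sg-overlay-only"], "permit_root_login": False},
]

def audit_host(host, groups):
    # Returns the Zero Security signs found on one host; empty means none of the listed signs.
    reasons = []
    for gid in host["groups"]:
        for cidr, port in groups.get(gid, []):
            if port not in ADMIN_PORTS:
                continue  # e.g. 443 on a web tier is not an admin path
            source = ipaddress.ip_network(cidr)
            if source.prefixlen == 0 and host["public_ip"]:
                reasons.append(f"port {port} open to all IPs on public address {host['public_ip']}")
            elif not source.subnet_of(TRUSTED_OVERLAY):
                reasons.append(f"port {port} reachable from {cidr}, outside the trusted overlay")
    if host["permit_root_login"]:
        reasons.append("root login permitted; no per-person account for forensics")
    return reasons

def audit_hosts(hosts, groups):
    # Maps host name -> reasons, for hosts that show at least one sign.
    return {h["name"]: r for h in hosts if (r := audit_host(h, groups))}
```

On the constructed data only the hosts whose admin ports are reachable from outside the overlay are flagged; the web tier's public 443 is left alone because it is not an admin path.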
The long and short of it is that if you're pursuing Zero Trust and you screw it up, you end up worse off than you started. And if you're signing up to go down that road realize that there are some difficult tasks ahead of you.
Above all, don't half-ass your migration to Zero Trust. If you find yourself wondering if you're doing more harm than good, ask an expert for help: there is a correct answer.
The key point is that in an increasingly connected world we can achieve beneficial security from anywhere by pushing the trust verification to the endpoints. The computer itself can become trustworthy, which then removes the need for trusting the network. This INCREASES security because someone sneaking onto the network can't get anywhere. There are methods of ensuring that only trusted users can use trusted machines. When you implement zero trust you remove some physical security from the equation and you MUST replace it with strong identity verification. If you don't, you're going to have a bad time.