Why are people here treating Zero Trust negatively / like a buzzword?

Genuinely curious why people have a negative view of Zero Trust as a concept. It’s common sense and some brilliant SANS talks go over the benefits and implementation. For example

Just really confused why I’ve been seeing people label it as some garbage buzzword, when really it’s an excellent security concept touted by some of the most experienced pros in the industry.


Edit: I’m seeing a lot of ‘Zero Trust as a product’ thinking in the comments.

Zero Trust is not a category to place products in. The vendors advertising to your C-suite executives would like it to be.

It’s a concept. It’s an assumption that the internal network is hostile; how far you take that assumption should be dependent on your organization’s needs / risk.

(And making that assumption does not mean that anyone should expose their internal network to the world, as some commenters appear to mistakenly believe.)


NIST: SP 800-207
Zero Trust Architecture

Abstract: Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource. This document contains an abstract definition of zero trust architecture (ZTA) and gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture. - Scott Rose (NIST), Oliver Borchert (NIST), Stu Mitchell (Stu2Labs), Sean Connelly (DHS)


Nowhere does it say anything about dissolving any compartmentalization or internalization of a network. Over and over I see people claiming that ZT means getting rid of the network’s outer shell. People are somehow mistaking

“Let’s not focus / rely on a strong outer shell anymore.”

with

“Let’s expose our entire network and every service on it to the internet.”


Ok last edit. One of you just taught me something invaluable about this and it needs to be shared. Many of you (correctly) pointed out in the many discussions below that there’s no such thing as “zero trust” because there must be some trust for anything to operate.

Regarding a book on the topic (emphasis theirs):

"The book talks a lot about trust on a network and where to get it from. Instead of assigning different trust levels to network segments the book talks about getting the trust level for each and every action from an internal authority.

So yes, of course you should not trust your internal network by default when applying zero trust. But that does not mean that you eliminate trust. You just get it elsewhere."

ZT isn’t about eliminating trust. It’s about controlling it.

Frequently it is something that executives hear and want.

“Just make us zero trust”

Without understanding the backdrop of what it means, why to do it and implications. It’s a concept, something to be worked toward, not just a switch to flip.

That’s probably why you see the hate.

Because in typical manufacturer fashion, they grab a word and use it in every piece of marketing material they can for every product they sell until it becomes so confusing to people. MFA=zero trust, NAC= zero trust, SASE= zero trust, SWG= zero trust, reverse proxy= zero trust, VPN= zero trust, EPP=zero trust. Every vendor wants to use it because they know C-levels are googling “zero trust” and they want to be on that list, even if they may not typically be considered in the zero trust model.

It’s also gotten more confusing for them because of the additional acronyms around it: Zero Trust, ZTA, ZTNA. Zero Trust has been a security concept for a long time, but it’s grown significantly as technology has expanded. I think it has just become so overwhelming to people that are targeted by vendor marketing that it becomes a scary concept, and it’s our job to try and break that down into practical processes, procedures and technology for the executives to understand and support.

What color zero trust would you like?

I think one of the reasons it gets a bad rap is because it’s objectively impossible to fully implement. You will never reach 100% zero trust.

That doesn’t mean you shouldn’t try… but I have a feeling people want to avoid another objective they can never truly complete.

Vendors slap “zero trust” onto anything that they sell to try to sound competent. Fortinet tried to sell me their VPN client because it was “zero trust”. I stopped talking to them at that point.

This happens with pretty much any new popular technology: machine learning, AI, “next-gen”, cloud-native, multi-cloud, whatever. They start out as legit technologies or concepts and quickly get abused in marketing materials.

It’s like finding a great new song that you love, but the radio plays it every other minute and you’re sick of it after a week.

The info-sec community railed against using the term cyber too :rofl:.

The biggest problem in my mind is how poorly defined ZT is, in large part due to the vendors trying to say their product is ZT.

ZT is much larger than just network access. It’s not just the network that may be hostile, but are you sure all processes on your device can be trusted, how sure are you of the identity of a given user, etc.

My main issue with “zero trust” is speakers at conferences and coworkers who say it means we should expose all our services to the public Internet and allow people to use any device to process data. Since we shouldn’t trust the network, their logical conclusion is to eliminate VPNs and peel off that first layer of defense. Having recently patched authentication bypass vulnerabilities in multiple systems, I know exposing services to the public Internet that don’t need to be is reckless. The VPN stops hundreds of attacks a day.

My second issue is zero trust has been the policy everywhere I’ve worked for 20 years. I guess there’s some companies somewhere that might trust the network, but I’ve never seen it. Sys admins and security professionals have known not to trust networks for decades. So why is “zero trust” such a big issue? Have you ever bought a product that didn’t come with authentication and just trusted the network it was on? Have you ever just not monitored the internal network because you thought it was perfectly safe?

They say the best way to ruin an idea is to name it, and “Zero Trust” has come to that now, as many commenters mention. Vendors slap the label on their existing products, and don’t relate back to the definitions of zero trust that are available from NIST and other sources. The other problem is that a lot of technical folks hear zero trust, and without looking at the actual definitions, scream that there is no way to have absolutely zero trust, so the whole thing is a sham to start with. Both ends are childish and ridiculous. Zero trust is a mindset, and a goal, with a lot of paths. In the end, it is a combination of layered defense, least privilege, and continuous authentication, with a few more items sprinkled in. The reality is that one should add layers of trust to the most important assets, information, industrial controls, etc. and as the risks justify the expense, continue to move those processes lower in the risk category, and improve your posture. Claiming it has to be a 100% rearchitecting of the system is as lazy as slapping the moniker on a VPN that has been breached a dozen times by standard vulnerabilities.

“Complete mediation: Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system”

  1. This is basically the principle of zero trust, from 47 years ago. Somehow we end up coming along and reinventing new buzzwords for the same old shit, which we were never able to implement right in the first place.

Defense in depth is another basic principle that we always had, which also seems to mean the same as zero trust.

Don’t get me wrong, I agree with zero trust. But it IS the same old shit.

A lot of people don’t understand that you need to completely re-architect how your AD and network work.

There are a lot of solid points already posted, but I think it can be summarized more clearly.

  1. Vendors have co-opted the term

Magically, many products that have been on the market for years are now Zero Trust.

  2. Level of effort is not understood by leadership

If people want to follow NIST 800-207 and the guidance in the Google white papers, the level of effort is tremendous.

  3. Datacenter network segmentation

This is especially true with segmenting the network behind the applications. From a standards perspective, all connections between applications should be limited to only the ports and protocols that are required. This means that you need to have complete application dependency mappings, which no one has for their environments. There are some solid platforms out there that can help build application dependency mappings and micro-seg, like Guardicore (no, I do not work for them or sell them).

  4. RBAC for applications and application access reviews

Again, if you look at Zero Trust specifications from NIST and the white papers from Google, access to environments is conceptually broken down into 2 phases: access to the network, and access to the application. Many organizations do not have good identity governance with solid RBAC programs in place to manage application access.

Summary:

  • Zero Trust is not something you can buy
  • It’s not something that any one department within an organization can accomplish on their own
  • It’s a deeply collaborative organization wide initiative which the information security industry (in general) does a horrible job on.

Just my 2 cents…
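Added illustration of the NIST definition quoted earlier in the thread and the two-phase (network, then application) model in the post above; it is example code written for this thread, not from NIST, Google or any commenter. It contrasts a source-address check with a per-request decision on subject, device posture and resource, so a request from the corporate range on a non-compliant device is refused while the source address is only logged. The policy table, group names, device-compliance flag and addresses are all constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class AccessRequest:
    subject: str                 # user identity established by the identity provider
    groups: FrozenSet[str]       # group claims from that provider
    device_compliant: bool       # posture reported by device management (constructed attribute)
    source_ip: str               # kept for logging; deliberately NOT a trust input below
    resource: str
    action: str


# Constructed policy: resource -> who may do what, and whether the device itself
# must also pass a posture check (subject AND device are checked, as in 800-207).
POLICY = {
    "hr-db": {"groups": {"hr"}, "actions": {"read"}, "require_compliant_device": True},
    "wiki": {"groups": {"staff", "hr"}, "actions": {"read", "write"}, "require_compliant_device": False},
}


def perimeter_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Castle-and-moat model: being on the corporate address range is the only check."""
    if req.source_ip.startswith("10."):
        return True, "internal source address"
    return False, "external source address"


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Complete mediation: every request is authorized on identity, device and
    resource; the source address never contributes to the decision."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource (default deny)"
    if req.action not in rule["actions"]:
        return False, f"action {req.action!r} not permitted on {req.resource}"
    if not (req.groups & rule["groups"]):
        return False, f"subject {req.subject} lacks a group entitled to {req.resource}"
    if rule["require_compliant_device"] and not req.device_compliant:
        return False, "device failed posture check"
    return True, "subject, device and action all authorized"


# Constructed requests: the same HR user from inside the network on a non-compliant
# laptop, and from an outside address on a managed, compliant one.
INSIDE_BAD_DEVICE = AccessRequest("alice", frozenset({"hr"}), False, "10.1.2.3", "hr-db", "read")
OUTSIDE_GOOD_DEVICE = AccessRequest("alice", frozenset({"hr"}), True, "203.0.113.7", "hr-db", "read")

if __name__ == "__main__":
    for req in (INSIDE_BAD_DEVICE, OUTSIDE_GOOD_DEVICE):
        print(req.source_ip, "perimeter:", perimeter_decision(req), "zero trust:", zero_trust_decision(req))
```

The reason string is what you would write to the decision log; the perimeter model has no equivalent because it never evaluated the subject or device at all.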

The rest of the comments have made great points and I would like to highlight how vendors have co-opted the term for products that are not actually ZT.

This does mean that the human reaction is to immediately disregard anything that markets itself as ZT because of the effort required to confirm that a product fits within ZT. And unless the product is open-source, how do you really confirm it?

(The irony here is that it’s good to have zero trust for vendors because “Is what you’re saying about your product true? Can we continuously confirm that this is true?” is a fundamental aspect of ZT, so you’re technically putting ZT into practice already.)

It doesn’t help that decision-makers may think ZT is a purchasable product, voila, buy X have ZT. There’s a significant amount of organization-wide shift for a ZT-oriented posture that makes cybersecurity professionals groan because they’re going to be responsible for driving the cart except the cart does not want to move, saying “We bought you the new wheels!”

The good news is that not only has the White House come out to say ZT is the future (The Far Reach of the White House’s Zero Trust Memo | Pomerium), they’ve broadcasted CISA’s ZT model as the de facto guide. Cybersecurity experts that understand the value of ZT and do want to evaluate vendor products/tools for ZT-capabilities should use CISA’s guide as a standard to cut through marketing fluff.

In our Q&A interview with Scott and Oliver, the writers of that NIST 800-207 publication, they also admit that there’s a lot of confusion surrounding the term. But they seem hopeful:

Oliver: The thing is, if one looks very close towards zero trust, one notices that we are actually on the road to zero trust for many years. Zero trust is not one solution, not one product where I flip a switch and now I have zero trust.

Some vendors might over-claim that their product is fully zero trust and [yet] others under-claim or don’t claim at all [yet] to be zero trust but are in fact already a nice fit for a zero trust solution.

Zero trust became an industry buzzword and that is why so many, myself included, do not like the term.

While we have adopted it in my organization, when describing it I have to preface any introduction to it with what zero-trust is and isn’t, specifically that it is not a product or series of products, but rather a set of principles and guidelines with the goal of enforcing least privilege and limited lateral movement, among other things.

I would say because it is over used by people who have no actual idea what it means. Also too many things are being labeled as zero trust when it isn’t actually zero trust. True zero trust implementation is good, but far too many people don’t actually understand it while saying to implement it, thus not understanding the complexity and cost.

I agree it’s just a concept and a really good one engineers should try and implement. I think the problem is a lot of vendors use the phrase incorrectly in their marketing material. I’ve had too many vendors approach me marketing zero trust and their tool has nothing to do with it or does nothing to contribute to its implementation. It’s quite funny actually.

Because the industry as a whole is treating it like one, similar to devsecops, or machine learning. All of them, in theory, are good things to use and implement, but the majority of implementations are going to be half-baked.

It’s treated like a buzzword because big organizations are using it like a buzzword.

This only seems to help in a very small way, once you nitpick.

Zero trust assumes your internal network is hostile. I love this. It really helps me frame what we’re working on. Nothing cloud, nothing internal to the endpoint. Good scope.

So we don’t trust the internal network as a source of authentication.

It doesn’t address tokens at all. If a real user authenticates and I manage to acquire their auth token, I’ve defeated zero trust.

It basically means all my apps, files, and services need to have an authentication system in front?

So looking at your edit, you are right, the concept of Zero Trust is good and not new at all even if the term is. The issue is vendors have turned it into buzzword bingo so badly that many roll their eyes when the words “Zero Trust” are uttered.