IC Colloquium: Zero Trust in Zero Trust?
By: Virgil D. Gligor - Carnegie Mellon University
Abstract
We review the basic notions of trust, trust minimization, zero trust, and trust establishment. We also review the key characteristics of zero-trust architectures as presented by the National Institute of Standards and Technology (NIST) in the clearest technical explanation of this concept. We show that the modest goal of limiting the effects of security breaches to single implicit trust zones is often unachieved by these architectures. We argue that they can never serve as security models as they are unsound even for their modest goal, and inadequate for pervasive use. Evidence shows that zero-trust architectures
have low security value as they cannot address many common attacks, much less advanced ones. Nevertheless, mature zero-trust architectures can reduce recovery costs after security breaches, but the reduction is lower than provided by some alternate techniques. Finally, we show that zero trust impossible in any enterprise network and has meaning only as an unreachable limit of trust establishment. Hence, trust establishment -- not the zero trust “buzzword” -- can be a foundation of network security.
In view of these observations, mandating adoption of zero-trust architectures in all government networks seems surprising. A 2021 Presidential Executive Order incorrectly calls NIST's zero-trust architecture a ``security model," mandates its adoption, and frequently requires trust-establishment measures, which exclude zero trust. This recognizes some basic zero-trust inadequacies while missing others identified in this presentation. Promoting zero trust is not simply assigning an inappropriate label to a modest goal. Rather, it is encouraging simplistic security analyses that leave critical networks vulnerable to serious attacks, while promoting the myth that low-cost assurance can always be effective. In contrast, trust establishment encourages flexible cost allocation among security functions and assurances, risk reduction, and adversary deterrence.
Bio
Virgil D. Gligor is a Professor at Carnegie Mellon University. His research interests have ranged from access control mechanisms, penetration analysis, and denial-of-service protection to cryptographic protocols and applied cryptography. He was an associate editor of several ACM and IEEE journals and the editor in chief of the IEEE Transactions on Dependable and Secure Computing. He received the 2006 National Information Systems Security Award jointly given by NIST and NSA, the 2011 Outstanding Innovation Award of ACM SIGSAC, and the 2013 Technical Achievement Award of IEEE Computer Society. He was inducted into the National Cyber Security Hall of Fame in 2019.
More information
Abstract
We review the basic notions of trust, trust minimization, zero trust, and trust establishment. We also review the key characteristics of zero-trust architectures as presented by the National Institute of Standards and Technology (NIST) in the clearest technical explanation of this concept. We show that the modest goal of limiting the effects of security breaches to single implicit trust zones is often unachieved by these architectures. We argue that they can never serve as security models as they are unsound even for their modest goal, and inadequate for pervasive use. Evidence shows that zero-trust architectures
have low security value as they cannot address many common attacks, much less advanced ones. Nevertheless, mature zero-trust architectures can reduce recovery costs after security breaches, but the reduction is lower than provided by some alternate techniques. Finally, we show that zero trust impossible in any enterprise network and has meaning only as an unreachable limit of trust establishment. Hence, trust establishment -- not the zero trust “buzzword” -- can be a foundation of network security.
In view of these observations, mandating adoption of zero-trust architectures in all government networks seems surprising. A 2021 Presidential Executive Order incorrectly calls NIST's zero-trust architecture a ``security model," mandates its adoption, and frequently requires trust-establishment measures, which exclude zero trust. This recognizes some basic zero-trust inadequacies while missing others identified in this presentation. Promoting zero trust is not simply assigning an inappropriate label to a modest goal. Rather, it is encouraging simplistic security analyses that leave critical networks vulnerable to serious attacks, while promoting the myth that low-cost assurance can always be effective. In contrast, trust establishment encourages flexible cost allocation among security functions and assurances, risk reduction, and adversary deterrence.
Bio
Virgil D. Gligor is a Professor at Carnegie Mellon University. His research interests have ranged from access control mechanisms, penetration analysis, and denial-of-service protection to cryptographic protocols and applied cryptography. He was an associate editor of several ACM and IEEE journals and the editor in chief of the IEEE Transactions on Dependable and Secure Computing. He received the 2006 National Information Systems Security Award jointly given by NIST and NSA, the 2011 Outstanding Innovation Award of ACM SIGSAC, and the 2013 Technical Achievement Award of IEEE Computer Society. He was inducted into the National Cyber Security Hall of Fame in 2019.
More information
Practical information
- General public
- Free
- This event is internal
Contact
- Host: Jean-Pierre Hubaux