
The Zero Trust Paradox

Or The Zero Trust Graveyard… your choice.

I just glanced through an analyst report on “zero trust” and noted the sizable ecosystem of startups and security cartel players who have all managed to join the party. After all, it’s a noble aim. If there were no way for an untrusted user, app, file, etc. to enter a TCP/IP network from the internet, that would be a great thing. A great thing indeed.

Yet startups embracing zero trust in their messaging have had little success. And I don’t think it’s because the security cartel players embracing zero trust (perhaps merely for thought leadership points) have succeeded.

What is the zero trust problem hinted at by the analyst?  Why is there a higher correlation between zero trust startups and new office space filled with old cubicles… than with hackers declaring bankruptcy?

I have a theory, inspired by conversations with security execs who’ve dabbled in the use of zero trust firewall and segmentation solutions.


The Zero Trust (Complexity) Paradox

For traditional TCP/IP-architected security solutions, the security landscape (defense in depth) is so complex that anything added ends up creating more complexity than actual enforcement efficacy. In short, it’s a declining sum game, where every new investment ends up costing you more because of stack fatigue.

I’d prefer to call this zero-sum scenario a zero trust paradox. Rising complexity makes it harder for innovation to have a meaningful impact. Deployment is politically and/or technically painful and protracted because of the limited “elbow room” for innovation. And security stacks are getting even more complex as IIoT devices are being added at a healthy clip.

Cities are getting poorer while hackers are getting richer. Indeed, rising complexity is more likely a hacker’s playground than an increasingly secure infrastructure.

This came out loud and clear over an incredible steak dinner with an old friend with some major security insight and responsibilities. So I won’t name him. 🙂

Is there a solution to the paradox? Yes: the transformation of the TCP/IP stack to include a new overlay layer, which should have been included in the first place.

*** This is a Security Bloggers Network syndicated blog from ARCHIMEDIUS authored by Greg Ness. Read the original post at: http://feedproxy.google.com/~r/Archimedius/~3/nkgQLgsvh3o/
