Zero Trust and Identity: Evolving from Castles to Cities

The common analogy for protecting computer networks has typically been that of the castle, complete with big walls and surrounding moat. Though this is a good one, the growth and innovation in security technology, including the Zero Trust Model, add complexities. Let’s take a look and see if the analogy still stands.  




The castle not only contained the people being protected by the lord but also housed their businesses. As a result, an ecosystem of services often grew up inside the castle’s boundaries.

This neatly aligns to the Users / Applications / Services models that relate to things that need to access data networks within a company. To stretch the metaphor further, trade with those outside the castle is through the drawbridge and any access to the drawbridge is protected by armed guards. This also neatly aligns with basic perimeter security and user authentication system models. And if we always stayed inside the castle walls or ran every application behind a corporate firewall, this would be enough.

It’s Not Enough

However, as the corporate world has gotten bigger, faster, and more complex, so has the need to innovate, challenge, and rip up existing business practices. The boundaries that used to protect us have now become a hindrance. The castles’ very narrow drawbridges slowed commerce down, and the guards were not able to protect against various new threats. Additionally, the castle itself was prone to insider attacks (guards open to bribery), all of which rendered the old perimeter security model absolutely useless.

Access to novel applications and services in the cloud is one of the largest drivers for technological change in companies today. Every executive I talk to is focused on running their business better and is absolutely happy to offload the necessary IT tasks to someone else who is better at it. “Why build, run, maintain a host of applications when it’s done for me brilliantly by someone else?” Like all of us, they want to be freed up to do their actual job.

Effectively we are now “corporate cities” with open trade routes (APIs). The applications (both our own and ones we have brought from elsewhere), and the users (our corporate citizens) are now widely distributed from downtown, through the suburbs, and all the way out to other cities.




So what does this highly stretched analogy/metaphor combination have to do with security? The key failure in any security system is always a human one – be it a guard focusing on building a bigger wall while missing the crooked guard sneaking around, or the cannon shot coming from the other direction. In corporate terms, human failure means a simple omission, shadow IT, or social engineering.

Where Does Zero Trust Come In?

The core principle of Zero Trust is in its name: Trust no one, trust nothing — so instead of putting up firewalls, DMZs, etc., and assuming that it will all be enough, we now treat every actor (User, Application, Service) as a threat until proven otherwise.

This might seem like a negative approach but it does mimic human behavior. Our nature is to distrust new people until we get to know them and we as humans use a network trust model to accelerate this process: Alice knows Bob and I know Alice, so Bob must be cool … 

So what enforces a Zero Trust model … (or actually delivers Trust)? You need to know who/what is asking for access to the application or service. You need to be sure that they are doing something you expect them to be doing, from a location that you would expect them to be in and you want them to only be doing something that you think they should be doing.

If I am the CFO of company A — on my mobile phone, at home on my WiFi network, after hours but not too late — and wanting to check SFDC for some numbers, then let me.

If something changes during my session, e.g., I try to access the source code repository for the company’s software product from a different IP, then something might not be quite right. So why not ask me to confirm who I am and re-authorize me with a biometric signal, e.g. FaceID?
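The session-context policy the two paragraphs above describe (let the expected request through, ask for a step-up when the context shifts mid-session), as an added example that is not from the original post. The resource tiers, signal weights, thresholds, device names and expected-hours window are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy values (assumptions, not from the post): how sensitive each
# resource is, how much each unexpected signal weighs, and the decision thresholds.
RESOURCE_TIER = {"sfdc": 1, "source-repo": 3}
WEIGHTS = {"ip_change": 2, "off_hours": 2, "sensitive_resource": 2, "unknown_device": 5}
STEP_UP_AT, DENY_AT = 2, 5  # too many simultaneous anomalies deny outright, no step-up offered
KNOWN_DEVICES = ("managed-laptop", "registered-mobile")


@dataclass
class Session:
    user: str
    device: str          # device the session was established from
    ip: str              # IP the session was established from
    mfa_level: int = 1   # 1 = password only, 2 = biometric step-up completed


def risk_signals(session, resource, request_ip, hour):
    """Collect the context signals that differ from what we expect for this session."""
    signals = []
    if session.device not in KNOWN_DEVICES:
        signals.append("unknown_device")
    if request_ip != session.ip:                 # e.g. the repo request from a new IP
        signals.append("ip_change")
    if not 6 <= hour < 23:                       # "after hours but not too late"
        signals.append("off_hours")
    if RESOURCE_TIER.get(resource, 3) >= 3:      # unknown resources count as sensitive
        signals.append("sensitive_resource")
    return signals


def evaluate(session, resource, request_ip, hour):
    """Return (decision, signals): ALLOW, STEP_UP or DENY for one request in a session."""
    signals = risk_signals(session, resource, request_ip, hour)
    score = sum(WEIGHTS[s] for s in signals)
    if score >= DENY_AT:
        return "DENY", signals
    # A completed step-up proved identity afresh, so moderate risk no longer blocks.
    if score >= STEP_UP_AT and session.mfa_level < 2:
        return "STEP_UP", signals
    return "ALLOW", signals


def complete_step_up(session, request_ip):
    """After the biometric prompt succeeds, re-bind the session to the new context."""
    session.mfa_level = 2
    session.ip = request_ip


if __name__ == "__main__":
    cfo = Session(user="cfo@example.com", device="registered-mobile", ip="203.0.113.10")
    print(evaluate(cfo, "sfdc", "203.0.113.10", hour=21))         # ALLOW: nothing unusual
    print(evaluate(cfo, "source-repo", "198.51.100.7", hour=21))  # STEP_UP: new IP + repo
    complete_step_up(cfo, "198.51.100.7")
    print(evaluate(cfo, "source-repo", "198.51.100.7", hour=21))  # ALLOW after step-up
```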

No longer is it assumed that the users, things, applications, services, and data are all on the castle-side of the moat; rather, everything is distributed.  Having full control over them now requires a more evolved security system.

So at its core, Zero Trust needs an effective Identity and Access Management Platform. But as technology is constantly evolving, you also need to cater for new services/technologies to protect and enable. Therefore your approach to security and identity needs to be future-aware.

In the past few years, everyone has moved to the cloud (for at least some things), consuming SaaS and PaaS as standard, and there has been an explosion in the rate of APIs being deployed and used in business. The next wave taking hold is distributed microservices — and soon behind that will be IoT and service ecosystems. Each of these “things” is a sophisticated actor in your technology ecosystem with increasing capability to wreak havoc in the wrong hands. My theory here is that we should treat any “thing” as a user so that we can apply the same rules and expected patterns around it.

If we break it down, we have data (something of incredible value) and “things” that can interact with that data (I include humans in this bucket). This is what we need to protect in every deployment model and context.

None of this is new 

If you look at large, consumer-facing services provided by companies, they already effectively employ a Zero Trust model. Banking, Healthcare, Connected Car, Telco — they all hold important data and services about me — and protect me and my data using an approach akin to Zero Trust. There is an opportunity for consumer- and workforce-facing services to converge in the areas of Establishment of Identity, Trust, Authorization, and Access. We see many customers using similar approaches for employee and customer IAM security.

One scenario is: I am an employee of Bank A. I am also a customer of Bank A. If you know my context, request, behaviors, etc. in the workforce as well as the consumer space, then you can have a better understanding of me in each separate context as well.

Our ability to deduce user/system context is ever improving, and it is increasingly normal to process many signals from many providers to build a real-time picture of the interactions in our ecosystem. Orchestrating this long list of biometric, behavioral, risk, threat, AI/ML, etc. technologies is itself both a reflection of Zero Trust and an opportunity to enhance the customer’s or employee’s experience by applying just the right amount of friction in the journey when needed — and also stepping out of the way when possible.

This constant evolution of technologies provides space to innovate our services to workforce and consumers. It can reduce dependency on hardware, people, and legacy; it can drive new efficiencies in our operations. It also affords new opportunities for malevolent actors to exploit our services and get to our data. Staying ahead of this arms race is vital. As an initial security posture, Zero Trust helps focus our approach in the right areas.

Additional links: 

Webinar:  Bot, Human, Friend or Foe

Webinar: Is Identity the new Perimeter

Implementing Zero Trust and CARTA with ForgeRock AM


*** This is a Security Bloggers Network syndicated blog from Forgerock Blog authored by Alex Laurien. Read the original post at: