Put Zero Trust Architecture in Realization
The concepts around Zero Trust are not “new”. You might have heard that, but let me give you some background on just how long the tenets of ZT have been around.
An early statement of a core Zero Trust idea can be found in the work of Auguste Kerckhoffs, who was a professor of German language at the Ecole des Hautes Etudes Commerciales (HEC) in Paris in 1883. Kerckhoffs’ seminal article, La Cryptographie Militaire, was published in two parts in the Journal des sciences militaires (Journal of Military Science) early that year. In it he stated six critical points for any military cipher. Translated from French, they are:
- The system must be practically, if not mathematically, indecipherable;
- It should not require secrecy, and it should not be a problem if it falls into enemy hands;
- It must be possible to communicate and remember the key without using written notes, and correspondents must be able to change or modify it at will;
- It must be applicable to telegraph communications;
- It must be portable and should not require several persons to handle or operate;
- Lastly, given the circumstances in which it is to be used, the system must be easy to use and should not be stressful to use or require its users to know and comply with a long list of rules.
Sound somewhat familiar? If you think you have heard those concepts before, you are correct. We have been inundated with Zero Trust over the last few years as a marketing ploy, but the basic ideas of the strategy are long held by those who know security and its history. Kerckhoffs’ second point is the one we now call Kerckhoffs’ principle: the security of a system must rest on the secrecy of the key alone, never on the secrecy of the design. Applied to Zero Trust, that means you assume an attacker already knows your network layout, your application stack and your code, so nothing is protected by obscurity; the emphasis is instead on strong cryptographic algorithms, strong keys and secure key management, so that even an attacker who gains access to the system cannot obtain sensitive information or tamper with critical systems. Any Zero Trust architecture must therefore be designed with strong encryption, sound key management practices, and other cryptographic measures to protect data and resources from unauthorized access. Or it is not a Zero Trust system, period.
Claude Shannon is another innovator who knew the basic tenets of Zero Trust long before they were an industry norm or a marketing term. Shannon is considered one of the fathers of the digital age, and his wartime cryptographic work at Bell Labs fed directly into his 1949 paper, Communication Theory of Secrecy Systems, in which he restated Kerckhoffs’ second point as the maxim that “the enemy knows the system.” That is very much in line with Zero Trust. His point is a lesson we forget and then relearn after each subsequent breach: designers and defenders should assume the bad guys know our systems, and should go one step further and assume those systems are already compromised. Again, another basic Zero Trust principle, well understood and applied all the way back to 1949.
The Jericho Forum was discussing de-perimeterisation, the idea that the network perimeter can no longer be trusted as a security boundary, long before Zero Trust became an industry standard approach, and of course John Kindervag, who coined the term at Forrester, took ZT to a stratospheric level with his assertions around enabling effective enterprise security via these tenets. Those concepts and tenets are not “new”, but there are some significant changes in the technology in the market that are helping companies deploy ZT.
Confidential computing technology can be combined with Zero Trust strategies to enhance the security of an organization’s data and systems.
Confidential computing is a security model in which data is processed inside a trusted execution environment (TEE), such as a hardware-based enclave or a confidential VM, that the CPU isolates from the host operating system, the hypervisor and the cloud operator; the TEE’s memory is encrypted by the hardware, so even a privileged host cannot read it. This closes the gap that encryption at rest and encryption in transit leave open: data in use, which conventionally has to be decrypted in memory where any sufficiently privileged process can read it. The second half of the model is remote attestation: the hardware signs a measurement (a hash) of the code loaded into the TEE, and a relying party verifies that signature and measurement before it releases keys or data to the enclave. That is exactly the Zero Trust move of verifying explicitly before granting access, applied to a workload rather than a user. Combining this with the usual ZT controls, such as continuous authentication and per-request authorization, means that only approved users and only approved, attested code can interact with the TEE and the data it protects. Two caveats a practitioner should keep in mind: attestation proves which code is running, not that the code is free of bugs, so the enclave’s own code still needs the same review as any other trusted component; and a verifier that skips the measurement allowlist, accepts a replayed attestation, or fails to check the signature back to the hardware vendor’s key has quietly re-introduced the implicit trust that Zero Trust is meant to remove.
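To make the attestation-gated access decision concrete, here is an added example in Go; it is constructed for this article and is not code from this page, from any TEE vendor, or from any product. An ed25519 key stands in for the hardware attestation key that a real CPU keeps in fused silicon or firmware, a SHA-256 of the enclave binary stands in for the platform measurement, and the quote format, the nonce handling and the placeholder data key are all simplified assumptions; real deployments additionally verify a vendor certificate chain and TCB version and bind the report to the enclave’s TLS session key. What the example does show is the check order a key broker must follow (authenticity, then freshness, then policy) and how a replayed report, a modified enclave binary and a forged quote are each refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AttestationReport is a constructed stand-in for a TEE quote (SGX/TDX quote, SEV-SNP report).
type AttestationReport struct {
	Measurement [32]byte // hash of the code loaded into the enclave
	Nonce       [16]byte // broker-supplied freshness value, echoed back
	Signature   []byte   // hardware attestation key over Measurement||Nonce
}

func (r AttestationReport) signedBytes() []byte {
	return append(append([]byte{}, r.Measurement[:]...), r.Nonce[:]...)
}

// Enclave simulates the hardware side; an ed25519 key stands in for the fused attestation key.
type Enclave struct {
	Code      []byte
	AttestKey ed25519.PrivateKey
}

func (e Enclave) Attest(nonce [16]byte) AttestationReport {
	r := AttestationReport{Measurement: sha256.Sum256(e.Code), Nonce: nonce}
	r.Signature = ed25519.Sign(e.AttestKey, r.signedBytes())
	return r
}

var (
	ErrBadSignature  = errors.New("report not signed by trusted hardware key")
	ErrStaleNonce    = errors.New("nonce not issued or already consumed")
	ErrUntrustedCode = errors.New("measurement not in policy allowlist")
)

// KeyBroker is the relying party: it releases the data key only to a report that passes every check.
type KeyBroker struct {
	hardwarePub ed25519.PublicKey // trusted attestation public key
	allowed     map[[32]byte]bool // measurements approved by policy
	issued      map[[16]byte]bool // nonces handed out but not yet consumed (single-use)
	dataKey     []byte
}

func (kb *KeyBroker) Challenge() [16]byte {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		panic(err)
	}
	kb.issued[n] = true
	return n
}

// ReleaseKey checks authenticity, then freshness, then policy: an unauthenticated report must never consume a nonce.
func (kb *KeyBroker) ReleaseKey(r AttestationReport) ([]byte, error) {
	if !ed25519.Verify(kb.hardwarePub, r.signedBytes(), r.Signature) {
		return nil, ErrBadSignature
	}
	if !kb.issued[r.Nonce] {
		return nil, ErrStaleNonce
	}
	delete(kb.issued, r.Nonce)
	if !kb.allowed[r.Measurement] {
		return nil, ErrUntrustedCode
	}
	return kb.dataKey, nil
}

// NewTestbed returns one enclave and a broker that trusts its hardware key and approves exactly its code.
func NewTestbed(approvedCode []byte) (Enclave, *KeyBroker) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	kb := &KeyBroker{
		hardwarePub: pub,
		allowed:     map[[32]byte]bool{sha256.Sum256(approvedCode): true},
		issued:      map[[16]byte]bool{},
		dataKey:     []byte("constructed-data-key"), // placeholder, not a real key
	}
	return Enclave{Code: approvedCode, AttestKey: priv}, kb
}

func main() {
	good, kb := NewTestbed([]byte("approved enclave binary v1"))
	key, err := kb.ReleaseKey(good.Attest(kb.Challenge()))
	fmt.Printf("approved code, fresh nonce: key=%q err=%v\n", key, err)
	rep := good.Attest(kb.Challenge()) // replay of an already-accepted report
	kb.ReleaseKey(rep)
	_, err = kb.ReleaseKey(rep)
	fmt.Println("replayed report:", err)
	tampered := Enclave{Code: []byte("modified binary"), AttestKey: good.AttestKey}
	_, err = kb.ReleaseKey(tampered.Attest(kb.Challenge()))
	fmt.Println("host loaded modified code:", err)
}
```

The important design choice is the order inside ReleaseKey: the signature is verified before the nonce is consumed, so a host that cannot sign with the hardware key cannot burn outstanding challenges, and the measurement allowlist is consulted only on a report that is both authentic and fresh. In a real system the allowlist entry would be the vendor-format measurement of a reviewed build, and the released key would be wrapped to a public key that the report itself binds to.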
While the approaches and thinking around Zero Trust are not new, as I described, the technologies that can enable this strategy are constantly evolving. I do not personally advocate for any particular “buy this” solution in the space, but I do think that if you look at how the needs of modern businesses are evolving, it is wise to consider some of the newer solutions. Always consider how technology is maturing to meet your individual organizational needs, and then decide whether those offerings align with your strategic initiatives. If the concepts of Zero Trust stand the test of time and innovation evolves to help better secure your business, isn’t it worth taking a look at these new solutions?