Zero Trust – The Elevator Pitch

Over the past few months I’ve heard the term “Zero Trust Networking” from time to time but I didn’t quite understand what was meant by the term. So I started to look into it a bit and here’s my elevator pitch for it:

Traditional company networks are built around the idea of “we (the good guys) inside” and “those (the bad guys) outside”. The company network is protected from the outside world by a firewall, and employees outside the network need a VPN to get access to services inside it. In other words, a client device inside the network is trusted more than a device somewhere on the Internet. In this day and age, however, where more and more attacks on a company’s internal resources are launched from compromised devices that already reside inside the network, the separation between “we inside” and “those outside” has become a questionable approach.

This is where Zero Trust comes in: a device or user is not trusted simply because it is inside the company network, nor distrusted simply because it is outside. Instead, the internal network is hardened so that it makes no difference anymore whether a client device sits inside the company network or out on the Internet. Trust is established by strong authentication at the service itself. In a company environment, a central authentication and permission service (e.g. LDAP) decides whether a user gets access to a resource (service, storage, etc.). Once you reach this point, a VPN is no longer necessary.

In other words, a company has achieved Zero Trust once no VPN server and no VPN client software are necessary anymore. Obviously, that is very hard to achieve if there are many legacy services that are not well protected from the outside world or can’t hook into a centralized authentication system. But as mentioned above, in a day and age where external attacks are launched via compromised devices on the inside, the VPN server won’t help you much anymore.
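To make the contrast concrete, here is a small added example (not from the original post) that puts a perimeter-style access decision next to a Zero Trust one. The directory contents, tokens, service names and group ACL are constructed stand-ins for a central service such as LDAP.

```python
"""Perimeter-style vs. Zero Trust access decisions, side by side (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address ranges the perimeter model treats as "inside the firewall / behind the VPN".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed stand-in for the central directory (e.g. LDAP): token -> (user, groups).
DIRECTORY = {
    "tok-alice": ("alice", {"staff", "nextcloud-users"}),
    "tok-bob":   ("bob",   {"staff"}),
}

# Constructed per-service ACL: which directory group a service requires.
SERVICE_ACL = {"nextcloud": "nextcloud-users", "rss": "staff"}


@dataclass
class Request:
    service: str
    source_ip: str
    token: Optional[str] = None   # credential presented to the service, if any


def perimeter_decision(req: Request) -> bool:
    """Traditional model: being inside the network is the credential.

    A compromised laptop on the LAN gets in without ever authenticating,
    while a legitimate user on the Internet is refused until they bring up a VPN.
    """
    src = ipaddress.ip_address(req.source_ip)
    return any(src in net for net in INTERNAL_NETS)


def zero_trust_decision(req: Request) -> bool:
    """Zero Trust model: the source network is never consulted.

    Every request must carry a credential the central directory recognises,
    and the directory's group membership decides access to the service.
    """
    entry = DIRECTORY.get(req.token or "")
    if entry is None:
        return False                   # unauthenticated, no matter where the request came from
    _user, groups = entry
    return SERVICE_ACL.get(req.service) in groups


if __name__ == "__main__":
    inside_no_auth = Request("nextcloud", "10.1.2.3")
    outside_alice = Request("nextcloud", "203.0.113.7", token="tok-alice")
    print(perimeter_decision(inside_no_auth), zero_trust_decision(inside_no_auth))  # True False
    print(perimeter_decision(outside_alice), zero_trust_decision(outside_alice))    # False True
```

The first line of output is the case the post warns about: a device on the inside that has never proven who it is still gets through under the perimeter model.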

Interestingly, while I do have a VPN server at home, I mostly use it when I want a German IP address, as some Internet-based services prefer some IP addresses over others. I have only very few services in my home network that I don’t want to expose to the Internet and hence still need VPN access for. For 95% of my services (e.g. Nextcloud, RSS reader, online office, file storage, mail server, XMPP messaging server, etc.) I’ve already reached Zero Trust, i.e. there is no difference between accessing them from my home network and accessing them via the Internet. I had no idea I was almost fully Zero Trust already 🙂

For more details, see the Wikipedia article on the topic.