Virgil Gligor, Carnegie Mellon University
From 12.00 until 13.30
At CNB/F/110 (Lunch) + CAB G 52 (Seminar), ETH Zurich
CNB/F/110 (Lunch) + CAB G 52 (Seminar), ETH Zurich
We review the basic notions of trust, trust minimization, zero trust, and trust establishment. We show
that zero trust impossible in any enterprise network and has meaning only as an unreachable limit of
trust establishment. Hence, trust establishment -- not the zero trust “buzzword” -- can be a foundation of
network security. We also review the key characteristics of zero-trust architectures as presented by the
National Institute of Standards and Technology (NIST) in the clearest technical explanation of this
concept. We show that the modest goal of limiting the effects of security breaches to single implicit trust
zones is often unachieved by these architectures. We argue that they can never serve as security models
as they are unsound even for their modest goal, and inadequate for pervasive use. Evidence shows that
zero-trust architectures have low security value as they cannot address many common attacks, much less
advanced ones. Nevertheless, mature zero-trust architectures can reduce recovery costs after security
breaches, but the reduction is lower than provided by some alternate techniques.
In view of these observations, mandating adoption of zero-trust architectures in all government
networks seems surprising. A 2021 Presidential Executive Order incorrectly calls NIST's zero-trust
architecture a ``security model," mandates its adoption, and frequently requires trust-establishment
measures, which exclude zero trust. This recognizes some basic zero-trust inadequacies while missing
others identified in this presentation. Promoting zero trust is not simply assigning an inappropriate label
to a modest goal. Rather, it is encouraging simplistic security analyses that leave critical networks
vulnerable to serious attacks, while promoting the myth that low-cost assurance can always be effective.
In contrast, trust establishment encourages flexible cost allocation among security functions and
assurances, risk reduction, and adversary deterrence.
Join us in CNB/F/110 (Lunch) + CAB G 52 (Seminar).