I wrote a fairly complex post a few months ago called “Zero-trust”: my love/hate relationship, in which I discussed in some details what “zero-trust” networks are, and why I’m not convinced. The key point turned out to be that I’m not happy about the way the word “zero” is being thrown around here, as I think what’s really going on is explicit trust.
Since then, there hasn’t been a widespread movement away from using the term, to my vast lack of surprise. In fact, I’ve noticed the term “zero-trust” being used in a different context: in p2p (peer-to-peer) and Web 3.0 discussions. The idea is that there are some components of the ecosystem that we don’t need to trust: they’re “just there”, doing what they were designed to do, and are basically neutral in terms of the rest of the actors in the network. Now, I like the idea that there are neutral components in the ecosystem: I think it’s a really important distinction to make to other parts of the system. What I’m not happy about is the suggestion that we have zero trust in those components. For me, these are the components that we must trust the most of all of the entities in the system. If they don’t do what we expect them to do, then everything falls apart pretty quickly. I think the same argument probably applies to “zero-trust” networking, too.
I started thinking quite hard about this, and I think I understand where the confusion arises. I’ve spent a lot of time over nearly twenty years thinking about trust, and what it means. I described my definition of trust in another post, “What is trust?” (which goes into quite a lot of detail, and may be worth reading for a deeper understanding of what I’m going on about here):
- “Trust is the assurance that one entity holds that another will perform particular actions according to a specific expectation.”
For the purposes of this discussion, it’s the words “will perform particular actions according to a specific expectation” that are key here. This sounds to me as exactly what is being described in the requirement above that components are “doing what they’re designed to do”. It is this trust in their correct functioning which is a key foundation in the systems being described. As someone with a background in security, I always (try to) have these sorts of properties in mind when I consider a system: they are, as above, typically foundational.
What I think most people are interested in, however – because it’s a visible and core property of many p2p systems – is the building, maintaining and decay of trust between components. In this equation, the components have zero change in trust unless there’s a failure in the system (which, being a non-standard state, is not a property that is top-of-mind). If you’re interested in a p2p world where you need constantly to be evaluating and re-evaluating the level of trust you have in other actors, then the components in which you have (hopefully) constant trust relationships are “islands in the stream”. If they can truly be considered neutral in terms of their trust – they are neither able to be considered “friendly” nor “malevolent” as they are neither allied to nor can be suborned by any of the actors – then their static nature is uninteresting in terms of the standard operation of the system which you are building.
This does not mean that they are uninteresting or unimportant, however. Their correct creation and maintenance are vital to the system itself. It’s for this reason that I’m unhappy about the phrase “zero-trust”, as it seems to suggest that these components are not worthy of our attention. As a security bod, I reckon they’re among the most fascinating parts of any system (partly because, if I were a Bad Person[tm], they would be my first point of attack). So you can be sure that I’m going to be keeping an eye out for these sorts of components, and trying to raise people’s awareness of their importance. You can trust me.
Alice, Eve and Bob - a security blog 