Mike Thomas, Managing Director of Innopsis, details the concept of Zero Trust, strongly supported by the Government Digital Service (GDS), as the way ahead for all the networking requirements of the public sector
The concept of Zero Trust is being lauded by the Government Digital Service (GDS) as the way forward for all the public sector’s networking requirements.
So what is Zero Trust?
The term Zero Trust was coined in 2010 by John Kindervag, then an analyst at Forrester Research. He observed that organisations were taking a ‘castle and moat’ approach to network security: each CIO built a network that kept outsiders out and let in only those holding the right credentials.
A wall and a ditch were built around the corporate data to keep infiltrators out. Kindervag noted, however, that anyone who managed to breach those defences then had free run of the corporate data assets, because being inside the network was itself treated as proof of trustworthiness. His alternative was to verify who the user is, what device they are using and where the request is coming from, and to decide access to each service and data set by policy, on every request, rather than by network location.
While organisations kept services within the bounds of the corporate network, reached only from locally connected computers or over VPNs, the security question was simply how strong the walls could be made. As the world began to migrate to cloud services run by hyperscalers such as Google, Amazon and Microsoft, this model started to break apart. Users wanted to reach corporate applications and data from mobile phones, their homes or coffee shops, over the public internet.
Adapting to public cloud services
Google was the first organisation to rework its access model at scale, as its workforce moved to cloud-hosted services and it became clear that a breached perimeter offered no protection. Its response, begun in 2011, was the ‘BeyondCorp’ Zero Trust framework. Rather than biometrics or GPS, the published BeyondCorp design rests on data about devices and users: every device is enrolled in a device inventory and issued a certificate, so a request can be tied to a known, managed machine; users authenticate through single sign-on with a strong second factor; and an access proxy in front of each application applies policy to every request using that user and device data together with context such as the network the request arrives from. Once that data existed, the Zero Trust model could be realised.
The hard part was not the technology but the data: knowing in real time who should have access, which devices they hold and are permitted to use, and whether a request is coming from where it should. It took Google years to get there, building the device inventory from asset and HR records and auditing its ICT estate until the records could be trusted.
Next, Google classified its applications, data and services into trust tiers and assigned each device a tier derived from its inventory data, so that a user could reach a given service only from a device of sufficient trust and, where required, from a defined location. Policy was introduced in stages: access was first granted generously while the would-be denials were only logged, and then tightened step by step to the optimum operational level as the data became complete enough to act on.
Google then asked itself whether it even needed a trusted corporate network. It decided that it didn’t: internal applications are reached through the access proxy over the internet, being plugged into an office network confers no privilege, and the privileged internal network was retired.
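The policy idea described above (identity, device and context checked on every request, applications graded into trust tiers, and a monitoring phase before enforcement) is easiest to see as code. The following is an added illustration written for this page, not Google’s code: the device inventory, users, trust tiers and application policies are all constructed for the example, and the tier rules are a simplified stand-in for a real posture assessment.

```python
"""Per-request access decision in the style of a BeyondCorp access proxy.

Added illustration, not Google's code. The device inventory, tiers, users and
application policies below are constructed for the example.
"""
from dataclasses import dataclass
from enum import IntEnum
import ipaddress


class Tier(IntEnum):
    UNTRUSTED = 0   # unknown or unmanaged device
    BASIC = 1       # managed, but out of policy (e.g. unpatched)
    TRUSTED = 2     # managed, encrypted, patched, holds a device certificate
    HIGH = 3        # TRUSTED plus a hardware-backed device key


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_age_days: int
    cert_present: bool
    hw_backed_key: bool


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    mfa_passed: bool


@dataclass(frozen=True)
class AppPolicy:
    min_tier: Tier
    groups: frozenset       # membership of any of these groups is required
    networks: tuple = ()    # () = any source; otherwise CIDRs that may reach the app
    enforce: bool = True    # False = monitoring phase: record denials, do not block


# Constructed inventory. In BeyondCorp the equivalents are the device inventory
# database and the user/group database, fed from asset and HR systems.
DEVICES = {
    "lt-1001": Device("lt-1001", True, True, 3, True, True),
    "lt-1002": Device("lt-1002", True, True, 45, True, False),   # patching lapsed
    "byod-77": Device("byod-77", False, False, 0, False, False),
}
APPS = {
    "timesheets":    AppPolicy(Tier.BASIC,   frozenset({"staff"})),
    "source-code":   AppPolicy(Tier.TRUSTED, frozenset({"engineering"})),
    "payroll-admin": AppPolicy(Tier.HIGH,    frozenset({"hr-admin"}),
                               networks=("10.0.0.0/8",)),
    "new-wiki":      AppPolicy(Tier.TRUSTED, frozenset({"staff"}), enforce=False),
}
MAX_PATCH_AGE_DAYS = 30


def device_tier(device):
    """Collapse device posture into a trust tier; unknown devices stay UNTRUSTED."""
    if device is None or not device.managed:
        return Tier.UNTRUSTED
    if not (device.disk_encrypted and device.cert_present
            and device.patch_age_days <= MAX_PATCH_AGE_DAYS):
        return Tier.BASIC
    return Tier.HIGH if device.hw_backed_key else Tier.TRUSTED


def evaluate(user, device_id, source_ip, app_name):
    """Return ("allow" | "deny", reason). Every request is checked in full;
    nothing is inherited from being on a particular network."""
    policy = APPS.get(app_name)
    if policy is None:
        return "deny", "unknown application"
    reasons = []
    if not user.mfa_passed:
        reasons.append("MFA not satisfied")
    if not (user.groups & policy.groups):
        reasons.append("user not in an authorised group")
    tier = device_tier(DEVICES.get(device_id))
    if tier < policy.min_tier:
        reasons.append(f"device tier {tier.name} below required {policy.min_tier.name}")
    if policy.networks:
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in ipaddress.ip_network(n) for n in policy.networks):
            reasons.append("source network not permitted for this application")
    if not reasons:
        return "allow", "all checks passed"
    if not policy.enforce:
        # Monitoring phase: record what would have been blocked, then admit.
        return "allow", "would deny (monitor mode): " + "; ".join(reasons)
    return "deny", "; ".join(reasons)


if __name__ == "__main__":
    alice = User("alice", frozenset({"staff", "engineering"}), mfa_passed=True)
    for dev, ip, app in [("lt-1001", "203.0.113.9", "source-code"),
                         ("lt-1002", "203.0.113.9", "source-code"),
                         ("byod-77", "10.1.2.3", "payroll-admin"),
                         ("lt-1002", "10.1.2.3", "new-wiki")]:
        print(dev, app, evaluate(alice, dev, ip, app))
```

Note that the source network is only ever an additional constraint, never a substitute for the user and device checks: a request from inside the 10.0.0.0/8 office range on an unmanaged device is still refused. The `enforce=False` policy on `new-wiki` is the staged rollout described above, where the decision is computed and recorded but not yet acted on.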
GDS’s approach to Zero Trust
GDS is following a similar path. The well-known GDS blog post ‘The Internet is OK’ was the forerunner of the government’s Zero Trust Networking approach. The stated intention is to adopt Zero Trust Networking and dismantle dedicated networks within the public sector. Innopsis supports the first half of that strategy but urges caution over the second.
If we liken network security to physical security at the workplace, the firewalls and network access controls are the walls, doors and gates into the corporate office, guarded by reception staff and access control equipment scanning ID cards.
Inside the office, most companies use door scanners and require ID badges to be worn at all times. Some insist that visitors are accompanied by staff throughout. Getting into the building does not make you trusted: you must continually prove your identity and your right to be there. That is the Zero Trust idea.
However, having cracked the identification issue, most organisations have yet to abandon the office. There are other reasons to visit and work in an office other than security. Collaboration, engagement and environment come to mind immediately. I don’t see many head offices closing to allow all staff to relocate to Starbucks!
On the same basis, companies don’t buy networks purely for security. Yes, it is part of the mix, but so are availability, accountability and latency. The internet works because network providers cooperate. There are no SLAs, beloved of government; packets get through on a best-effort basis. There are no rules about where or how traffic is routed. If it works, it works; if it doesn’t, it doesn’t.
If the speed drops, you wait and hope it recovers. We are all familiar with the cry at home of ‘the internet is slow tonight’. That might interfere with watching “Strictly” on iPlayer, but what would the impact be if a payroll run slowed to a crawl, or if passport checks at immigration lost access altogether?
Today, escalation processes exist to check and escalate a communications route along its entire path. Engineers can re-route around failures and service levels can be guaranteed. With the internet there is no end-to-end escalation path: a provider can only resolve problems between the customer’s premises and its own internet hand-off points.
Increasingly, corporate communications use real-time, multimedia IP traffic. For these to work, the IP packets must be prioritised to give stutter-free speech, flicker-free video and group calls of broadcast quality. That prioritisation is not available across the public internet: the quality-of-service markings a corporate network honours end to end are generally ignored or stripped at provider boundaries, and your traffic takes its chance with everything else. Is that acceptable? It might be fine to make a cup of tea and come back once the blip has passed. It is not the same if a trial is being conducted remotely or a surgeon is monitoring a patient.
The answer, in Innopsis’s opinion, is a hybrid approach: adopt Zero Trust across the whole estate, but keep MPLS-based networks for the major offices and data centres. This gives flexibility to remote and mobile workers; branch offices can use internet connectivity, while main corporate offices keep a robust, controlled path to the data centres, hyperscalers and other offices. Note that MPLS gives assurance of availability and latency, not confidentiality, so traffic should be encrypted on it just as it would be on the internet. The overall solution may cost more, since there is Zero Trust infrastructure to buy, but some savings can be made by moving small offices onto internet connectivity and accepting the loss of assured corporate network connectivity there.
Adoption of Zero Trust
The next big issue is adoption itself. Implementing a single Zero Trust solution for the whole public sector is unlikely to be easy. Accounting, in real time, for exactly who the UK’s roughly 5.4 million public sector workers are, which devices they hold and are permitted to use, and where they are and whether they should be there, is a challenge that makes Brexit look easy.
A more likely scenario is that each department and council implements its own version of Zero Trust. The downside is that there is no common agreed standard between Zero Trust solution providers, and there is unlikely to be one in the short to medium term. If adopted that way, the public sector would be taken back to the situation that the Public Services Network (PSN) was deployed to fix: each department, council and public body isolated from the others, information failing to flow between organisations, and the progress made over the last eight years in sharing data reversed. That is not progress.
To return to another point about using the internet: routing is dynamic and driven by each provider’s commercial and capacity decisions. One day traffic may route via Germany, the next via the US, the next via China. The sender has no control over how or when traffic is routed, and it does not take much to disrupt it.
In November 2018, a routing error at a Nigerian provider caused a large share of Google’s traffic to be redirected through networks in Russia and China, where it was dropped for over an hour. Imagine the concern if the Cabinet Office’s traffic were ‘accidentally’ routed into a black hole, stopping all communications. Encryption limits what a diverting party can read: correctly deployed TLS is not practically decryptable, but the outage itself, the traffic metadata and any weakly configured or unencrypted flows are all exposed to whoever is on the path.
There are many other scenarios that apply to government but are unlikely in the enterprise world. This is why we need to be cautious and not simply adopt an approach that is still novel even in the commercial world, especially as the UK moves to be independent on the world stage. Zero Trust will allow mobile workers to have corporate-style working, it will allow occasional home workers, and undoubtedly the coffee shops will benefit. Will it reduce cost? That is yet to be proved. Will it increase security? For some users, it will. Is it risky to move all traffic to the internet? Yes. Very. Some traffic will be fine, but not all.
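You cannot control where other networks send your traffic, but you can at least detect when your own prefixes are being announced in a way they should not be. The following is an added example written for this page, not code from the article or from any provider: it validates announced origins against RPKI-style ROAs (RFC 6811, a technique the article does not itself mention) and flags a route leak when a valid origin is reached through a transit provider it does not actually use, which is the shape of the Nigerian incident described above. The ROAs, the list of authorised upstreams and the announcement feed are all constructed, using documentation prefixes and private ASNs.

```python
"""Origin validation and route-leak detection for prefixes you operate.

Added illustration, not code from the article or any provider. The ROAs,
authorised upstreams and announcements are constructed (documentation
prefixes, private ASNs).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    origin_as: int


# Constructed ROAs, shaped like RPKI ROAs: prefix, maxLength, authorised origin.
ROAS = [
    Roa("203.0.113.0/24", 24, 64500),
    Roa("198.51.100.0/22", 24, 64500),
]
# Constructed: the transit providers AS64500 actually buys from. In any
# legitimate path one of them sits immediately next to the origin.
AUTHORISED_UPSTREAMS = {64500: {64510, 64511}}


def roa_validate(prefix, origin_as):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in ROAS if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "notfound"
    if any(r.origin_as == origin_as and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def parse_update(line):
    """Parse '<prefix> <AS path>' (e.g. '203.0.113.0/24 64510 64500') into
    (prefix, hops), collapsing AS-path prepending so adjacency checks see real hops."""
    prefix, *path = line.split()
    hops = []
    for asn in map(int, path):
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return prefix, hops


def classify(line):
    """Return (verdict, explanation) for one announcement."""
    prefix, hops = parse_update(line)
    if not hops:
        return "error", f"{prefix}: empty AS path"
    origin = hops[-1]
    status = roa_validate(prefix, origin)
    if status == "notfound":
        return "unknown", f"{prefix}: no ROA covers this prefix"
    if status == "invalid":
        return "invalid", f"{prefix}: AS{origin} is not an authorised origin, or the prefix is too specific"
    if len(hops) >= 2 and hops[-2] not in AUTHORISED_UPSTREAMS.get(origin, set()):
        return "leak", f"{prefix}: reached via AS{hops[-2]}, which is not an upstream of AS{origin}"
    return "ok", f"{prefix}: origin AS{origin} via an expected upstream"


def scan(lines):
    """Classify a batch of announcements and return only those needing attention."""
    return [(v, why) for v, why in map(classify, lines) if v != "ok"]


# Constructed feed, as it might come from a route collector or looking glass.
ANNOUNCEMENTS = [
    "203.0.113.0/24 64510 64500",              # normal
    "203.0.113.0/24 64511 64500 64500 64500",  # normal, with prepending
    "203.0.113.0/24 64520 64666",              # origin hijack
    "198.51.100.0/25 64510 64500",             # more specific than the ROA allows
    "198.51.100.0/24 64520 64530 64500",       # valid origin, leaked via AS64530
    "192.0.2.0/24 64520 64520",                # no ROA at all
]

if __name__ == "__main__":
    for verdict, why in scan(ANNOUNCEMENTS):
        print(f"{verdict:8} {why}")
```

The adjacency check is deliberately simple: it only knows the origin’s own upstreams, so it catches a leak of the origin’s routes through a third party but says nothing about what happens further along the path. In practice this runs against a live feed from route collectors, and a ‘leak’ or ‘invalid’ verdict is the trigger to phone the provider, which is exactly the escalation path the article notes the internet otherwise lacks.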
Mike Thomas
Managing Director
Innopsis
Tel: +44 (0)800 997 8805