Instead of the “inside” and “outside” notion of traditional firewalls and perimeter defense technologies, the Zero Trust Network notion has its origins in a cloud-first, mobile-first world, where the person carrying a mobile device can be anywhere, inside or outside the enterprise, and is connected securely to the services he or she needs access to.
The essential idea appears to be device authentication coupled with a second factor in the shape of an easy-to-remember password, with backend security logic to identify the accessing device. More importantly, every service that is accessed externally needs to be authenticated, instead of some services being treated as internal services and being less protected.
Some properties of zero trust networks:
- Network locality based access control is insufficient
- Every device, user and service is authenticated
- Policies are dynamic – they gather and utilize data inputs for making access control decisions
- Attacks from trusted insiders are mitigated
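To make the four properties concrete, here is an added example (not code from the original post) of a minimal policy decision point. It places a perimeter-style check, which trusts anything from the corporate address range, next to a zero-trust check that requires an authenticated user with a second factor, an enrolled and compliant device, per-service authorization, and a dynamic risk signal. The corporate range, device inventory, service ACL, threshold and both request scenarios are constructed for the illustration.

```python
"""
Added example, not code from the original post: a minimal policy decision
point contrasting a perimeter check (trust by network locality) with a
zero-trust check that requires an authenticated user with a second factor,
an enrolled and compliant device, per-service authorization, and a dynamic
risk signal. All names, ranges and inventories are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical corporate range a perimeter firewall would treat as "inside".
CORP_NET = ip_network("10.0.0.0/8")

# Hypothetical inventory of devices that completed certificate enrollment.
ENROLLED_DEVICES = {"dev-laptop-001", "dev-phone-017"}

# Hypothetical per-service allow list of users.
SERVICE_ACL = {
    "payroll": {"alice"},
    "wiki": {"alice", "bob"},
}

FAILED_LOGIN_THRESHOLD = 5  # dynamic signal: deny after a burst of failures


@dataclass
class AccessRequest:
    src_ip: str
    user: Optional[str]        # identity asserted by SSO; None if not signed in
    mfa_passed: bool           # second factor presented for this session
    device_id: Optional[str]   # identity from the device certificate, if any
    device_compliant: bool     # result of the posture/health check
    service: str               # service being accessed
    failed_logins_1h: int = 0  # recent failures for this user (dynamic input)


def perimeter_decision(req: AccessRequest) -> bool:
    """Traditional model: a source inside the corporate range is trusted."""
    return ip_address(req.src_ip) in CORP_NET


def zero_trust_decision(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Evaluate identity and context on every request; locality is ignored."""
    reasons: List[str] = []
    if req.user is None or not req.mfa_passed:
        reasons.append("user not authenticated with a second factor")
    if req.device_id not in ENROLLED_DEVICES:
        reasons.append("device not enrolled")
    elif not req.device_compliant:
        reasons.append("device fails posture check")
    if req.user not in SERVICE_ACL.get(req.service, set()):
        reasons.append("user not authorized for this service")
    if req.failed_logins_1h >= FAILED_LOGIN_THRESHOLD:
        reasons.append("too many recent failed logins")
    return (not reasons, reasons)


# Constructed scenarios: an on-network insider without MFA on an unknown
# device, and a remote user on an enrolled, compliant device.
INSIDER_NO_MFA = AccessRequest("10.0.5.23", "bob", False, "unknown-box", False, "payroll")
REMOTE_VERIFIED = AccessRequest("203.0.113.8", "alice", True, "dev-laptop-001", True, "payroll")

if __name__ == "__main__":
    for name, req in [("insider, no MFA", INSIDER_NO_MFA), ("remote, verified", REMOTE_VERIFIED)]:
        ok, why = zero_trust_decision(req)
        print(f"{name}: perimeter={perimeter_decision(req)} zero_trust={ok} {why}")
```

The two scenarios invert: the perimeter check admits the insider on the corporate range and rejects the remote user, while the zero-trust check does the opposite, and it also returns the list of failed conditions so the denial can be logged and investigated.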
This is a big change from many networks which have network-based defense at the core (for good reason, as it was very cost effective). To create such a network from an existing network, one way to start is to identify, enumerate and sequence all network flows.
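The flow-inventory step can be started from existing connection logs. The following is an added example, not from the original post, that parses constructed log lines, labels addresses with a hypothetical asset map, collapses connections into unique flows with counts, orders them by first appearance so the call chain is visible, and emits each flow as a candidate explicit allow rule for review. The log format, addresses and asset names are all constructed.

```python
"""
Added example, not code from the original post: build a flow inventory from
constructed connection-log lines as a first step toward explicit per-flow
policy. Asset labels, log format and addresses are hypothetical.
"""
import re
from ipaddress import ip_address, ip_network

# Hypothetical asset map: which address ranges belong to which workload.
ASSETS = [
    (ip_network("10.0.1.0/24"), "workstations"),
    (ip_network("10.0.2.9/32"), "web"),
    (ip_network("10.0.3.4/32"), "db"),
    (ip_network("10.0.4.2/32"), "bastion"),
]

# Constructed log lines in a simple key=value format.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=10.0.1.5 dst=10.0.2.9 dport=443 proto=tcp
2024-05-01T09:00:02 src=10.0.1.5 dst=10.0.2.9 dport=443 proto=tcp
2024-05-01T09:00:03 src=10.0.2.9 dst=10.0.3.4 dport=5432 proto=tcp
2024-05-01T09:00:05 src=10.0.1.7 dst=10.0.2.9 dport=443 proto=tcp
2024-05-01T09:00:06 src=10.0.2.9 dst=10.0.3.4 dport=5432 proto=tcp
2024-05-01T09:00:09 src=10.0.1.5 dst=10.0.4.2 dport=22 proto=tcp
this line is malformed and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def label(ip):
    """Map an address to its asset name; unknown addresses keep the raw IP
    so they are not silently merged into a known workload."""
    addr = ip_address(ip)
    for net, name in ASSETS:
        if addr in net:
            return name
    return ip


def parse_flow_log(text):
    """Identify: turn each well-formed line into (ts, src, dst, proto, dport)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the inventory
        d = m.groupdict()
        records.append((d["ts"], label(d["src"]), label(d["dst"]), d["proto"], int(d["dport"])))
    return records


def enumerate_flows(records):
    """Enumerate: collapse connections into unique flows with count and first-seen time."""
    flows = {}
    for ts, src, dst, proto, dport in records:
        key = (src, dst, proto, dport)
        if key not in flows:
            flows[key] = {"count": 0, "first_seen": ts}
        flows[key]["count"] += 1
        if ts < flows[key]["first_seen"]:
            flows[key]["first_seen"] = ts
    return flows


def sequence_flows(flows):
    """Sequence: order flows by first appearance (ISO timestamps sort as strings)."""
    return sorted(flows.items(), key=lambda kv: kv[1]["first_seen"])


def draft_policy(flows):
    """Each observed flow becomes a candidate explicit allow rule to review."""
    return [f"allow {src} -> {dst} {proto}/{dport}  # seen {info['count']}x"
            for (src, dst, proto, dport), info in sequence_flows(flows)]


if __name__ == "__main__":
    for rule in draft_policy(enumerate_flows(parse_flow_log(SAMPLE_LOG))):
        print(rule)
```

On the sample input this yields three flows in dependency order (workstations to web, web to db, workstations to bastion). The draft rules are a starting point for explicit per-flow policy; any flow that does not appear in the review list is one the new policy will block, which is why the unknown-address case keeps the raw IP visible rather than hiding it.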
I attended a talk by Centrify on this topic, which resonated with experiences in cloud, mobile and fog systems.
Related efforts in Kubernetes: Progress Toward Zero Trust Kubernetes Networks, Istio Service Mesh, API Gateway to Service Mesh. One can contrast the API gateway, which is present only at the ingress point of a cloud, with the zero-trust/service-mesh/sidecar approach, where every microservice building block gets its own external proxy and ‘API’ for management added to it. The latter adds to latency concerns for real-time applications, as the new sidecar proxies sit in the data path.
The key original motivation behind Istio, in the second presentation by Lyft above, was greater observability and reliability across a complex cluster of microservices. This strikes me as a greater motivating use case for this technology than added security. From the security point of view, there is a parallel between the Istio approach and the SDN problem statement of a horizontal and ubiquitous security layer.