Zero Trust Advances More Secure Mobile World at a Cost
Zero Trust (ZT) has become popular in recent years with many ballyhooed aspects being repackaged as ZT-compliant or similar. Importantly, ZT is paradigm, a philosophy of sorts. ZT undoes decades of perimeter security notions replacing them with the idea that every device and connection must be secured regardless of proximity to a Wide Area Network (WAN) or cloud-based solution access points. ZT architectures (ZTAs, sometimes termed ZT networks) extend security features to the device and connection supporting scanning and detection of indicators of attack (IOA). ZTAs rely on authentication, availability, non-repudiation, integrity, and largely enable enhanced confidentiality of information transmission and receipt (i.e. the CIA-triad of cybersecurity). ZT standards developed nearly three decades ago have matured just in time to meet an increasing remote access and mobile computing technology demand. [1]
ZT value to mobile technology is based on the core element of end-point security, versus “castle and moat” defense approaches. ZT provides a framework to better secure a more mobilized tech-enabled world where ‘work from anywhere’ models are the new norm. ZT increases the identity and access management (IAM) components of security, increasing requirements to authenticate and access content. This results in a greater extended defenses, ensuring every transaction is validated and adequately attributed to the requesting device and user.[2] ZT helps harden against, detect, isolate, and evict intrusions,[3] but effects on digital interactions may not all be positive.
Privacy degradations are possible in ZT scenarios. A privacy issues arise from a need to resolve our multitude of personas. A corporate, governmental, or even societal push to resolve each of our identities down to one may impede access to personal privacy. The privacy encroachment originates from an identity resolution (IDRes) for work functions (e.g. employee ID number), personal (e.g. social media), and financial (e.g. tax ID) of a single person. While this may enhance ZTA IAM aspects, it does little to protect the individual from over-reach from corporate or government regulators. More importantly: over-indulgence in ZT IDRes presents a risk by elevating impact to entities across their various personas. The increased impact stems from the potential and likelihood of compromise for a fully resolved identity. [4]
ZT also does little to consider the backbone for communications providers. Information and communication technology (ICT) providers have drawn into question the reliability of the CIA-triad of cybersecurity. Huawei’s motivations for unresolved (and known) cybersecurity vulnerabilities is peculiar. Huawei’s subjectivity to coercion from People’s Republic of China government officials remains a cause for concern.[5] The fragmented infrastructure aspect of trust puts the packet transmission at risk, and further presents risk to privacy.[6] New generations will need to determine how ZT works in a compromised world while balancing privacy matters.
The future of mobile tech security (like current trends) reinforces the increased demand for technology that applies a ZT approach. More mobile tech with more frequent remote access requirements can only be resolved through a ZT model. But fragmented ICT backbones threaten aspects of ZT that must be more sufficiently addressed. Privacy should not be neglected to achieve more holistic security, but the trend is inclined towards less access to digital privacy.
References:
[1] K. E. Foltz and W. R. Simpson, “Zero Trust Technology Integration Issues,” Institute for Defense Analyses, 2021. Accessed: Aug. 27, 2022. [Online]. Available: http://www.jstor.org/stable/resrep34846
[2] J. Doherty, Wireless and Mobile Device Security. Burlington, UNITED STATES: Jones & Bartlett Learning, LLC, 2021. Accessed: Aug. 27, 2022. [Online]. Available: http://ebookcentral.proquest.com/lib/gwu/detail.action?docID=6461875
[3] “MITRE D3FEND Knowledge Graph.” https://d3fend.mitre.org/ (accessed Aug. 27, 2022).
[4] L. NEWCOMBE, “LOOKING AHEAD,” in Securing Cloud Services, 2nd ed., IT Governance Publishing, 2020, pp. 403–417. doi: 10.2307/j.ctvwcjj1n.21.
[5] K. Waldron, “HUAWEI AND NATIONAL SECURITY: LESSONS FOR 6G,” R Street Institute, 2020. Accessed: Aug. 27, 2022. [Online]. Available: http://www.jstor.org/stable/resrep27015
[6] C. for S. and I. S. (CSIS), ““Never Trust, Always Verify’: Federal Migration to ZTA and Endpoint Security”,” Center for Strategic and International Studies (CSIS), 2022. Accessed: Aug. 27, 2022. [Online]. Available: http://www.jstor.org/stable/resrep41889
