Zero jargon... We have a trust problem!

“The single biggest problem in communication is the illusion that it has taken place” (George Bernard Shaw).

Communication mightn’t be the cyber industry’s single biggest problem. But it’s close! In particular, the illusion that jargon-filled language actually works is becoming a real a issue. Zero trust... SASE.... Spear-phish... Drive-by download. These terms all make sense right? No, they don't, and indeed, there’s a growing case that such jargon may well undermine trust in the cyber profession as a whole.

As a case in point, how many “zero trust” stories have you heard? The answer is probably somewhere between five and fifteen. But surely there is only one that makes sense: Completely removing trust from an IT environment. Zero. Everything must go. And yet, it seems like each company has a different version of this concept, and in the way that only jargon can, each “zero trust” story inevitably creates far more confusion than it does clarity. Zero trust for cloud... Zero trust for CASB... Zero trust for endpoint... what's the difference?

Jargon is typically used as an attempt to be hyper-efficient in getting an important message across. It’s also sometimes used to sound cool (and usually has the opposite effect!). But in every case, jargon gives a specific meaning to particular word/s that is only understood by a few people. Everyone else who hears these words thinks they mean something else, undermining understanding of the very concept the words are trying to describe. Worse though, when the same word/s mean different things to different people, five different cyber professionals talking to a single user or customer can sometimes inadvertently use the same words to say entirely different things (hence the many different “zero trust” stories).

Put yourself in the user/customer’s shoes: how do you trust any of the cyber-professionals talking to you when they all say the same words but mean something completely different. Indeed, when you put it like this, it sounds like the textbook definition of being deceived! As a result the customer often trusts no-one and simply ignores them all... this is not the outcome we are seeking as cyber professionals!

In trying to be efficient, our jargon has created a trust problem. Very few cyber professionals try to be misleading. Indeed, most are just trying to help make the many complicated concepts in cyber sound straightforward. The good news is that if we in the cyber industry can get back to plain-speak, we can start to turn our jargon induced trust deficit around. So here goes... let’s start the journey by trying to talk about "zero trust" with as little jargon as possible!

Back in 2009, Forrester identified that IT networks needed to change. Most had been designed to talk amongst themselves based on established patterns. If a server, router or switch was meant to talk to another server, router or switch, then it was setup so that this could happen with very few ongoing security checks. Forrester found that attackers were exploiting this “trust” by taking over components of the network and then using them to move around to other components freely. Forrester said that instead, every time a server or switch (or anything else) speaks, the recipient network component should verify that it is who it says it is before it listens. Never trust, always verify.

It’s never really been about “zero trust”, but rather trusting a single source of truth instead of every component blindly trusting every other component in the system. As an analogy, think about 1,000 people being in a room, blindfolded, each trying to talk to someone else they don't know well. Before the blindfolds go on, to verify who they are, everyone pulls out their drivers licence and shows it to their conversation partner. It’s slow. It takes concentration. But ultimately, everyone verifies who everyone else is from a trusted source (the licence) and the conversation begins.... guess who had a fake licence? The chances of detecting such a fraud are pretty low. Worse though, if someone switches partners (or brings a new friend into the room) mid-conversation it's almost impossible to detect with blindfolds on unless their voices are very different; and, even this would be hard to detect with all of the noise from the 998 other people talking in the room!.

In zero trust, the blindfolds are off and all participants must hold their licences up for the duration of the conversation. The concentration (compute power and bandwidth) required to constantly talk and check the ID is higher than in the first example, but no one is going to get away with swapping partners mid conversation! Sure, they can still try to use a fake licence (zero trust does not equal zero risk), but the overall risk level drops dramatically. Ultimately, if someone who isn’t meant to be there does get in, they probably won't be able to get around anywhere near as easily!

In 2017, Forrester coined the term “zero trust extended” (argh! more jargon!). This just means that a term that was originally all about the network now also applies to cloud, data and apps. This is really important, as just like a bad guy can jump from server to server, applications and the cloud also allow them them to move around your environment until they find what they want to steal or break.

Despite the challenges created by cyber-professionals using the term "zero trust" as jargon, it’s important to highlight that it’s actually a critical concept. Perhaps the best example of this is Operation Aurora, following which Google were able to use zero trust to harden their defences after being hacked wide open by an APT (https://www.darkreading.com/threat-intelligence/9-years-after-from-operation-aurora-to-zero-trust/a/d-id/1333901). One could argue that Palo Alto Networks’ defence against the recent Solarwinds supply chain attacks is also a good example of how zero trust helps to keep the bad guys at bay: “You really need to catch that first victim or that first exploit and be able to isolate the box and stop the process... “Attackers will always take the easiest point of entry.” (https://www.businessinsider.com/how-palo-alto-networks-avoided-solarwinds-hack-2021-1?r=AU&IR=T)

So, when someone tells you the next zero trust story, don't ignore it because they're using jargon, but do make sure you ask them exactly what they mean. And make sure you also ask about the scope (network, data, apps and or cloud) of their capability, the way the trusted source for verification works, how the links between IT components and the trusted source are protected, and importantly, how they would detect a fake licence / credential being present in the system.

More broadly, some folk do "Dry-July", others do "Mo-Vember"; perhaps the cyber industry should give "Jargon-Free June" a go... it'll be difficult, but I'm game to give it a go if you are!