In light of the DoD's broadly announced adoption of "zero trust" and the numerous articles about risk reduction and implicit trust, it is worth taking some time to examine the two dominant philosophies in the space. Zero Trust Architecture (ZTA) and Open Trust security models are contrasting methodologies.
Zero Trust Architecture is a security model that assumes all networks and devices, whether inside or outside the organization's network, are untrusted by default. All access to resources within the network must be authenticated and authorized, even if the user or device is already inside the network. In a ZTA environment, there are no implicit trust relationships between users, devices, or networks. This approach is based on the idea that organizations should refrain from assuming that their internal networks are secure and must verify the trustworthiness of all requests for access to their resources.
In contrast, Open Trust security models are predicated on establishing trust relationships between different entities in a network. This approach assumes that separate entities, such as users, devices, or networks, can establish trust relationships with one another and then use those relationships to determine whether access to resources should be granted or denied. Open Trust frameworks permit trust to be established between entities based on their reputation, the quality of their security measures, and the strength of their authentication mechanisms. The desired end-state for each method is similar, but the path to that end-state and the underlying philosophies are wildly divergent.
The foundational difference between Open Trust models and ZTA is that Open Trust models work to establish long-term trust relationships, using a combination of Trusted Service Managers (TSMs) and a Trusted Execution Environment (TEE). Conversely, ZTA is inherently skeptical of long-term trust relationships. It is also worth noting that not every implementation carries that trust relationship through to the end-user.
While the rigidity of Zero Trust Architecture may not seem like a benefit, having clearly defined objectives, common high- and low-level implementations of those objectives, and numerous industry experts experienced in implementing that model makes justifying the adoption of ZTA much simpler than justifying a more custom approach, such as an Open Trust model.
ZTA’s approach to cybersecurity assumes that every user, device, and network flow is untrusted and must be verified before being granted access to critical resources. Let's explore the seven tenets of Zero Trust Architecture and their benefits:
Ultimately, Zero Trust Architecture is a comprehensive approach to cybersecurity that assumes that every user, device, and network flow is untrusted and must be verified before being granted access to critical resources. By following the seven tenets of Zero Trust, organizations can improve their security posture and reduce the risk of a cyber attack.
Overall, ZTA and Open Trust frameworks are two different approaches to security with some similarities in the outcome but critical differences in implementation.
From a practical perspective, for organizations whose primary concern is reducing risk, the rigidity of ZTA provides a lower risk threshold and greater audit resiliency than an Open Trust approach to security. On the other hand, if performance is the primary concern of the environment or organization, an Open Trust approach reduces the authentication and authorization overhead in exchange for a slightly reduced risk posture. Finally, an Open Trust security environment has an increased need for detailed documentation of the trust relationships established within it in order to provide audit resiliency.
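To make the contrast concrete, here is an added illustration (not part of the original post, and not a model of any vendor's product) of the two decision styles described above: a Zero Trust policy decision that re-verifies identity and device posture on every request, beside an Open Trust decision that relies on a recorded long-term relationship and keeps an audit trail of it. The user, device, resource and policy values are constructed for the example, and the TSM is represented only by the `establish` call that records the relationship.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    user: str
    device: str
    source_net: str        # "internal"/"external"; never grants trust by itself
    resource: str
    mfa_passed: bool       # identity verified for this request
    device_attested: bool  # device posture verified for this request

# Constructed sample authorization policy: (user, resource) pairs that are allowed.
ACL = {("alice", "payroll"), ("alice", "wiki"), ("bob", "wiki")}

def zta_decide(req: Request) -> tuple[bool, dict]:
    """Zero Trust: each request is judged only on evidence presented with it.
    Network location and any earlier approval carry no implicit trust."""
    checks = {
        "identity_verified": req.mfa_passed,
        "device_healthy": req.device_attested,
        "authorized": (req.user, req.resource) in ACL,
    }
    return all(checks.values()), checks

@dataclass
class OpenTrustPDP:
    """Open Trust: a long-lived relationship (e.g. one a TSM vouches for) is
    recorded once and then consulted without re-verifying the device."""
    relationships: dict = field(default_factory=dict)  # (user, device) -> expiry
    audit: list = field(default_factory=list)          # the documentation trail

    def establish(self, user: str, device: str, now: int, ttl: int) -> None:
        self.relationships[(user, device)] = now + ttl
        self.audit.append(("establish", user, device, now + ttl))

    def decide(self, req: Request, now: int) -> tuple[bool, dict]:
        checks = {
            "relationship_valid": self.relationships.get((req.user, req.device), -1) > now,
            "authorized": (req.user, req.resource) in ACL,
        }
        allowed = all(checks.values())
        self.audit.append(("decide", req.user, req.device, req.resource, allowed))
        return allowed, checks

def compare(now: int) -> dict:
    """Device was healthy when the relationship was formed but fails posture now."""
    pdp = OpenTrustPDP()
    pdp.establish("alice", "laptop-1", now=0, ttl=10)
    req = Request("alice", "laptop-1", "internal", "payroll", True, False)
    return {"zta": zta_decide(req)[0], "open_trust": pdp.decide(req, now)[0]}
```

Running `compare(5)` shows the trade-off the post describes: the Open Trust decision is cheaper because it skips the posture check, but it keeps granting access on a stale relationship until the recorded expiry, whereas the Zero Trust decision denies immediately.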