Zero Trust Again

The topic of Zero Trust has been on my mind for a while now. When I read the title of the article Zero Trust: Bund will bei IT-Sicherheit niemandem mehr vertrauen (EN: Zero Trust: Federal government no longer wants to trust anyone when it comes to IT security), I was initially a little surprised, because in my first article on Zero Trust I had already expressed some hope that there would be guidelines from the BSI.

That hope was mainly for stricter guidelines, because I am aware that Zero Trust alone is neither necessary nor sufficient for better security. Even just adopting the approach of:

  • Assume breach
  • Don’t trust, always verify
  • Least privilege

in combination with MFA seems to me a sensible basis for the development of many systems. In my experience, there is still too much optimism and baseless trust in one’s own ability to develop software and operate systems. But with this way of thinking I don’t need Zero Trust in the strict sense.

Interestingly, around the same time Fefe published a blog entry referring to his presentation. I agree with him that a lot of what is marketed as Zero Trust is far from it and rather falls into the category of rebranding or even snake oil. The fundamental flaws in securing systems and networks could be avoided without Zero Trust – and (deliberately) aren’t.

On the other hand, I still maintain that an announcement like the one in the U.S. can set an impulse. At the very least it sets concrete requirements for secure IT systems, most of which represent an improvement. In my experience, however, a lighthouse is needed in addition to an impulse, and I don’t see one yet.

In the end, however, I am disappointed by the article in Heise. As I understand it, it is just buzzword claims with no concrete actions. Truly resilient specifications: missing. The results of a search for Zero Trust on the BSI site are also rather modest so far. Then again, there is of course the question of whether a set of rules analogous to NIST SP 800-207 Zero Trust Architecture would be helpful at all. Stricter requirements in BSI IT-Grundschutz could be a sensible step in my view. In any case, the lighthouses called for above do not just fall from the sky. If they do exist, their lights are probably switched off so as not to attract too much attention.

On the one hand, it is probably difficult to measure what added value Zero Trust brings, because unsuccessful attacks (like successful attacks before they are detected) are hard to measure. On the other hand, other accompanying measures could already be effective without Zero Trust.

Translated with www.DeepL.com/Translator (free version)