"Zero Trust in Zero Trust"

In May of 2021, President Biden issued an executive order launching a government-wide initiative to strengthen its cybersecurity practices. The mandate required agencies to implement zero trust architectures and a cloud-based infrastructure by 2024 in order to improve security and reduce potential risks. However, Virgil Gligor, Professor of Electrical and Computer Engineering at Carnegie Mellon University (CMU), argues that the strategy leaves much to be desired and that zero trust is not attainable. According to Gligor, several principles would have to be met in order to achieve zero trust. All of the security properties of a corporate network must be proven with absolute certainty. In his technical report titled "Zero Trust in Zero Trust?," Gligor argues that the "black box" devices employed in all enterprise servers and endpoints make zero trust impossible because there will be at least one security property that cannot be proven unconditionally and with certainty. Zero trust architectures are not resistant to penetration, so they do not eliminate the possibility of breaches. According to Gligor, the government's principal objective in implementing these architectures is to limit adversaries' lateral movement by segmenting networks to reduce the damage an adversary may wreak. To secure these network segments, or implicit trust zones, the government outlines a plan that grants access to resources based on continuous verification of user attributes, such as roles, permissions, and access levels, and enforces the principle of least privilege. Gligor says this concept is technically flawed. This article continues to discuss Gligor's argument that achieving zero trust is not possible.

CyLab reports "Zero Trust in Zero Trust"
