31 January 2019
The concept of Zero Trust is being lauded by the Government Digital Service (GDS) as the way forward for all of the public sector’s networking requirements.
Zero Trust originates from a theory that if you know who a person is, what device they are using and where they are, you can set a policy to allow or disallow them access to services and data. If one, or more, of these elements are missing, the user can’t be trusted.
The GDS blog ‘The Internet is OK’ was the forerunner of the government’s Zero Trust Networking approach [editor’s note:also see front page news, May 2018 issue]. The intention was to adopt Zero Trust networking and dismantle networks within the public sector. Innopsis is supportive of the first half of the proposed strategy but urges caution for the latter half.
Companies don’t buy networks purely for security. Yes, it’s part of the mix, but so is availability, accountability and latency. The internet works because network providers play nicely – there are no SLAs, data packets get through on a best endeavours basis, and there are no rules as to where and how traffic is routed. If it works, it works; if it doesn’t it doesn’t.
Currently, processes are in place to allow the communications route to be checked and escalated along the entire path. Engineers can re-route to avoid breakdowns and services can be guaranteed. There is no escalation path with the internet. The provider can only resolve from the customer’s premises to their internet’s hand-off points.
The answer is taking a hybrid approach. Adopt Zero Trust across the network but maintain MPLS based networks for the major offices and data centres. This will allow flexibility for remote and mobile workers. Branch offices can utilise internet connectivity but the main corporate offices can have a robust controlled environment to communicate with the data centres, hyperscalers, and other offices.
Zero Trust networking will give benefits across the public sector, similar to the benefits experienced by local public sector organisations in Yorkshire who have achieved the same with a common authorisation service allowing public sector workers to work from any public sector building. Zero Trust will enable mobile workers to have corporate style working, and will also allow occasional home workers.
But will it increase security? For some users, it will. Is it risky to move all traffic to the internet? Yes. Very. Some traffic will be fine, but not all.