In the Beginning, Before Zero Trust

Written by Christer Swartz, Director Industry Solutions, Illumio.

 

I entered the cyber industry a long time ago, when I joined a small startup, way back in the year 1989. Back then, our global headcount was 50 people, and we called ourselves cisco systems (when “Cisco” was still spelled with a lower-case letter “c,” and before “systems” was dropped from the name). Back in this ancient time, we made all of 3 products: a router (which we also called a “gateway”), a bridge (before switches), and a terminal server (since dumb-terminals were still common at the time). And during those early years, there was one word which we almost never mentioned, and that word was “security.”

This was the very early days of what would become the Internet. This was the era of the NSFNET, which had replaced ARPANET a few years prior. Using the NSFNET for commercial purposes was not legal until the year 1991, given that the infrastructure was a publicly-funded project. 

The single biggest priority at the time was high availability. How could links between routers and bridges survive an outage, or re-route around congestion, or utilize redundant connections? Why bother with securing anything? None of this was used for commerce and the data being sent was mostly boring, with little value. Security was an after-thought, at best.

Fast-forward 30+ years and much of the global economy now depends on the Internet, and the underlying infrastructure is generally reliable enough that users can pretend it’s not there. Now one of the top priorities is using it all securely. But since security was never a priority in the beginning, this amounts to trying to fit a square peg into a round hole. Is this an un-solvable problem?

 

Let’s build security appliances, or perhaps not

We eventually decided that maybe, just maybe, security was of some importance, and Cisco produced the PIX firewall in 1994. This was a full 10 years after the company was founded, and was the result of a corporate acquisition, so Cisco can’t be accused of being hasty.

It was a small step in the right direction, but it assumed that all threats were outside of the network perimeter, with anything inside the perimeter being trusted. Someone named John Kindervag decided this was a naïve assumption, and what would later become Zero Trust was born.

In those early years, broader security discussions focused on the network, especially methods for authenticating routing protocols like BGP, because we viewed the network as the center of the universe.But all the great security breaches over the past many decades have proven that assumption wrong. How often has any network firewall been effective at preventing security breaches? Yet many people still cling to a network and appliance-centric view to securing data. There must be a different way.

 

Cybercrime: The 3rd biggest GDP in the world

If you add up all the costs and profits associated with cybercrime and you consider it all as the GDP of a country, that total number is just shy of $10 trillion, as of 2024, behind only the GDPs of China and the US. Cybercrime is a very profitable business model, and with the advent of AI it will only become more profitable, unless security is addressed in a fundamentally different way. The unfortunate truth is that crime pays.

Therefore, cybersecurity has to be totally decoupled from the past. Zero Trust abstracts security away from any network or cloud perimeter and pushes the trust-boundary out to every single resource, agnostic to any security appliance. Network security is still required, but it has very different priorities than workload security.

Zero Trust assumes that your environment is already littered with threats, and that the weakest link in any security architecture is between the keyboard and the chair. Therefore we need to assume that 100% of us will be breached, and the goal is to isolate that inevitable threat without losing time trying to first understand that threat.

If you try to break down the door to my house, I could first ask you why. However, it might be more effective for me to first lock my door and then ask questions later. Zero Trust locks the doors without asking too many time-delaying questions, making cybercrime far more difficult to profit from. 

 

Security cannot remain stuck on the mistakes of the past

Those early days of the Internet were ambitious, but not all visions can predict the future. That future is now, and cybersecurity needs to reinvent itself. Zero Trust is the solution, like a phoenix rising from the ashes of the past.