Virgil D. Gligor is Professor at Carnegie Mellon University, where he co-directed CyLab, the cybersecurity and privacy institute, between 2008 and 2015. He was the (co-)chair of over a dozen conferences, including IEEE Security and Privacy, ACM CCS, and the Internet Society’s NDSS. Gligor was an Editorial Board member of several journals and the Editor in Chief of the IEEE Transactions on Dependable and Secure Computing. He received the 2006 National Computer Systems Security Award given by NIST and NSA, the 2011 Outstanding Innovation Award of ACM SIGSAC, and the 2013 IEEE Computer Society Technical Achievement Award. He was inducted into the Cybersecurity Hall of Fame in 2019.
We review the standard definitions of trust, zero trust, trusted service, and trust establishment, and show that zero trust is unachievable in any enterprise network; i.e., at least one security property is impossible to establish unconditionally with confidence for some devices, and many others are impractical to establish for other devices. In fact, zero trust has meaning only as an unreachable limit of trust establishment. Since NIST’s zero-trust architectures cannot be about zero trust, we review their key characteristics and show that their main goal, limiting the effects of security breaches to single trust zones, is often unmet. These architectures can never serve as security models, nor can they be used to protect critical infrastructures, as they cannot counter many common attacks, much less advanced ones. However, mature zero-trust architectures can reduce recovery costs after breaches, although the reduction is lower than that provided by some alternative techniques.
In view of these facts, it seems surprising that a 2021 Presidential Executive Order incorrectly calls NIST’s zero-trust architecture a “security model,” mandates its adoption, and frequently requires trust establishment, which excludes zero trust. Nevertheless, these architectures are motivated by practical goals. They rely on low-cost security assurance to limit some penetration damage and decrease recovery cost. They aim to detect trust-zone penetrations early by continuously monitoring network devices. They maintain backward compatibility with existing (insecure) commodity software to facilitate timely deployment. In contrast with the low-cost assurance of these architectures, trust establishment encourages flexible cost allocation among security functions and assurances, risk reduction, and adversary deterrence.