Paul Burt

@ThatMightBePaul

Google first implemented their internal version of Zero Trust in 2009. The first paper on Zero Trust was published in 1994. So, why did it take all those years for it to catch on?

In Google’s case, they adopted Zero Trust at a time when they saw an increase in cyberattacks from hacking groups in China. That increased threat put pressure on them to change how they protect user data.

If you follow tech news, you know that security breaches like this are a regular occurrence. According to one source 2022 had the highest number of data breaches ever -- up to 50% more than the prior year. What was once seemed like a dripping faucet, is starting to look more like a burst pipe.

Why are people switching away from VPNs while there's an increased threat? Zero Trust requires not only a change in philosophy, but also in implementation. Technologies like Wireguard and HashiCorp’s Boundary are two open source Zero Trust solutions that many consider. As such, they’re a great way to understand the concept.

Modern Zero Trust solutions focus on authenticating every connection to a device or service. In other words, just because someone is inside of your castle walls that does NOT necessarily make them trustworthy. If someone does get phished, or credentials get compromised in some other way, the amount of damage that can be done is isolated to just one server.

Why do we need to change VPN technology? It has to do with that castle and village metaphor.

Traditional VPNs are similar to a castle. A single gateway server controls access in and out of the system. All traffic must flow through the VPN gateway, just as all traffic in and out of a castle must go through a gate.

That single point of ingress and egress makes for a convenient place to check things. Who is this person? Are they authorized to be here?

Once they pass, they’re in the network – err, castle — for good.

OpenVPN is an example of a popular approach. Many organizations rely on OpenVPN style technologies, and it is a good defensive strategy compared to just leaving everything open on the public internet. Or worse, using "special" ports as "security" — hint: it's not.

That said, can we do better? What if we don’t just want good, but we’re actually aiming for great?

Instead of just checking things at the castle gate, we could do our security checks at every door. Every home, and every room does the check. Further, when someone knows where they’re going, they can walk directly to the house that they want to visit. No need for them to change their route, and first head through the castle gate.

This is a big part of the shift that modern Zero Trust strategies embrace. Wireguard is a nice open source example of a modern solution, and is also useful as a contrast against the traditional approach of OpenVPN.

Wireguard is a much smaller codebase, since its only aim is to solve the problems of establishing a connection and encrypting traffic. Concerns like LDAP and any business logic are left for an admin to figure out.

That specific focus is reminiscent of a UNIX-like philosophy. Do one thing and do it well. In fact, WireGuard is so UNIX-y that as of version 5.6 of the Linux Kernel, it’s included by default. Similar to how UNIX processes get composed together with pipes, Wireguard gets composed together with a control plane. It’s the control plane where LDAP and the other neat features live.

It’s a Village, not a Castle

Zero Trust’s more direct type of connection and security check is more akin to a village, or a city. You’re encouraged to connect directly to a resource, rather than through a VPN gateway or a bastion host.

Security checks happen more frequently, and are scoped more precisely. That’s because the connection is more specific to just you, as opposed to the shared bridge – err, VPN, used by all of your co-workers.

The castle vs village visual is a great model, because it also illustrates the challenge of handling a large amount of traffic. How difficult is it to expand a castle’s walls? You can see the difficulty of this in the real world with multiple clusters, across multiple time zones and cloud providers. Do you run multiple VPN networks?

Similarly, how easy is it for traffic to overwhelm and take down a single gate into the castle? VPN Gateways and bastion hosts can become single points of failure. Although, to be fair, there are well tested strategies for fixing that.

Bastion Hosts and VPNs are Monolithic

The challenge of maintaining a single massive server is something most folks in infrastructure are familiar with. Sometimes this is framed as vertical scaling versus horizontal scaling. A vertical server can be simpler to manage, up to a point.

Once a large amount of traffic starts flowing, then the switch to a horizontal architecture is common. Expanding vertically is difficult. Expanding horizontally mostly means just adding more servers. The castle, or VPN’s expansion is more akin to a vertical strategy.

Zero Trust’s recent rise in popularity coincides with the advent of infrastructure-as-code (IaC). It would be tedious to manually manage the software and settings required for Zero Trust across hundreds or thousands of servers. Since a lot of us are already automating these kinds of horizontal changes through IaC, Zero Trust fits in naturally.

To be clear, traditional strategies are popular. VPNs work quite well, up to a point. So, when is that point, and when should you start considering Zero Trust at your business? You can take some guidance from some real world examples of the traditional approach, and the places who've shared the story about their choice to transition away from it.

• OpenVPN case study
  • A Better Alternative to Usernames and Passwords
• Segment’s approach to infrastructure
  • The Segment AWS Stack
  • Bye bye bastion hosts...Hello AWS IAM!
• Teleport's approach to traditional bastion hosts
  • Setting Up an SSH Bastion Host

Your organization should consider Zero Trust Networking if:

• Your dev’s connection to servers and services are slow
• You are struggling to manage a VPN Gateways or Bastion Hosts
• You are worried about the increasing number of attacks and breaches
• You already embrace infrastructure-as-code or a solution like Terraform
• The amount of user data that you manage makes your business stakeholders nervous

Zero Trust is more than just Wireguard or direct connections to servers. We partner with a number of organizations dedicated to simplifying and creating robust Zero Trust solutions. If you’re curious about the various approaches, here are some additional resources from our partner’s about Zero Trust networking.

• Tailscale
  • Popular solution built on Wireguard protocol
• HashiCorp Boundary
  • Created by talented engineers from a company most folks already trust
• Twingate
  • Built for the Enterprise from the ground-up, and relies on split tunnel networking
• Smallstep
  • Innovating on traditional SSH with a cert-based connectivity approach

For more detailed guides on Zero Trust, both NIST and NCSC (US and UK government agencies), have detailed guidance. NIST’s guide is here, and NCSC’s guide is here.

Additionally, Google has released their own Zero Trust framework, which they call BeyondCorp.

No. These are reliable and trustworthy technologies. Many of the solutions that power Zero Trust are new, and only appeared within recent years.

As we said, these solutions are good. Zero Trust should be seen as an improvement that pushes your organization towards being great.

Indent is a nice addition to any Zero Trust strategy. Similar to how Zero Trust limits the amount of damage that can happen if credentials are compromised, Indent also limits damage. How can an attacker do damage if the credentials automatically expired?

Indent fits in as part of a Defense in Depth strategy. Overall security strategies, which includes Zero Trust, are always made by combining multiple solutions.

How are you planning to architect your networking setup? Let us know, send us a tweet.

Have questions about what's the best networking solution for your team? We're happy to help you think through the options — book time with out team →