Zero Trust and Dynamical Perimeters based on Identity

NIST has recently published the final version of SP 800 207 “Zero Trust Architecture” which is a recommended reading.

This gives me the opportunity to consider how vastly the IT architecture has changed in the last 20 years. From the concept of a single IT physical perimeter, we now have multiple physical or virtual perimeters which can be dynamic due for example to Software Defined Networks or Cloud services.

But most importantly who and what is inside a perimeter, which can be even a single application, depends not only on the physical and/or virtual location of the device (both server and/or client) but on the identification / authentication / authorisation of the user and/or the device. So, given the proper identification / authentication / authorisation, a user and its device can be admitted inside a high security perimeter even when connecting from any network in the world. 

Moreover, authentication and authorisation are not “once for ever” but each, even tiny, perimeter should perform them again. This requires strong authentication processes which both authenticate the user and also her/his device and its security. Often this process can be done in two steps: the user authenticates her/him-self to the local (portable) device typically with MFA / Biometrics etc., and the device then manages the authentication to the remote services thus providing a simpler user experience.

This is the development we see every day in most major IT / Cloud services, and which, sooner or later, will also lead to decrease our dependency on the use of Passwords.