Mendhak / Code

‘Zero Trust’ security is a poor choice of words

There is a growing focus on Zero Trust security models across businesses, and with this changing landscape will come a new set of security paradigms and processes that end users will need to adapt to.

This isn’t going to be a frictionless process — workflow changes are very difficult to take up in established environments. They tend to highlight areas that hadn’t been considered before, and with that comes disruption and a ripple effect on everything around them.

Why it’s important

User frustration will be brought to the forefront, and this security model will be seen as a blocker to productivity and ‘getting the job done’. What will not help is the users being told that this is part of a ‘zero trust’ security model. From the user’s perspective, this phrase has a negative connotation — it tells the user that they are not trustworthy, and it goes against building trust in the workplace.

It’s important to point out here that if we want widespread adoption of a new security model, getting buy-in from the people who will be living with it is paramount. With the right buy-in, the same users can become proponents and even champions of the new systems, and that helps everyone. Antagonistic phrasing paired with a troublesome implementation can make the same users the biggest barriers to its adoption.

Naming things is hard

Naming things is hard, and I’m not good at it; I can, however, recognize where a better name would help. Also, that isn’t going to stop me from making suggestions anyway.

From a security perspective, ‘zero trust’ makes a lot of sense and conveys information about the underlying trust model. Expecting users to grasp its implications from just that is a You’re Not Wrong meme. If security is everybody’s responsibility, there needs to be a sense of togetherness on the journey. The naming and messaging need to tell the user that the speed bumps they’re encountering are there for a reason, and the reason should be easy to intuit. Ideally (but more likely impossibly) it ought to also convey that it is worth it in the grand scheme of things.

Marketing

As distasteful as it may seem to technologists, the ‘marketing’ around a name plays a big role. An example from another area is ‘serverless computing’, which most certainly involves servers, just not servers that its users would normally be concerned with. It is a misnomer from the implementer’s perspective that nonetheless conveys certain aspects of its usage to developers. It certainly beats “deploy and run your code to my server”, which starts going into details that some people would rather not think about.

On the other hand, we don’t want to go too far with the naming. An example that springs to mind is the prefix ‘magic’. See Magic links, where a user clicks a link to authenticate. Calling something ‘magic’ is in the realm of telling the user they’re too stupid to understand what’s going on.

Examples

Google have phrased their implementation as “BeyondCorp” which takes the connotations away by talking about the edges. Could this be evolved to take on a more generic meaning?

“Perimeterless Security” or “Boundaryless Security” - in a similar vein to BeyondCorp, it’s conveying a sense of security that’s everywhere. Quite a mouthful to say.

“Continuous Verification” or “Continuous Security” - this is somewhat accurate, though it sounds a bit tedious; would a user think that they’ll need to keep logging in every few minutes?

“Just in Time Access” - not too bad, this conveys the why of certain things happening. This might get confused with Just in Time compilation.

“End to End Security” - it’s generic, and sounds similar to “End to End Encryption”, which has a modern usage made popular by WhatsApp. Could work.

Conclusion

Zero Trust is a phrase with negative connotations. I hope that someone with a better head can come up with more suitable naming and messaging around the Zero Trust model to help inculcate its benefits and its necessity, and get buy-in from users.

Proper naming and messaging will assist with its adoption, as the implementation of Zero Trust is not going to be frictionless, despite vendor claims to the contrary.

To put it antagonistically, anyone saying that it will be frictionless is either trying to sell a product, or is a policy maker that is unlikely to feel its effects (or should I say, zero-empathy?).