Zero Trust and the Lava Lamp

Author: Colin Robbins

10% of ALL internet traffic relies on the security of a Lava Lamp!

My holiday reading was “Humble Pi - A Comedy of Maths Errors”.  It was supposed to be some light relaxation, not a thread that would set me off writing a Zero Trust blog.  Oh well, maybe I can cover the cost of my flights on expenses!

Zero Trust is a complex topic, involving the determination of what is being trusted and how that trust is asserted.  However, how do you scope the boundary of a trust assessment: how far down the chain of dependencies does it go?

Let’s use the humble Lava Lamp as an example.

As described in more detail in “Humble Pi”, let's say my business need is to set up a TLS connection between a client and server, and I need a scalable connection, so I contract Cloudflare – they seem like a trustworthy brand, and reportedly handle 10% of all Internet traffic.

Setting up a TLS connection requires a good source of random numbers to seed the session key.  Truly random numbers are hard for computers to produce: a pseudorandom generator is only as good as the unpredictable entropy it is seeded with, and gathering enough of that entropy at scale is harder still.

To solve this, Cloudflare has “arranged about 100 lava lamps on one of the walls in the lobby of the Cloudflare headquarters and mounted a camera pointing at the lamps.  The camera takes photos of the lamps at regular intervals and sends the images to Cloudflare servers”, where an algorithm turns the images into random numbers based on minor fluctuations in the colouring of the lava lamps.

So, back to the use case: my TLS connection is now dependent on the physical security of the lobby of the Cloudflare headquarters.  Break into the lobby, attack the camera to replay a recording of yesterday’s lava lamp display, and I now have the potential to predict the random number sequence, and thus break the TLS connections (non-trivial, not least because a well-designed system mixes several independent entropy sources so that a single replayed one does not determine the output, but conceptually possible).
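The replay attack sketched above, as an added illustration (this is not the author's or Cloudflare's code, and Cloudflare's real entropy pipeline is not described on this page): a Python model of a key derivation that seeds from camera frames, showing that an attacker who replays a known frame reproduces the key when the camera is the sole source, and cannot when the frame is mixed with entropy the attacker does not see. The two "frames" and the fixed local-entropy value are constructed sample data, and the HKDF salt and info strings are arbitrary demo choices.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for two camera frames of the lamp wall (not real images):
# in reality each would be a JPEG, but any byte string works for the demonstration.
FRAME_YESTERDAY = bytes(range(0, 64))
FRAME_TODAY = bytes(range(64, 128))

# Constructed fixed value standing in for the server's own entropy (e.g. os.urandom).
LOCAL_ENTROPY_FIXED = b"\x01" * 32


def frame_entropy(frame: bytes) -> bytes:
    """Condense one camera frame into a 32-byte entropy sample by hashing the pixel data."""
    return hashlib.sha256(frame).digest()


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-SHA256(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_session_key(entropy_sources: list) -> bytes:
    """Derive a 32-byte key from one or more entropy samples.

    Each sample is length-prefixed before concatenation so that two different
    source lists cannot collide on the same input keying material. The key is
    reproducible by anyone who knows every sample, and by nobody who lacks one.
    """
    ikm = b"".join(len(s).to_bytes(2, "big") + s for s in entropy_sources)
    prk = hkdf_extract(b"lava-lamp-demo-salt", ikm)  # constant demo salt, not a secret
    return hkdf_expand(prk, b"tls session key")


def key_from_lamps_only(frame: bytes) -> bytes:
    """Weak design: the camera is the sole entropy source."""
    return derive_session_key([frame_entropy(frame)])


def key_from_lamps_and_local(frame: bytes, local_entropy: bytes) -> bytes:
    """Better design: the camera sample is mixed with entropy the attacker cannot see."""
    return derive_session_key([frame_entropy(frame), local_entropy])


def attacker_recovers_key(victim_key: bytes, attacker_guess: bytes) -> bool:
    """True if the attacker's reconstruction matches the key the victim actually used."""
    return hmac.compare_digest(victim_key, attacker_guess)


def run_replay_scenarios() -> dict:
    """Replay yesterday's frame into the camera and see which design survives."""
    replayed = FRAME_YESTERDAY  # the attacker knows this frame: they are replaying it

    # Design 1: lamps only. The victim seeds from the replayed frame, and the
    # attacker, holding the same bytes, derives the identical key.
    victim_key = key_from_lamps_only(replayed)
    lamps_only_broken = attacker_recovers_key(victim_key, key_from_lamps_only(replayed))

    # Design 2: lamps mixed with local entropy. Same replayed frame, but the attacker
    # has to guess the local contribution; here they try all zeros.
    local = os.urandom(32)
    victim_key = key_from_lamps_and_local(replayed, local)
    mixed_broken = attacker_recovers_key(
        victim_key, key_from_lamps_and_local(replayed, b"\x00" * 32)
    )
    return {"lamps_only_broken": lamps_only_broken, "mixed_broken": mixed_broken}


if __name__ == "__main__":
    print(run_replay_scenarios())
```

The point for the risk assessment is the second scenario: once the camera feed is one input among several rather than the only one, compromising the lobby buys the attacker far less, and the question shifts from "is the lobby secure?" to "is the entropy mixing designed and operated as claimed?", which is exactly the kind of control an audit report can speak to.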

Does this mean that to be sure of the security of my TLS connection, I need to go and audit Cloudflare’s physical security?  I suggest that would be “extreme” Zero Trust.

No, in reality, I run a process that determines the potential areas of risk and looks at how you gain assurance that the risks have been suitably considered and covered.  In my use case, the risk is likely to be expressed as the need for a secure client / server connection.  The mitigation is the use of a reputable third-party service.  Then, crucially, comes assurance of that service through a due diligence process (e.g., checking third-party audit reports such as a SOC 2 report or ISO 27001 certification).

Aside:  I would be fascinated to know if any security risk assessment has actually included “Risk of Lava Lamp compromise” – please do let me know (unless you are Cloudflare, who I hope has done it in great detail).

So what?  This is just another example that you cannot buy Zero Trust as a shrink-wrapped product.  It is an approach that involves determining what you trust (risk assessment…) and how trustworthy it is (assurance, supply chain assessment…).  That’s why at Nexor we adopted a service-led approach to the supply of security solutions, using Zero Trust principles.

About the author

Colin Robbins is a Principal Security Consultant, leading customer-funded research activities in secure interoperability and information exchange. He has specific technical interests in the Single Information Environment and Data Centric Security, as well as the processes of security, such as Secure by Design and Information Security Management Systems (ISMS). He is a Fellow of CIISec, and a former NCSC certified Security and Information Risk Adviser (Lead CCP).
