It may seem strange to apply concepts from Chinese philosophy to an IT security model, but representing complex ideas in simple terms can be a powerful tool for understanding and communicating. By viewing zero trust through the lens of Yin and Yang, we see that to be complete, the scope of the model must include how users and devices access all resources. This includes not just our own applications and data, but also resources we don't control... on the Internet.
The concepts of Yin and Yang represent two complementary aspects of one whole. Yin represents darkness, cold, restfulness, inwardness, and inhibition. Yang represents brightness, heat, movement, outwardness, and excitation. Surprisingly, these aspects can be related to a zero trust security model.
Today our enterprise applications and data live in the cloud as well as the datacenter. Valid users and devices connect from the corporate LAN, from workers' homes, or from nearly anywhere there is an Internet connection. The old model of perimeter security has lost relevance. We are moving from a "trust, but verify" stance to a "never trust, always verify" one.
Take a Holistic View of Zero Trust
Much of the thought around zero trust has been about how users are granted access to protected applications and data. In other words, since zero access is assumed, it is about what we choose to grant access to. This is clearly important, but is it the whole picture? To be a holistic security model, shouldn't it apply to any resource our users try to access, even if that resource is not under our control in our datacenter or cloud service?
We all know that the Internet abounds with security threats like malware, phishing, and command & control domains operated by malicious actors. Many enterprises also have an acceptable use policy for what kinds of websites their users may visit. So how does the zero trust model apply to internet resources?
One of the core concepts of the zero trust model is that all resources should be accessed securely, regardless of the location of the resource. So we must include the Internet in the model somehow.
However, we cannot apply quite the same approach to the Internet that we do for resources we control. The Internet is too vast and too diverse to specify every resource we want our users to access. Instead, we typically block access to malicious or prohibited websites, and allow everything else.
Apply Yang to Application Access; Yin to the Internet
If we consider access to our own application and data resources as something to explicitly permit, it might be well represented by Yang; we make an active choice to allow access.
Conversely, access to Internet resources (again, not cloud resources that we have some control over) could be represented by Yin; we take a more inhibitive approach and block access to undesirable resources.
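The two halves of the model above can be expressed in one policy decision. The following is an added illustration, not code from the post or from Akamai: it assumes a constructed set of internal applications with explicit allow rules (Yang: default deny, allow only what is granted) and a constructed domain-category feed standing in for threat intelligence (Yin: default allow, block known-bad or prohibited categories). Device posture is checked first in both paths, since zero trust never assumes the requester is safe.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed sample data for illustration only.
INTERNAL_APPS = {"hr-portal", "billing-api"}
# Yang: explicit grants for resources we control, keyed by (resource, user group).
ALLOW_RULES = {
    ("hr-portal", "hr-staff"),
    ("billing-api", "finance"),
}
# Yin: categories we refuse on the Internet (threats plus acceptable-use policy).
BLOCKED_CATEGORIES = {"malware", "phishing", "command-and-control", "gambling"}
# Stand-in for a URL categorisation / threat-intel feed (constructed hostnames).
DOMAIN_CATEGORIES = {
    "bad.example.net": "phishing",
    "c2.example.org": "command-and-control",
    "casino.example.com": "gambling",
    "news.example.com": "news",
}


@dataclass
class Request:
    user_group: str
    device_compliant: bool
    destination: str  # internal app name or Internet hostname


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for a single access request."""
    # Never trust: a device that fails posture checks gets nothing, anywhere.
    if not req.device_compliant:
        return False, "device not compliant"
    if req.destination in INTERNAL_APPS:
        # Yang path: default deny; only an explicit rule grants access.
        if (req.destination, req.user_group) in ALLOW_RULES:
            return True, "explicit allow rule"
        return False, "no allow rule for internal resource"
    # Yin path: default allow; block only known-bad or prohibited categories.
    category = DOMAIN_CATEGORIES.get(req.destination)
    if category in BLOCKED_CATEGORIES:
        return False, f"blocked category: {category}"
    return True, "internet default allow"


if __name__ == "__main__":
    for r in (Request("hr-staff", True, "hr-portal"),
              Request("finance", True, "hr-portal"),
              Request("hr-staff", True, "c2.example.org"),
              Request("hr-staff", True, "news.example.com")):
        print(r.destination, evaluate(r))
```

A real deployment would source the allow rules from an identity provider and the categories from a live feed; the shape of the decision, explicit grant inward and explicit block outward, is what the post's Yin/Yang framing describes.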
Check Out Akamai's Holistic Zero Trust Approach
There are a number of architectures that enterprises and vendors have proposed for the zero trust model. Akamai's approach to zero trust is holistic, in that it considers both secure application access and protection for internet access. Check out our reference architecture below.
You don't need to understand Chinese philosophy to take away the main point of the post, which is that effective security needs a holistic approach. So keep that in mind as you develop your company's zero trust strategy.