If you’ve been paying any attention to the technology or cybersecurity industries over the past two to three years, you have no doubt been exposed to the term “zero trust.” It is, in some ways, an overused term that means something different to nearly anyone you ask. Some think of it as a set of tools while others think of it as the lack of a security perimeter. Still others think it implies no trust, ever.
Despite the differences of opinion and understanding, many are rallying around zero trust as a more modern approach to securing applications and data than previous security models. They are eager to shift from the legacy of perimeter-based cybersecurity to a model that is data and identity-centric.
So, what exactly is zero trust, where did it come from, and why do you need to know about it? In this analysis, we’ll explore the concept of zero trust, its varying definitions, and its growing popularity as a more effective cybersecurity model than its predecessors.
What Is Zero Trust?
While there are many potential zero trust definitions to choose from, a good starting point is the National Institute of Standards and Technology (NIST), an authoritative source of cybersecurity publications that deliver standards, guidelines, and best practices.
Which companies are the most important vendors in cybersecurity? Check out
the Acceleration Economy Cybersecurity
Top 10 Shortlist.
In NIST 800-207, the organization states:
“Zero trust (ZT) provides a collection of concepts and ideas designed to minimize
uncertainty in enforcing accurate, least privilege per-request access decisions in
information systems and services in the face of a network viewed as compromised. Zero
trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust
concepts and encompasses component relationships, workflow planning, and access
policies. Therefore, a zero trust enterprise is the network infrastructure (physical and
virtual) and operational policies that are in place for an enterprise as a product of a zero
trust architecture plan.”
History of Zero Trust
Early dialogue on zero trust, or at least concepts related to de-emphasizing perimeter-based cybersecurity approaches, can be traced back to 2004 and a group known as the “Jericho Forum.” That dialogue continued and, in 2010, cybersecurity expert John Kindervag coined the term “zero trust.” The concept gained further momentum through organizations such as Google and its BeyondCorp initiatives, which focus on bolstering its own internal security practices and architecture.
Zero trust picked up significant steam with the publication of the Cybersecurity Executive Order (EO) 14028 “Improving the Nation’s Cybersecurity.” Zero trust was mentioned over 10 times in this order, and it was positioned as a key component of modernizing the U.S. federal government’s cybersecurity. This was followed by publications including the Federal Zero Trust Strategy and the CISA Zero Trust Maturity Model. The recently published 2023 National Cybersecurity Strategy also emphasizes zero trust, further cementing its role in cybersecurity.
While these publications and initiatives are government-centric, they inevitably have led to a tremendous increase in industry dialogue around the concept of zero trust and subsequent efforts by the commercial sector to increase its own adoption of zero trust.
Adding to the momentum for zero trust, there has been significant investment and effort by cybersecurity tech providers to help organizations utilize more modern technologies to enable zero trust outcomes.
I personally work with federal agencies and program offices and have seen firsthand their tremendous interest in zero trust. In response to the Cybersecurity Executive Order, Federal Zero Trust Strategy, and CISA Zero Trust Maturity Model, agencies are starting to assess their current level of zero trust maturity and develop implementation plans to address gaps and deficiencies.
This is leading to increased investments, technology modernization, and improvements to policies and processes related to architecture, data, and identity management, all of which are difficult in large, complex environments like federal agencies.
Why You Need to Know About Zero Trust
One of the biggest differences between zero trust and legacy approaches to cybersecurity is the removal of implicit trust. This isn’t to say that there is no trust or zero trust, but that trust isn’t implicit: Access and authorization decisions aren’t made once and then never revisited. Practices including context-based access control are requirements.
These changes mean that understanding users’ device posture, geographic locations, unique roles and responsibilities, and more drive access-control decisions. They also imply more robust encryption throughout the organization’s systems and applications. This includes segmentation to ensure one incident doesn’t compromise the entire tech infrastructure or organization.
Final Thoughts
If one thing is clear, it’s that both public and private sector organizations view zero trust as a key component of modernizing cybersecurity and mitigating threats in the modern threat landscape. Many organizations are now well on their way to adopting and implementing a zero-trust architecture, but a significant portion of organizations still have yet to begin.
If you’re an information technology (IT) or security leader, you need to have a fundamental understanding of what zero trust is, and what it isn’t, to secure your organization, data, and brand reputation as the threat landscape continues to evolve.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel:
