Zero Trust (ZT) continues to make waves, as US federal agencies are now publishing guidance for effective implementations (no pun intended), such as the OMB’s M-22-09 or the DoD’s ZT strategy. While ZT is still mired in myths, which could indeed be sorted out with some effort, it enables the state to be considered a source of trust in cybersecurity.
At this point, I would like to address a common point of confusion: whether or not ZT has replaced Defense in Depth (DiD) and other acknowledged cybersecurity principles. If ZT has not replaced these principles, how do they relate to ZT? What about the others, such as the principle of least privilege or segregation of duties? Well, ZT has not replaced these principles at all. Now let's try to understand how they continue to relate to ZT, and how security specialists keep them reliable while applying them effectively and efficiently.
As in any house construction, everything starts with a safe and sound foundation that prevents things from collapsing or falling onto your neighbor's property. For ZT, this foundation consists of common industry practices. At this point, I would like to highlight three basic principles that are usually ranked as important for ZT, yet are often misaligned.
As you apply these principles, you will see that you and your organization are on the right path when it is time to assess your ZT maturity.
Do you realize how convenient life has become? We have manuals and guides for almost anything, and they show us how to do things right. Unfortunately, you will skip the guide and rely on rule of thumb to assemble the bike for your vacation, or use the wrong tool to tighten a screw. Assembling a bike wrong may not cause much trouble, yet faults in the implementation of security principles may cause far more costly and larger-scale trouble. Focusing on these three highlights will help you to grasp the following:
Zero Trust has come a long way as an information security model. In the meantime, it has often become a matter of debate and doubt. But one thing is certain: if we focus on what ZT has been built on, we can see that it provides a common target for most (if not all) of these basic principles to be effective in practice.