Highlighting a blog post today by KuppingerCole over on MSSP Alert, which digs into the recently released NIST “Zero Trust Architecture” publication. It’s a great read, and so I will quote liberally from the article.
In practice, Least Privilege means only granting sufficient permissions to accomplish specific actions and not more than that; Defense-in-Depth means inserting layers and gates of security at all relevant control points in a use case. Wide open networks behind firewalls are easy targets. These ideas have become more commonly accepted in modern security architectures, as organizations realize that firewalls and other perimeter-based designs are porous and not sufficient for protecting against proliferating threats.
We have often heard about “Zero Trust Networking” at trade shows and conferences. SP 800-207 does a good job of explaining that ZTA is not limited to networks. In fact, ZTA must transcend network-layer thinking in order to be successful.
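As an added illustration of the two quoted points (this is not code from the article or from SP 800-207), the small Python policy decision point below puts a perimeter rule that gates on source network alone beside a per-request zero-trust evaluation that layers authentication, device posture and least-privilege grants; the resource names, roles, posture levels and addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data (illustrative only, not from SP 800-207 or the article).
CORP_NET = ip_network("10.0.0.0/8")

# Least privilege: each role is granted only the actions it needs on each resource,
# and each resource states the minimum device posture it will accept.
# Posture levels (constructed): 0 = unknown device, 1 = managed, 2 = managed and patched.
RESOURCE_POLICY = {
    "payroll-db": {"min_posture": 2,
                   "grants": {"finance": {"read", "write"}, "auditor": {"read"}}},
    "wiki":       {"min_posture": 1,
                   "grants": {"finance": {"read", "write"}, "engineering": {"read", "write"}}},
}

@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: frozenset
    mfa: bool            # did the subject complete strong authentication this session?
    device_posture: int
    source_ip: str
    resource: str
    action: str

def perimeter_decision(req):
    """The 'wide open network behind a firewall' model: location is the only gate."""
    return ip_address(req.source_ip) in CORP_NET

def zta_decision(req):
    """Defense-in-depth as a chain of gates evaluated on every request; a corporate
    source address earns nothing. Returns (allowed, reason) so decisions can be logged."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not req.mfa:
        return False, "subject not strongly authenticated"
    if req.device_posture < policy["min_posture"]:
        return False, "device posture below resource requirement"
    allowed_actions = set()
    for role in req.roles:
        allowed_actions |= policy["grants"].get(role, set())
    if req.action not in allowed_actions:
        return False, "action exceeds least-privilege grant for subject's roles"
    return True, "all gates passed"

if __name__ == "__main__":
    inside = AccessRequest("eve", frozenset({"engineering"}), False, 0, "10.1.2.3", "payroll-db", "read")
    remote = AccessRequest("bob", frozenset({"finance"}), True, 2, "203.0.113.7", "payroll-db", "write")
    for r in (inside, remote):
        print(r.subject, "perimeter:", perimeter_decision(r), "zta:", zta_decision(r))
```

The unauthenticated engineer on an unknown laptop inside the corporate range passes the perimeter check but fails the zero-trust chain, while the finance user with MFA and a patched device is allowed from outside the network.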
Why do we care?
I’m preaching ZTA aggressively and want to observe that this is not a product-based solution, but a services-based one. All the products in the world won’t deliver zero trust, so the onus is entirely on services providers.
That puts all the benefit and opportunity there too. I’m not convinced that smaller providers really understand this architecture and design, so I’m going to be promoting it. It may not be first-mover territory, but I think there is a lot of room to grow.
Source: MSSP Alert