Let’s talk Zero Trust. Protocol examining how it’s a heavily overused term. Let’s quote from the article.
Depending who you ask, zero trust is an architecture, a strategy, a goal — or probably, all of the above. The concept of zero trust first gained momentum at Google in the wake of the 2009 “Aurora” attacks, attributed to Chinese government hackers, which included the theft of source code from the company. As a security term, “zero trust” was popularized starting in 2010 by John Kindervag, then a Forrester analyst.
Continuing.
Alex Weinert, vice president and director of identity security at Microsoft, has a favorite quote on zero trust, he said during a recent online panel hosted by Protocol. Weinert once asked a chief information security officer to define zero trust, and the answer he received was, “It means whatever the person on the other side of the table is trying to sell.”
Less flippantly, zero trust can be seen as an organizing principle for how to stop modern cyberattacks. Today attackers tend to follow a certain trajectory: After gaining initial access to an environment, they move around on the network, take over additional accounts, and elevate their account privileges to let them take additional, more damaging actions.
And finally
Some security product categories are overtly associated with zero trust, such as zero trust network access, which is a VPN replacement that’s built around zero trust principles. For instance, zero trust network access tools can use additional data sources to verify a user beyond just their credentials, such as their location or the security posture of their device.
But deploying that particular technology doesn’t single-handedly achieve zero trust. And given the fact that zero trust does incorporate a variety of different technologies, that’s led a number of cybersecurity vendors to take some liberties with the term.
Why do we care?
I wanted to highlight this article due to the critical insight – every vendor wants to be zero trust, but none of them are in isolation. If zero trust is an architecture, a strategy, a goal, or a combination, they all require the services to install and configure them.
This should be lots of good news. The desired outcome and the path are via services. Here’s the rub. Suppose vendors oversaturate the market with messaging and those liberties with the messaging, and customers end up disappointed. In that case, they’re likely to blame both the vendor and the implementer.
Set expectations realistically and then deliver. And push back on the vendor nonsense.