0T - rFronteddu/general_wiki GitHub Wiki

For me, the easiest way to conceptualize zero trust is by considering what it is not. Perimeter-based security (as provided by a perimeter firewall, for example) is a good counterexample. The idea of a firewall is that there is an inside and an outside, with systems on the inside being “trusted” and those outside being “untrusted”. This division of the world into trusted and untrusted regions fails both the principle of least privilege and the definition of zero trust. Traditionally, a device on the inside of a firewall is trusted to access many other devices that are also inside, just by virtue of its location. That is far more privilege than it needs to do its job, and it is contrary to this description of zero trust provided by NIST:

“Zero trust…became the term used to describe various cybersecurity solutions that moved security away from implied trust based on network location and instead focused on evaluating trust on a per-transaction basis.”

VPNs are another example of an approach to security that fails to meet this definition, because, even though modern VPN technology lets you connect to a corporate network from anywhere, it still creates the sense of an inside that is trusted and an outside that is not.

My theory about the occasional backlash I’ve seen around zero trust has two parts. First, the name is an oversimplification of what’s going on. It’s not that you literally trust nothing. Rather, trust is not assumed just because of a device’s (or user’s) location, nor does an entity gain wide access to resources just because it was able to authenticate itself for a single purpose. So “zero-trust” might be better termed “narrow and specific trust after authentication”, but that’s not very catchy.
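To make the contrast concrete, here is an added example (not from this wiki) that puts a location-based perimeter decision next to a per-transaction zero-trust decision. The network range, user names, resources and grant table are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed "inside" range for the perimeter model (an assumption, not a real network).
CORP_NET = ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Request:
    src_ip: str
    user: Optional[str]       # authenticated identity, None if unauthenticated
    device_compliant: bool    # result of a device posture check
    resource: str
    action: str

def perimeter_decision(req: Request) -> bool:
    """Perimeter model: trust follows location. Anything inside may reach anything."""
    return ip_address(req.src_ip) in CORP_NET

# Zero-trust model: explicit, narrow grants per (user, resource, action).
# Constructed sample policy; where the request comes from plays no role.
GRANTS = {
    ("alice", "payroll-db", "read"),
    ("alice", "wiki", "write"),
    ("bob", "wiki", "read"),
}

def zero_trust_decision(req: Request) -> bool:
    """Evaluate each transaction on its own: identity, device posture, then the specific grant."""
    if req.user is None or not req.device_compliant:
        return False
    return (req.user, req.resource, req.action) in GRANTS

# Constructed sample transactions.
INSIDE_UNAUTH = Request("10.1.2.3", None, False, "payroll-db", "read")             # on the LAN, never authenticated
REMOTE_ALICE = Request("203.0.113.7", "alice", True, "payroll-db", "read")         # off-network, authenticated, compliant device
INSIDE_ALICE_ESCALATE = Request("10.1.2.3", "alice", True, "payroll-db", "write")  # authenticated, but no grant for this action
REMOTE_BOB_BAD_DEVICE = Request("203.0.113.9", "bob", False, "wiki", "read")       # has a grant, but failed the posture check

def compare(req: Request) -> tuple:
    """Return (perimeter verdict, zero-trust verdict) for one request."""
    return perimeter_decision(req), zero_trust_decision(req)

if __name__ == "__main__":
    for name, r in [("inside, unauthenticated", INSIDE_UNAUTH), ("remote alice", REMOTE_ALICE),
                    ("inside alice, write", INSIDE_ALICE_ESCALATE), ("remote bob, bad device", REMOTE_BOB_BAD_DEVICE)]:
        print(f"{name:28s} perimeter={compare(r)[0]!s:5s} zero_trust={compare(r)[1]}")
```

The first and third requests show the perimeter model granting access purely on location, while the second shows the zero-trust model admitting a properly authenticated, compliant device from anywhere.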