"Zero trust" is being hijacked by the big corporate hype machine

Published on 2022-08-12.

The term zero trust is a security model, also known as "perimeterless security" that has been known for a long time and that was e.g. implemented internally at Google in 2009 in a project called BeyondCorp. In recent years, mainly due to the high amount of IT security problems we all are facing, the term gained renewed focus and popularity when cybersecurity researchers at National Institute of Standards and Technology (NIST) released their Zero Trust Architecture publication (PDF).

Zero trust is a valuable model that provides many improvements and benefits to the security model of both small and large companies. However, as with so many other terms and concepts, the big corporate hype machine is in the process of hijacking the concept by rebranding their services and turning zero trust into something that it is not.

If your company is interested in the improved security that the "zero trust" model from NIST can provide, the best resources and references for understanding the concept and what it involves are the following three documents:

Some things are important to understand when considering the "zero trust" architecture.

Zero trust doesn't mean that you stop trusting the people you employ. The zero trust concept does involve people and physical access to IT infrastructure, but it's more about devices and computers, that they should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified. While not completely accurate, zero trust can in some ways be compared to the concept of secure by default.

Zero trust is nothing new, not by a long shot. It's just being hyped up by big corporations, mainly those that provide cloud services. In an attempt to take advantage of the major rise in security threats and problems related to cyber security, they are now rebranding a lot of their former services, simply known as "cloud" and are now trying to sell these services as zero trust. The main drive behind this rebranding is an attempt to take advantage of the current condition of the cyber security sector, by selling cloud services as "zero trust" in order to get companies to put ALL their data under the control of the cloud provider. This is NOT what zero trust is about, and understood properly, many resources should never be put under the control of a cloud provider. Often cloud providers simply cannot be trusted with your valuable and important data.

Zero trust is not a do or don't procedure. Rather it is a concept with many subcategories of implementations that can be put into practice gradually, one step at a time.

Don't be fooled by the hype machine of the big corporations. If you're interested in the concepts of "zero trust", study the documents from NIST. If you don't understand the technical issues of the documents, get someone with technical expertise to help you understand, don't simply go to the websites of the big cloud provides because they will try to sell your their service as "zero trust", which just isn't it.