• dave95067

When is this useful for cybersecurity professionals?

Zero Trust is one of the modern cybersecurity industry buzzwords.  Is it just a fad or trend?  Should it be ignored by cyber security professionals to focus on fundamentals?  

At its most abstract… Misplaced trust results in risks that are not adequately recognized, evaluated and mitigated.

This sometimes-misunderstood buzzword is not new.  The concept of Zero Trust was created by Forrester Research to describe a security model that no longer heavily relies on network perimeter security.  Zero Trust is achieved when...

User Access

Strong authentication and least-privileged access policies

Trusted connectivity

The connection coming into your resource meets the trust


Trusted connecting platform

The platform from which the user is connecting meets the trust requirements.

Instead of assuming (trusting) that these components of access and authorization policy enforcement and validation have been satisfied, ensure that trust has been explicitly granted to the person or process that is initiating or requesting services.

Zero Trust was first written about in 2010.  In more recent years, there has been a key branch in how Zero Trust is being applied.  There are now two very different contexts in which it is being used and it can be a source of confusion.

In the context of software and service design, it references applied granularity in access controls (authentication and authorization).  Some examples that have had the most press are Google’s BeyondCorp model and Microsoft’s Conditional Access and endpoint security technologies.

In the context of platform design, it represents the controls to protect or ensure the separation between user and kernel level processes. You will find this approach referenced with Microsoft’s Kernel Patch Protection, AppGuard’s endpoint protection, and AWS’s design of their Nitro hypervisor.

The platform design context is of topical interest when we consider (a) which platforms to build and host our systems on and (b) whether we include additional protection layers. The remainder of this article is specific to the software and service design context, over which cybersecurity professionals have greater day-to-day control and involvement.

Zero Trust in the cybersecurity world is achieved by a collection of cooperating technologies and methods that facilitate this granular validation. In forming this definition, the word trust is heavily used, possibly over-used.  But a little more consideration of trust is needed…

Trust Requirements

Q: What information and services are being protected?

Q: What is the risk to my business if this information and these services are not available or the integrity/privacy is compromised?

Q: How much can I invest to protect this information and these services?

Businesses have long since realized that it is both cost and operationally prohibitive to build monolithic data centers that supply one-size-fits-all security.  Organizations are taking a journey in maturity to evaluate security requirements at a granular level.  The Zero Trust model fits this need for granularity.

Not every technology-based business solution requires maximum security Zero Trust.  So, how do you apply Zero Trust type methods on a scale?


If you are a medium-to-large organization, you’re going to have multiple approaches that facilitate varying levels of trust.

A good security practitioner knows that a key secret resides in a well-executed segmentation strategy:

* Access segmentation

* Data segmentation

* Platform segmentation

Are your application builders and service providers giving you solutions that directly use all three pillars of zero trust to dynamically ensure your organization’s security policies?

Zero Trust can be applied in a targeted manner if your organization has done a good job at segmentation.  Otherwise, you’re facing two choices, (a) apply zero trust methods broadly and spend more for levels of protection not required for all systems, or (b) under-protect those assets and resources that are worthy of this level of protection.  Aiming for Zero Trust can easily become cost prohibitive.

Mobile devices, cloud services and the well-proven human weakest-link have been the major contributors to the march to obsolescence of perimeter security strategies.  Our organizations have real pressures to conduct business outside of the boundaries of our corporate networks.  The idea that our corporate networks could act as an air-gap has become an outdated business model.  The success of ransomware has proven that the effectiveness of cybersecurity perimeter technologies should have always been open to question.

As of today, full-network perimeter security strategies are a temporary stopgap while organizations mature their other capabilities.

Technologies to create both trusted endpoints and strong access must play a larger role in enforcing who, what, where and when policies.  Each device consuming the company’s services must become its own perimeter.  Our company’s services must make dynamic trust decisions using the three zero trust pillars of access control, connection risk evaluation and connecting platform trust/integrity.
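The dynamic trust decision described above, sketched as an added example (not code from the original article): a default-deny check that evaluates all three pillars against requirements that vary per segment. The segment names, request fields and risk thresholds are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TrustRequirement:
    require_mfa: bool             # pillar 1: strong authentication
    max_connection_risk: int      # pillar 2: 0 (low) .. 100 (high), hypothetical risk score
    require_managed_device: bool  # pillar 3: platform trust
    require_patched: bool         # pillar 3: platform integrity

# Constructed segments: stricter requirements only where the asset value justifies them.
SEGMENTS = {
    "public-wiki":  TrustRequirement(False, 80, False, False),
    "hr-records":   TrustRequirement(True, 40, True, False),
    "payment-core": TrustRequirement(True, 20, True, True),
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    entitlements: frozenset  # segments this identity is authorized for (least privilege)
    mfa_passed: bool
    connection_risk: int
    device_managed: bool
    device_patched: bool

def decide(req, segment):
    """Return (allowed, reasons). Nothing is assumed; each pillar must pass explicitly."""
    policy = SEGMENTS.get(segment)
    if policy is None:
        return False, ["unknown segment"]  # default deny
    reasons = []
    if segment not in req.entitlements:
        reasons.append("user not entitled to segment")
    if policy.require_mfa and not req.mfa_passed:
        reasons.append("strong authentication required")
    if req.connection_risk > policy.max_connection_risk:
        reasons.append("connection risk too high")
    if policy.require_managed_device and not req.device_managed:
        reasons.append("unmanaged device")
    if policy.require_patched and not req.device_patched:
        reasons.append("device not patched")
    return (not reasons), reasons

# Constructed sample: one user on one managed but unpatched laptop, medium-risk connection.
SAMPLE = AccessRequest("alice", frozenset(SEGMENTS), True, 30, True, False)

def evaluate_all(req):
    """Evaluate the same request against every segment to show the graded outcome."""
    return {seg: decide(req, seg) for seg in SEGMENTS}
```

The same request is allowed into the two lower tiers and refused by the strictest one, which is the effect segmentation is meant to buy: full checks only where they are warranted.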

When is it useful to think about zero trust? Zero trust is useful only when you break it down to the underlying questions:

> How is your organization creating and managing all of the little perimeters?  Are you being effective?

> Are you segmenting your business technologies so that you can focus resources on protecting the high-value assets and not over-burden your organization with excessive operating costs?

This is when it is useful to think zero trust.

©2019 by