A Matter of Zero Trust
This week we take a look at Zero Trust, Zero Trust Model, Zero Trust Security Model, Zero Trust Reference Architecture, Zero Trust Network Access, and Zero Trust Network Architecture.
This week we take a look at Zero Trust, Zero Trust Model, Zero Trust Security Model, Zero Trust Reference Architecture, Zero Trust Network Access, and Zero Trust Network Architecture. So, if this seems like an elongated list now, you should have zero — ahem — trust the list will be the last of the variants.
And they may not want it to end 🎶
For me, “Zero Trust” is simply a shorter way of saying “Trust No One” using 9 characters and 1 space (2 words) instead of 10 characters and 2 spaces (3 words). Both work just as well for haiku with 3 syllables each.
i had a budget
zero trust ate it quickly
vendor paid for lunch
trust no one they said
set allow all to deny
There are many ways to refer to zero trust. As you might expect, the variations on what gets appended to “zero trust” goes on and on depending on the service provider or solution/software security vendor.
Here's a quick sample across companies, products, government, and the Internet book of knowledge:
Google = zero trust model = BeyondCorp1
Tailscale = Zero Trust Networking = Incremental2
Cisco = Zero Trust Security = Borderless Networks3
VMware = Zero Trust Network Segmentation = Micro-segmentation4
F5 = Zero Trust = NGINX Secure Connectivity5
NIST = Zero Trust Architecture = NCCoE6
US DoD = Zero Trust Reference Architecture = DISA + NSA7
Wikipedia = Zero Trust Security Model = aka ZTA, ZTNA8
It's hard when you're always afraid 🎶
Zero trust jargon is arguably at least a decade old. Partly, this is due to the growth of virtual private networks (VPN) and the challenge of VPN deployments along with implementation frustration.
If you've ever had to use a VPN regularly, you know it is better than having to drive into an office — but the novelty wears off quickly. And if you’ve ever met me, you know I refer to VPN as the acronym for vexing productivity neutralizer.9
Still, I have been using VPN since the late 1990s and still do. However, my mood changed when there was the glimmer of hope from companies like Tailscale.10
There can hardly be a question of why 🎶
Ultimately, the why this matters is due to our societal appetites for what comes next. Eventually, how end users interact and how developers create the things end users interact with will lead to lower friction experiences.
From Cisco’s early “Borderless Networks” in the early 2010s to the modern day rush to prepend every product name with “zero trust”, it was the early work at Google (BeyondCorp circa 2009-ish11) that set the expectation bar: things should just work without an extra layer of software (VPN client) or steps (logging in with the VPN client) for the ideal user experience.
BTW, I remember blogging about Google Secure Access VPN in 2005 as part of their beta (everything is a beta) service called Google WiFi. Yes, it was a thing and — like most Google things — it went away eventually.12
[blows dust off old wordpress_mysql_dump_posts_2markdown files]
Circa 2005… off Google Secure Access VPN
Circa 2005… on Google Secure Access VPN
So, what will be the next “zero trust” innovation to improve end user experience?
Until then… Place your bets!
As a reminder, I work at Taos, an IBM Company. If you’d like to learn more about Taos and how we help companies embrace the platform business model, check out this video:
I am linking to my disclosure.