A Matter of Zero Trust
Billy Joel - “A Matter of Trust” (1986)
Getting Informed
This week we take a look at Zero Trust, Zero Trust Model, Zero Trust Security Model, Zero Trust Reference Architecture, Zero Trust Network Access, and Zero Trust Network Architecture. So, if this seems like an elongated list now, you should have zero — ahem — trust that this list is the last of the variants.
And they may not want it to end 🎶
For me, “Zero Trust” is simply a shorter way of saying “Trust No One” using 9 characters and 1 space (2 words) instead of 10 characters and 2 spaces (3 words). Both work just as well for haiku with 3 syllables each.
i had a budget
zero trust ate it quickly
vendor paid for lunch
trust no one they said
set allow all to deny
no perimeter
There are many ways to refer to zero trust. As you might expect, the variations on what gets appended to “zero trust” go on and on depending on the service provider or solution/software security vendor.
Here’s a quick sample across companies, products, government, and the Internet book of knowledge:
- Google = zero trust model = BeyondCorp[1]
- Tailscale = Zero Trust Networking = Incremental[2]
- Cisco = Zero Trust Security = Borderless Networks[3]
- VMware = Zero Trust Network Segmentation = Micro-segmentation[4]
- F5 = Zero Trust = NGINX Secure Connectivity[5]
- NIST = Zero Trust Architecture = NCCoE[6]
- US DoD = Zero Trust Reference Architecture = DISA + NSA[7]
- Wikipedia = Zero Trust Security Model = aka ZTA, ZTNA[8]
It’s hard when you’re always afraid 🎶
Zero trust jargon is arguably at least a decade old. Partly, this is due to the growth of virtual private networks (VPNs) and the challenges of VPN deployments, along with the frustration of implementing them.
If you’ve ever had to use a VPN regularly, you know it is better than having to drive into an office — but the novelty wears off quickly. And if you’ve ever met me, you know I refer to VPN as the acronym for vexing productivity neutralizer.[9]
I have been using VPNs since the late 1990s and still do. My mood changed, though, when companies like Tailscale offered a glimmer of hope.[10]
There can hardly be a question of why 🎶
Ultimately, why this matters comes down to our societal appetite for what comes next. Eventually, how end users interact, and how developers create the things end users interact with, will lead to lower-friction experiences.
From Cisco’s “Borderless Networks” in the early 2010s to the modern-day rush to prepend every product name with “zero trust”, it was the early work at Google (BeyondCorp, circa 2009-ish[11]) that set the expectation bar: things should just work, without an extra layer of software (a VPN client) or extra steps (logging in with the VPN client), for the ideal user experience.
BTW, I remember blogging about Google Secure Access VPN in 2005 as part of their beta (everything is a beta) service called Google WiFi. Yes, it was a thing and — like most Google things — it went away eventually.[12]
[blows dust off old wordpress_mysql_dump_posts_2markdown files]
Circa 2005… off Google Secure Access VPN: so many hops… so many ISP eyeballs…
Circa 2005… on Google Secure Access VPN: fewer hops… and only Google eyeballs…
So, what will be the next “zero trust” innovation to improve end user experience?
Until then… Place your bets!
Disclosure
I am linking to my disclosure.
[1] Read: Zero Trust and BeyondCorp Google Cloud
[2] Read: Zero Trust Networking Definition
[3] Read: Cisco Zero Trust Security
[4] Read: Zero Trust Network Segmentation and Micro-segmentation
[5] Read: Seven zero trust rules for Kubernetes
[6] Read: Implementing a Zero Trust Architecture
[7] Read: Department of Defense (DoD) Zero Trust Reference Architecture
[8] Read: https://en.wikipedia.org/wiki/Zero_trust_security_model
[9] Read: Thinking Remotely
[10] Read: https://news.ycombinator.com/item?id=31842778
[11] Read: The BeyondCorp Story
[12] Read: https://web.archive.org/web/20051116174445/http://wifi.google.com/faq.html