A Matter of Zero Trust

November 6, 2022 by Jay Cuthrell

Share and discuss on LinkedIn or HN

Billy Joel - “A Matter of Trust” (1986)

Getting Informed

This week we take a look at Zero Trust, Zero Trust Model, Zero Trust Security Model, Zero Trust Reference Architecture, Zero Trust Network Access, and Zero Trust Network Architecture. So, if this seems like an elongated list now, you should have zero — ahem — trust the list will be the last of the variants.

Please Subscribe!

And they may not want it to end 🎶

For me, “Zero Trust” is simply a shorter way of saying “Trust No One” using 9 characters and 1 space (2 words) instead of 10 characters and 2 spaces (3 words). Both work just as well for haiku with 3 syllables each.

i had a budget
zero trust ate it quickly
vendor paid for lunch

trust no one they said
set allow all to deny
no perimeter

There are many ways to refer to zero trust. As you might expect, the variations on what gets appended to “zero trust” goes on and on depending on the service provider or solution/software security vendor.

Here’s a quick sample across companies, products, government, and the Internet book of knowledge:

Google = zero trust model = BeyondCorp1
Tailscale = Zero Trust Networking = Incremental2
Cisco = Zero Trust Security = Borderless Networks3
VMware = Zero Trust Network Segmentation = Micro-segmentation4
F5 = Zero Trust = NGINX Secure Connectivity5
NIST = Zero Trust Architecture = NCCoE6
US DoD = Zero Trust Reference Architecture = DISA + NSA7
Wikipedia = Zero Trust Security Model = aka ZTA, ZTNA8

It’s hard when you’re always afraid 🎶

Zero trust jargon is arguably at least a decade old. Partly, this is due to the growth of virtual private networks (VPN) and the challenge of VPN deployments along with implementation frustration.

If you’ve ever had to use a VPN regularly, you know it is better than having to drive into an office — but the novelty wears off quickly. And if you’ve ever met me, you know I refer to VPN as the acronym for vexing productivity neutralizer.9

Still, I have been using VPN since the late 1990s and still do. However, my mood changed when there was the glimmer of hope from companies like Tailscale.10

There can hardly be a question of why 🎶

Ultimately, the why this matters is due to our societal appetites for what comes next. Eventually, how end users interact and how developers create the things end users interact with will lead to lower friction experiences.

From Cisco’s early “Borderless Networks” in the early 2010s to the modern day rush to prepend every product name with “zero trust”, it was the early work at Google (BeyondCorp circa 2009-ish11) that set the expectation bar: things should just work without an extra layer of software (VPN client) or steps (logging in with the VPN client) for the ideal user experience.

BTW, I remember blogging about Google Secure Access VPN in 2005 as part of their beta (everything is a beta) service called Google WiFi. Yes, it was a thing and — like most Google things — it went away eventually.12

[blows dust off old wordpress_mysql_dump_posts_2markdown files]

Circa 2005… off Google Secure Access VPN

So many hops… so many ISP eyeballs…Circa 2005… on Google Secure Access VPN