A Matter of Zero Trust
by Jay Cuthrell
This week we take a look at Zero Trust, Zero Trust Model, Zero Trust Security Model, Zero Trust Reference Architecture, Zero Trust Network Access, and Zero Trust Network Architecture. So, if this seems like an elongated list now, you should have zero — ahem — trust that the list will be the last of the variants.
For me, “Zero Trust” is simply a shorter way of saying “Trust No One” using 9 characters and 1 space (2 words) instead of 10 characters and 2 spaces (3 words). Both work just as well for haiku with 3 syllables each.
i had a budget
zero trust ate it quickly
vendor paid for lunch
trust no one they said
set allow all to deny
There are many ways to refer to zero trust. As you might expect, the variations on what gets appended to “zero trust” go on and on depending on the service provider or the solution/software security vendor.
Here’s a quick sample across companies, products, government, and the Internet book of knowledge:
- Google = zero trust model = BeyondCorp [1]
- Tailscale = Zero Trust Networking = Incremental [2]
- Cisco = Zero Trust Security = Borderless Networks [3]
- VMware = Zero Trust Network Segmentation = Micro-segmentation [4]
- F5 = Zero Trust = NGINX Secure Connectivity [5]
- NIST = Zero Trust Architecture = NCCoE [6]
- US DoD = Zero Trust Reference Architecture = DISA + NSA [7]
- Wikipedia = Zero Trust Security Model = aka ZTA, ZTNA [8]
Zero trust jargon is arguably at least a decade old. Partly, this is due to the growth of virtual private networks (VPN) and the challenge of VPN deployments along with implementation frustration.
If you’ve ever had to use a VPN regularly, you know it is better than having to drive into an office — but the novelty wears off quickly. And if you’ve ever met me, you know I refer to VPN as the acronym for vexing productivity neutralizer. [9]
Still, I have been using VPNs since the late 1990s, and I still do. However, my mood changed when companies like Tailscale offered a glimmer of hope. [10]
Ultimately, why this matters comes down to our societal appetite for what comes next. Eventually, how end users interact, and how developers build the things end users interact with, will lead to lower-friction experiences.
From Cisco’s early “Borderless Networks” in the early 2010s to the modern-day rush to prepend every product name with “zero trust”, it was the early work at Google (BeyondCorp, circa 2009-ish [11]) that set the expectation bar: things should just work without an extra layer of software (a VPN client) or extra steps (logging in with the VPN client) for the ideal user experience. The trust that the VPN used to confer by putting you “inside” the network is instead decided per request, from who you are and what device you are on.
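To make that last distinction concrete, here is an added Python sketch. It is my illustration, not BeyondCorp code or any vendor's product, and the corporate network range, resource names, users, groups and device attributes are all constructed for the example. It contrasts the perimeter model, where a source address inside the corporate network is effectively the credential, with a per-request zero trust decision that never consults network location and instead requires an authenticated identity, an authorization match against a per-resource policy, and (where the policy demands it) a managed, compliant device, denying anything it cannot positively allow.

```python
"""Perimeter-style vs. per-request zero trust access decisions.

Added illustration for this post; not Google's, Tailscale's or any
vendor's code. All addresses, resources and identities are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: the notional "inside" network that a VPN would drop you into.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed per-resource policy. A resource not listed here is denied,
# which is the "set allow all to deny" default the haiku alludes to.
RESOURCE_POLICY = {
    "wiki":    {"groups": {"staff", "contractors"}, "managed_device": False},
    "payroll": {"groups": {"finance"},              "managed_device": True},
}


@dataclass(frozen=True)
class Request:
    src_ip: str
    user: Optional[str] = None            # None: no authenticated identity
    groups: frozenset = frozenset()
    device_managed: bool = False          # enrolled in device management
    device_compliant: bool = False        # e.g. disk encrypted, patched
    resource: str = ""


def perimeter_decision(req: Request) -> bool:
    """VPN-era model: if the packet arrives from inside the network, it is
    trusted. Identity, device and resource are never examined."""
    return ipaddress.ip_address(req.src_ip) in CORP_NET


def zero_trust_decision(req: Request) -> bool:
    """Per-request model: identity + device posture + resource policy.
    Network location is deliberately not an input."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:                          # unknown resource: deny
        return False
    if req.user is None:                        # unauthenticated: deny
        return False
    if not (req.groups & policy["groups"]):     # not authorized: deny
        return False
    if policy["managed_device"] and not (req.device_managed and req.device_compliant):
        return False                            # sensitive resource, weak device: deny
    return True


def compare(req: Request) -> dict:
    """Evaluate one request under both models, for side-by-side reading."""
    return {"perimeter": perimeter_decision(req),
            "zero_trust": zero_trust_decision(req)}


# Constructed requests exercising the interesting corners.
INSIDE_UNAUTHENTICATED = Request(src_ip="10.1.2.3", resource="payroll")
COFFEE_SHOP_FINANCE = Request(src_ip="203.0.113.7", user="ana",
                              groups=frozenset({"finance"}),
                              device_managed=True, device_compliant=True,
                              resource="payroll")
COFFEE_SHOP_STALE_LAPTOP = Request(src_ip="203.0.113.7", user="ana",
                                   groups=frozenset({"finance"}),
                                   device_managed=True, device_compliant=False,
                                   resource="payroll")
INSIDE_STAFF_WIKI = Request(src_ip="10.9.8.7", user="bo",
                            groups=frozenset({"staff"}), resource="wiki")

if __name__ == "__main__":
    for name, req in [("inside, no identity, payroll", INSIDE_UNAUTHENTICATED),
                      ("coffee shop, finance, healthy laptop", COFFEE_SHOP_FINANCE),
                      ("coffee shop, finance, stale laptop", COFFEE_SHOP_STALE_LAPTOP),
                      ("inside, staff, wiki", INSIDE_STAFF_WIKI)]:
        print(f"{name:40} {compare(req)}")
```

The two models disagree exactly where it matters: an unauthenticated request from inside the network is waved through by the perimeter check and refused by the zero trust check, while a finance user on a healthy managed laptop at a coffee shop is refused by the perimeter and allowed per request, with no VPN client in the path. The stale-laptop case shows why device posture has to be a live input rather than a one-time enrollment.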
BTW, I remember blogging about Google Secure Access VPN in 2005 as part of their beta (everything is a beta) service called Google WiFi. Yes, it was a thing and — like most Google things — it went away eventually. [12]
[blows dust off old wordpress_mysql_dump_posts_2markdown files]
Circa 2005… off Google Secure Access VPN
Until then… Place your bets!
I am linking to my disclosure.