
The Past, Present, and Future of Zero Trust

Published 12/12/2021

Written by Shamun Mahmud, Senior Research Analyst, CSA.


There has been a lot of discussion on the topic of Zero Trust (ZT). CSA has been involved in the realm of ZT since 2013, via the Software Defined Perimeter Working Group (now known as the SDP and Zero Trust Working Group). The first SDP Specification was published in 2014, encompassing the principles of ZT. These ZT principles were applied in a few different models, such as DoD’s Dark Cloud or Google’s BeyondCorp. Here are some basics about ZT:

What is Zero Trust

Zero Trust security is an Information Security model that mandates strict identity verification for every user and device trying to access resources on a private network, whether they are sitting within or outside of the corporate network perimeter. Traditional networks trust anyone or anything already inside the network. ZT networks use the “verify, then trust” principle.

The Evolution of Zero Trust

In the old days, once a user or device was granted access to the network, it could access all of the network's resources. For instance, a company would rely heavily on a firewall to thwart malicious access and actors. But once you gained access through the firewall, you could access most if not all of the company’s information (including HR data/PII, company financials, and intellectual property). I think you get the picture of potential vulnerabilities in this approach.

There has been a movement to “defense in depth” in recent years. It is an improved approach that adds a few safeguards. These combined countermeasures (such as NGFW, IDS/IPS, DLP and data encryption) are more effective in reducing the threat surface.

Today, ZT has emerged as an IT security paradigm that provides a much-improved security posture for most enterprises. ZT networks use the “verify, then trust” principle: no one is trusted by default, whether inside or outside the network, and verification is required from everyone trying to gain access to resources on the network.
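The contrast between the perimeter model and “verify, then trust” can be shown as two access decisions over the same requests. This is an added example, not CSA code: the network range, key, device and user names, the token format, and the per-resource entitlement check are all assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Everything below is constructed for illustration (assumed names and values).
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")
IDP_KEY = b"constructed-demo-key"        # stands in for an identity provider's signing key
REGISTERED_DEVICES = {"laptop-0042"}     # devices that passed enrollment
ENTITLEMENTS = {"alice": {"hr-records"}, "bob": {"wiki"}}


def sign(user: str, device: str) -> str:
    """Token a hypothetical identity provider issues after authenticating user on device."""
    return hmac.new(IDP_KEY, f"{user}|{device}".encode(), hashlib.sha256).hexdigest()


def perimeter_allows(req: dict) -> bool:
    """Old model: network location is the only check; identity and resource are ignored."""
    return ipaddress.ip_address(req["src_ip"]) in CORPORATE_NET


def zero_trust_allows(req: dict) -> bool:
    """Verify, then trust: user, device and entitlement are checked on every request."""
    expected = sign(req["user"], req["device"])
    if not hmac.compare_digest(expected, req["token"]):
        return False                     # user identity not verified
    if req["device"] not in REGISTERED_DEVICES:
        return False                     # device not verified
    # src_ip is deliberately never consulted: inside and outside are treated alike
    return req["resource"] in ENTITLEMENTS.get(req["user"], set())


REQUESTS = {  # constructed sample requests
    "inside, unverified": {"src_ip": "10.1.2.3", "user": "bob", "device": "kiosk-7",
                           "token": "", "resource": "hr-records"},
    "outside, verified": {"src_ip": "203.0.113.9", "user": "alice", "device": "laptop-0042",
                          "token": sign("alice", "laptop-0042"), "resource": "hr-records"},
    "inside, not entitled": {"src_ip": "10.1.2.4", "user": "bob", "device": "laptop-0042",
                             "token": sign("bob", "laptop-0042"), "resource": "hr-records"},
}


def compare() -> dict:
    """Map each request name to (perimeter decision, zero trust decision)."""
    return {n: (perimeter_allows(r), zero_trust_allows(r)) for n, r in REQUESTS.items()}


if __name__ == "__main__":
    for name, (perimeter, zt) in compare().items():
        print(f"{name:22} perimeter={perimeter!s:5} zero_trust={zt}")
```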

Zero Trust Resources

Watch this recording from the CSA Research Summit 2022 about the past, present, and future of Zero Trust.

Learn more about Zero Trust by visiting CSA’s Zero Trust Advancement Center.
