Modern Terms and Concepts for a Zero Trust Mindset
Published 07/26/2024
When John Kindervag coined the term Zero Trust in 2009, it challenged the “trust but verify” approach of traditional security models. At the time, Zero Trust required us to challenge the assumption that trust is implicit. Especially with the complex networks, systems, and services that make up today’s vast digital supply chain, trust cannot be assumed at any level. As digital and operational infrastructure has evolved, so have the concepts used to implement Zero Trust. The phrase Zero Trust conveys that trust does not exist at all and, as Jeffrey Ritter would later point out, trust is a human emotion, while “digital trust” should be a rules-based decision.
As we continue to evolve the Zero Trust approach, let’s outline core concepts that help set up a modern Zero Trust mindset.
Protect Surface
Applying a Zero Trust strategy involves building a high level of confidence around a valued asset. Traditionally, we use the terms “attack surface,” “critical assets,” and “crown jewels.” For Zero Trust, the term “protect surface” isn’t new, but it is used because it better represents the specific attack surface that matters for critical assets. The protect surface puts the focus on the asset rather than on an attacker, who comes in many forms. This mentality allows us to minimize damage and limit the blast radius of an attack or intrusion. This is especially important in the cases of Shadow IT, Shadow Access, and zero-day vulnerabilities.
Trust Boundaries
Trust boundaries are the points where trust toward the protect surface, whether implicit or explicit, is identified. At these points, boundaries can be established, measured, and validated via least privilege, continuous verification, automation, and the other core Zero Trust principles. The OSI model layers and the current Zero Trust pillars (for example, the identity, devices, networks, applications and workloads, and data pillars of the CISA Zero Trust Maturity Model) provide a structure for locating these trust boundaries. Trust boundaries shift the focus from implicit trust to continuous verification, ensuring that every crossing of a boundary is authenticated, authorized, and protected.
Confidence With Validation
A modern Zero Trust approach eliminates the term “trust” altogether. To remove trust as a human emotion, the access decision must be a rules-based decision. Confidence, by contrast, is a term that can be validated and measured. Within trust boundaries or around a protect surface, we want a means to measure the level of confidence in whatever protects the asset or requests access to it. In simple terms, low confidence is denied while high confidence is allowed, and the measurement is repeated on every request rather than granted once.
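One way to make “confidence” a measurable, rules-based output rather than a feeling, as an added example that is not code from the original post or from CSA: each verifiable signal about a request contributes points to a confidence score, each protect surface sets its own deny and allow thresholds, and an unknown signal scores zero so the policy fails closed. The signal names, weights, thresholds, and sample requests are assumptions chosen for illustration.

```python
"""Rules-based access decision for a protect surface.

Added example; not code from the original post. Signal names, weights,
thresholds and sample requests are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Points each verified signal contributes to a 0-100 confidence score (assumed values).
MFA_POINTS = {"fido2": 35, "totp": 20, "sms": 10}   # weaker factor, fewer points
BOOL_POINTS = {"device_managed": 25, "device_patched": 10, "network_known": 10}
SESSION_POINTS = 20
SESSION_MAX_AGE_MIN = 15

# Per protect surface: (deny below, allow at or above). Scores in between require step-up.
THRESHOLDS = {"wiki": (40, 60), "payroll-db": (60, 85)}


@dataclass
class Signals:
    """What the policy engine could verify about this request. None means 'unknown'."""
    mfa: Optional[str] = None
    device_managed: Optional[bool] = None
    device_patched: Optional[bool] = None
    network_known: Optional[bool] = None
    session_age_min: Optional[int] = None


def score(s: Signals) -> tuple[int, list[str]]:
    """Return (confidence 0-100, list of unmet rules).

    An unknown signal scores zero: absence of evidence lowers confidence,
    it never raises it (fail closed).
    """
    points = 0
    unmet: list[str] = []

    if s.mfa in MFA_POINTS:
        points += MFA_POINTS[s.mfa]
    else:
        unmet.append("mfa not verified")

    for name, value in (("device_managed", s.device_managed),
                        ("device_patched", s.device_patched),
                        ("network_known", s.network_known)):
        if value is True:
            points += BOOL_POINTS[name]
        else:
            unmet.append(f"{name} not verified")

    if s.session_age_min is not None and s.session_age_min <= SESSION_MAX_AGE_MIN:
        points += SESSION_POINTS
    else:
        unmet.append("session not fresh")

    return points, unmet


def decide(surface: str, s: Signals) -> tuple[str, int, list[str]]:
    """Evaluate one request against one protect surface.

    Called on every request and never cached as a 'trusted' flag, so a
    changed signal changes the answer (continuous verification).
    """
    deny_below, allow_at = THRESHOLDS[surface]
    points, unmet = score(s)
    if points >= allow_at:
        return "allow", points, unmet
    if points >= deny_below:
        return "step_up", points, unmet     # e.g. re-authenticate with a stronger factor
    return "deny", points, unmet


if __name__ == "__main__":
    # Constructed sample requests.
    requests = {
        "fully verified": Signals("fido2", True, True, True, 5),
        "totp, unknown patch state": Signals("totp", True, None, False, 5),
        "sms, stale session": Signals("sms", True, True, True, 60),
        "nothing verified": Signals(),
    }
    for label, sig in requests.items():
        for surface in THRESHOLDS:
            verdict, pts, unmet = decide(surface, sig)
            print(f"{label:28} {surface:11} {verdict:8} ({pts:3}) unmet={unmet}")
```

The same request can be allowed for the wiki and only stepped up for the payroll database, because the threshold belongs to the protect surface, not to the user. The `unmet` list is the audit trail: it records which rule lowered confidence, so a denial can be explained and a missing signal (a device whose patch state the engine could not read) shows up as a gap to close rather than as an assumed pass.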
In Conclusion
The Zero Trust approach is an ongoing journey that evolves with the threat landscape and with advances in technology. The concepts of the “protect surface,” “trust boundaries,” and “confidence with validation” allow us to apply Zero Trust principles appropriately. By adopting these concepts, organizations can build more resilient systems that evolve with technology.
To stay abreast of the latest terminology and engage in discussions with the top experts in the field, visit the Zero Trust Advancement Center and join CSA working groups and events. Involvement in these programs will provide further insights and practical knowledge, and keep you up to date with modern terms and concepts as you implement and refine your Zero Trust approach.
Together, we can work towards building a modern and resilient security framework that adapts to new challenges and protects our most critical assets.