“Doubt is an unpleasant condition, but certainty is an absurd one.”

Whilst I claim no particular knowledge of the eighteenth-century philosopher Voltaire, the quote above (which I admit to randomly stumbling upon in a completely unrelated book) stuck in my mind as a fitting way to consider the shift from traditional, perimeter-focused ‘network security’ thinking to that of ‘ZTA’ (Zero Trust Architecture).

Whilst much is talked about, and indeed marketed, under the banners of ‘Assume Breach’ or ‘ZT’ (Zero Trust) models, these have not always been well understood or universally agreed terms. In some cases they are simply thrown about as nothing more than buzzwords. Certain vendors have muddied the waters further by equivocating over such terms, or even claiming them as their own, in relation to specific products or feature sets. This is why the recent NIST Special Publication 800-207 provides a great, industry-neutral starting point, offering some authoritative and much-needed clarity as to what we actually mean by ZTA.

For some time, many of us have come to realize that granting implicit trust to data or resources based solely on factors such as network location or device ownership rarely works well from either a business or a security perspective. A more realistic line of thinking has therefore evolved that assumes attackers are already present and active on ‘the network’, regardless of whether ‘the network’ is on-site, in the cloud, owned and managed by the organization itself, or behind one or a hundred firewalls. This helps focus more security attention (and hopefully return on investment) on authentication, authorization and the continual evaluation of posture—all of which should lead to better decisions when granting and monitoring access to the actual data, resources, services and other assets that really count and matter most to