A major buzzword passed around this year is the term “zero trust.” As with similar phrases that have come before, there are different definitions depending on who you ask and what area of technology they care about. I wanted to talk about what it means in the context of building and delivering secure applications to the federal government, and the role Sonatype’s products play in this space. Today, I’ll talk about how we help support a zero trust architecture strategy.
What is zero trust?
Credited to John Kindervag, the term “Zero Trust Network” first appeared in a 2010 article in CSO Online, written while he was a researcher at the well-known analyst firm Forrester Research. Since then, the concept has evolved into a strategic approach that combines modern tools across all areas of IT, from users to network devices to components in the software supply chain, in every environment regardless of location or logical separation. Condensed to one simple statement, zero trust means not assuming that any part of your IT infrastructure is secure.
Wait, isn’t that a little cynical, you might say? Or, how are we supposed to operate without trusting that our applications are running safe software on secure networks and servers?
Previously, a strong security perimeter enabled an internal, “trusted” domain, implicitly granting trust to every entity inside that boundary. Despite the name, some trust is still granted in a zero trust model, but it is conditional and neither permanent nor implicit. The focus is instead on a “trust but verify” approach that applies even to “internal” resources whose identity or authorization would previously never have been challenged.
Another big change in a zero trust architecture is the lifecycle of servers. Previously, they were akin to special pets that you kept patched and fought relentlessly to keep (Read more...)