There’s an old corny joke about a shady company looking to hire an accountant. When they ask one candidate what two plus two is, he answers “Whatever you want it to be”. To which they reply, “You are hired!”. That sort of explains the somewhat amorphous nature of accounting.
Similarly, if you ask 50 information security professionals what zero trust security is, you’ll likely get a few divergent answers. Some of them will answer: zero trust is whatever you want it to be.
Zero trust (ZT) and zero trust network (ZTN) security means that no one is trusted by default from either inside or outside the network, and that verification is required from everyone trying to gain access to network resources. However, various vendors and governments have defined it in numerous ways.
NIST, for example, writes that ZT is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources, and that a zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned).
But for those looking to get insights into the often messy topic that is ZT, Zero Trust and Third-Party Risk: Reduce the Blast Radius (Wiley) by Gregory Rasner is a good high-level resource. Rasner is the author of Cybersecurity and Third-Party Risk: Third-Party Threat Hunting, which I reviewed in 2022, and this book builds on a lot of the topics detailed there.
Rasner gives the reader a high-level overview of the fundamentals of ZT & ZTN. He details how to start a ZT program from the ground up, with a focus on implementing zero trust with third-party vendors.
While at Forrester Research, John Kindervag created the zero trust model of cybersecurity. Since then, it has morphed into a lot of different things, to the degree that in 2017 Forrester did a ZT refresh and created Zero Trust Extended (ZTX). Much of it was centered around getting ZT more integrated into cloud computing.
Rasner does a good job of having the reader ask a lot of questions to better see if they can potentially leverage ZT. If you or your vendors can’t answer these core ZT questions, then you know you don’t understand ZT, and should not move forward on any ZT initiative.
Too many firms consider ZT because vendors have been pushing it and it has been a hot Gartner topic, but many don’t have a clue why they truly need ZT. As the book shows, any such implementation is bound to fail. The book therefore provides the reader with a good starting point from which to commence their ZT journey.
While ZT is all the rage, such that it was hard to walk more than 20 feet on the expo floor at RSA Conference 2023 without running into a vendor touting ZT, it is still a complex and evolving set of technologies, and correctly implementing it is a serious endeavor.
But for those brave enough to attempt to tackle the topic of ZT, Zero Trust and Third-Party Risk is a good starting point.