It sounds dramatic, even like a line from a spy thriller: “Trust no-one!” but what does it really mean?
Articles like this one from Tech Beacon are on the rise, promoting the zero trust culture amongst developers and application owners.
‘Zero Trust’ as a concept was first promoted by Google after the 2009 Operation Aurora series of APT (Advanced Persistent Threat) cyber attacks. The underlying principle is not even as new as that. IT security professionals have been warning for a long time of the erosion of trust in the back end, corporate, or any other kind of ‘trusted’ network. As networks are made available to more people through partnerships, gateways, or moves to cloud-centric operations, the concept of the trusted network fades away. ‘This is my corporate network so I can trust anything that comes in from it’ is no longer a reliable control against attack.
A zero trust application model never assumes that a connection or request is reliable or trusted. Every time a request or connection is made, it verifies that the device and identity connected are allowed access and that the action being attempted is permitted for that combination of device, user, action, and data.
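The per-request check described above, as an added example that is not code from Google, BeyondCorp or the cited article. The device inventory, policy table and all names are constructed for illustration, and the user is assumed to have been authenticated before `authorize` is called.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str        # identity, assumed already authenticated upstream
    device_id: str
    action: str
    resource: str
    source_ip: str   # kept for audit logging only; never used as a trust signal

# Constructed sample inventory: which devices are known, whose they are,
# and whether they currently meet the compliance baseline.
DEVICES = {
    "laptop-17": {"owner": "alice", "compliant": True},
    "laptop-42": {"owner": "bob", "compliant": False},
}

# Constructed sample policy: explicit (user, action, resource) grants.
# Anything not listed is denied.
POLICY = {
    ("alice", "read", "payroll-db"),
    ("alice", "write", "wiki"),
    ("bob", "read", "wiki"),
}

def authorize(req: Request) -> tuple[bool, str]:
    """Evaluate one request; called on every request, never cached per network."""
    device = DEVICES.get(req.device_id)
    if device is None:
        return (False, "unknown device")
    if not device["compliant"]:
        return (False, "device not compliant")
    if device["owner"] != req.user:
        return (False, "device not registered to user")
    if (req.user, req.action, req.resource) not in POLICY:
        return (False, "action not permitted")
    return (True, "ok")

if __name__ == "__main__":
    # Same user and device from an external and an internal address:
    # the decision is identical because the network is not an input.
    for ip in ("203.0.113.9", "10.0.0.5"):
        print(ip, authorize(Request("alice", "laptop-17", "read", "payroll-db", ip)))
    # A request from inside the corporate range is still denied on device state.
    print(authorize(Request("bob", "laptop-42", "read", "wiki", "10.0.0.5")))
```
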
The BeyondCorp Story showcases Google’s guiding principles for building a zero trust network. It is well worth reading and sharing to promote the case for a 21st-century approach to application, network, and data security.