Zero Trust: What is it Really, and Why Should You Care?

The old saying goes, there are only two kinds of organizations: those that have been breached and those that will be soon. Clearly, the “moat-and-castle” approach to security has not worked. Simply being “inside” a network – behind a firewall, DMZ and other traditional defenses – does not confer trustworthiness, whether it’s a device, a user, network traffic, or an application.

Years ago, John Kindervag coined the term “Zero Trust” during his tenure at Gartner, in response to the ever-disintegrating network perimeter and the attendant failure of traditional network defenses – firewalls, IPS/IDS, proxies, and similar systems.

The question then arises: what IS Zero Trust anyway? Fundamentally, it is acknowledging that there is no safe haven, and that every entity on a network requires validation and authorization.

Implementing Zero Trust requires a seismic change in thinking and architecture. The era of cloud computing, however, offers a rare chance to implement entirely new models of data processing and the security that goes with them. Let’s look at Kindervag’s principles [1] and see how they align – or clash – with Federal guidelines, regulations, and standards.

  • Identify Sensitive Data [1]

You must know what you’re trying to protect. Building an inventory of sensitive data and the systems that hold it is usually more difficult than expected, but it is the necessary first step in the process.

  • Map the Flow of Sensitive Data [1]

Once you get a handle on where the data is stored, you have an even more challenging task: where is it going, and where is it supposed to go? This again is difficult. Once, when mapping data flow between multiple complex systems at a Federal agency, I determined that data was in fact doing a complete circle: literally ending where it started, with little or no modification or update along the way.

In Federal terms, this aligns with numerous NIST 800-53 controls. (I won’t bore you by listing them all).

  • Architect the Network [1]

Kindervag states, “The actual design of a Zero Trust network should be based on how transactions flow across a network and how users and applications access toxic data.” [1] This approach applies equally to on-premises network design and cloud architecture. It’s a relatively new and different approach to network architecture, and it may take time for technical professionals to learn and implement.

  • Create an Automated Rule Base [1]

After you identify your data’s home and proper flow, and you have created an appropriate network architecture, enforcement rules will bring the preliminary work to fruition. Kindervag stresses the need for access based on “need to know” [1] – a phrase that should resonate with government personnel who work with Secret or Top Secret information.

  • Continuously Monitor the Ecosystem [1]

In the Zero Trust model, security tools log and inspect all traffic, including traffic “inside” the local network. Remember, you don’t trust anyone in the “Zero Trust” model.

The term “Continuous Monitoring” is also the final phase of the venerable NIST Risk Management Framework, although its meaning here is a bit different.
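To make the “automated rule base” and “monitor everything” principles concrete, here is a small policy decision point written as an added example for this post; it is not code from Kindervag or from any product. It evaluates each request on verified identity, current device posture and need-to-know role membership, records every allow and deny decision, and deliberately never consults the source IP address for trust. The resource names, roles, user names, the 10.0.0.0/8 “internal” range and the audit log format are all hypothetical values constructed for the example.

```python
"""Added example: a minimal Zero Trust policy decision point (PDP).

Every request is checked on identity, device posture and need to know;
being on the "inside" network grants nothing, and every decision is
logged. All names, roles and addresses below are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool       # identity strongly verified for this session
    device_compliant: bool   # managed, patched, encrypted; checked per request
    source_ip: str           # recorded for the audit trail, never used for trust
    resource: str            # data set being accessed
    action: str              # "read" or "write"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Hypothetical rule base: data set -> action -> roles with need to know.
RULE_BASE: Dict[str, Dict[str, Set[str]]] = {
    "payroll_db": {"read": {"payroll_analyst", "hr_lead"}, "write": {"hr_lead"}},
    "case_files": {"read": {"caseworker"}, "write": {"caseworker"}},
}

# Hypothetical "inside the castle" range used only to contrast the two models.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Every decision, allow or deny, lands here (stands in for a SIEM feed).
AUDIT_LOG: List[str] = []


def perimeter_model_allows(req: Request) -> bool:
    """The moat-and-castle rule this example argues against: inside == trusted."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def _record(req: Request, allowed: bool, reason: str) -> Decision:
    """Log the decision with the full context an analyst would need later."""
    AUDIT_LOG.append(
        f"user={req.user} src={req.source_ip} resource={req.resource} "
        f"action={req.action} allowed={allowed} reason={reason}"
    )
    return Decision(allowed, reason)


def evaluate(req: Request) -> Decision:
    """Zero Trust evaluation: identity, then device, then need to know.

    Note what is absent: no check of req.source_ip. An internal address
    is just metadata for the log, not a reason to trust the caller.
    """
    if not req.mfa_verified:
        return _record(req, False, "mfa_required")
    if not req.device_compliant:
        return _record(req, False, "device_noncompliant")
    permitted = RULE_BASE.get(req.resource, {}).get(req.action, set())
    if not (req.roles & permitted):
        return _record(req, False, "no_need_to_know")
    return _record(req, True, "policy_match")


if __name__ == "__main__":
    # Constructed sample requests: one from "outside", one from "inside".
    remote_analyst = Request("alice", frozenset({"payroll_analyst"}), True, True,
                             "203.0.113.7", "payroll_db", "read")
    insider_no_mfa = Request("bob", frozenset({"payroll_analyst"}), False, True,
                             "10.0.0.5", "payroll_db", "read")
    for req in (remote_analyst, insider_no_mfa):
        print(f"{req.user}: perimeter={perimeter_model_allows(req)} "
              f"zero_trust={evaluate(req)}")
    print("\n".join(AUDIT_LOG))
```

Running the script shows the inversion the post describes: the remote analyst with MFA, a compliant device and the right role is allowed, while the insider on a 10.x address without MFA is denied even though the perimeter model would have waved him through. The audit log carries both outcomes, which is the “continuous monitoring” half of the story: denials from inside the network are exactly the events worth alerting on.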

The key takeaway here is that Zero Trust is a concept and strategy, not a product or specific technology. Implementing Zero Trust involves not only the deployment of technology but also a shift in culture and attitude toward cybersecurity. Keep both elements in mind as you pursue your journey into Zero Trust.

Hear more about Zero Trust in this panel recording on “How many problems does Zero Trust solve?” where Dan Jacobs, Director of Cloud Adoption and Cybersecurity at GSA and Paul Jacobs, Cybersecurity Architect at Office of the DoD CIO, and Don Maclean, Chief Cyber Security Technologist at DLT, discuss the truth and myths known about zero trust today.

[1] Kindervag, J. (2017, October 1). Zero Trust: The Way Forward in Cybersecurity. Retrieved February 20, 2019, from