"Zero Trust" is still something that's misunderstood even by folks in the #infosec space. So here's a quick thread to help clear things up:
"Zero Trust" is not BeyondCorp, although that implements a solution based on the core principles of Zero Trust.
"Zero Trust" is not a product - you can't buy yourself a Zero Trust, and no matter how much vendors will pitch you, there's no "Zero Trust inside" label.
You can't deploy a Zero Trust. It's not an initiative or a project with a fixed goal. Your "Zero Trust" OKR is not "35% complete".
Zero Trust is a core concept much like "Defense in Depth", "Least Privilege", "Fail Safe", or Kerckhoffs's principle. Specifically, it is the simple assumption of a compromised or hostile environment.
That's it. I know, doesn't seem like much, and doesn't even sound novel. But what follows does overthrow a few decades of operational practices. It also begets specific initiatives you _can_ drive and measure:
If we assume all networks to be hostile, then we necessarily require transport encryption for all traffic.
Operating in a hostile environment requires that clients authenticate the services they talk to, just as services need to authenticate the clients connecting to them; mutual authentication becomes mandatory.
But authentication by itself is not sufficient: authenticated clients require explicit authorization to be allowed to perform actions, and authorization needs to always be limited to the least privilege required. So you need to integrate a granular RBAC system.
Because we assume our adversaries to be persistent, any trust, once established, needs to be renewed periodically, and any actions need to be logged to ensure a complete audit trail.
Taken together: a system's access capabilities derive explicitly from its _identity_, such that its access can be audited, extended, restricted, or revoked, and are not inherited implicitly from any specific physical or logical position within the network.
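The four points above (encrypt everything, authenticate both ends, authorize explicitly with least privilege, renew trust and log every decision) fit in one small program. What follows is an added example, not code from the thread or from any particular Zero Trust product: a Go mTLS service on loopback whose clients are identified by a URI SAN in their certificate, checked against an explicit grant table, and logged. The spiffe://example.org/... identity names, the "demo" PKI, the /invoices path and the grant table are all assumptions made up for the demo; the cryptography and TLS plumbing are Go's standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// identity is the workload name carried in the certificate's URI SAN; the
// spiffe://example.org/... form is an assumed naming convention for this demo.
type identity string
const billingID, mailerID identity = "spiffe://example.org/svc/billing", "spiffe://example.org/svc/mailer"
// rbac is the explicit grant table (identity -> "METHOD /path"); anything not
// listed is denied, which is what least privilege means in practice.
var rbac = map[identity]map[string]bool{billingID: {"GET /invoices": true}, mailerID: {"POST /notify": true}}
func authorize(id identity, action string) bool { return rbac[id][action] }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a certificate with a fresh P-256 key. With parent == nil it is a
// self-signed CA standing in for the PKI (id is ignored); otherwise it binds id to
// a leaf valid for ttl, the renewal interval: when it lapses, so does the trust.
func issue(id identity, ttl time.Duration, parent *tls.Certificate) tls.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: "demo"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), KeyUsage: x509.KeyUsageDigitalSignature}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer, signerKey := t, any(key)
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
		t.URIs, t.DNSNames = []*url.URL{must(url.Parse(string(id)))}, []string{"localhost"}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, t, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handler runs only after the handshake has verified the client's chain, so authentication is
// settled; authorization is decided here per identity and action, and every decision is logged.
func handler(w http.ResponseWriter, r *http.Request) {
	var id identity // a client without a URI SAN has an empty id, which holds no grants
	if c := r.TLS.PeerCertificates; len(c) > 0 && len(c[0].URIs) > 0 {
		id = identity(c[0].URIs[0].String())
	}
	action := r.Method + " " + r.URL.Path
	allowed := authorize(id, action)
	log.Printf("audit id=%q action=%q allowed=%t", id, action, allowed)
	if !allowed {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprintln(w, "ok")
}

// runDemo brings up an mTLS server on loopback and tries four clients against it.
func runDemo() (billing, mailer int, expiredErr, untrustedErr error) {
	ca := issue("", time.Hour, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	// Both sides pin the same root and present a certificate; the server also refuses any client without one.
	cfg := func(cert tls.Certificate) *tls.Config {
		return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: roots, ClientCAs: roots,
			ClientAuth: tls.RequireAndVerifyClientCert, ServerName: "localhost", MinVersion: tls.VersionTLS13}
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(handler))
	srv.TLS = cfg(issue("spiffe://example.org/svc/api", time.Hour, &ca))
	srv.StartTLS()
	defer srv.Close()
	get := func(cert tls.Certificate, path string) (int, error) {
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg(cert)}}).Get(srv.URL + path)
		if err != nil {
			return 0, err
		}
		return resp.StatusCode, resp.Body.Close()
	}
	billing, _ = get(issue(billingID, 10*time.Minute, &ca), "/invoices")   // authenticated and granted: 200
	mailer, _ = get(issue(mailerID, 10*time.Minute, &ca), "/invoices")     // authenticated, no grant: 403
	_, expiredErr = get(issue(billingID, -2*time.Minute, &ca), "/invoices") // TTL lapsed: handshake fails
	rogue := issue("", time.Hour, nil) // a CA we never enrolled: network position buys its clients nothing
	_, untrustedErr = get(issue(billingID, time.Hour, &rogue), "/invoices")
	return
}

func main() { fmt.Println(runDemo()) }
```

Two things to notice. The handler never sees the expired or rogue-CA clients: trust that has lapsed, or that was never established against your PKI, is refused at the transport layer before any application code runs, which is exactly why being "on the internal network" no longer buys an attacker anything. And the mailer service is fully authenticated yet still gets a 403, because authentication alone is not authorization; the grant table is the only thing that opens a door, and the audit line records the decision either way.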
Building a PKI, developing suitable RBAC, monitoring for and enforcing mutual auth and encryption on layer 7 as well as below (remember: defense in depth) sounds like a lot of work. And it is. It'll take you years to move your old infrastructure into this new world.
But it's not only a clear security win: Zero Trust enables identity-based deployment of services with automated access controls & capabilities at time of birth and lets you ditch manual configuration or high-risk, broad network manipulation. And you can get there incrementally.
And somewhat paradoxically, you can actually make certain counter-intuitive access decisions and for example allow connections to internal services from the internet because you treat your "internal" network as equally trustworthy as the internet (i.e., not at all).
You can deploy services without having to think about which security zone or what network they have to go into, and you still are assured that lateral movement is restricted because everything requires explicit authentication and authorization.
But you only get the benefits if you don't think of it as a single _thing_, a one-time effort, a product, a temporary industry trend, a buzzword. Instead, accept it as a mind set, a principle, a core concept. It's simple: the environment is assumed hostile - the rest follows.
Zero Trust. It doesn't have to be this way.
You can follow @jschauma.