Formulated by a research analyst over a decade ago, the zero-trust security model was embraced by thought leaders. And when Google, with its unlimited budget and resources, began adopting something close to the zero-trust framework through BeyondCorp, the effort had a legitimate and prominent early adopter.
Eleven years after its introduction, IT and security leaders still look at zero trust in exasperation. The gaps and needs of existing infrastructure, the demands to maintain incremental improvements, and the inability to simply start from scratch stand as obstacles between reality and utopia.
According to the National Security Agency’s guidance released on February 26, 2021, there are four key aspects of a zero-trust mindset:
Coordinated and aggressive system monitoring, system management, and defensive operations capabilities
Assuming all requests for critical resources and all network traffic may be malicious
Assuming all devices and infrastructure may be compromised
Accepting that all access approvals to critical resources incur risk, and being prepared to perform rapid damage assessment, control, and recovery operations.
Assuming the compromise of all devices, infrastructure, and traffic is as impractical in the boardroom as it is futile within the SOC. Unfortunately, mindsets, like frameworks, fail to offer practical direction, clear advice, or next steps. This leads to four key traps that well-intentioned zero-trust adopters fall into.
Common zero trust traps
Before I explain these, let’s set the groundwork. The components of zero trust include the following six domains:
Identities: Describe, verify, and secure the accounts across your entire enterprise. This includes all user, service, API, and other access-granting accounts throughout your cloud, on-p ..