The Factory Times is the Student-Run school newspaper for SUNY Poly.

Why Is Zero-Trust a Good Thing?


One of my favorite modern buzzwords in the technology world is zero-trust. Zero-trust is the idea that no matter where a device joins any network from - be it hardwired, in a computer lab, or over home Wi-Fi - the device is able to identify itself and assert that identity to gain access to networks and subsequent network resources. Zero-trust means treating all devices and all networks as untrusted, or compromised, until they mutually prove themselves otherwise through some form of authentication and authorization. The National Institute of Standards and Technology defines zero-trust (ZT) as a collection of concepts and ideas designed to reduce the uncertainty in enforcing accurate, per-request access decisions in information systems and services in the face of a network viewed as compromised. In short, zero-trust is about presenting and demanding just enough proof before digitally transacting.


There are several key principles behind zero-trust architectures (ZTA), chief among them being that organizations must have a single source for issuing user identification credentials. This doesn’t mean a single server, but the authority must be centrally delegated to maintain tight control over the cryptographic system that will tie this all together. Since authentication is an integral part of zero-trust, users aren’t the only ones who have to pony up information about their identity: machines and devices also have to identify themselves and, in many cases, attest to their own digital health and wellbeing. That may sound strange, but anyone who works in a computerized office environment may be familiar with policies that are applied to work computers or the work network, such as no unauthorized software installation or no access to YouTube at work. Additional authorization or access control policies may apply beyond the basic policies your average office worker might bump into on occasion.


So, if I’ve done my job right, maybe some of our readers have a vague idea of what zero-trust means from a technology perspective. It might also sound like a lot of work, and it is. Managing cryptographic identities is no trivial task, and no human is going to do it on their own either. The single source for user authentication will translate a username, a password, and maybe a second factor into a temporary cryptographic identity that is then used throughout a given login session to maintain secure communications. Zero-trust isn’t just about distrusting the world; it’s also about trusting only that which can be verified. The larger the network, or user-base, the more information there is to maintain centrally about the network, its users and its resources.
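To make the idea of a temporary cryptographic identity and a per-request decision concrete, here is a small sketch added for illustration; it is not from NIST or any vendor. The function names, the token layout, the key and the sample policy are all assumptions, and a shared HMAC key stands in for the public-key signatures a real issuer would use.

```python
import base64, hashlib, hmac, json, time

ISSUER_KEY = b"constructed-demo-key"  # constructed; held by the central identity authority
TTL = 900                             # assumed session lifetime in seconds
POLICY = {"alice": {"grades-db"}}     # constructed sample policy: user -> allowed resources

def _sign(body: str) -> str:
    mac = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_token(user, device_id, device_healthy, now=None):
    """Central authority: called only after password (and second factor) checks pass."""
    now = time.time() if now is None else now
    claims = {"sub": user, "dev": device_id, "healthy": device_healthy, "exp": now + TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + _sign(body)

def authorize(token, resource, policy=POLICY, now=None):
    """Per-request decision; the caller's network location is deliberately not an input."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        # Constant-time comparison: any change to the claims invalidates the signature.
        if not hmac.compare_digest(sig, _sign(body)):
            return (False, "bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return (False, "malformed token")
    if now >= claims["exp"]:
        return (False, "expired")  # the identity is temporary by design
    if not claims["healthy"]:
        return (False, "device failed health attestation")
    if resource not in policy.get(claims["sub"], set()):
        return (False, "not authorized for resource")
    return (True, "ok")

if __name__ == "__main__":
    tok = issue_token("alice", "laptop-1", device_healthy=True)
    print(authorize(tok, "grades-db"))  # allowed by the sample policy
    print(authorize(tok, "payroll"))    # same valid identity, different resource
```

Every request repeats the same checks, so a valid login on a trusted-looking network grants nothing by itself.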


But why is zero-trust a good thing? Luckily, the technological lift needed to bring zero-trust to just about any organization is about the same as equipping everyone to work remotely from home. Anyone who hasn’t rushed to implement enterprise virtual private networks (VPN) will find themselves uniquely positioned to jump on the zero-trust networking bandwagon in the near future, as more cybersecurity and network vendors are integrating the zero-trust concept into their offerings. After the initial lift, there’s a certain simplicity in the maintenance of a zero-trust network that will pay for itself in reduced L1 Help Desk calls about your corporate VPN. It turns out that not trusting anyone or anything is the way of the future, but you don’t have to take my word for it: just Google “zero-trust” and see where the first page of results takes you. Better yet, try using Google Scholar to perform the same search.

