As we have transitioned from traditional network environments to a modern distributed IT landscape marked by remote work, cloud computing, and the increased use of personal devices for work, traditional security models have become ineffective. This shift calls for a more robust and adaptable security approach, leading to the adoption of the Zero Trust framework. This new approach moves away from old perimeter-based security models to one where identity and authentication become the central part. It requires continuous checks on the security status of assets and on user privileges to protect an organization’s data and resources.
Zero Trust originated from the work of Stephen Paul Marsh in 1994. In his doctoral thesis on computer security at the University of Stirling, Marsh introduced the term “Zero Trust,” laying the foundation for what would become a pivotal security framework in the digital age. Fast forward to 2009, after the infamous Operation Aurora, a cyberattack attributed to a Chinese APT (Advanced Persistent Threat), Google began implementing a new security model known as BeyondCorp, which embraced the principles of Zero Trust.
In 2010, John Kindervag, a security analyst at Forrester Research, further developed and popularized the concept by advocating for stricter cybersecurity programs and access controls within organizations. His work helped bring Zero Trust to the forefront of corporate security discussions. Between 2014 and 2018, Google documented its experiences with the Zero Trust model, sharing its learnings through a series of articles on BeyondCorp. This marked a significant milestone in the adoption of the Zero Trust philosophy across industries. By 2018, U.S. cybersecurity experts from NIST and NCCoE solidified its place in the cybersecurity world by publishing NIST SP 800-207, the Zero Trust Architecture, formalizing the framework for broader use.
Zero Trust Network Access (ZTNA), introduced by Steve Riley at Gartner in 2019, quickly became a hot topic in the cybersecurity world. However, many consider ZTNA a misstep or oversimplification of the broader Zero Trust principles. Vendors eagerly adopted ZTNA, seeing it as a way to remain relevant in a rapidly shifting security landscape. While ZTNA aimed to apply Zero Trust concepts to network access, critics argue it fell short of the original vision, which focused on securing applications and data, regardless of network boundaries.
In hindsight, Riley himself expressed regret for not using the term Zero Trust Application Access (ZTAA) instead of ZTNA. In a 2022 interview with SecurityWeek, he reflected that the term ZTAA would have better captured the true essence of Zero Trust by focusing more on application security rather than network access alone. However, by the time this realization came, ZTNA had already gained traction, and he acknowledged it was likely too late to make a change. This sentiment reflects the broader shift in cybersecurity toward moving beyond the traditional network perimeter and focusing on securing what truly matters—applications and data.
Within Zero Trust, there are six relevant pillars that collectively enhance an organization’s security posture:
When the four basic pillars are strong, organizations can add the following two pillars, which enable them to scale the Zero Trust strategy:
We love to use this mental model to visualize the six pillars and where they live; it helps the security team focus its efforts in the right places.
The Zero Trust framework is a comprehensive approach to modern cybersecurity. By implementing its core pillars, organizations can better protect themselves against the dynamic threats of today's digital world.