Steve King, managing director of Cyber Theory, has posted online a "Zero Trust Dictionary" compiled by John Kindervag (who coined the concept) to explain this approach to cyber security.
"Zero Trust" is, in Kindervag's words, "a strategic initiative that helps prevent (but does not stop all) successful data breaches by eliminating digital trust". Ronald Reagan said "trust, but verify"; Zero Trust's basic principle is "never trust, always verify".
Zero Trust is a strategy, not a technology. It starts by asking "what is the business trying to achieve?", then works from the inside - the most critical parts of the network - outward. Access is granted on the basis of least privilege, so that a request is allowed only when the requester has been verified and the specific action is explicitly permitted. This limits the damage an attacker can do with stolen credentials and constrains insider attacks.
The resources that need protection are:
- Data - sensitive information such as payment card information, protected health information, personally identifiable information, and intellectual property. Once stolen or exfiltrated, such data is toxic to the organisation.
- Applications that use sensitive data or control critical assets.
- Assets - including information technology, operational technology, or critical Internet of Things devices.
- Services on which the business depends.
Collectively, these resources are known by the acronym DAAS. Each DAAS element is placed in its own "protect surface". A "segmentation gateway" - physical or virtual - sits in front of each protect surface and enforces a "microperimeter" around it, so that only known and validated users and traffic reach the resource, and every request is checked rather than trusted because of where it comes from. Micro-segmentation divides the network into small segments, so an attacker who compromises one segment cannot move freely to the others.
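The following is an added toy model of a segmentation gateway, written for this page and not taken from Kindervag's dictionary or from Cyber Theory. It shows the mechanics behind the paragraph above: each protect surface has an explicit allow-list, the gateway re-verifies identity, device posture and source segment on every request, and anything not matched is denied. It also includes a classic perimeter model for contrast, in which anything "inside" is trusted. All users, devices, segments, resources and policies are constructed for illustration; the posture and MFA flags stand in for results that a real deployment would obtain from an identity provider and an endpoint agent.

```python
"""Toy Zero Trust segmentation gateway (added example, not from the original article).

Every request to a protect surface is evaluated from scratch against an explicit
allow-list; no rule means denied. All data below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    device_compliant: bool   # posture result from an endpoint agent (assumed input)
    mfa_verified: bool       # identity verification result for this request (assumed input)
    src_segment: str         # network segment the request originates from
    resource: str            # protect-surface resource being accessed
    action: str              # e.g. "read" or "write"


@dataclass
class ProtectSurface:
    name: str
    resources: frozenset
    allow: dict = field(default_factory=dict)      # user -> set of permitted actions
    allowed_segments: frozenset = frozenset()      # segments the microperimeter admits


class SegmentationGateway:
    def __init__(self, surfaces):
        self.surfaces = list(surfaces)
        self.audit_log = []   # every decision is recorded, allowed or denied

    def _surface_for(self, resource):
        for s in self.surfaces:
            if resource in s.resources:
                return s
        return None

    def evaluate(self, req):
        decision, reason = self._decide(req, self._surface_for(req.resource))
        self.audit_log.append((req.user, req.resource, req.action, decision, reason))
        return decision, reason

    def _decide(self, req, surface):
        # Only resources inside a protect surface are reachable through the gateway.
        if surface is None:
            return False, "resource not in any protect surface"
        # "Always verify": identity and device are checked per request, not once at login.
        if not req.mfa_verified:
            return False, "identity not verified (MFA)"
        if not req.device_compliant:
            return False, f"device {req.device_id} failed posture check"
        # Microperimeter: only traffic from permitted segments reaches the surface.
        if req.src_segment not in surface.allowed_segments:
            return False, f"segment {req.src_segment} not permitted for {surface.name}"
        # Least privilege: the user must be explicitly allowed to perform this action.
        if req.action not in surface.allow.get(req.user, set()):
            return False, f"{req.user} not permitted to {req.action} {req.resource}"
        return True, "allowed by policy"


def perimeter_model(req):
    """Contrast: classic perimeter trust. Anything not from the internet is trusted."""
    return req.src_segment != "internet"


# Constructed protect surfaces: one for cardholder data, one for HR records.
CARDHOLDER_DATA = ProtectSurface(
    name="cardholder-data", resources=frozenset({"pci-db"}),
    allow={"alice": {"read"}, "billing-svc": {"read", "write"}},
    allowed_segments=frozenset({"payments-app"}),
)
HR_RECORDS = ProtectSurface(
    name="hr-records", resources=frozenset({"hris"}),
    allow={"bob": {"read", "write"}}, allowed_segments=frozenset({"hr-vlan"}),
)

# Constructed requests, each exercising one check in the gateway.
REQUESTS = [
    Request("alice", "lt-01", True, True, "payments-app", "pci-db", "read"),      # legitimate
    Request("alice", "lt-01", True, True, "payments-app", "pci-db", "write"),     # beyond least privilege
    Request("alice", "lt-01", True, True, "corp-wifi", "pci-db", "read"),         # wrong segment
    Request("alice", "lt-01", True, False, "payments-app", "pci-db", "read"),     # stolen password, no MFA
    Request("bob", "lt-02", False, True, "hr-vlan", "hris", "read"),              # non-compliant device
    Request("mallory", "lt-09", True, True, "payments-app", "pci-db", "read"),    # attacker already inside
    Request("alice", "lt-01", True, True, "payments-app", "file-share", "read"),  # outside any surface
]


def demo():
    """Return (zero_trust_decision, reason, perimeter_decision) for each constructed request."""
    gw = SegmentationGateway([CARDHOLDER_DATA, HR_RECORDS])
    return [(*gw.evaluate(r), perimeter_model(r)) for r in REQUESTS]


if __name__ == "__main__":
    for req, (zt, reason, perim) in zip(REQUESTS, demo()):
        print(f"{req.user:>8} {req.action:>5} {req.resource:<11} zero-trust={zt!s:<5} perimeter={perim!s:<5} {reason}")
```

The useful comparison is the sixth request: "mallory" is already inside the payments segment, so the perimeter model admits the read, while the gateway denies it because the user has no explicit entitlement to the cardholder-data surface. In a real deployment the MFA and posture flags would come from the identity provider and endpoint agent rather than being supplied by the caller, and the audit log would feed the SOC; the default-deny structure is the part that carries over.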
Zero Trust is rapidly being adopted by both governments and private companies.
For more on Zero Trust, read "Zeroing In On The Zero Trust Model Via Simulation Platforms" by King, Kindervag and Chuck Brooks, at https://cybertheory.io/zeroing-in-on-the-zero-trust-model-via-simulation-platforms/.