Zero Trust
One of the underlying assumptions of all the strategies I’ve discussed in this chapter is that once a user or system has authenticated to the IT environment, it is trusted from then on. The popularity of this convenient capability is evidenced by the ubiquity of Single Sign-On (SSO) requirements among enterprises. It’s interesting that this assumption is as old as the oldest strategies I have examined; it hasn’t changed much since enterprises started procuring their first PCs. Some will argue that this assumption is one reason the industry has seen so many data breaches over the decades. I think it’s fair to say that champions of the Zero Trust model would agree with this. Although this approach is regarded by many as new, it was first conceived almost 20 years ago by a group of CISOs, according to industry lore.
The concept behind this approach is that all resources, including those inside the perimeter, should be untrusted....
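The contrast between the two models above can be made concrete with a small access-decision routine. The following is an added example, not code from the chapter or from any Zero Trust product; the request fields (device posture, per-request MFA, resource sensitivity) and the two sample requests are constructed assumptions chosen to show the difference. The perimeter model grants access to anything that authenticated once and is on the internal network; the Zero Trust model ignores network location and re-evaluates identity, device state and the sensitivity of the requested resource on every request, returning the failed checks so they can be logged.

```python
"""Per-request access decision: perimeter trust versus Zero Trust.

Added illustration. The policy fields and the rules in zero_trust_decision()
are assumptions for this example, not a specification from the chapter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool            # an earlier login (e.g. SSO) succeeded
    mfa_verified: bool             # a second factor was checked for this request
    device_compliant: bool         # endpoint passed a posture check (patched, EDR running)
    source_inside_perimeter: bool  # request originates on the corporate network
    resource_sensitivity: str      # "low" or "high"


def perimeter_decision(req: Request) -> bool:
    """Classic model: an authenticated session inside the perimeter is trusted for everything."""
    return req.authenticated and req.source_inside_perimeter


def zero_trust_decision(req: Request) -> tuple[bool, list[str]]:
    """Zero Trust model: network location confers nothing; each request is re-checked.

    Returns (allowed, reasons) where reasons lists every failed check, which is
    what a policy engine would write to its audit log for a denied request.
    """
    reasons: list[str] = []
    if not req.authenticated:
        reasons.append("identity not verified")
    if not req.device_compliant:
        reasons.append("device fails posture check")
    if req.resource_sensitivity == "high" and not req.mfa_verified:
        reasons.append("high-sensitivity resource requires MFA on this request")
    return (not reasons, reasons)


def compare(req: Request) -> dict:
    """Evaluate one request under both models side by side."""
    allowed, reasons = zero_trust_decision(req)
    return {
        "perimeter": perimeter_decision(req),
        "zero_trust": allowed,
        "reasons": reasons,
    }


# Constructed sample requests (hypothetical users and devices).
# An insider whose session authenticated via SSO, but whose laptop is out of
# compliance and who has not presented a second factor for a sensitive resource.
INSIDER_BAD_DEVICE = Request(
    user="alice", authenticated=True, mfa_verified=False,
    device_compliant=False, source_inside_perimeter=True,
    resource_sensitivity="high",
)
# A remote user on a compliant device with MFA, requesting the same resource.
REMOTE_GOOD_DEVICE = Request(
    user="bob", authenticated=True, mfa_verified=True,
    device_compliant=True, source_inside_perimeter=False,
    resource_sensitivity="high",
)


if __name__ == "__main__":
    for label, req in (("insider, non-compliant device", INSIDER_BAD_DEVICE),
                       ("remote, compliant device", REMOTE_GOOD_DEVICE)):
        print(f"{label}: {compare(req)}")
```

The point the example makes is the one the chapter raises: under the perimeter model the insider with an unpatched machine is allowed simply because the session authenticated and sits on the corporate network, while the remote user on a healthy device is refused; under Zero Trust those outcomes reverse, and the recorded reasons give the defender something to alert on.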