The statement below is from John Kindervag's 2010 Forrester paper, the first published description of a new approach to the security challenges of modern networks: the Zero Trust network architecture.

It took nearly 10 years for this to reach the mainstream and to be picked up by IT security architects, network architects and IT security vendors. Google scaled it (as usual) and published their experience as BeyondCorp, which spread quickly and led to much wider awareness of zero trust network architectures among practitioners.

The statement below is still relevant, even 9 years after Forrester first published it. We are still struggling with the many controls we had to bolt onto the existing network infrastructure: perimeter firewalls whose policy is written as IP-to-IP rules, and VLANs that are hard to extend across infrastructure boundaries such as the gateway to your public cloud or the WAN.

There is a large overlap between my own experience of working with IT security and networking staff and the Forrester paper:

  • The current model is not secure
  • There is no trusted network
  • You have to design your network from the inside out
  • There is no segmentation if there is no visibility
  • A zero trust network is highly segmented
  • There needs to be central management for segmentation (otherwise management becomes a nightmare)
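To make the difference between the two models concrete, here is an added example (written for this page, not code from the Forrester paper or from BeyondCorp). It contrasts a perimeter rule, which decides purely on source IP, with a zero trust policy that is evaluated on every request from identity, group membership and device state, and that ignores where on the network the request came from. The corporate address range, the resources, the users, the groups and the "managed device" flag are all constructed assumptions for illustration.

```python
"""Perimeter (IP-to-IP) policy versus a per-request zero trust policy.

Added example for this page; the network range, users, groups and
resources below are constructed for illustration, not taken from any
real deployment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress


@dataclass
class Request:
    src_ip: str
    user: Optional[str]      # None = no authenticated identity
    device_managed: bool     # device is enrolled/attested (assumed signal)
    mfa: bool                # strong authentication completed
    resource: str


# --- Perimeter model: "inside the corporate range may reach anything" ---
CORP_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range


def perimeter_allows(req: Request) -> bool:
    """Classic IP-to-IP rule: trust is derived from network location only."""
    return ipaddress.ip_address(req.src_ip) in CORP_NET


# --- Zero trust model: central, per-resource policy, evaluated per request ---
# One policy store for all resources (central management of segmentation).
POLICY: Dict[str, dict] = {
    "hr-db": {"groups": {"hr"}, "managed": True, "mfa": True},
    "wiki":  {"groups": {"staff"}, "managed": False, "mfa": False},
}
GROUPS: Dict[str, set] = {"alice": {"staff", "hr"}, "bob": {"staff"}}

# Every decision is recorded: segmentation without visibility is not
# segmentation, so the policy engine is also the audit point.
AUDIT: List[dict] = []


def zero_trust_allows(req: Request) -> bool:
    """Decide from identity and device state; src_ip is deliberately unused."""
    rule = POLICY.get(req.resource)
    decision = False
    reason = "default deny"
    if rule is None:
        reason = "unknown resource"
    elif req.user is None:
        reason = "no identity"
    elif rule["managed"] and not req.device_managed:
        reason = "unmanaged device"
    elif rule["mfa"] and not req.mfa:
        reason = "mfa required"
    elif not (rule["groups"] & GROUPS.get(req.user, set())):
        reason = "not in required group"
    else:
        decision, reason = True, "policy match"
    AUDIT.append({"user": req.user, "resource": req.resource,
                  "src_ip": req.src_ip, "allowed": decision, "reason": reason})
    return decision


def compare(req: Request) -> dict:
    """Return both decisions side by side for one request."""
    return {"perimeter": perimeter_allows(req),
            "zero_trust": zero_trust_allows(req)}


if __name__ == "__main__":
    # Constructed scenarios: an unauthenticated box on the LAN, and a
    # verified user on a managed laptop from an untrusted network.
    inside_no_identity = Request("10.1.2.3", None, False, False, "hr-db")
    alice_from_cafe = Request("203.0.113.7", "alice", True, True, "hr-db")
    for r in (inside_no_identity, alice_from_cafe):
        print(r.src_ip, r.user, r.resource, compare(r))
    for entry in AUDIT:
        print(entry)
```

The interesting rows are the two where the models disagree: an unauthenticated host on the internal range is waved through by the perimeter rule and denied by the zero trust policy, while a verified user on a managed device coming from a public address is blocked by the perimeter rule and allowed by the policy. The `AUDIT` list is the visibility the fourth point in the list above asks for; in a real deployment it would feed a SIEM rather than a Python list.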