Thursday, 25 November 2021 02:59

Zero-trust - nothing new

Possibly the biggest misnomer of recent times is the term ‘zero-trust’, as applied to identity management and the authentication of users who want access to an organisation’s protected resources (applications, databases, sensitive documents and so on). Vendors and industry commentators treat the term as a brave new world in which current IAM and access-control technology is dated and inadequate, yet they are rarely able to say what zero-trust actually is or how it is applied. Zero-trust is not a technology and it is not a product; you cannot go to your favourite vendor and buy a bit of zero-trust. It is a corporate strategy, a reference architecture, a foundational belief. You build a zero-trust environment by adhering to a set of practices that, over time, significantly reduce the vulnerability of your organisation’s business operations.

The first step is a holistic approach to authentication and authorisation: one policy, consistently enforced, across every kind of protected resource. There is no point in standing up a strong authentication service for web applications while network segmentation still relies on coarse, high-level group memberships; an attacker simply takes the path guarded by the weaker control.

Secondly, and yes, this is why it is a misnomer, use a ‘trust-but-verify’ approach. When a particular data store (a directory, for instance) is the source of an authentication decision, verify that decision through a separate mechanism that does not depend on the same store. In practice this usually means the person’s smartphone: push approval for low-assurance access, face or fingerprint recognition where higher assurance is required. The value of the second mechanism lies in its independence; a compromised credential store must not be able to vouch for itself.

‘Zero-trust’ needs a corporate culture that values security, and it requires a least-privilege approach to access control: each identity gets the specific permissions its role needs on each resource, and nothing more. Nothing new.
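The three practices above (one decision point for every kind of resource, an independent second verification with graded assurance, and explicit least-privilege grants), worked through as an added example. This is illustrative code written for this page, not anything from the original post or from a vendor product. The users, device identifiers, resource names, assurance levels and the ‘staff’ group check are all constructed for the example.

```python
"""Unified access-decision point: web apps, databases and network segments
are all judged by the same policy, and a session's assurance can only be
raised by a verification that does not depend on the primary directory."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Set


class Assurance(IntEnum):
    """Assurance carried by a session; higher means more independent verification."""
    PASSWORD_ONLY = 1   # vouched for by the primary credential store alone
    PUSH = 2            # push approval on an enrolled phone: low assurance
    BIOMETRIC = 3       # on-device face/fingerprint unlock on that phone: higher assurance


@dataclass(frozen=True)
class Session:
    user: str
    assurance: Assurance


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                        # "webapp", "database", "segment": same engine for all
    min_assurance: Assurance
    grants: Dict[str, Set[str]]      # user -> permitted actions (explicit, least privilege)


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    step_up_to: Optional[Assurance] = None   # set when a stronger verification would help


# Constructed sample data (hypothetical users, device ids and resources).
# The phone enrolment store is deliberately separate from the primary directory,
# so a second verification never leans on the store that produced the first.
PRIMARY_DIRECTORY = {"alice", "bob"}                          # users with a password
PHONE_ENROLMENT = {"alice": "dev-7f3a", "bob": "dev-91c0"}    # user -> enrolled device

PAYROLL_DB = Resource("payroll-db", "database", Assurance.BIOMETRIC, {"alice": {"read"}})
FINANCE_SEGMENT = Resource("finance-vlan", "segment", Assurance.PUSH, {"alice": {"connect"}})


def primary_login(user: str) -> Optional[Session]:
    """Password check against the primary store (stand-in; real code verifies a hash)."""
    if user not in PRIMARY_DIRECTORY:
        return None
    return Session(user, Assurance.PASSWORD_ONLY)


def verify_second_factor(session: Session, device_id: str, method: Assurance) -> Session:
    """Raise the session's assurance only if the independent enrolment store confirms the device."""
    if method <= Assurance.PASSWORD_ONLY:
        return session
    if PHONE_ENROLMENT.get(session.user) != device_id:
        return session                      # unknown or wrong device: assurance unchanged
    return Session(session.user, max(session.assurance, method))


def decide(session: Session, resource: Resource, action: str) -> Decision:
    """One decision point for every resource kind: explicit grant first, then assurance."""
    if action not in resource.grants.get(session.user, set()):
        return Decision(False, f"{session.user} has no '{action}' grant on {resource.name}")
    if session.assurance < resource.min_assurance:
        return Decision(False, f"{resource.name} requires {resource.min_assurance.name}",
                        step_up_to=resource.min_assurance)
    return Decision(True, "allowed")


def legacy_segment_allows(groups: Set[str]) -> bool:
    """The weaker control the post warns about: any 'staff' member reaches the segment."""
    return "staff" in groups


def walkthrough() -> Dict[str, Decision]:
    """Alice's session as it climbs the assurance ladder."""
    alice = primary_login("alice")
    assert alice is not None
    results = {"password_only_segment": decide(alice, FINANCE_SEGMENT, "connect")}
    alice = verify_second_factor(alice, "dev-7f3a", Assurance.PUSH)
    results["after_push_segment"] = decide(alice, FINANCE_SEGMENT, "connect")
    results["after_push_payroll"] = decide(alice, PAYROLL_DB, "read")        # step-up demanded
    alice = verify_second_factor(alice, "dev-7f3a", Assurance.BIOMETRIC)
    results["after_biometric_payroll"] = decide(alice, PAYROLL_DB, "read")
    results["write_never_granted"] = decide(alice, PAYROLL_DB, "write")      # least privilege
    return results


if __name__ == "__main__":
    for step, d in walkthrough().items():
        print(f"{step:26} allow={d.allow!s:5} {d.reason}")
```

Run it directly to see the step-up sequence. The design point is that `decide` does not care whether the resource is a database or a VLAN, and that `verify_second_factor` consults an enrolment store separate from the primary directory, so a compromised password store cannot raise its own assurance; `legacy_segment_allows` is there only to show the inconsistency the first practice removes, letting any ‘staff’ member onto a segment the unified policy would deny.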
Last modified on Wednesday, 24 November 2021 05:03