A brief(er) history of zero trust: Major milestones in rethinking enterprise security
Apr 20, 2022
Editor’s note: The following is an excerpt from the forthcoming white paper “A brief history of zero trust: Major milestones in rethinking enterprise security.”
Why tell the story of zero trust?
Many in IT security believe zero trust is a game-changer, a fundamental rethink about enterprise security and protection of the networks and resources that house our best ideas, connect our brightest talent, and grant access to transformative productivity tools.
But to understand how truly revolutionary the zero trust model is in cybersecurity, it’s necessary to how the idea of zero trust architecture evolved into one that fundamentally overhauls decades-old thinking.
What follows is a brief history of some of the key moments in the making of the zero trust movement.
Key moments in the history of zero trust
1987 – Engineers from the Digital Equipment Corporation (DEC) publish the first paper on firewall technology, ushering in decades of "castle-and-moat" network security thinking
2001 – IEE Standards Association publishes the 802.1X protocol for network access control (NAC
2004 – The Jericho forum is chartered, introducing the principle of de-perimeterization
2007 - The Defense Information Systems Agency (DISA) publishes its "black core" model for a software-defined perimeter, which struggled to gain traction.
2009 – Google's BeyondCorp is founded to reimagine security architecture in the wake of Operation Aurora
2010 – Analyst John Kindervag coins the term "zero trust" in a paper for the Forrester Research Group
2013 - The Cloud Security Alliance's software-defined perimeter, dependent on SPA, flounders due to tech limitations; The Jericho Forum declares de-perimeterization a “fact” and disbands
2017 – Continuous Adaptive Risk and Trust Assessment (CARTA) is designed as a risk management framework by Gartner
2019 – Gartner introduces the concept of the secure access service edge (SASE)
2020 – NIST publishes SP 800-207 as a unified framework for establishing zero trust architecture (ZTA)
2021 – Gartner specifies the security components of SASE are a new market category, known as the secure service edge (SSE)
2022 – The U.S. Government's Office of Management and Budget mandates the adoption of zero trust principles for all agencies by 2024
802.1X and network access control
The 802.1X protocol was released in 2001 as a standard regulating network access control (NAC) for wireless devices. The increasing adoption of these wireless devices was complicating notions of a strictly defined corporate perimeter, and organizations were feeling a need to address their growing use.
The 802.1X supplicant, or client, was meant to allow networks to authenticate an endpoint before allowing a connection. Unfortunately, not all devices were 802.1X-capable. Printers, IoT systems, and other connected devices prevented this method from serving as a universal solution to the problem of unauthorized network access.
The Jericho Forum imagines a bold way forward
In 2003, a group of European technology leaders recognized the problems inherent to castle-and-moat network architecture and began discussing ways to bring down the network walls.
They convened a working group in 2004 known as The Jericho Forum, which introduced the idea of “de-perimeterization” and gave the world a set of "commandments" that laid the groundwork for best practices for governing perimeter-less networks.
More than a buzzword: Enter “zero trust”
In 2010, Forrester analyst John Kindervag published a paper titled “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security." More than a buzzword, it gave the IT security industry something to latch onto when architecting a new model for connectivity.
The premise was that presence on a network was not a sufficient basis for granting trust. Identity – and the ability to verify it – replaced the perimeter as the core criterion for access. Alas, up to this point, nothing fundamental had shifted in the enterprise environment itself. Networks were still an all-or-nothing, inside-or-out construct.
Beyond (the perimeter) Corp
As is so often the case in cybersecurity, threat actors drove the next evolution in network security. China’s People’s Liberation Army conducted a major operation against U.S. tech companies including Akamai, Adobe, and Juniper Networks – and Google responded with BeyondCorp.
The intent, according to Google, was “shifting access controls from the network perimeter to individual users…[enabling] secure work from virtually any location without the need for a traditional VPN.” Zero trust, in its purest sense of disregard for the on/off-network distinction, had arrived.
But Google was seeking to address a difficult problem, and despite trying to “pave the path for other organizations to realize their own implementation of a zero trust network,” it was still a strategy beyond the capabilities of most enterprises in 2010.
“The Man” weighs in on zero trust
In 2020, the National Institute for Standards and Technology (NIST) reframed the conversation with its NIST 800-207 standard for zero trust architecture.
This new cybersecurity paradigm was focused on resource protection and the premise that trust should never be granted implicitly, but must continuously be evaluated. The shackles of the perimeter and the notion of the virtual private network were discarded.
Its essentials are key to understanding how zero trust operates, and why it’s a departure from the approaches that came before it. The 800-207 standard stipulates key tenets and assumptions for zero trust. Three of the most critical points (from a much longer list) are:
- No resource is inherently trusted.
- All communication is secured regardless of network location.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
If this was a paradigm shift in terms of thinking about zero trust, the revolution in terms of advancement came with the U.S. Office of Management and Budget (OMB) M-22-09 directive, issued in 2022. Suddenly, zero trust became the law of the land, at least where U.S. federal agencies were concerned.
But the implications were broader. With executive endorsement – almost certainly bearing in mind a high-profile 2021 supply chain attack that compromised federal agencies including State, Treasury, Homeland Security, Commerce, and Energy – the zero trust methodology had the weight of the American government behind it.
Further refining zero trust
The U.S. government’s endorsement of zero trust principles didn’t mark the end of advancement for this model. Zscaler's approach to zero trust architecture aligns closely with NIST's ZTA framework and Gartner's definition for SSE. And it goes beyond these standards, with three fundamental advancements in zero trust thinking:
- All traffic is zero trust traffic
- Identity and context always come before connectivity
- Applications - and even app environments - should remain invisible to unauthorized users
To learn more about this modern approach to zero trust, including how Zscaler is driving the next milestones in rethinking enterprise security, look for the upcoming white paper “A brief history of zero trust: Major milestones in rethinking enterprise security.”
In the meantime, listen to this episode of Cloudy with a Chance of Trust podcast from the archives:
Visit the 1 year anniversary hub
Join the community forum