Never trust a stranger
A few years ago, every piece of software suddenly “supported” the Cloud. In reality, the only change was that normal on-premises, server-based software was now running on infrastructure hosted in the cloud, with a few VPN connections to ensure it worked. Technically, the claim is true, but is that really what a cloud-based system implies? Or were vendors just stretching the truth to claim support so they could jump on the bandwagon?
We are seeing the same thing happening now with the “Zero Trust” security model. Lots of marketing materials declare that “Zero Trust” is supported but don’t define what “Zero Trust” actually means. The product in question may only offer support for one small section of a Zero Trust model yet imply support for everything.
Both Microsoft and Google have done their best to define their own interpretations of a Zero Trust security model. Both have documented changes made to their own internal networks and procedures to establish a path for customers who wish to join them on this journey.
Microsoft defines a Zero Trust security model as using the following guiding principles*:
- Verify explicitly. Always authenticate and authorize based on all available data points including user identity, location, device health, service or workload, data classification and anomalies.