Why Read This
There's an old saying in information security: "We want our network to be like an M&M, with a hard crunchy outside and a soft chewy center." For a generation of security and risk (S&R) professionals, this was the motto we grew up with. It was a motto based on trust and the assumption that malicious individuals wouldn't get past the "hard crunchy outside." In today's threat landscape, this is no longer an effective way of enforcing security. Once an attacker pierces the shell, he has access to all the resources in our network. We've built strong perimeters, but well-organized cybercriminals have recruited insiders and developed new attack methods that easily bypass our current security protections. To confront these threats, S&R pros must eliminate the soft chewy center by making security ubiquitous throughout the network, not just at the perimeter. To help S&R pros do this effectively, in 2009, we developed a new information security model, called the Zero Trust Model of information security. Since then, we have seen its widespread acceptance and adoption, from cloud and security vendor powerhouses to manufacturers and retailers. This report explains the vision and key concepts of the Zero Trust Model.