We Need to Talk About Zero Trust. It’s Necessary!

Jonas Bøgvad

Introduction

We have all heard the buzzword "Zero Trust" (ZT) before; the big tech giants, especially Microsoft, have put it on the agenda over the last couple of years. The model is not new, although you might think so: the giants have translated the principles to align with their own tech and to help you adopt them. But they all have the core principles in common.

never trust, always verify

History

Let's dig into some history as I want to share something from Wikipedia.

In April 1994, the term "zero trust" was coined by Stephen Paul Marsh in his doctoral thesis on computer security at the University of Stirling. Marsh's work studied trust as something finite that can be described mathematically, asserting that the concept of trust transcends human factors such as morality, ethics, lawfulness, justice, and judgement.

So it all began in 1994, right? The beginning of an era. Instead of listening to our feelings, we needed to prove them mathematically before we could trust anyone. The Zero Trust model was developed over time to adapt to new knowledge and the present day. In 2018, NIST and NCCoE published Special Publication (SP) 800-207, Zero Trust Architecture.

What is Special Publication (SP) 800-207 by NIST?

NIST (National Institute of Standards and Technology) Special Publication 800-207 is a series of cybersecurity measures and guidelines highlighting the core components of Zero Trust principles. To clear up any misunderstanding: Zero Trust is not a product or a service but an approach to designing and implementing security principles.

From here on in the history of the Zero Trust model, it was adopted by major companies like Microsoft (it might have been earlier).

Read more here: Zero trust security model - Wikipedia | The federal Zero Trust strategy and Microsoft's deployment guidance for all - Microsoft Security Blog

Microsoft Zero Trust deployment guidance

Zero Trust is a security strategy. It is not a product or a service but an approach to designing and implementing the following set of security principles:

  • Verify explicitly
  • Use least privilege access
  • Assume breach

That's why you must remember that this is not a quick fix. It is a more extensive roadmap and a way of approaching any new implementation, like Microsoft 365 E5, or any change to existing infrastructure, so that they all align with your recent adoption of Microsoft's Zero Trust framework.

Microsoft has made a Zero Trust deployment guide to help you implement the Zero Trust strategy with Microsoft technology. You can find the guide here: Zero Trust Deployment Overview | Microsoft Docs

After learning about the foundational concepts, you can proceed with guidance materials to help you on your Zero Trust journey. I recommend looking at the Rapid Modernization Plan (RaMP) or the Microsoft 365 Zero Trust deployment plan | Microsoft Docs

I hope you enjoyed this short article, and remember to constantly remind yourself of the following.

never trust, always verify