{"id":86357,"date":"2018-08-06T13:00:23","date_gmt":"2018-08-06T20:00:23","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=86357"},"modified":"2019-05-06T15:52:50","modified_gmt":"2019-05-06T22:52:50","slug":"clarifying-zero-trust-not","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2018\/08\/clarifying-zero-trust-not\/","title":{"rendered":"Clarifying What Zero Trust Is \u2013 and Is Not"},"content":{"rendered":"<p>Last fall, I wrote about how people were <strong><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2017\/11\/trust-is-a-vulnerability\/\">beginning to understand the essence of Zero Trust<\/a><\/strong>. \u00a0Since then, there seems to have been an inflection point in industry\u2019s embrace of Zero Trust, and now, even more people are advocating it, more vendors are posturing it as a go-to-market message, and more enterprises are moving towards adopting it.<\/p>\n<p>However, as the concept gains popularity, I find that more people are mistaken about what it really is.<\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-size: 18pt;\">The Concept of Trust<\/span><\/p>\n<p>One way to see if someone understands Zero Trust is to analyze how they talk about the word \u201ctrust.\u201d If a pundit is trying to get you to a \u201ctrusted\u201d state, then they don\u2019t understand Zero Trust. The point of Zero Trust is <em>not<\/em> to make networks, clouds or endpoints more trusted; it\u2019s to eliminate the concept of trust from digital systems altogether. The \u201ctrust\u201d level is zero, hence Zero Trust. Simple!<\/p>\n<p>Trust is a human emotion that refers to the level of confidence someone has in something, but it\u2019s a vulnerability and an exploit in a digital system. It has no purpose in digital systems, such as networks. There is no use for \u201ctrust\u201d in these systems, except to be used by malicious actors, who exploit \u201ctrust\u201d for their own nefarious gain. The only thing that can happen to trust in a digital system is for it be exploited, and the only outcome for trust is some type of betrayal.<\/p>\n<p>What typically confuses people is the anthropomorphization of the network that has happened over time. People and trust in the physical world is not the same as packets and vulnerabilities in a digital system. People are not on the network; packets are. Most people confuse the trustworthiness of human beings with the trustworthiness of packets. By depersonalizing packets, we can do what we need to do, which is inspect that packet and apply access control methodologies. This way, the packet only gets access to approved resources at the approved time \u2013 and all of that is logged and analyzed \u2013 so we can assess if there was an appropriate digital behavior.<\/p>\n<p>So, for folks trying to move to a Zero Trust environment, step one is to eliminate the word \u201ctrust\u201d from your vocabulary as it relates to digital systems. Trust is binary; it is on or off. Think about using the term \u201cconfidence\u201d instead. Confidence can exist on a continuum. It\u2019s an important distinction.<\/p>\n<p>The old model of trying to create \u201ctrusted\u201d digital systems has never worked to prevent breaches. As people mature their thinking around Zero Trust, it is imperative that they understand the most fundamental principle of the concept: trust is not the desired state; trust is the failure point you want to avoid.<\/p>\n<p><em>\u00a0<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>John Kindervag walks us through what is, and what isn't, Zero Trust.<\/p>\n","protected":false},"author":391,"featured_media":86654,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[155,6724,6765],"tags":[4779],"coauthors":[4243],"class_list":["post-86357","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-2","category-points-of-view","category-secure-the-enterprise","tag-thought-bubble-with-john-kindervag"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2018\/08\/thought-bubble-blog-feature-img-650x300.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/86357","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/391"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=86357"}],"version-history":[{"count":2,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/86357\/revisions"}],"predecessor-version":[{"id":86699,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/86357\/revisions\/86699"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/86654"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=86357"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=86357"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=86357"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=86357"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}