Zero trust (ZT) is now a top subject in information technology. We observed similar landscape changing technology initiatives before, personal computer (PC), web and web2.0, service oriented architecture (SOA), wireless network, mobile device, cloud computing, and many more. Understanding zero trust and preparing your organization for it is an imperative step. It is the first link in the chain of success.

If you visit the internet, every big player has a distinct page on ZT. Many of them are part of the solution circles, and offer product and services, usually seen next to their explanation of this subject. I randomly picked and listed a few of them, and please feel free to explore and compare the interpretations and focuses from various industry leaders.

Wikipedia: https://en.wikipedia.org/wiki/Zero_trust_security_model

Redhat: https://www.redhat.com/en/topics/security/what-is-zero-trust

Palo Alto: https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture

Crowdstrike: https://www.crowdstrike.com/cybersecurity-101/zero-trust-security/

Microsoft: https://www.microsoft.com/en-us/security/business/zero-trust

Cloudflare: https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/

AWS: https://aws.amazon.com/security/zero-trust/

Verizon: https://www.verizon.com/business/resources/articles/what-is-zero-trust-architecture/

Broadcom: https://www.broadcom.com/solutions/symantec-security-solutions/zero-trust-ecosystem

Akamai: https://www.akamai.com/resources/zero-trust-security-model

IBM: https://www.ibm.com/security/zero-trust?

My diagram suggests you go directly to the source. Zero trust architecture, in NIST SP 800-207 is final since August 2020. NIST publishes standard and principles on technologies. SP stands for special publication, and 800 refers to computer security. You also see examples of past and draft subjects such as Secure Web Services (SP 800-95) and Micro Services Architecture, Containers and VMs (SP 800-180). A good grasp on SP 800-207 should serve your well when adopting ZT.

In my point of view, zero trust is a state, a state of secured computing. It is not one architecture, not a single solution, not a onetime problem solving (Y2K etc.), not a painless panacea someone promised you. Rather, it is a multi-layered, cross-discipline, and orchestrated architecture shift with major retooling based on a set of well-defined security objectives and principles. Along with the technology change, it also involves people, culture, and process adaptation since the new state means the new norm. It is a state because, at end of the day, you are either no zero trust (you may have valid business reasons), complete in zero trust, 15% overall in zero trust, or 95% critical asset in zero trust. Zero trust is also a shared journey that you, and your ZT partners (solution providers), to continue mature, advance, and adapt in the ever changing world of computing.