I have been lecturing on Zero Trust for the last couple of days, and to add weight to the case that we can no longer go on using traditional security techniques - even the NSA provided guidance this week.
We need to eliminate the bias and myths facing our industry, and commence the journey by convincing our organisations, from the CXO suite down, that we need to change - the cybercriminals are pushing out so many exploits that most organisations simply cannot cope and adjust to the amount of flexibility that our respective organisations expect in support of their business objectives.
Security strategy needs to be in alignment with the organisation's business strategy and objectives - we can do this using Zero Trust. But do your own research, get to the real truth without vendor bias and understand the principles. It certainly is not a silver bullet, but you will experience small wins initially by simply embarking on the journey. Read the NSA guidance for yourselves and make your own minds up:
I too embrace the "never trust, always verify" philosophy as a core architectural design construct. I do a lot of work evangelizing that core Zero Trust Architecture (ZTA) tenet to Fortune 500 companies. What I've found is that change is hard - no kidding. I have to teach broad foundational concepts not only to CIOs and CISOs, but also to the enterprise architects - giving them practical design patterns helps them move forward. Often it means that network access, application access, and continuous monitoring need to be re-engineered, and there is always little to no budget to do that. Today, I tend to focus my ZTA design on Cloud - that is where I see real acceptance and change.
@AppDefects A good philosophy. It is a steep learning curve for many - but as you state, a lot of awareness and concentration needs to be put in at the top of the organisation to ensure they understand the required cultural changes, which need to ripple down through each and every organisation.
Cloud environments can in fact make it harder, especially if the customer does not fully understand the limitations of the service, and also what will happen when things go awry and suddenly the responsibility falls on the customer to resolve the issue or incident.
Here is an interesting piece, which unfortunately I disagree with: "Zero Trust" is not about "Trust" - obviously someone did not do their homework.
I tend to agree with @Caute_cautim. They could have at least read the seminal paper on Zero Trust Architecture (ZTA)... Google's "BeyondProd". It really gets at your point of how hard it is to implement ZTA for Cloud architectures... that is my guiding light...