Newcomer II

Zero Trust (ZT) Security Architecture Model - Looking for and Sharing Sources of Knowledge

Dear Colleagues,


I believe Zero Trust (ZT) architecture is the next generation security model for on-premise as well as hybrid and cloud-based systems. In my research of this relatively new topic, I found only a handful of resources available. To share what I know and to provide a baseline for your own exploration of ZT architecture, I created a simple website at Please feel free to visit and check out the list I compiled. Also please share with me any notable information sources that I might have not included in my modest catalog. Thank you very much!

Best regards,

10 Replies
Newcomer III

I presented a paper at RSA 2002 on the topic and it was written up in Information Security magazine.  Here are a few links.


Perimeter Defense in a World Without Walls: 


"Beyond network perimeter defense: A 'submarine warfare' strategy", Information Security Magazine, Aug, 2002.  Last accessed 1-Dec-2017 at: +


I think the essential mindshift is something I told my CISO at Cardinal Health around 2012 that pissed him off a little bit - "The internal corporate network is just the part of the Internet that we own, and it's a little less safe than Starbucks."


If you stop thinking about your corporate network as trusted (because, truly, it shouldn't be trusted) then you arrive at the zero trust model.  Anywhere you have users clicking on things in their email and browser, that's not a trusted zone.


What I think is more viable is what you can find in the Information Security Management article, which is an enclave model, a locked down fortress internal in the network where the crown jewels are stored.  To actually achieve this, however, you need to break credentials at the firewall to that enclave, and treat it like a different company.  If the backup, monitoring, patch management, orchestration, security monitoring, and change control accounts are the same in the unsecured zone and the enclave, then you're kidding yourself.


Sr. Consultant, Security Strategy & Architecture
InfoSec Innovations
+1 614.805.4289
Better Information Security Through: Science, Creativity, and Caring
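The enclave point in the reply above is the one a practitioner can actually test: if the backup, monitoring, patch management, orchestration and change control accounts are the same on both sides of the enclave firewall, the enclave boundary buys nothing. The script below is an added example, not code from the thread or from any product it mentions. It audits a constructed service-account inventory (zone, account, function) and reports accounts valid in both the general corporate zone and the enclave, plus functions for which no enclave-only account exists at all. The inventory, zone names ("corp", "enclave") and account names are invented sample data; in practice the rows would come from an IAM or CMDB export.

```python
"""Audit a service-account inventory for credentials shared across a
security enclave and the general corporate zone.

Added example (not code from the original thread). The inventory format,
zone names and account names are all constructed for illustration.
"""
from collections import defaultdict

# Constructed inventory: (zone, account, function). Invented sample data;
# a real run would read an IAM or CMDB export in the same shape.
INVENTORY = [
    ("corp",    "svc-backup",    "backup"),
    ("enclave", "svc-backup",    "backup"),            # same account in both zones
    ("corp",    "svc-mon",       "monitoring"),
    ("enclave", "svc-mon-encl",  "monitoring"),        # enclave-only account
    ("corp",    "svc-patch",     "patch management"),
    ("enclave", "svc-patch",     "patch management"),  # shared again
    ("corp",    "svc-orch",      "orchestration"),
    ("enclave", "svc-orch-encl", "orchestration"),     # enclave-only account
    ("corp",    "svc-cc",        "change control"),
    ("enclave", "svc-cc",        "change control"),    # shared
]


def accounts_by_zone(inventory):
    """Map zone -> {account: function}."""
    zones = defaultdict(dict)
    for zone, account, function in inventory:
        zones[zone][account] = function
    return zones


def shared_accounts(inventory, enclave="enclave", outside="corp"):
    """Return a sorted list of (account, function) valid in both zones.

    Every hit means a compromise of the outside zone hands over a
    credential that is already accepted inside the enclave, which is
    exactly the "same accounts on both sides" failure the post warns about.
    """
    zones = accounts_by_zone(inventory)
    common = set(zones[enclave]) & set(zones[outside])
    return sorted((account, zones[enclave][account]) for account in common)


def functions_without_separation(inventory, enclave="enclave", outside="corp"):
    """Return sorted functions (backup, monitoring, ...) that have no
    enclave-only account, i.e. are served inside the enclave solely by
    accounts that also exist outside it."""
    zones = accounts_by_zone(inventory)
    outside_accounts = set(zones[outside])
    separated = {
        function
        for account, function in zones[enclave].items()
        if account not in outside_accounts
    }
    return sorted(set(zones[enclave].values()) - separated)


if __name__ == "__main__":
    for account, function in shared_accounts(INVENTORY):
        print(f"SHARED: {account} ({function}) is valid in both zones")
    for function in functions_without_separation(INVENTORY):
        print(f"NO SEPARATION: {function} has no enclave-only account")
```

Treat every row in the SHARED list as a finding to be closed by issuing a distinct enclave credential, and the NO SEPARATION list as the functions where the enclave is still being administered "as the same company". The same two checks extend naturally to per-zone service principals in a cloud tenant or to jump-host accounts, since only the inventory rows change.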
Newcomer II

Hello Daniel,


Thank you very much for such a detailed response and for all the links that you provided! I sincerely appreciate it. I also love your assessment of what a corporate network really is today. What a wonderful way to put it! May I quote you on the homepage of my new knowledge sharing portal?


One of the most potent business strategic thinking ideas I have found in my research and practice is to imagine that one's products are free. Such a "preposterous" idea makes one think really hard about how to deliver new value to one's customers. I think your message to the CISO is right on the money in the very same way--it forces the "now what?" approach to making a corporate infrastructure significantly more secure. Unpleasant as it might be, this is akin to the muscle pain we feel after a good physical exercise. No pain, no gain. Thanks again!



Aleksandr Zhuk, DM, CISSP, BRMP, ITIL Expert

Newcomer III

Sure.  Just to clarify, don't quote Cardinal's name.  I said the quote while I worked there but it wasn't because Cardinal Health had insecure networks.  In fact, they have a robust security program.  I think this is true of any firm.  Wherever you have users clicking on links in email & browsers, you have an attack surface.  Most organizations have flat networks, and you have an (N)^2 problem with that attack profile.  


Your typical Starbucks public WiFi network has maybe 30 nodes, with hugely variant security, but most are likely not terrible, and auto-patch is quite common now on consumer desktops.  It's a low-utility network that really only does a few things - legal opt-in to T&Cs, metering, DHCP, DNS resolution, IP gateway services, content filtering, and some traffic isolation.  That's about it.  It's not uber high-security, but it's low-utility and low-volume, so small attack surface.  (N)^2 where nodes are 30 = 900.


Compare this small, relatively secure network with 50,000 or 100,000 endpoints on a typical large corporate network grown organically over 20+ years.  (N)^2 where nodes are 50,000 = 2,500,000,000


Worse, you'll typically find one or more of these to be true:

  • 500 consultants using Goodness-only-knows-what as their compute platform
  • 10 vendors a day connecting in
  • rogue switches & access points
  • VPN accounts that got handed out from time-to-time to non-employees
  • test/dev/QA parked in production network (yes, the _CODE_ is Dev, but the server & network are prod)
  • Shadow IT
  • IoT that walks in the door
  • Modems for fax support
  • a huge stack of firewall "open" requests, with an empty box of "close" requests
  • likely no tracking of ownership of firewall rules, or governance
  • rules that folks are afraid to turn off/ turn on
  • that one firewall where the last command is PERMIT ANY ANY
    • (I've found 2 in my career.  Yup, they tried to blacklist the Internet)
  • BYOC - Bring Your Own Computer
  • (likely unsecured) printers
  • those guys that installed a hypervisor and are running a few rogue operating systems on their desktop
  • the secret wink-wink-nudge-nudge proxy server that bypasses content controls
  • remote satellite offices where Jimmy has installed an extra connection on the network to (local ISP / hotel where they like to have meetings / shared conference room down the hall)
  • other remote satellite offices where the wiring closet is also used to store mops, lightbulbs, holiday decorations and cleaning supplies, and 18 people access it a month
  • pockets of desktop admin use
  • pockets of resistance to upgrade, using old crap
    • that one mission critical app that runs on Windows 2000/ RedHat 6.2/ Oracle 8i-Rel 3/ Microsoft Bob
  • patching exclusion lists
  • endpoint compliance reporting exclusion lists/errors in reporting
  • that special laptop/server/switch/router/tablet for the CFO or COO that isn't really locked down
  • PCs that 40 executives have installed in their homes that remote VPN from their home network
  • likely huge holes in firewalls internally
  • facilities & physical security devices
    • you know, the ones where they periodically install DHCP services and start handing out addresses?
  • SCADA milling machines, robots, conveyors, pumps, actuators, valves, etc.
  • ATMs & POS vending machines
  • cafeteria point-of-sale
  • third party devices hosted on your network
  • hundreds of third parties that connect into your infrastructure to perform support & maintenance
  • DevOps teams likely able to download & install as needed
  • broad use of collaboration sharing technologies where the user clicks "Share my Desktop"
  • likely pockets of internet-facing test

That creates quite a mosh pit.  While much of it is armored, in the aggregate, it's like a flotilla of mixed battleships, destroyers, tankers, cruise ships, bass boats and leaky sailboats.  LOTS of surface area, lots of targets.



Newcomer II

Hello Daniel,


Thank you for your permission to use your words (no company names--of course) and for further explanation of your Starbucks metaphor! Very well done! Thank you!




Community Champion

Great posts.


Why should I trust your website then? :P


One of the deep down fundamental problems of the 'Zero Trust' model (and just for clarity, I think it's one of the best paradigms around) is keeping everything operating while moving on to it; nothing kills an initiative like stopping services, even if borking 'The old expensive thing that sits in the corner and Spoils Everything if it isn't kept fed with copious unsigned PE files and access databases via NetBEUI...TM' might be a blessing in disguise.


Google's BeyondCorp framework is probably the most talked about vendor neutral effort, and as a model I think it makes a lot of sense. It's also a pretty good antidote for the Zero (Rabid) Trust Person who will soundbite it in meetings and then build layers of evermore tenuous argument on top of knowing the buzzword, trying to panic someone into buying/committing/etc. into making something 'Secure' but really failing to understand what they are doing.


"And now, by the power of Opsware's global root access, I shall put all the HP-UX boxen into trusted mode. It is done, we are impregnable!"


"Impressive... could you just connect to one of them so we can take a look?"







Newcomer II

Hello @Early_Adopter,


Thank you for your great comments and the jolly tone! You are right--don't trust my website, at least at the offset! Thank you for the Google's BeyondCorp link! The portal is a treasure trove of great research information. Have a great weekend!


All the best!


Community Champion

@azhuk Does your web site still exist?





Defender I

John @Caute_cautim 

August 2020: NIST has just published Special Publication SP 800-207, Zero Trust Architecture,

and the National Cybersecurity Center of Excellence (NCCoE) has released a public draft of the in-development Implementing a Zero Trust Architecture.




D. Cragin Shelton, DSc
My Blog
My LinkedIn Profile
My Community Posts
Newcomer II

Thanks a lot for the tip CraginS! I really appreciate it.