An interesting piece by an Australian technology journalist; he has the right idea, but it is full of myths and half-truths as usual.
I think you are being generous; I couldn't find enough information in the article to identify myths or half-truths. Everyone is jumping on the bandwagon, and the Zero Trust noise level is so high that it is hard for people who know the technology, the risks, etc. to make sense of the landscape, much less those at the edge.
(ISC)2 members have access to a Zero Trust express learning (approximately 2 hours in length). Check it out here: "Preparing for a Zero Trust Initiative".
I would like to say "don't be satisfied with implementing ZTA and completely throw VPN, Active Directory and anything vulnerable away".
@Masahiro Great thoughts. I would also like to put forward an IBM business point of view on the subject, with statistics: https://www.ibm.com/thought-leadership/institute-business-value/report/zero-trust-security
Download the article and give it a read for yourselves.
@mgorman Well, ZTNA is a myth; it is a construct invented by Gartner, and it only illustrates one use case, protecting remote workers. There are currently about 43 use cases available.
The term ZTNA was never part of the original Zero Trust principles.
Rather like another well-known vendor stating they have Trusted Access: if you cannot trust anyone or anything, how can you have trusted access?
I do not disagree. As I said, Zero Trust has become the latest buzzword to justify budgets and market products. It has also expanded its definitions over time. While I agree with you 100% that a gateway model is not Zero Trust, as you are then trusting the gateway, it has become commonly accepted, and is even noted in NIST work. At the same time, we can say that ZTNA isn't real Zero Trust, but that is an argument at almost any implementation level, because it is not a standard, it is not a given model; it is a set of principles and a goal. Like any other security layer, partially implementing Zero Trust principles may have beneficial effects, if done properly. As privacy regulation helped a lot of organizations clean up their data stores, perhaps Zero Trust will lead to better segmentation and permission management, at least for a while.
@mgorman Thank you for your comments and wise words.
An interesting article popped up from CSOonline, which spells out some of those myths and misconceptions; it is shown below:
I think the best one is that this means you don't trust your employees. I have had this conversation several times recently about other controls. I trust our employees, generally; I don't trust whoever SAYS they are our employee, until they PROVE they are our employee. Once you get there in your head, Zero Trust becomes easy: you just have to ask that question over and over, and over. Who is this, and how do I KNOW that?