Zero Trust certainly has its benefits over the old perimeter-based model, but it also requires new, and massive, trust in third-party cloud providers. A bit more on that:<p><a href="https://invisv.com/articles/zerotrust.html" rel="nofollow">https://invisv.com/articles/zerotrust.html</a><p>What we need to move towards is something more like Oblivious Trust -- you rely upon third parties but they have nothing sensitive in the first place.
With many new ideas, the early folks love the benefits and aren't put off by the challenges. With ZTNA, after doing quite a few deployments myself, I can say that the biggest challenges are operational. Nothing will piss off developers more than having had access to a resource one day, losing it unexpectedly, and then not knowing who to track down to get it back. Or users, hating on their VPN, want something else, and then that something else (often just another VPN provider) works differently and causes them disruptions. ZTNA is a long journey, not a quick fix.
I've always correlated zero-trust with that which was recently on top of HN: <a href="https://dilbert.com/strip/2023-02-11" rel="nofollow">https://dilbert.com/strip/2023-02-11</a><p>Treat your employees like cattle; see how far that will go.
Zerotrust is cancer.<p>I dismissed it a few years ago as a harmless hype but I am now seeing real harm being caused by this hype.<p>To avoid writing an essay here let me keep it short and explain why: I am seeing orgs spending valuable time, money and resources on box checking and implementing false security all over. It is being used in place of improving security posture that is aware of threat context facing the organization. It has scope-creeped beyond the original intended purpose of ensuring all actions are explicitly authorized and eliminating implicit trust to mean a bunch of ridiculous goals and hype words no one can explain consistently.<p>I caution everyone to avoid using the term but to still implement the original BeyondCorp architecture.<p>Another cancer that is beginning to spread: "passwordless".