Several weeks ago, I had a chance to sit down with John Kindervag and discuss FireMon’s new partnership with Illumio. During that conversation, John shared a story about the origins of the phrase “Zero Trust” that I had never heard before, and it completely changed my perception of the phrase.
I am a firm believer in the Zero Trust concepts, but I must admit that I never loved the phrase. It didn't sit quite right with me, because the very first thing we do when adopting Zero Trust concepts is create policies that define "trust." I acknowledge that it isn't blind trust. The policies built under a Zero Trust model are based on identities and on state information about sources and destinations.
Rather than allowing all internal “trusted” systems to access all external “untrusted” systems, we instead create explicit access based on system identities such as:
- Resource type
- Business purpose (often with tags)
- Current state (active end-point security agents installed, no known vulnerabilities, authenticated user)
We no longer accept that a system is trusted simply because it sits on the internal network. These are great principles, but that isn’t “zero” trust. That is trust established through identity and verification.
From Old School Firewalls to Zero Trust
Then John reminded me of the old-school firewall technology where interfaces were defined with trust levels. Each interface was assigned a trust level from 0 to 100, where 0 was least trusted (outside/internet) and 100 was most trusted (inside/internal). Traffic from a higher trust level to a lower one was allowed by default, while traffic from a lower trust level to a higher one required an explicit ACL entry.
And that's it: Zero Trust says we should treat all access as if it originates from the lowest trust level (zero), so that access must be explicitly granted and is otherwise denied. No more implicit trust based on network location.
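To make the contrast concrete, here is a small policy-evaluation model I added for this post (not FireMon's or Illumio's code). It evaluates the same flow under the old-school interface-trust-level model and under a Zero Trust model whose rules match on the identity and state attributes listed earlier; all endpoint names, tags and rules are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

@dataclass(frozen=True)
class Endpoint:
    name: str
    level: int                          # legacy interface trust level: 0 (outside) to 100 (inside)
    resource_type: str                  # identity: what kind of system this is
    tags: FrozenSet[str] = frozenset()  # business purpose
    agent_active: bool = False          # current state: endpoint security agent running
    known_vulns: int = 0                # current state: open known vulnerabilities
    user_authenticated: bool = False    # current state: authenticated user present

def legacy_allows(src: Endpoint, dst: Endpoint, acl: Set[Tuple[str, str]]) -> bool:
    """Old-school model: high->low is allowed by default; low->high needs an ACL entry."""
    if src.level > dst.level:
        return True
    return (src.name, dst.name) in acl

@dataclass(frozen=True)
class Rule:
    src_type: str
    dst_type: str
    required_tag: Optional[str] = None  # business-purpose tag the source must carry

def is_healthy(ep: Endpoint) -> bool:
    """State checks from the post: agent installed, no known vulns, authenticated user."""
    return ep.agent_active and ep.known_vulns == 0 and ep.user_authenticated

def zero_trust_allows(src: Endpoint, dst: Endpoint, rules: Tuple[Rule, ...]) -> bool:
    """Zero Trust model: every flow is treated as if it came from level 0, so network
    location never grants access; only an explicit identity-plus-state match does."""
    if not is_healthy(src):
        return False
    return any(
        r.src_type == src.resource_type and r.dst_type == dst.resource_type
        and (r.required_tag is None or r.required_tag in src.tags)
        for r in rules
    )

# Constructed sample endpoints and policy (hypothetical names and attributes).
WORKSTATION = Endpoint("ws-finance-01", 100, "workstation", frozenset({"finance"}), True, 0, True)
STALE_WS = Endpoint("ws-lab-07", 100, "workstation", frozenset(), False, 3, False)
INTERNET = Endpoint("saas-payroll", 0, "saas")
RULES = (Rule("workstation", "saas", required_tag="finance"),)

def compare(src: Endpoint, dst: Endpoint) -> Tuple[bool, bool]:
    """Return (legacy verdict, zero-trust verdict) for one flow, with an empty legacy ACL."""
    return legacy_allows(src, dst, set()), zero_trust_allows(src, dst, RULES)
```

The stale workstation is the telling case: the legacy model lets it out to the internet purely because it sits on the level-100 interface, while the Zero Trust model denies it until its state is verified.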
This throwback to the trust-level behavior of old-school firewalls reframed the origins of Zero Trust for me. It isn't about "no trust"; it's about no implicit trust, exactly the default treatment of traffic arriving on the level-0 interface in those firewalls.
I have long embraced the Zero Trust concepts, and now I fully embrace the phrase. Thanks again to John for a great conversation. Reach out to our team for more information on how we are approaching Zero Trust and microsegmentation with Illumio. Watch the conversation here.