Is zero trust the end of VPN devices in general? Or just another thing to add on top of the security structure?
I’ve been reading up on it a bit. I definitely don’t have a full understanding of it, but I can see why it’s good. I don’t see how it replaces IPSec VPNs. From my understanding, IPSec is the most secure way to transmit data, and I can see certain customers doing both IPSec VPNs + zero trust as it adds another layer within the perimeter. Wouldn’t just zero trust still have some of your data exposed (i.e., IP header)?
The zero trust “model” is a repackaged & evolved form of a least privilege model. Only this time it’s looking to incorporate intelligent micro-segmentation using multiple layers and technologies organization-wide. This doesn’t mean the VPN is dead. It just means data is secured end to end through a multi-layered authorization process. Multiple tools are required to meet all aspects of zero trust. A zero trust model is meant to protect your data & assets from compromise internally and externally, or wherever they reside. In other words, “trust nothing, check everything.”
Google “BeyondCorp” — Google wrote a bunch of papers on it many years ago and runs it in production. Cisco/Duo ZTNA is an interpretation of this and will replace some VPNs but not all of them, IMO.
It isn’t about specific technologies and how exactly they are implemented. How you do it is often different for each company. For example, a company with BYOD, which has no control over the endpoint, will implement it differently than a company that can install certain software for device control, like a specific VPN client and/or a specific certificate for AAA and so on.
Wasn’t it first introduced in like 2010-2011? I’d say that’s pretty new, especially with how slow new security concepts get rolled out (IMO). Although most of my customers have been military, so it makes everything slower.
A lot of vendors are coming out with new or evolved offerings that assist in strengthening a zero trust model. This leads to larger marketing budgets, which is why we are hearing about it more, even though it has gone by many names over the years.