Chapter 47. Zero Trust Software Architecture
Jacqueline Pitter
No doubt you’ve heard of zero trust, information security’s favorite buzzword! Technology security vendors label everything as a zero trust solution these days. And yet, since their implementations are so vastly different from one another, it’s difficult to grasp what zero trust stands for.
The confusion is because, in short, zero trust is simply an idea.
NIST SP 800-207 laid out the components of a zero trust architecture in 2020, which is modeled after John Kindervag’s original think tank–generated idea in 2008 of “never trust; always verify,” achieved by focusing on reducing and protecting your attack surfaces:
-
Shrink implicit trust zones with security boundaries as much as possible.
-
Deploy reasonable security controls on all protect surfaces.
-
Controls should include constant scrutiny of anything crossing a security boundary for verified authenticity and nonanomalous intent.
The zero trust concept applies to all technology architecture, including applications and software. Software design can achieve improved security by developing application environments with a zero trust mindset. In software architecture, this would be achieved with the intentional creation of functional security boundaries and revalidation of any person or process that attempts to cross it, as well as scrutinizing application data ...
Get 97 Things Every Application Security Professional Should Know now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.