Huh? What? At least that was my response the first time I heard the words "zero trust" when I started working at the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) in the fall of 2018. Mind you, I was also making a fresh start with an enormous jump to cybersecurity from a career track that had generally been in software engineering.

Sure, I did design and develop secure software solutions and even put together secure systems and platforms at times throughout my career, but zero trust seemed like a different ballgame to me. For one thing, it didn't have a fence.

What do I mean by that? Well, the traditional approach to cybersecurity relies on barriers—firewalls—that control traffic coming in and out of a network. Zero trust, on the other hand, is about assuming no barriers. It is usually mentioned in the same breath as "removing perimeters," "shrinking perimeters," "reducing perimeters," or "going perimeter-less." These are common references to the idea of "de-perimeterization," which was originally introduced by a group called the Jericho Forum back in 2005.

 …