ZTNA (noun)
Rick Howard: The word is: ZTNA
Rick Howard: Spelled: Z for zero, T for trust, N for network, and A for access.
Rick Howard: Definition: A technology set design to support the cybersecurity first principle strategy of zero trust, that limits device people and software component access to only designated authorized resources and nothing more.
Rick Howard: Example sentence: The Zero Trust Network Access Solution prevented the attacker from moving laterally within the network.
Rick Howard: Origin and context: In the early 2000's, the U.S. Military started experimenting with the idea of de-perimeter under the project name the Jericho Forum. The concept was to move away from the old perimeter defense model; to decouple the identification and authorization functions away from the workload. In other words, you don't connect to the sensitive workload and then try to log in. Instead, you connect to a separate system that verifies your identity and validates that you are authorized to connect to the sensitive workload. If you are, then the system establishes the connection to just that workload and nothing else.
Rick Howard: The Jericho Forum captured some of the first ideas about what would eventually be known as the cybersecurity first principle zero Trust strategy, but they never built it. The man who gets the credit for the name Zero Trust and the initial concepts and the model is John Kindervag. . In 2010 while working for Forrester, he published a research report entitled "No More Chewy Centers: Introducing the Zero Trust Model of Information Security," which outlined a security model that assumes that all network traffic is untrusted and must be verified before access is granted.
Rick Howard: The same year that Kindervag published his paper, Google got hit by a massive Chinese cyber espionage attack called Operation Aurora, the Hackers Unit 61398 of the People's Liberation Army, APT1, as it would become to be known later, targeted 34 major companies, including Google, Microsoft, and Juniper, with three goals: number one, accessing the Gmail accounts of Chinese human rights activists, number two, spying on the Google's internal legal discovery portal, the portal that managed law enforcement requests for information pertaining to ongoing investigations, and finally, number three, stealing the source code and signing certificates of those 34 companies.
Rick Howard: In response to the Aurora attack, Google's site reliability engineers redesigned their internal security architecture from the ground up. Using the concepts of de-parametrization and the zero trust philosophy. This might be the first publicly acknowledged deployment of ZTNA technologies. A few years later, Google released a commercial product called BeyondCorp that incorporated many of the ideas they developed internally. ZTNA technologies involve verifying the identity of each user, device, and software component attempting to access a resource, and then enforcing policies that determine what level of access each should have based on factors such as role, location, device status, and behavior
Rick Howard: Nerd reference: John Kindervag, the father of the original Zero Trust idea, spoke at the Create the Future Conference in 2022.
John Kindervag: So there's a lot of myths about zero trust. The first one is zero trust means making a system trusted. How much trust should there be in a zero trust system? I tried to make it as explicit as as I could, zero. We're trying to get rid of trust, not make system trusted. Zero trust is also not about identity. It consumes identity, but it isn't equal to identity. I can prove that with two words. Snowden, Manning, they were trusted users, they had all the right identity in MFA, but nobody looked at their packets post authentication. And then there are zero trust products, that is not true. There are products that work well in zero trusted environments. But Zero Trust is a strategy designed to stop data breaches and make other cybersecurity attacks unsuccessful. It's a strategy that uses products
Rick Howard: Word Notes is written by Tim Nodar, executive produced by Peter Kilpe and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.