Re-blog: Zero-Trust – IT’s an Architectural State of Mind

Reblog. Original (

What Is Zero Trust?

The term ‘Zero Trust’ was first coined by John Kindervag in 2010, building on a concept put forward by David Lacey at the Jericho Forum, an international group founded in 2004 that worked to promote deperimeterization.

Deperimeterization means to “protect an organisation’s systems and data on multiple levels, by using a mixture of encryption, secure computer protocols, secure computer systems and data-level authentication” (Wikipedia). Our Managing Security Consultant, Colin Robbins, has been discussing deperimeterization for over 5 years.

Over the past few years, the world has seen a period of digital transformation. The increasingly popular use of Cloud-based solutions and remote working are eroding traditional security boundaries. Network architecture is changing, as static work environments are being phased out in favour of letting employees work from any location at any time.

In this new world, the role of the local network and Intranet changes: it no longer forms a significant security boundary, as business data now sits outside that network on cloud services. The priorities of the local network have therefore shifted to providing access, not security. The need for security has not diminished, so a replacement must be found – this is where Zero Trust fits in. It helps provide confidence that your users and devices are appropriately trusted to access your (on-premise and cloud-based) services.

Zero Trust Architecture – NCSC

Zero Trust is a term being (mis)used by some product vendors to push their own angle on it. To cut through this, the NCSC, along with techUK, is working toward a non-partisan view of the base principles.

As part of this, the NCSC has developed a series of principles that will help people understand and migrate to a zero trust architecture. These principles are still in development and they have recently reduced the 10 alpha principles down to 8 beta principles.

New Identity – Old Problem

Like many, during lockdown I’ve been catching up on a number of webinars. It’s given me the opportunity to catch up in the Identity Management field.

During the EEMA annual conference, a distinguished speaker observed “We are in danger of re-inventing the wheel, without learning from the past”, which caused me to reflect on the identity lessons from my identity management past. (Apologies to the speaker, I forgot exactly who made the comment.)

My first reflection is:

  • Identity Management technology is easy
  • Scalable Identity Management technology is hard
  • Securely deploying Identity Management technology is hard

This is where the conundrum lies – the “next generation” see the current solutions as hard to deploy and think there must be an easier way; sure enough, they come up with an idea for “easier technology”, gain momentum, then stall because scaling and securely deploying it is hard!

My second reflection is there are three domains of identity:

  • Citizen identity
  • Consumer identity
  • Business identity

These are fundamentally different things, with different requirements and challenges. Don’t let your “solution” confuse them – you will fail. Yes, there are common technologies that will play a part, but the scalability and deployment challenges are fundamentally different.

My third reflection is that I’ve probably been in the game too long to offer new solutions; it is time for the next generation – but please do study history, the challenges are not new.

Out of Office Dilemma

As we approach the Christmas holiday period, I thought I’d share a cautionary tale on setting up your Out-of-Office auto-response. For quite a while now I have been building a relationship with a prospective customer. While I have had discussions with a person there – let’s call him Bob – Bob has worked hard to keep his privacy.

Payment Services Directive

So, Tesco was hacked. Although there is no official word yet on how this happened, the chatter among people far smarter than me suggests the issue is related to passwords and the Tesco Clubcard.

Followers of CyberMatters will recognise that I often blog about password issues. Is there anything new to say on the subject, I hear you ask? Yes…