The way most software systems are secured today is fundamentally flawed. They rely on “perimeter” security: a firewall guarding access to a protected network. Inside the perimeter, traffic is mostly trusted. This paradigm relies on assumptions that nobody actually believes are true: that people are never careless or dishonest and never make mistakes. One slip-up that lets an attacker inside the perimeter and it’s game over.
Security considerations aside, perimeter security is expensive and annoying. Maintaining a perimeter is an operational burden. VPNs are notoriously frustrating for users. Access requests that would help someone do their job faster are frequently denied because the perimeter is all-or-nothing and fine-grained access cannot be granted.
A better security model exists. Instead of relying on IP and MAC addresses to determine access, we can cryptographically authenticate the identity of the people and software making requests. It’s a simple concept, really: what matters is who or what is making a request, not where the request comes from. In short, access should be based on identity.
This general approach to security was branded “zero trust” by Forrester in 2010. Google has called the idea “BeyondCorp” in the context of corporate IT (they moved to this model to improve their own security after Operation Aurora). Names aside, the idea is obviously good. Zero trust concepts improve security and reduce security overhead.
Zero trust is an idea, not a technology. But a number of technologies are relevant to zero trust architectures: authenticated encryption (X.509, TLS), single sign-on (OAuth and OIDC, SAML), multi-factor authentication (OATH OTP, FIDO U2F), encryption mechanisms (JWE, NaCl), and verifiable claims (JWT, SAML assertions), to name a few.
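To make the “identity, not location” point concrete, here is an added example (not code from the original post or from smallstep) that puts the two access models side by side. A perimeter check decides from the source IP alone; an identity check verifies a signed claim (a compact HS256 JWT, one of the verifiable-claim formats listed above) and only then looks at who the caller is and what they are allowed to do. The signing key, the audience name and the claims are constructed for the demo; in a real deployment the verification key comes from the issuer and the token would typically be signed with an asymmetric algorithm.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional

# Constructed demo key. Real verifiers fetch the issuer's key material
# (for example from an OIDC provider's JWKS endpoint); never hard-code it.
DEMO_KEY = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issuer side: produce header.payload.signature (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, key: bytes, audience: str,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the verified claims, or None on any failure.

    Order matters: the signature is checked before any claim is trusted,
    the algorithm is pinned (no 'none', no confusion), and comparison is
    constant-time.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("aud") != audience:
            return None  # token issued for a different service
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or now >= exp:
            return None  # missing or past expiry
        if not isinstance(claims.get("sub"), str):
            return None  # no identity to authorise
    except (ValueError, TypeError, AttributeError):
        return None  # malformed base64, JSON, or unexpected shapes
    return claims


def perimeter_decision(source_ip: str) -> bool:
    """The model the text criticises: trust follows network location."""
    return source_ip.startswith("10.")


def identity_decision(token: str, key: bytes, audience: str,
                      allowed_roles: Iterable[str],
                      now: Optional[float] = None) -> bool:
    """Zero trust style: authenticate the caller, then authorise the claim."""
    claims = verify_token(token, key, audience, now)
    if claims is None:
        return False
    return claims.get("role") in set(allowed_roles)


if __name__ == "__main__":
    token = mint_token(
        {"sub": "alice@example.test", "aud": "payroll", "role": "admin",
         "exp": time.time() + 300},
        DEMO_KEY,
    )
    print("perimeter, internal IP, no identity:", perimeter_decision("10.1.2.3"))
    print("identity, valid token:", identity_decision(token, DEMO_KEY, "payroll", {"admin"}))
    print("identity, wrong key:", identity_decision(token, b"other", "payroll", {"admin"}))
```

The perimeter function grants access to anything that looks internal, which is exactly the “one slip-up” problem: a compromised host inside the range inherits full trust. The identity path fails closed on a bad signature, a wrong audience, an expired or missing `exp`, a missing subject, or a role that is not permitted, regardless of where the request came from.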
Unfortunately, these technologies are complex. They’re hard to work with, hard to debug, and hard to string together to build and operate a complete system. This is largely a tooling problem: no good tools exist for working with zero trust primitives. smallstep provides simplified PKI implementations for zero trust, running on our infrastructure or yours!