by nonrandomstring
498 days ago
These are sentiments I can agree with. Replacing products with sound principles is a primary mission, and at its core is an educational project. I still think Ranum's "dumbest ideas in security" are a treasure-trove and so we debated them on Cybershow.

My reservations are:

Zero Trust is an unfortunate hyperbolic misnomer. For now it's the best we've got. Sure, it's a necessary reaction to the many awful and plainly wrong ideas in security still around today, but I think it can be misleading and even counterproductive. Nothing happens without trust. The big deal is whether you trust your verification methods. Obviously therein lie regressions and madness.

It is no surprise that NSA put emphasis on "continuous monitoring" as that's their core mindset. There ain't no such thing. See sampling theory and beware of grandiosity like "collect it all" and "total information awareness". Over-monitoring and automating can lead to other regressive problems, like data management, and then monitoring the "autonomous" processes for trust. Visibility is not the only dimension to security and to think otherwise is omnipotent. Nowhere in these kinds of documents do I see the word "correctness". Which is worrying for people who value formalities and mathematics. There is a gap between engineering and security mindsets - one that Ross Anderson tried so hard to bridge (with significant success).

Also, a plug for Zero Trust World 2025 [0] in Florida, which we'll be attending (boosting ThreatLocker's application whitelisting drive).

[0] https://ztw.com/