# Cybersecurity Canon Candidate Review: Zero Trust Networks: Building Secure Systems in Untrusted Networks

By [Ben Rothke](https://www.paloaltonetworks.com/blog/author/ben-rothke/ "Posts by Ben Rothke"), Oct 17, 2018. Categories: [Cybersecurity Canon](https://www.paloaltonetworks.com/blog/category/canon/), [Points of View](https://www.paloaltonetworks.com/blog/category/points-of-view/)

*We modeled the [Cybersecurity Canon](https://cybercanon.paloaltonetworks.com/) after the Baseball or Rock & Roll Hall of Fame, except this canon is for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.*

*The Cybersecurity Canon is a real thing for our community. We have designed it so that you can [directly participate in the process](https://cybercanon.paloaltonetworks.com/nominate-a-book/). Please do so!*

## Executive Summary

Ken Thompson was the co-winner of the 1983 Turing Award. While his acceptance lecture, *Reflections on Trusting Trust*, is 35 years old, one of his observations remains timely: "You can't trust code that you did not totally create yourself. No amount of source-level verification or scrutiny will protect you from using untrusted code." As complex as networks were in 1983, they are exponentially more complex now, and correspondingly more difficult to secure. By taking a Zero Trust approach, one can create systems and networks that are much more secure.

## Review

The notion of the Zero Trust network, or ZTN, was created in 2010 by John Kindervag, then of Forrester Research. (Full disclosure: Kindervag is currently the field CTO at Palo Alto Networks.)
Truth be told, ZTN was way ahead of its time then, and to a limited degree, still is. But Kindervag felt that as enterprises were slowly moving towards a data-centric world with shifting threats and perimeters, a new concept of what constituted a secure network had to be created.

In a world of Zero Trust, all network traffic is considered untrusted. From a security perspective, this means that anything connecting to that network must be fully secured. Much of a ZTN is predicated on strong authentication and access control, rounded out by effective data inspection and logging.

Most security professionals, and especially those studying for the CISSP exam, by default think of the three-tier network architecture of the internet, DMZ and trusted internal network. The ZT model throws that away and treats every device as if it were an untrusted internet-facing host. This means that every host on the internal network is considered hostile and compromised. To say this can create cognitive dissonance for some information security professionals is an understatement.

That traditional architecture, often called the "perimeter model" on the CISSP exam, protects systems and data by creating a line or lines of defense that an attacker must penetrate before gaining access to the network. The ZTN is a replacement for that now flawed model.

In *[Zero Trust Networks: Building Secure Systems in Untrusted Networks](https://www.amazon.com/gp/product/1491962194/ref=as_li_tl?ie=UTF8&tag=benrothkswebp-20&camp=1789&creative=9325&linkCode=as2&creativeASIN=1491962194&linkId=5b6fe2852ddcc932d94d84f5a76954b9)* (O'Reilly Media, ISBN 978-1491962190), authors Evan Gilman and Doug Barth have written a first-rate guide that details the core concepts of ZTN and how to implement them. Note to the reader: if you think that designing and building a ZTN is plug-and-play, think again.

Parenthetically, the authors write of the dangers of UPnP, which can allow any application to reconfigure a device. In the ZT model, this would never occur, as there is a chain of trust between the host policies.

The perimeter and Zero Trust models are quite different from each other. In the perimeter model, walls are built between trusted and untrusted resources. In a ZT model, everything is considered to be untrusted.

At the RSA 2018 Conference, there were a few vendors touting Zero Trust solutions. The concept is still a few years away from being ubiquitous, but it is growing. From a security perspective, it is certainly an idea whose time has come. But the future growth of ZTN will likely be quite slow.

So, just what is this thing called a ZTN? The book notes that a ZTN is built on these fundamental assertions:

1. The network is always assumed to be hostile.
2. External and internal threats exist on the network at all times.
3. Network locality is not sufficient for deciding trust in a network.
4. Every device, user, and network flow is authenticated and authorized.
5. Policies must be dynamic and calculated from as many sources of data as possible.

For those who thought PKI was dead, the authors write that all ZTNs rely on PKI to prove identity throughout the network. But while public PKI is trusted by the internet at large, the authors write that it is not recommended for use in a ZTN.

A ZTN is particularly valuable when it comes to mobile devices. The authors write that, surprisingly, neither iOS nor Android ships with a host-based firewall. For those, the ZT model introduces the concept of single packet authentication, or SPA, to reduce the attack surface on a mobile, or in fact any, host.

Chapter 9 details how to actually create a ZTN. The ZTN is predicated on seven fundamental concepts. A few of them include that all network flows must be authenticated before being processed; all network flows should be encrypted before being transmitted; all network flows must be enumerated so that access can be enforced by the system; and more.
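As an added illustration, not code from the book or its authors, the following Python models the five assertions listed above together with the Chapter 9 concepts of authenticating, encrypting and enumerating every flow. It is a small policy engine that records but ignores source locality, authenticates the device by matching its mutual-TLS certificate fingerprint against an inventory, checks the user's ownership of that device and MFA state, and only then consults a pre-enumerated catalogue of permitted flows. Every device record, user, fingerprint, address and service name is a constructed assumption, as is the order of the checks.

```python
"""Toy Zero Trust policy engine (added example, not from the book).

Data sources that a real deployment would pull from a device inventory,
an identity provider and a flow catalogue are embedded here as constructed
records so the example runs offline.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed device inventory: device id -> owner, mTLS cert fingerprint, posture.
DEVICE_INVENTORY = {
    "laptop-1234": {"owner": "alice", "cert_fingerprint": "sha256:AAAA", "compliant": True},
    "laptop-5678": {"owner": "bob", "cert_fingerprint": "sha256:BBBB", "compliant": False},
}
# Constructed identity records: user -> groups and MFA state.
USERS = {
    "alice": {"groups": {"payments-dev"}, "mfa": True},
    "bob": {"groups": {"payments-dev"}, "mfa": False},
}
# Enumerated flows: only (service, group) pairs listed here can ever be authorized.
ALLOWED_FLOWS = {("payments-api", "payments-dev")}
# Internal range used only to show that locality is noted, never trusted.
INTERNAL_NET = ip_network("10.0.0.0/8")


@dataclass
class FlowRequest:
    src_ip: str
    dst_service: str
    device_id: Optional[str] = None
    client_cert_fp: Optional[str] = None  # fingerprint presented in the mTLS handshake
    user: Optional[str] = None
    encrypted: bool = True


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def authorize(req: FlowRequest) -> Decision:
    """Return an allow/deny decision with the reasons that produced it."""
    d = Decision(allow=False)

    # Assertion 3: locality is not sufficient. Log it, but grant nothing for it.
    if ip_address(req.src_ip) in INTERNAL_NET:
        d.reasons.append("source is on internal network (ignored for trust)")

    # Chapter 9 concept: flows must be encrypted before they are processed.
    if not req.encrypted:
        d.reasons.append("flow not encrypted")
        return d

    # Device authentication: the presented certificate must match inventory.
    dev = DEVICE_INVENTORY.get(req.device_id or "")
    if dev is None or dev["cert_fingerprint"] != req.client_cert_fp:
        d.reasons.append("device not authenticated")
        return d
    if not dev["compliant"]:
        d.reasons.append("device out of compliance")
        return d

    # User authentication: known user, owns this device, MFA completed.
    usr = USERS.get(req.user or "")
    if usr is None or dev["owner"] != req.user:
        d.reasons.append("user not authenticated for this device")
        return d
    if not usr["mfa"]:
        d.reasons.append("MFA required")
        return d

    # Flow enumeration: the (service, group) pair must have been declared up front.
    if not any((req.dst_service, g) in ALLOWED_FLOWS for g in usr["groups"]):
        d.reasons.append("flow not enumerated for user's groups")
        return d

    d.allow = True
    d.reasons.append("device, user and flow all verified")
    return d


if __name__ == "__main__":
    # An internal-address request with no device identity is denied outright.
    print(authorize(FlowRequest(src_ip="10.1.2.3", dst_service="payments-api")))
    # An external request that authenticates device, user and flow is allowed.
    print(authorize(FlowRequest(src_ip="203.0.113.7", dst_service="payments-api",
                                device_id="laptop-1234", client_cert_fp="sha256:AAAA",
                                user="alice")))
```

The point of the ordering is that the internal address contributes nothing to the decision: the first request is denied for lack of an authenticated device even though it originates inside the 10.0.0.0/8 range, while the second is allowed from a public address because every factor the policy draws on checks out. Each denial carries the reason, which is what the logging and inspection side of a ZTN needs.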
Implementing those concepts is a challenge, but the benefits of a ZTN are quite compelling and make security sense. This chapter should be seen as a high-level introduction to the topics, as the notion of building a ZTN is far too complex and challenging to be fully covered in this 34-page chapter.

The authors are not so naïve as to think that ZTNs are a complete information security panacea. They are honest enough to note that ZT, like every technology, protocol and the like, is subject to attack. The book closes with how adversaries could attack a ZTN. Social engineering, DDoS and more must be considered when deploying a ZTN.

The concept of a ZTN forces network designers to rethink almost everything they know about secure network design. As attacks get more sophisticated and network perimeters become more porous, the need for a ZTN will become more compelling. A ZTN is leading-edge infosec, but it won't likely stay that way for much longer. ZT moves security away from the network, obliterates the notion of a perimeter, and places it in the realm of identity and application-based security.

For those looking to get a head start on what the future of a secure network may look like, *Zero Trust Networks: Building Secure Systems in Untrusted Networks* is an excellent reference for a solid introduction to the concept.

## Conclusion

A Zero Trust network is based on the notion that both internal and external networks simply can't be trusted. That's a great approach to take for information security in 2018. For those looking to increase their enterprise security to deal with the realities of the threats of 2018, *Zero Trust Networks: Building Secure Systems in Untrusted Networks* is a title worthy to be in the Cybersecurity Canon.