Zero Trust is a Lie


Lately, we've seen a good number of charlatans on the Internet promoting a concept which at first blush sounds appealing. They call it "Zero Trust." Allegedly, one can be completely safe by buying into one or another whiz-bang new technology or collection of technologies that will make the purchaser safe from fraud, malware, phishing, and whatnot. In reality, "zero trust" is one of the most obnoxious marketing terms ever developed. Let's examine the term to see just what it implies and why that can never, ever be true.

Let's go back to one of the most important concepts I learned in high school geometry. You may have heard me mention this elsewhere, but what matters here is less geometry itself than the set of logical principles on which it is founded. Those of you who have made it through high school will remember how one produces proofs of theorems. This is done via a series of assertions that begin with certain postulates that are accepted without proof; any other assertions must be accompanied by proof or perhaps be self-evident by way of definition (e.g., "A triangle has three sides of equal length.").

One might ask why the postulates are accepted without proof instead of needing proof like the other assertions. The basis for this is simple: Proving the postulates would put us into the fire and brimstone of circular reasoning. We'd never be able to assemble a logical proof if we had to prove the postulates. One could always question something in the proof and have to start over. Thus, we have to begin with statements that we trust implicitly because they resonate with our life experience-- because we "just know" that they are true.

In the computer world, another example of this appears with SSL certificates. When evaluating the validity of a certificate, a computer goes through a chain of certificates (a sort of reversal of the process of proving a geometric theorem) and eventually gets to a certificate that is in its trusted "root certificates" store, which essentially amounts to the computer's list of postulates requiring no further proof. Note that altering this store of trusted certificates is one efficient way to compromise a computer, as it can cause an end user to wind up at a web site other than the one he wanted to visit.
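As an added illustration that is not part of the original post, here is a small Go program (using only the standard library) that builds a constructed certificate chain, checks it against a root store, and then shows that once an extra root is planted in that store, a second chain minted for the same hostname passes too. The CA names, the hostname `www.example.com`, and the helper names `issue`, `ChainTrusted` and `Demo` are all made up for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a certificate for cn signed by parent; a nil parent yields a self-signed root.
// In this constructed demo a certificate with no DNS SANs is a CA, one with SANs is a leaf.
func issue(cn string, dns []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{ // demo template: clock-based serial, key-usage bits omitted
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: dns == nil, BasicConstraintsValid: true,
	}
	signerCert, signerKey := parent, parentKey
	if parent == nil {
		signerCert, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainTrusted walks leaf -> intermediates -> root and reports whether the walk ends at a root in store.
func ChainTrusted(host string, leaf *x509.Certificate, inters, store *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store, Intermediates: inters})
	return err == nil
}

// Demo: a genuine chain, then a rogue chain for the same host, before and after its root is planted in the store.
func Demo() (genuine, rogue, rogueAfterTamper bool) {
	const host = "www.example.com"
	root, rootKey := issue("Demo Root CA", nil, nil, nil)
	inter, interKey := issue("Demo Issuing CA", nil, root, rootKey)
	leaf, _ := issue(host, []string{host}, inter, interKey)
	badRoot, badRootKey := issue("Rogue Root CA", nil, nil, nil)
	badLeaf, _ := issue(host, []string{host}, badRoot, badRootKey) // same hostname, different trust anchor
	inters, store := x509.NewCertPool(), x509.NewCertPool()
	inters.AddCert(inter)
	store.AddCert(root) // the "root certificates" store: our postulates
	genuine, rogue = ChainTrusted(host, leaf, inters, store), ChainTrusted(host, badLeaf, inters, store)
	store.AddCert(badRoot) // the altered store the text warns about
	return genuine, rogue, ChainTrusted(host, badLeaf, inters, store)
}
```

Demo returns true, false, true: the rogue chain's signatures are all perfectly valid, and the only thing that ever rejected it was the contents of the root store.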

This begins to illustrate why "zero trust" will never, ever be a valid concept. In order to execute any function at all, one has to trust something or someone. Suppose you were to implement the concept of "zero trust" in your life. You become thirsty, but you are understandably concerned that the water in your tap is poisoned or otherwise unsafe. What do you do? Well, you could call the water department and ask if the water is safe to drink-- if you trust the person at the other end of the line to tell the truth and be competent to provide correct information. Otherwise, you might purchase a test kit-- if you trust the manufacturer to produce an instrument that can reliably test the water and trust that the kit is functioning correctly. If that isn't good enough, you might test the test kit somehow, and then test the test kit tester, and then you have to trust that your eyes are functioning correctly... you may be starting to see where we're going with this. Even if you purchase bottled water, you're trusting the manufacturer to provide you with pure water-- or you have to go through the futile gyrations I just described with test kits.

If you purchase some service or other that claims it will protect your computers and their data with some form of "zero trust," what you are really doing is not zero trust at all. You're trusting the vendor! Well, that isn't zero trust at all, and it's hardly even one or two trust. Just like with our example of water testing, where if you don't trust anything you have to validate everything ad infinitum and will likely die of thirst first, and just as in geometry where one has to start with a trusted set of postulates, in computing you have to trust or else you'll never be able to validate anything.

If you don't trust the vendor, you'll need to trust its tools or its methods, and everything upon which the vendor's solution is built. In fact, when you're trusting a black box solution that you don't necessarily even understand, you're placing a whole lot of trust in that solution. It's hardly zero-trust at all. Even if you could get under the hood of the solution, you'd find that the solution has many layers of trust involved, and it even has to trust itself, just as you have to trust your eyeballs when reading the results of your water test kit.

If you really want to see "zero trust" in action, check out the episode of The Prisoner entitled, "Checkmate." There you'll see how people who really trust no one behave. In fact, a recurring theme throughout the whole series is that no one can be trusted. You'll also see trust betrayed time and again, which is why ultimately those in the Village learn to trust no one.

That leads to our conclusion: why should we trust the incompetent leaders of Big Tech to provide us with trustworthy solutions when time and again they betray us with junk that doesn't meet minimum requirements of functionality, safety, and security? When are they going to stop using insultingly misleading terms to market their products? I'd trust a used car salesman or a politician before I trust someone who misuses the term "zero trust." When are they going to start to deliver solutions that have safety and security baked into the product instead of constantly patching things they should have done right in the first place? If they want us to buy into these so-called "zero trust" programs, let them prove that they work instead of trying to get us to trust them. "Zero trust" in my book starts with those who use the term.
