Close

A great introduction to Zero Trust

“Project Zero Trust” is a business novel by George Finney. It talks about an emerging approach to IT and Cybersecurity that attempts to reduce cyberrisk in a more fundamental way. 

Zero Trust is a bit of a hype in IT these days, and both product companies and knowledge agencies are dropping lots of papers on this. But this book is in another game.

What I like about it is that it paints a reasonably realistic picture of a modern enterprise, including the information technology choices that it makes. This serves as a good backdrop to a variety of Zero Trust initiatives, which are described in a bit of detail.

As an instructor I find that most of the vendor neutral training material out there lacks specific examples. This makes it hard for students to anchor the abstract concepts that they are fed to a realistic environment with some resemblance to their job situation.

Fills a need

This book feels like it will fill that need for a lot of my students, which is why I am recommending it to them. It combines a compelling story with enough examples that can be related by anybody who has a basic understanding of information technology, while suggesting enough deeper dives for the so inclined (DNS, DHCP, anyone?).

“Project Zero Trust” has most of the elements of the business novel genre, to the point that some feel like a cliché. There is the protagonist who has a new job, and runs into problems on day one, a real hero story. There is the CEO who steps down, the bar scene with insights from unexpected coworkers, and naturally the happy ending with the promotion. And there is appropriate ‘couleur locale’ from conference rooms to office dungeons. 

It works most of the time. 

What I think the book could use some more off is a bit of drama. I mean that in the technical sense. The only serious conflict in this book is between the organisation and the hacker. In contrast, the “Phoenix Project” and “Unicorn Project” (the archetypical IT business novels) show at length what internal conflicts in its protagonist organisation can develop. To me this is relevant because no strategic IT innovation will be successful if it does not go through significant internal conflict and its resolution. More examples in spelling out the existing conflict and pathologies of an organisation would therefore add significantly to the educational value for my students.

By the way, I also liked the overt and covert movie references, and the shoutouts to a variety of industry organisations such as the Cloud Security Alliance and NIST.

And if you are interested in applying Zero Trust principles, have a look at this page here: https://cczt.clubcloudcomputing.com.