
People get into all sorts of trouble trying to reason axiomatically about "Zero Trust". It's definitely a problem with the term, and a strength of "BeyondCorp"; BeyondCorp can only mean the one set of things, because it's meaningless outside of Google's branding. But everyone feels like they can work out what "Zero Trust" should mean. So the first thing you have to do is, you have to rewire your brain to read "Zero Trust" as the marketing term of art that it is.

The OMB ZT stuff is a reaction to USG breaches, and I think in particular the OMB hack. There's a "before" state and a desired "after" state.

In the "before" state, you're one of the 2.1 million federal employees, and you start your day by inserting a PIV card into a reader, and with that, you're given access to an intranet that in turn gives you access to a bananas number of different things that nobody can keep track of or secure.

In the "after" state, each service is responsible for establishing its own tight trust boundaries, and instead of providing a network dial tone that people mistakenly assume is a proxy for trust, the USG infrastructure provides you with end-to-end authentication for requests regardless of the network you're using.

As far as OMB and NIST talking about ZT goes, the major problem you're trying to solve is that there are a zillion federal agencies --- way more than you think there are, like you know that there's a Department of the Interior, but also under Interior there's a Susquehanna River Basin Commission with 100 employees, and there are other agencies that have like 4-5 employees. And what you're trying to do is provide a security strategy and a toolbox and a set of best/worst practices that you can apply across all of these organizations, to replace what I understand to be the status quo ante strategy of "stick it on the VPN, pretend we've kept it off the Internet, and call it a day".

The other important subtext to all of this is that there's a huge give and take between USG and industry, where USG tends to take its lead from what's happening in industry, but it also participates in the industry in that it is one of the largest customers for technology products, so the industry is intensely interested in what it does. So when USG decides to demand "Zero Trust" for its agencies, and sets out a standard set of requirements for ZT, industry goes nuts making sure their products are responsive to that standard.

The good thing here is that the OMB memo is smart, and ZT as construed by the current administration's IT people is a pretty good baseline security strategy, so in this one instance the USG is being a force for good, in that it's aligning a lot of industry work around a strategy that people should be seriously considering adopting anyways. And I think there's pretty broad recognition/agreement about that in the "security community" (hate that term), so when USG (here: NIST) does some big new thing about ZT, it gets a lot of positive attention.

... is how I understand all of this.
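The "before" and "after" states the comment describes, as an added example that is not part of the original post: a perimeter check that treats a source address on the intranet as a proxy for trust, beside a per-request check that verifies a short-lived, audience-bound identity assertion and ignores the network entirely. The intranet range, shared key and service name are constructed for the demo.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional

# Constructed sample values for the demo (not from the original comment).
INTRANET = ipaddress.ip_network("10.0.0.0/8")
SERVICE_KEY = b"constructed-demo-key"   # secret shared by the identity provider and this service
SERVICE_NAME = "payroll-api"            # the audience this service accepts


def perimeter_authorize(src_ip: str) -> bool:
    """'Before' state: being reachable from the intranet is treated as trust."""
    return ipaddress.ip_address(src_ip) in INTRANET


def issue_assertion(subject: str, audience: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Identity provider side: mint an HMAC-signed assertion bound to one audience with a short expiry."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": subject, "aud": audience, "exp": int(now + ttl)}, sort_keys=True).encode()
    sig = hmac.new(SERVICE_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def zero_trust_authorize(assertion: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """'After' state: every request must carry proof of identity; the source network is never consulted.
    Returns the authenticated subject, or None when the request is rejected."""
    if not assertion or "." not in assertion:
        return None                      # no proof of identity, regardless of where it came from
    now = time.time() if now is None else now
    body_b64, sig_b64 = assertion.split(".", 1)
    try:
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:                   # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(SERVICE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None                      # forged or tampered assertion
    claims = json.loads(body)
    if claims.get("aud") != SERVICE_NAME or claims.get("exp", 0) < now:
        return None                      # minted for another service, or expired
    return claims["sub"]
```

Under the perimeter model an unauthenticated request from a 10.x address is accepted; under the per-request model the same request is rejected, and a valid assertion is accepted from any network.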
