It seems as if everyone is playing \u201cbuzzword bingo\u201d when it comes to zero trust and its implementation, and it starts with government guidance.\u00a0The White House\u2019s comments in January on the Office of Management and Budget\u2019s (OMB\u2019s) Federal Zero Trust Strategy for all federal agencies and departments were both pragmatic and aspirational. Their observation, citing the Log4j vulnerability as an example, sums it up nicely: \u201cThe zero-trust strategy will enable agencies to more rapidly detect, isolate, and respond to these types of threats.\u201dFor a zero-trust strategy to be successful, however, those implementing it must understand what it is and the basic principles it\u2019s based on.Is zero trust new? In a one-on-one discussion on the topic of zero trust, at Black Hat, Trellix\u2019s principal engineer and director of vulnerability research, Douglas McKee, noted how the reality is that \u201cdefense in depth\u201d and \u201cprinciple of least-privileged access\u201d are the nuts and bolts behind the new buzzword, zero trust.CISOs working with business operations must collaborate and coordinate access to needed information so that colleagues may be successful in their piece of the overall mission. What they don\u2019t need is unencumbered and continuous access to information when it is not necessary. This requires continuous and dynamic monitoring of needs across the corporate ecosystem. When individuals change roles their needs will adjust, so should their permitted access. When individuals depart, their access must be terminated. Easily said, yet seemingly so difficult to accomplish for so many entities.As Joe Payne CEO of Code42 has said, \u201cEnable your personnel to do their job in a trusted manner with an umbrella surrounding them so that if they venture away from the processes and procedures\u2014for example, load to web-based storage\u2014they are corrected in the moment.\u201dZero trust can't exist without least-privileged accessTherein lays the rub. If CISOs aren\u2019t exercising the doctrine of least-privileged access, then there is no venturing out of bounds, as the access is both permitted and authorized. As an old counterintelligence silverback, I must observe: Detecting information theft by an individual who stays within their swim lane is a heavy lift. By that I mean, the individual follows all the corporate processes and procedures, accessing only that to which they have natural access, they may harvest with near impunity.Zero trust's perception problemZero trust is more complex than a buzzword. Egress Vice President of Product Management Steve Malone observes, \u201cZero trust, unfortunately, has a bit of a perception problem: It is often mis-represented by vendors, which causes buyers to misunderstand it. The most important thing to understand about zero trust is that it is not a product! It\u2019s not something you can buy from a single vendor. Zero trust is a security methodology, a framework of technologies and best practices that an organization needs to define and adopt across their IT environments over time. Think of it as healthy and ongoing paranoia!\u201dMalone is right. Healthy and ongoing paranoia keeps everyone on their toes and focused on how information is accessed, moved and stored. This manner of thinking needs to be embraced from the C-suite to the individual contributor, as the security implementation may be supported by the CISO and their team of infosec gurus, the rubber hits the road in operations and production.Zero trust can't be implemented with a single productMalone continues, \u201cSome organizations have a difficult time implementing a zero-trust strategy. The biggest mistake I see is security teams misunderstanding what a true \u2018zero trust approach\u2019 means. Some organizations believe that zero trust can be achieved using individual security solutions here and there to provide a \u2018quick fix\u2019 to the problem. However, zero trust is about more than deploying individual solutions.\u201dMalone concludes, \u201cDon\u2019t be fooled by the snazzy name. Zero trust is not just another buzzword nor a single product. It\u2019s a critical security initiative.\u201dThe importance of people, processes and technology can\u2019t be over-emphasized. They are core to the principles of least-privileged access and the strategic implementation of defense in depth. While the universal, textbook implementation of zero trust simply doesn\u2019t exist, the principles of zero trust do, and as trust is key to the success of the strategy of zero trust. Without trust, we are, as the navy would say, sunk.