Of all the cybersecurity buzzwords, few are as nebulous as zero trust. Every vendor is talking about it, and every vendor has a different opinion about what it means, Palo Alto Networks’ founder and CTO Nir Zuk opined during his Ignite keynote this week.

Zero trust, according to Zuk, is “a strategy. It’s a way to make the enterprise more secure, make the cybersecurity infrastructure simpler, easier to manage, and cheaper.”

And embracing this strategy means doing away with the decades-old tradition of trusting people “just because the user swiped a magnetic badge when they entered the office,” he explained.

“Zero trust is about eliminating all implicit trust,” Zuk said. And that means applying consistent security policy to everyone regardless of who they are, where they’re working, and the device they’re using.

Stop Playing Whack-a-Mole

Of course, this isn’t going to happen overnight, Zuk admitted. Embracing a zero-trust strategy will require a change in mindset. “When I talk to customers, it takes a while to make that switch, because they have been preconditioned for the last 20-something years to buy different things in different use cases,” he said.

Zuk refers to this mindset as the "whack-a-mole" approach.

“Going back 27 years ago, life was simple,” he said. “There were five network security vendors, and three endpoint security vendors, and you had to choose one from here and one from here, deploy it, and you were happy.”

However, in the years since then, network security has grown more complex as enterprises confront new security challenges.

“We did it in a whack-a-mole way,” he said. “Every time there was a new challenge, a new mole popped up, and we hit it with a new tool that we bought from a new vendor.”

And while this has worked to a certain degree, it’s also created a “mess” of point products that Zuk argues have only made enterprises more vulnerable to attack.

Combatting Complexity With Zero Trust

“Yes, the adversaries are becoming more sophisticated, but that’s not the main reason we’re seeing an explosion in data breaches,” he said. “I actually think that it’s more about them becoming persistent, more about them becoming more motivated, and more importantly, our infrastructure has become much more complex and easier to exploit.”

By simplifying enterprise infrastructure and ending the game of whack-a-mole, “I think we’ll be more secure, and zero trust — as I’ve said before — is a way to do that.”

This means applying zero trust to users, applications, and infrastructure equally, something Zuk argues few can actually claim.

In general, the same basic rules apply to all three. These include verifying the identity of the user or application, verifying the device or server being used, checking whether the user or app should have access to the workload, and confirming that the content of the transaction isn’t malicious.

Just because a user is able to access an application and upload a file doesn’t mean the file is free of exploits, Zuk said.

And that logic isn’t limited to users and applications. As strange as it might sound, enterprises need to apply this same logic to their hardware and software infrastructure, Zuk said, referencing the high-profile SolarWinds breach from late last year.

“The fact that we bought a router from a reputable vendor and deployed it and updated the software doesn’t mean we can trust it,” he said. “We have to apply zero trust to it.”

Now Is the Time to Embrace Zero Trust

While adopting zero trust may require a change in mindset, Zuk argues there are several compelling reasons to start that journey now.

“I think the time is right to change that mindset,” he said, explaining that technologies like SD-WAN, the cloud, and hybrid-work models are already forcing enterprises to rethink the way they architect their networks.

If enterprises can make zero trust a part of their existing WAN transformation or cloud migration, they’ll ultimately have a “much more secure infrastructure,” Zuk said.