In the last couple of years, “zero trust” has gained significant traction in the cybersecurity realm as a
means to protect networks and increase security across organizations. In part, the growing popularity
of this security model can be attributed to the shift to hybrid working practices that call for a more secure
work environment, whether on- or off-premises. As organizations across industries, including the
oil and gas sector, start to design and deploy this security concept, what zero trust means in practice
remains a matter of some confusion. In addition to the various overlapping and at times contradictory definitions
of zero trust, the recurrent overuse of the term for marketing purposes adds to the confusion. This
Community Paper aims to demystify zero trust.

In contrast to the perimeter-based security model that considers anything from inside the corporate
network to be secure and trustworthy, zero trust assumes that no user or device can be inherently
trusted. Threats can be both external and internal. That said, zero trust is not a silver-bullet solution to
all the cybersecurity challenges within organizations.