2010: Too Many "Chewy Centers"

Insofar as zero trust is a buzzword, it originates with Forrester, a research and advisory committee headquartered in Cambridge, MA.

John Kindervag was the senior analyst at Forrester who first pushed for a "Zero Trust" model of security in 2010.

He argued that there were too many "chewy centers" in information security. This metaphor describes a traditional perimeter-based security architecture, which has a "hardy crunch outside and a soft chewy center."

Kindervag's 2010 model has three pillars:

  • Eliminate network trust
    • Assume all traffic, regardless of location, is threat traffic until it is verified that it is authorized, inspected, and secured.
  • Segment network access
    • Adopt a least privilege strategy and strictly enforce access control to only the resources users need to perform their job.
  • Gain network visibility and analytics
    • Continuously inspect and log all traffic internally as well as externally for malicious activity with real-time protection capabilities.

You can watch Kindervag present his model here.

2017: Zero Trust eXtended (ZTX)

In 2017, Forrester refreshed their original model, out of concern that it was too abstract for security professionals tasked with implementing a zero trust architecture in their organizations.

To this end, Forrester extended their original model with three additional pillars:

  • Zero-trust people
    • Authenticate users and continuously monitor and govern their access and privileges. Secure users as they interact with the internet.
  • Zero-trust workloads
    • Enforce controls across the entire app stack, especially connections between containers or hypervisors in the public cloud.
  • Zero-trust data
    • Secure and manage data, categorize and develop data classification schemas, and encrypt data both at rest and in transit.