Zero Trust has come a long way since the idea was first formalised in Stephen Paul Marsh's 1994 doctoral thesis “Formalising Trust as a Computational Concept”. The core Zero Trust principle of "never trust, always verify" means that no user or endpoint in a system is trusted by default: every access is authenticated and authorised on its own merits, regardless of where the request originates. This is a far better way to establish end-to-end trust than relying on network perimeters, which are no longer an effective boundary in today's complex, distributed systems. Most Zero Trust architectures today focus on the obvious endpoints: user identity and machine or device identity. Unfortunately, this leaves out applications, which are critical endpoints in their own right. I would argue that a Zero Trust architecture is incomplete without Application Identity (or app identity).
The widely reported Trust Gap issue that V-Key discovered demonstrated that security architectures which seemed very secure in the past are no longer as safe as assumed. Most cybersecurity practitioners have generally assumed that as long as an app can use a secure element or Trusted Execution Environment (TEE) for its critical operations, it is protected. The Trust Gap attack shows that this can no longer be taken for granted: the app and the TEE must be treated as separate endpoints, and each must verify the identity and integrity of the other before relying on it, rather than either side trusting the other implicitly.