I just finished reading O'Reilly's Zero Trust Networks: Building Secure Systems in Untrusted Networks by Evan Gilman and Doug Barth.
The term "zero trust" has been thrown around so much by companies eager to sell you the latest $cybersecurity that it's basically become meaningless. Contrary to the marketing hype, zero trust isn't something you can just go out and buy.
This book takes a technology-agnostic look at the principles of zero trust network design, and explains that actually implementing zero trust will require significant changes to the current perimeter-based security model. As networks and attackers become more and more sophisticated, simply assuming that everything inside the organization's (extraordinarily tall-and-thick) walls is "safe" just won't cut it; we have to increasingly assume that the users, devices, and network itself are compromised and operate in a way to minimize the threat without negatively impacting the ability to Do Work. Pulling this off means employing automation to continually validate devices, users, configurations, connections, and access. It's hard to overstate the significance of this undertaking.
Reading this book won't immediately prepare you for implementing a zero trust architecture in your network, but it will arm you with the concepts necessary for intelligently discussing how to do this within your organization. And getting more people in the org to read this book will help ensure everyone is on the same page and not just going based on the latest marketing shenanigans.