Zero Trust Networks
Building Secure Systems in Untrusted Networks
Evan Gilman and Doug Barth's pre-marketing-bubble treatment of zero-trust architecture — what it is when you actually implement it (trust evaluation, device identity, dynamic policy) versus what the vendor pitch turned it into.
- Authors: Evan Gilman, Doug Barth
- Published: 2017
- Publisher: O'Reilly Media
- Pages: 240
- Language: English
Read this if
Architects and platform engineers tasked with implementing zero-trust without buying a product called Zero Trust. The book is the rare resource that walks through the engineering substrate — service identity, attestation, policy decision points — instead of the marketing.
Skip this if
Readers wanting current vendor-comparison or specific cloud-native zero-trust (BeyondCorp, Tailscale, Cloudflare Access, Tetragon) detail. The 2017 publication pre-dates almost all of the productized zero-trust marketplace; the principles are durable, the products are not.
Key takeaways
- Zero trust is a property of the architecture, not a product; the book makes this case convincingly enough that it should be the first read for anyone leading a ZT initiative.
- Device and workload identity are the load-bearing layer most ZT deployments under-invest in.
- Migration is the project — most organizations cannot adopt zero trust without a multi-year incremental plan, and the book's chapters on incremental rollout are the most useful in practice.
Notes
Pair with Google's BeyondCorp papers (still the best primary-source case study), with NIST SP 800-207 (the ZT reference architecture), and with Building Secure and Reliable Systems (Adkins et al.) for the operational chapters. The book's pre-2018 framing is what makes it useful — once 'zero trust' became a sales motion, most subsequent literature became unreliable. Read this first, vendor literature last.
What to read before
Beginner · 2017
Practical Packet Analysis
Chris Sanders' working manual for Wireshark, geared at troubleshooting and incident response rather than abstract protocol theory. Updated for Wireshark 2.x.
Beginner · 2019
Foundations of Information Security
Jason Andress' compact tour of the field: confidentiality / integrity / availability, identification and authentication, network and OS controls, written for newcomers and adjacent disciplines.
Beginner · 2021
How Cybersecurity Really Works
Sam Grubb's gentle, exercise-driven introduction for non-specialists who need a working mental model of attacker behaviour and basic defence.
What to read next
Intermediate · 2013
The Practice of Network Security Monitoring
Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.
Intermediate · 2007
Linux Firewalls
Michael Rash, author of psad and fwsnort, on building and operating Linux-native packet filtering and intrusion-response tooling. Pre-nftables in detail but conceptually durable.
Intermediate · 2017
Network Security Through Data Analysis
Michael Collins on building situational awareness from network telemetry: collection architecture, statistical baseline-setting, and the analytic patterns that turn raw flows into detection.