
Can anyone explain how this "zero trust" concept is supposed to work? From my admittedly comfy work-from-home chair it seems that one has to trust:
...the device hardware / firmware / OS (closed source, hardware vendor controlled)
...the service provider and its software (closed source, provider controlled with a smattering of hardware vendor control underneath)
...the distribution system for updates to above closed components
...governments not to require backdoors in any of the above
...all over a public WAN, where any flaw in any of this could compromise the entire network / organization
Compare to the relatively small, known border of a traditional VPN solution (especially one built on open source software), where there is at least a tiny bit of defense-in-depth, and I see a ton of additional risk flags. In fact something smells distinctly snaky and feels oily about this...