
Microsoft’s version of “Zero Trust” doesn’t care if things are reachable from the public internet. They have been preaching “identity is the new perimeter” [1] for years, and it doesn’t wash.

The NIST Zero Trust Architecture (ZTA) implementation guides (SP 1800-35) [2] cut through the nonsense and AI generated marketing smoke.

In ZTA, ALL network locations are untrusted. Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based access controls (ABAC). Per request.

Microsoft doesn’t have any products that can do full ZTA, so several pillars are missing from their “Zero Trust” marketing materials.

[1] https://www.microsoft.com/insidetrack/blog/securing-the-bord...

[2] https://doi.org/10.6028/NIST.SP.1800-35



> several pillars are missing from their “Zero Trust” marketing materials.

TBH several pillars are missing from their entire security posture.


why bother when not a single vulnerability has resulted in any appreciable fines or loss of market share? it's absurd how untouchable their ubiquity has become.


They’re the Boeing of software. They go down with the ship, but, critically, it means they also can’t go down until and unless the ship also does.

It’s a symbiotic relationship that allows them to stop having to spend resources to compete in the market on merit.


That's pretty accurate, if you want modern practice and product quality you go to Google or Amazon, if you want compliance and reassuring the board, you go to Microsoft.


> Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based access controls (ABAC). Per request.

What does it mean in technical terms? What kind of tunnels are whose and what is their purpose?


There are four different micro-segmentation variations in the NIST reference guide: device-agent/gateway, enclaves, resource portals, and application sandboxing.

Basically a policy evaluation point (PEP) evaluates the security posture of both parties before and after a handshake, then creates a logical or physical path of some kind between the actor and the resource. This can be done with software-defined virtual networks and stateful firewalls, at one or more of the OSI layers.
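To make the flow in the comment above concrete, here is a small added example (not from the thread, and not from NIST SP 1800-35 or any Microsoft product): a default-deny policy engine that evaluates subject, device and resource attributes per request, an enforcement point that only opens a per-resource path on an allow decision, and a post-handshake re-evaluation that tears the path down when device posture changes. The attribute names, rules and sample subjects/devices/resources are all constructed for illustration; the "tunnel" is a dict entry standing in for whatever the real gateway would program (mTLS proxy, SDN flow, firewall rule).

```python
"""Toy ZTA policy engine and enforcement point.

Added illustration, not code from the thread or from NIST SP 1800-35.
All attribute names, rules and sample data below are constructed.
"""

from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Subject:
    user: str
    group: str
    mfa: bool


@dataclass
class Device:
    device_id: str
    managed: bool
    patched: bool
    edr_healthy: bool


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str  # constructed values: "low" or "high"


# An ABAC rule is a predicate over (subject, device, resource).
Rule = Callable[[Subject, Device, Resource], bool]


class PolicyEngine:
    """Default-deny: a request is allowed only if every rule holds."""

    def __init__(self, rules: list[Rule]):
        self.rules = rules

    def decide(self, s: Subject, d: Device, r: Resource) -> bool:
        return all(rule(s, d, r) for rule in self.rules)


# Constructed policy: managed, healthy devices only; high-sensitivity
# resources additionally require MFA, a patched device and a permitted group.
RULES: list[Rule] = [
    lambda s, d, r: d.managed,
    lambda s, d, r: d.edr_healthy,
    lambda s, d, r: r.sensitivity != "high" or (s.mfa and d.patched),
    lambda s, d, r: r.sensitivity != "high" or s.group in ("eng", "sre"),
]


@dataclass
class EnforcementPoint:
    """Stands in for the gateway that opens and closes per-resource paths."""

    engine: PolicyEngine
    # (user, resource name) -> Resource; each entry is one live "tunnel".
    sessions: dict[tuple[str, str], Resource] = field(default_factory=dict)

    def connect(self, s: Subject, d: Device, r: Resource) -> bool:
        """Pre-handshake evaluation: open a path only on an allow decision."""
        if not self.engine.decide(s, d, r):
            return False
        self.sessions[(s.user, r.name)] = r
        return True

    def reevaluate(self, s: Subject, d: Device) -> list[str]:
        """Post-handshake evaluation: tear down paths the engine no longer allows."""
        dropped = []
        for key, r in list(self.sessions.items()):
            if key[0] == s.user and not self.engine.decide(s, d, r):
                del self.sessions[key]
                dropped.append(r.name)
        return dropped


def demo() -> dict:
    """Constructed scenario: both paths open, then EDR turns unhealthy."""
    pep = EnforcementPoint(PolicyEngine(RULES))
    alice = Subject("alice", "eng", mfa=True)
    laptop = Device("lt-01", managed=True, patched=True, edr_healthy=True)
    wiki = Resource("wiki", "low")
    payroll = Resource("payroll-db", "high")

    results = {
        "wiki": pep.connect(alice, laptop, wiki),
        "payroll": pep.connect(alice, laptop, payroll),
    }
    # The device agent later reports an unhealthy EDR: both paths are torn
    # down even though the handshake already succeeded.
    laptop.edr_healthy = False
    results["dropped"] = sorted(pep.reevaluate(alice, laptop))
    results["remaining"] = len(pep.sessions)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the decision is bound to the request and to current attributes, not to the network location the request came from: the same user on the same device is allowed one moment and cut off the next, purely because a device attribute changed.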


So the policy evaluation point has the keys to the kingdom and is the single point of failure, vs standard distributed authorisation declaration that would be up to each component of the system to implement.

How is this PEP better?



