Zero Trust is a security paradigm that combines strict identity verification and explicit permission for every person or entity attempting to access or use network resources, regardless of whether the person or entity is “inside” an enterprise’s network perimeter or accessing that network remotely.
First introduced by analyst firm Forrester Research in 2010, the Zero Trust model doesn't rely on one single technology. Instead, Zero Trust is a framework that can include a range of different technologies and best practices, all centered around reliably knowing who is trying to access or use data and whether they have explicit permission to do so. The philosophy behind it is often boiled down to "never trust, always verify," whereas most traditional models can be described as "trust but verify."
Benefits of a Zero Trust Model
The key benefit of using a Zero Trust approach is protection from all sides, particularly from within. Traditional security models such as defense-in-depth have historically focused protection on the network perimeter. These approaches are failing organizations, as many of today’s breaches occur from within, whether explicitly by employees or by threats that have infiltrated the network through email, browsers, VPN connections, and other means. Data exfiltration can be easy for someone who already has access to the network. To combat this, Zero Trust takes away access from anyone and everyone until the network can be certain who you are. Then, it continuously monitors how you’re using data and potentially revokes permissions to copy that data elsewhere.
The Main Principles of a Zero Trust Network
Zero Trust, as its name suggests, works on the principle that nothing should be trusted and everything should always be verified. Within this idea there are several technologies and best practices that make up a Zero Trust approach. Here are a few of the main principles:
Continuous monitoring examines how users and entities are interacting with data and even other systems. This helps verify that people are who they claim to be and enables risk-adaptive security controls to automatically tailor enforcement based on people’s actions.
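The following sketch is an added example, not code from the original article or from any product. It shows a per-request decision that denies by default, requires verified identity and an explicit grant, and revokes the copy permission once monitored behaviour crosses a risk threshold. The grants table, risk weights and threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample policy: explicit grants per (user, resource).
# Anything not listed here is denied.
GRANTS = {("alice", "customer-db"): {"read", "copy"}}
RISK_WEIGHTS = {"read": 1, "copy": 5}  # assumed: copying data is riskier than reading
COPY_REVOKE_AT = 10                    # assumed session risk at which "copy" is revoked


@dataclass
class Session:
    user: str
    identity_verified: bool = False    # outcome of an identity check done elsewhere
    risk: int = 0
    revoked: set = field(default_factory=set)


def authorize(session, resource, action):
    """Decide one request. Network location is deliberately not an input."""
    if not session.identity_verified:
        return False, "identity not verified"
    if action not in GRANTS.get((session.user, resource), set()):
        return False, "no explicit permission"
    if action in session.revoked:
        return False, "permission revoked by risk policy"
    # Continuous monitoring: every allowed action feeds the session risk score.
    session.risk += RISK_WEIGHTS.get(action, 1)
    if session.risk >= COPY_REVOKE_AT:
        # Risk-adaptive enforcement: later copy requests in this session are denied.
        session.revoked.add("copy")
    return True, "allowed"


if __name__ == "__main__":
    s = Session("alice")
    print(authorize(s, "customer-db", "read"))   # denied until identity is verified
    s.identity_verified = True
    for action in ["read", "copy", "copy", "copy", "read"]:
        print(action, authorize(s, "customer-db", action), "risk =", s.risk)
```

Reads remain allowed after the copy permission is revoked, so enforcement tightens around the risky action rather than ending the session.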
How to Implement Zero Trust
There can be multiple approaches to the model, but there are a few considerations almost everyone will need to include in order to implement an efficient Zero Trust architecture: