What is Zero Trust?
In a nutshell, Zero Trust assumes that every user, device and service that attempts to connect to a network or application is hostile until proven otherwise. The fundamental principle of Zero Trust is to secure an organization’s data wherever it resides. Only legitimate users, devices and entities are granted access to relevant data sources and assets.
Zero Trust addresses the security issues an organization faces when it stores data in multiple locations, both within its own network and in private and public cloud environments, and allows broad access to that data by employees, contractors, partners, vendors and other authorized users, who use their own devices over which the organization has no direct control. Zero Trust itself is not a specific security architecture, product or software solution, but a methodology for secure access that requires an organization to rethink its security strategy and network architecture. The key to Zero Trust is understanding who is requesting access and from what device, and then linking that request to an access policy for the specific application or asset.
Essentially, Zero Trust is a whitelist (allow-list) method for granting access to specific enterprise applications based on the identity of the user, the device being used, and the behavior or context in which the request occurs.
What are the basic principles of the zero trust model?
- The network is always hostile: before Zero Trust, it was assumed that if you connected to a known network you could be fairly certain that network was secure. Under the Zero Trust principle, even a known network is treated as insecure.
- Accept that external and internal threats are always on the network: traditional cybersecurity assumed the network was secure until a threat was detected. Zero Trust turns this model on its head.
- Knowing the location of the corporate network or cloud provider is not enough to trust a network: traditional security rules based on IP addresses are no longer sufficient.
- Authenticate and authorize every device, user and network flow: a Zero Trust model authenticates and authorizes user access with per-session, least-privilege access.
- Implement a security policy that is dynamic and holistic: data analytics should draw on as many data sources as possible, providing monitoring and proactive threat detection across the architecture.
Zero Trust Network Access
Zero Trust Network Access is a concrete implementation of the Zero Trust Security model:
- User identity is strengthened: in addition to traditional login credentials and multi-factor authentication, the device is now also part of the identity.
- The security status of the device is checked before access is granted to the requested resources. A distinction can also be made between corporate and private devices; some solutions mandate the use of Mobile Device Management (MDM).
- Access is granted only to the applications and resources for which you are authorized, according to the principle of least privilege.
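The three ZTNA checks above (identity plus MFA, device posture with a corporate/private distinction, and per-application least privilege) as a small per-request policy decision, written as an added example that is not part of the original article or of any particular product. The request fields, the `POLICIES` table and the user and application names are constructed for illustration; note that the source IP is only recorded for audit and never used as a trust signal.

```python
"""Zero Trust access decision evaluated per request (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool          # identity proven with MFA for this session
    device_id: str
    device_managed: bool      # enrolled in MDM (corporate) vs. private device
    device_compliant: bool    # posture check passed (patched, encrypted, ...)
    source_ip: str            # kept for audit only; network location grants no trust
    application: str


@dataclass
class AppPolicy:
    allowed_users: Set[str]
    require_managed_device: bool = False


# Per-application allow-list (hypothetical values).
POLICIES: Dict[str, AppPolicy] = {
    "payroll": AppPolicy(allowed_users={"alice"}, require_managed_device=True),
    "wiki": AppPolicy(allowed_users={"alice", "bob"}),
}


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Every request starts untrusted; checks can only deny."""
    policy = POLICIES.get(req.application)
    if policy is None:
        return False, "unknown application: default deny"
    if not req.mfa_passed:
        return False, "identity not proven: MFA required"
    if req.user not in policy.allowed_users:
        return False, "least privilege: user not authorized for this application"
    if not req.device_compliant:
        return False, "device posture check failed"
    if policy.require_managed_device and not req.device_managed:
        return False, "application requires an MDM-managed corporate device"
    # Allow applies to this session only; the next request is evaluated again.
    return True, "allowed for this session"


if __name__ == "__main__":
    req = AccessRequest("alice", True, "lt-0001", True, True, "10.0.0.5", "payroll")
    print(decide(req))
```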