Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.
The main concept behind the zero trust security model is “never trust, always verify,” which means that devices should not be trusted by default.
Principles of Zero Trust Security
There are three basic principles that form the foundation of the ZT security model.
1. Continuous Verification
Continuous verification means there are no trusted zones, credentials, or devices at any time; hence the concept "Never Trust, Always Verify." Zero Trust verifies user identity and privileges as well as device identity and security. Logins and connections time out periodically once established, forcing users and devices to be continuously re-verified.
2. Least Privilege
Least privilege access means giving users only as much access as they need. This minimizes each user’s exposure to sensitive parts of the network.
3. Device Access Control
Zero Trust requires strict controls on device access. Zero Trust systems need to monitor how many different devices are trying to access their network, ensure that every device is authorized, and assess all devices to make sure they have not been compromised. This further minimizes the attack surface of the network.
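As an added illustration of the three principles (example code, not from the original article), the Python policy check below evaluates every request with a default of deny: identity verification and session age (continuous verification), device registration and posture (device access control), and a role-to-resource grant table (least privilege). The roles, device ids, session limit and sample request are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Continuous verification: a session older than this must re-authenticate.
MAX_SESSION_AGE = timedelta(minutes=15)

# Least privilege: each role maps to exactly the resources/actions it needs.
ROLE_GRANTS = {
    "analyst": {"tickets": {"read"}},
    "engineer": {"tickets": {"read", "write"}, "build-logs": {"read"}},
}

# Device access control: only registered devices may connect at all (assumed ids).
REGISTERED_DEVICES = {"dev-1001", "dev-1002"}

@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool        # identity verified for this session
    session_started: datetime
    device_id: str
    device_compliant: bool    # posture check passed (patched, EDR running, ...)
    resource: str
    action: str

def decide(req, now):
    """Default deny: every check must pass before access is granted."""
    if not req.mfa_verified:
        return False, "identity not verified"
    if now - req.session_started > MAX_SESSION_AGE:
        return False, "session expired: re-verification required"
    if req.device_id not in REGISTERED_DEVICES:
        return False, "unknown device"
    if not req.device_compliant:
        return False, "device failed posture check"
    granted = ROLE_GRANTS.get(req.role, {}).get(req.resource, set())
    if req.action not in granted:
        return False, "action not in least-privilege grant"
    return True, "allowed"

# Constructed sample: a fixed clock and a request that passes every check.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def sample_request(**overrides):
    base = dict(user="alice", role="engineer", mfa_verified=True,
                session_started=NOW - timedelta(minutes=5), device_id="dev-1001",
                device_compliant=True, resource="tickets", action="write")
    base.update(overrides)
    return Request(**base)
```

Each override on `sample_request` flips exactly one principle, so the reason string shows which check denied the request.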
Zero Trust Frameworks
These are widely used Zero Trust frameworks that can serve as guidelines when implementing Zero Trust:
- Forrester’s The Definition Of Modern Zero Trust
- Gartner CARTA
- Google’s BeyondCorp
- Identity Defined Security Alliance (IDSA) Framework
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207 Zero Trust Architecture (ZTA)
Summary:
Zero Trust takes a new approach that denies access to applications and data by default, relying on least-privilege access and comprehensive security monitoring to maximize defense against security threats.