Zero Trust is an approach to the design and implementation of IT systems based on the principle of “never trusting, always verifying” every device. In this security model, inherent trust in the network is removed; no matter whether a device is within a corporate LAN or whether it has already been verified before. Every request-response communication must be authenticated, authorized and encrypted. The Zero Trust model is also known as “Perimeterless Security”.
Zero Trust or Perimeterless Security model
The Zero Trust security model aims to remove the outdated assumption that everything inside an organization’s network should be trusted. As opposed to the traditional security model, which assumes all users act responsibly and can be trusted, Zero Trust is based on the premise that trust is a vulnerability. By eliminating the concept of trust from the network architecture, this approach helps prevent data breaches.
The term “Zero Trust” was coined by Stephen Paul Marsh in April 1994, for his doctoral thesis on computational security at the University of Stirling (UK). He defined Zero Trust as a concept beyond distrust. However, it is worth mentioning that Zero Trust was popularized by John Kindervag while he was vice president and principal analyst for Forrester Research.
Never trust, always verify
IT teams must always verify requests based on an access policy. The trustworthiness of a request is established based on different aspects:
- Device health
- User identity and behaviour
- The value of the data which is being accessed
- The impact of the action which is being requested
In a Zero Trust Architecture (ZTA), as in any other security approach, all implemented measures should be assessed periodically to adjust them to new best practices. The trustworthiness of all connections and endpoints should be continuously reevaluated, because Zero Trust Architectures build trust in each request. This applies to all devices, no matter if they are already connected within a corporate LAN or if they have been verified before.
Moreover, the fact that a user is connected to a network does not mean that he should be able to access everything within that network. That is why each access request, either to data or a service, should be verified, authenticated and authorised against an access policy. This way all connections that do not satisfy the organization’s permissible policies will be dropped. Zero Trust goes beyond other security measures such as VPNs or SSH.
Security regardless of the location
Zero Trust is highly recommended for organizations relying on cloud solutions and working from different locations. Simply because users can access critical data and applications from anywhere. That is why defining a Zero Trust perimeter is useful to secure data, applications and workloads regardless of the location. The growing adoption of mobile and cloud services is actually boosting the implementation of the Zero Trust network architecture approach.
Advantages of the Zero Trust approach
The Zero Trust security approach has many advantages if adopted correctly. For instance:
- Zero Trust makes it harder for cyber attackers to compromise the organization’s data. Even though a cyber criminal breaks the first barrier to access the private network, he will not be able to compromise all data because there will be additional barriers.
- It also ensures data, resources and applications are inaccessible by default. By creating a perimeter around their critical and most valuable data and assets, organisations prevent access to unauthorized users. Each user only can access the data, resources and applications he has privileged access to.
- It enables detecting vulnerabilities faster and managing them proactively. Zero Trust improves verification processes, monitors users and compartmentalizes data to make the access to the company’s information harder for unauthorized users. This also allows IT security teams to enforce security policies consistently.
- It enhances network performance by reducing traffic on subnets.