Zero Trust is an information security concept within which no corporate IT infrastructure object — user, device, or program — is trusted.
Zero Trust seeks to protect corporate resources both within the internal network and externally (such as with cloud applications and data storage) from unauthorized access. Although often attributed to IS analyst John Kindervag, Zero Trust and its principles existed before Kindervag defined the concept.
Zero Trust model principles
The Zero Trust concept incorporates several key principles:
- Authentication and authorization at each access attempt. Every time a user, device, or program requests access to any resource, they are required to authenticate and to confirm their access rights. Authentication involves a variety of information such as user login and password, device location and type, active processes, and more;
- Minimum privilege policy. Each infrastructure object receives access only to those resources it needs to carry out its tasks. Organizations regularly revise the rights granted to users, devices, and applications, revoking them as appropriate;
- Microsegmentation. The corporate IT infrastructure is divided into segments with different access levels to prevent lateral movement. The fewer the resources in a given segment, the less damage an attacker can inflict by gaining access to it;
- Continuous monitoring and telemetry collection. The company continuously monitors the state of infrastructure objects, collecting all available data about them to locate and upgrade vulnerable applications and devices in a timely manner, or to detect an attack as early as possible.
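The four principles above can be read as the checks a policy decision point runs on every single request. The following is an added illustration, not code from the original article: a small Python policy engine that authenticates each request, enforces a least-privilege role table, refuses cross-segment access, and records every decision as telemetry. The resource names, roles, segments and the `AccessRequest` fields are constructed assumptions for this example.

```python
"""Minimal Zero Trust policy decision point (added example, not from the article).

Every access attempt is evaluated from scratch: authentication, least privilege
and microsegmentation are all checked, and the outcome is logged as telemetry.
All names below (resources, roles, segments) are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed microsegmentation map: resource -> the segment that hosts it
SEGMENT_OF_RESOURCE = {
    "crm-db": "finance",
    "wiki": "general",
    "build-server": "engineering",
}

# Constructed least-privilege table: role -> {resource: set(actions)}
# A role gets only the actions it needs; anything absent is denied.
ROLE_PERMISSIONS = {
    "accountant": {"crm-db": {"read"}, "wiki": {"read"}},
    "developer": {"build-server": {"read", "write"}, "wiki": {"read", "write"}},
}

# Constructed segment reachability: device segment -> resource segments it may reach
SEGMENT_ACCESS = {
    "finance": {"finance", "general"},
    "engineering": {"engineering", "general"},
    "guest": {"general"},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    credential_ok: bool       # outcome of the per-request authentication step
    device_id: str
    device_segment: str
    device_compliant: bool    # e.g. managed device with a supported, patched OS
    resource: str
    action: str


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


TELEMETRY: list = []   # every decision, allow or deny, is kept for monitoring


def evaluate(req: AccessRequest) -> Decision:
    """Evaluate one request; nothing from earlier sessions is trusted."""
    reasons = []

    # 1. Authentication on each access attempt (user credential + device posture)
    if not req.credential_ok:
        reasons.append("authentication failed")
    if not req.device_compliant:
        reasons.append(f"device {req.device_id} is not compliant")

    # 2. Least privilege: the role must explicitly grant this action on this resource
    allowed_actions = ROLE_PERMISSIONS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        reasons.append(f"role {req.role} lacks {req.action} on {req.resource}")

    # 3. Microsegmentation: the device's segment must be allowed to reach the resource's segment
    target = SEGMENT_OF_RESOURCE.get(req.resource)
    reachable = SEGMENT_ACCESS.get(req.device_segment, set())
    if target is None or target not in reachable:
        reasons.append(f"segment {req.device_segment} cannot reach {req.resource}")

    decision = Decision(allowed=not reasons, reasons=reasons)

    # 4. Continuous monitoring: record the decision and why it was made
    TELEMETRY.append({
        "user": req.user, "device": req.device_id, "resource": req.resource,
        "action": req.action, "allowed": decision.allowed, "reasons": list(reasons),
    })
    return decision


def denied_count() -> int:
    """Number of denied decisions recorded so far (useful for alerting thresholds)."""
    return sum(1 for entry in TELEMETRY if not entry["allowed"])


if __name__ == "__main__":
    ok = AccessRequest("alice", "accountant", True, "lap-01", "finance", True, "crm-db", "read")
    bad = AccessRequest("alice", "accountant", True, "lap-01", "finance", True, "crm-db", "write")
    print(evaluate(ok))    # allowed: authenticated, read is granted, same segment
    print(evaluate(bad))   # denied: write is not in the accountant's permissions
```

Each request is judged on its own; a successful earlier decision leaves no trust behind, which is what distinguishes this from a perimeter model where being "inside" is enough. The telemetry list stands in for whatever SIEM or log pipeline an organization actually uses.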
Zero Trust concept implementation
An organization can implement Zero Trust on existing corporate infrastructure, or use specialized tools. However, an obsolete infrastructure is unlikely to satisfy Zero Trust standards: most cloud services, for example, support the necessary verifications and practices, whereas computers running Windows 7 or XP cannot.
The specific steps to implement Zero Trust in an organization depend on factors such as a company’s size, complexity, and IT infrastructure state; employee awareness about information threats; and so forth. Required actions may include:
- Surveying IT resources,
- Defining the defense surface (which resources to protect first),
- Establishing security policies,
- Setting up protective technologies that comply with security policies.