Zero trust is a term that has quickly gained prominence across technology communities, but it has been given several ‘definitions’, and not all of them are truthful. Unfortunately, some networking vendors have jumped at the opportunity to repackage old technology such as classic VPNs and market it as ‘zero trust’, creating a fair bit of confusion.
The definition of zero trust security couldn’t be simpler. It is not any single product or service but an approach to security that is built around a sole concept: “never trust, always verify”. This is achieved by providing the least-privileged access when users and applications are communicating with data and other applications. The networking tech that is being pushed as ‘zero trust’ by telcos still fundamentally provides users with access to networks. In a true zero trust environment, a user should have direct access to the data and applications they are authorised to access, and not a network.
The Core Principles of Zero Trust
Verify every access request
Zero trust is based on verifying every access request, regardless of the user or application it has originated from, before allowing it to reach its destination. It doesn’t matter who the user is or whether they are on the corporate network or at home. Every request is treated as untrusted and validated against identity and context-based criteria.
Provide the least privileged access possible
Zero trust relies on providing the least privileged access possible by restricting access to just the applications and data the user or application making the request is authorised to access, and not a network. This approach significantly reduces your attack surface as it essentially hides users and applications from the internet and limits the damage a malicious attack can cause.
Use granular, adaptive context-based policies
Access requests should be validated against a comprehensive list of policies that verify criteria such as identity, location, type of device, and even the application that is being requested. The policies should also be adaptive and trigger again whenever the context of the user or application making the request changes.
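The following is an added example, not part of the original article: a small default-deny policy check that grants access per application rather than per network and re-evaluates the decision whenever the request context changes. The users, applications, countries, and the `decide` and `Session` names are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool
    device_managed: bool
    country: str
    app: str

# Constructed sample policies: each rule grants one user one application
# under stated context conditions. Nothing grants access to a network.
POLICIES = [
    {"user": "alice", "app": "payroll", "countries": {"GB"}, "managed_device": True},
    {"user": "alice", "app": "wiki", "countries": {"GB", "FR"}, "managed_device": False},
    {"user": "bob", "app": "wiki", "countries": {"GB"}, "managed_device": False},
]

def decide(req):
    """Return (allowed, reason). Runs on every request and denies by default."""
    if not req.mfa_passed:
        return False, "identity not verified"
    reason = "no policy grants this application"
    for rule in POLICIES:
        if (rule["user"], rule["app"]) != (req.user, req.app):
            continue
        if req.country not in rule["countries"]:
            reason = "location not permitted"
        elif rule["managed_device"] and not req.device_managed:
            reason = "unmanaged device"
        else:
            return True, "allowed"
    return False, reason

class Session:
    """Holds the current context and re-runs decide() when any part of it changes."""
    def __init__(self, req):
        self.req = req
        self.allowed, self.reason = decide(req)

    def update(self, **changes):
        self.req = replace(self.req, **changes)
        self.allowed, self.reason = decide(self.req)
        return self.allowed

if __name__ == "__main__":
    s = Session(Request("alice", True, True, "GB", "payroll"))
    print(s.allowed, s.reason)
    s.update(country="US")  # context change triggers a fresh decision
    print(s.allowed, s.reason)
```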
Assume a breach has already occurred
To enable the above approach, effective zero trust security is built upon the concept that a security breach might have already occurred and so all traffic needs to be terminated and inspected before being allowed to reach its destination. This approach provides exceptional protection and assurance against attacks that attempt to infect as many devices and systems as possible, like ransomware and malware.
Zero trust is not a specific product or service, and it is not old networking technology that applies a set of controls to allow ‘trusted’ users remote access to a network. In fact, zero trust and VPNs have several crucial differences that set them apart.
To summarise, zero trust is an approach to security that is built on the foundation that all traffic, regardless of where it is coming from, should be treated as untrusted and validated before being allowed to reach its destination. That foundation can be achieved by following four key principles:
- Verify every request
- Provide least-privileged access
- Use granular, context-based validation policies
- Assume a breach has occurred