Zero Trust and Its Core Principles.

Zero trust is a term that has quickly built prominence across technology communities but has had several ‘definitions’ and not all of them are truthful. Unfortunately, some networking vendors have been jumping at the opportunity to repackage old technology like classic VPNs and market them as ‘zero trust’, creating a fair bit of confusion.

The definition of zero trust security couldn’t be simpler. It is not any single product or service but an approach to security that is built around a sole concept: “never trust, always verify”. This is achieved by providing the least-privileged access when users and applications are communicating with data and other applications. The networking tech that is being pushed as ‘zero trust’ by telcos still fundamentally provides users with access to networks. In a true zero trust environment, a user should have direct access to the data and applications they are authorised to access, and not a network.

The Core Principles of Zero Trust

Verify every access request

Zero trust is based on verifying every access request, regardless of the user or application it has originated from, before allowing it to reach its destination. It doesn’t matter who the user is or whether they are on the corporate network or at home. Every request is treated as untrusted and validated against identity and context-based criteria.

Provide the least privileged access possible

Zero trust relies on providing the least privileged access possible by restricting access to just the applications and data the user or application making the request is authorised to access, and not a network. This approach significantly reduces your attack surface as it essentially hides users and applications from the internet and limits the damage a malicious attack can cause.

Use granular, adaptive context-based policies

Access requests should be validated against a comprehensive list of policies that verify criteria such as identity, location, type of device, and even the application that is being requested. The policies should also be adaptive and trigger each time any context of the user or application making the request is changed.

Assume a breach has already occurred

To enable the above approach, effective zero trust security is built upon the concept that a security breach might have already occurred and so all traffic needs to be terminated and inspected before being allowed to reach its destination. This approach provides exceptional protection and assurance against attacks that attempt to infect as many devices and systems as possible, like ransomware and malware.

Zero trust is not a specific product or service, and it is not old networking technology that applies a set of controls to allow ‘trusted’ users remote access to a network. In fact, zero trust and VPNs have several crucial differences that set them apart.

To summarise, zero trust is an approach to security that is built on the foundation that all traffic, regardless of where it is coming from, should be treated as untrusted and validated before being allowed to reach its destination. That foundation can be achieved by following four key principles:

• Verify every request
• Provide least-privileged access
• Use granular, context-based validation policies
• Assume a breach has occurred

Read More Blog