What is Zero Trust Security?

Security Enthusiast
AVM Consulting Blog
4 min read · Feb 21, 2022

Zero Trust has become one of cybersecurity’s most used buzzwords, and it is increasingly misused as a marketing term. As Gartner notes, vendors are applying the label ‘Zero Trust’ to market almost everything in security, creating significant confusion. That’s why it’s imperative to understand what Zero Trust is, as well as what Zero Trust isn’t.

What is Zero Trust?

The modern workforce is increasingly mobile. Users, devices, applications, and data are moving outside the enterprise perimeter and its zone of control. People work from anywhere and access applications from multiple devices, both inside and outside the business perimeter, which creates a new set of challenges for security teams. The older approach of “trust but verify” is no longer an option: anyone presenting the correct user credentials is admitted to whichever site, app, or device they request. This has steadily increased the risk of exposure, dissolving what was once the trusted enterprise zone of control and leaving many organisations exposed to data breaches, malware, and ransomware attacks.

“Never trust, always verify” is the basic principle behind Zero Trust. One important point to note is that Zero Trust is a security concept, not a security product. It is a model built on strict access controls and on trusting no one by default, not even those already inside the network perimeter. Zero Trust assumes that there is no traditional network edge: networks can be local, in the cloud, or a hybrid of the two, with resources anywhere and workers in any location.

Who coined the term Zero Trust?

John Kindervag, an industry analyst at Forrester, popularised the term “Zero Trust”, but it was coined in April 1994 by Stephen Paul Marsh in his doctoral thesis on computational security at the University of Stirling. Kindervag follows the motto “never trust, always verify”, and his point of view rests on the assumption that risk is inherent both inside and outside the network.

Why do we need Zero Trust?

The COVID-19 pandemic has changed the way we work and shifted people to a work-from-anywhere model. Businesses have increased their use of cloud platforms that support a variety of devices and networks, and bad actors are taking advantage of the upheaval to significantly increase account infiltrations. With Zero Trust security in place, organisations can protect users anywhere, on whatever device they choose, by continuously validating security configuration and posture before granting access to applications and data.

Is there an industry standard for Zero Trust?

Yes. NIST SP 800-207 is the most vendor-neutral and comprehensive standard, written not just for government entities but for any organisation. It also incorporates elements from other frameworks such as Forrester’s ZTX and Gartner’s CARTA. Finally, the NIST standard provides compatibility and protection against modern attacks for the cloud-first, work-from-anywhere model most enterprises need to achieve.

In response to the increasing number of high-profile security breaches, in May 2021 the Biden administration issued an executive order mandating that U.S. Federal Agencies adhere to NIST SP 800-207 as a required step in their Zero Trust implementation; it is also viewed as the de facto standard for private enterprises.

The principles of Zero Trust architecture

The principles of Zero Trust architecture as established by the National Institute of Standards & Technology (NIST) are:

  • All data sources and computing services are considered resources.
  • All communication is secure regardless of network location; network location does not imply trust.
  • Access to individual enterprise resources is granted on a per-connection basis; trust in the requester is evaluated before the access is granted.
  • Access to resources is determined by policy, including the observable state of user identity and the requesting system, and may include other behavioural attributes.
  • The enterprise ensures all owned and associated systems are in the most secure state possible and monitors systems to ensure that they remain in the most secure state possible.
  • User authentication is dynamic and strictly enforced before access is allowed; this is a constant cycle of access, scanning and assessing threats, adapting, and continually authenticating.
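To make these tenets concrete, here is a small policy decision function (added for this post, not code from the original article or from NIST) that evaluates one access request at a time. The field names, the 30-minute re-authentication window, the risk threshold and the sample requests are all constructed assumptions; the point is that network location is never a reason to allow access, while identity, device state and behaviour are.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class AccessRequest:
    user: str
    resource: str                # tenet 1: every data source or service is a resource
    authenticated_at: datetime   # when the user last proved identity
    mfa: bool                    # strong authentication completed for this session
    device_compliant: bool       # managed device passed its posture check
    network: str                 # "corporate" or "internet": recorded, never trusted
    risk_score: int              # behavioural signal, 0 (normal) .. 100 (anomalous)


REAUTH_AFTER = timedelta(minutes=30)   # assumed session bound
MAX_RISK = 40                          # assumed behavioural threshold


def decide(req, now):
    """Evaluate ONE connection (tenet 3); return (allow, reasons_for_denial).
    `req.network` is deliberately never consulted: being inside the perimeter
    buys no trust (tenet 2)."""
    reasons = []
    if not req.mfa:
        reasons.append("MFA not completed")
    if now - req.authenticated_at > REAUTH_AFTER:   # tenet 6: continual authentication
        reasons.append("session too old, re-authentication required")
    if not req.device_compliant:                    # tenet 4: observable device state
        reasons.append("device failed posture check")
    if req.risk_score > MAX_RISK:                   # tenet 4: behavioural attributes
        reasons.append(f"risk score {req.risk_score} exceeds {MAX_RISK}")
    return (not reasons, reasons)


def demo():
    """Constructed sample requests, all evaluated at the same fixed instant."""
    now = datetime(2022, 2, 21, 12, 0, tzinfo=timezone.utc)
    fresh, stale = now - timedelta(minutes=5), now - timedelta(hours=3)
    samples = {
        "corp_no_mfa": AccessRequest("alice", "hr-db", fresh, False, True, "corporate", 5),
        "remote_ok": AccessRequest("bob", "hr-db", fresh, True, True, "internet", 10),
        "stale_session": AccessRequest("carol", "payroll", stale, True, True, "corporate", 0),
        "risky_behaviour": AccessRequest("dave", "payroll", fresh, True, True, "internet", 75),
    }
    return {name: decide(req, now) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY '} {'; '.join(reasons)}")
```

Note that the on-premises request without MFA is denied while the remote request on a compliant device is allowed, which is exactly the inversion of the old perimeter model.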

Is Zero Trust possible?

Yes. With Zero Trust implemented correctly and supported by data security solutions (such as DLP), data breaches can be eliminated or limited to small datasets. Security controls need to apply to every file type and every application.

What is Zero Trust not?

Zero Trust is not a security product; it is a framework you can use to design a Zero Trust architecture for your specific needs. Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of implicit trust from an organisation’s network architecture.

One of the security enthusiasts in the world of cyber security, trying to simplify cyber security through a “for dummies” series of blogs.