Zero trust is a security concept where access to systems — both internally and externally — should demand authentication.
With zero-trust architecture, organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to each system before granting access.
Zero-trust is a network architecture designed to cope with the fact that the traditional network perimeter is disappearing and with it, the value of conventional defenses.
You reduce the likelihood of disruption in the event of a data breach.
Many existing security teams will be uncomfortable with a shift to zero-trust; some will lack the necessary skills.
Zero-trust architecture has been established at large internet firms, such as Google and Cloudflare. It’s starting to gain ground in more traditional enterprises.
What is it?
Key to adopting zero-trust architecture is the notion that inherent trust is removed from the internal network. Simply because people are connected to a network doesn't mean they should be able to access everything on that network.
It’s common in breaches to see an attacker gain access to a network and then move through the rest of the system because everything on the network is trusted from that point on. If you remove trust from the network, you must instead gain confidence in your users, devices, and services. To achieve this, you must build trust in the users’ identity (through authentication), device health, and the services they access (authorization).
For zero trust to be effective, each person connected to a service is authenticated, and the device, user, and connection authorized against rules and policies. These policies assess the amount of confidence you have in a user and their device, regardless of where the connection request comes from, and grant access to resources accordingly.
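A minimal sketch of the policy decision described above, added here as an illustration and not taken from any vendor's implementation. The resource names, roles, and confidence thresholds are constructed assumptions; the point is that the decision uses identity, device health, and authorization, and never the network location of the request.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy table (assumption): minimum confidence each resource demands.
RESOURCE_MIN_CONFIDENCE = {"wiki": 1, "source-code": 2, "payroll-db": 3}
# Constructed role grants (assumption): which roles may reach which resource.
ROLE_GRANTS = {"engineer": {"wiki", "source-code"}, "finance": {"wiki", "payroll-db"}}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    authenticated: bool    # identity verified for this request
    mfa: bool              # second factor presented
    device_managed: bool   # device is enrolled in the inventory
    device_patched: bool   # device health: OS patches are current
    source_ip: str         # kept for audit logging only, never used for trust
    resource: str


def confidence(req: Request) -> int:
    """Score trust from identity and device health only (0 to 3)."""
    if not req.authenticated:
        return 0
    score = 1
    if req.mfa:
        score += 1
    if req.device_managed and req.device_patched:
        score += 1
    return score


def decide(req: Request) -> tuple[bool, str]:
    """Return (allow, reason). Unknown resources and roles are denied by default."""
    required = RESOURCE_MIN_CONFIDENCE.get(req.resource)
    if required is None:
        return False, "unknown resource"
    if not req.authenticated:
        return False, "not authenticated"
    if req.resource not in ROLE_GRANTS.get(req.role, set()):
        return False, "role not authorized"
    have = confidence(req)
    if have < required:
        return False, f"confidence {have} below required {required}"
    return True, "allowed"
```

Every request is evaluated on its own, so a caller on an internal address with an unhealthy device is refused while a fully verified caller on an external address is admitted.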
What’s in it for you?
Zero-trust architecture has two chief benefits.
Firstly, if we assume that being hacked is a reality most of us have yet to face, limiting a breach’s blast effect to the smallest possible attack surface is vital. This becomes possible when we drop the idea of a strong perimeter and a trusted interior, and as a result you can minimize disruption to your organization.
Secondly, as the world moves to distributed cloud systems and edge computing, the notion of having a perimeter to secure dissolves. Zero-trust architecture provides a mechanism that enables you to operate securely in this new world.
What are the trade-offs?
This is a change in approach that some security professionals feel uncomfortable with. Rather than a policy-making and product selection role, the job now requires software component security knowledge and more complex policy rollout.
How is it being used?
Companies such as Google, with their BeyondCorp model, Cloudflare and others are using this approach to build agile, secure zones and regions throughout their organizations and serve as examples to others.
Zero-trust architecture is also being used by some government and public service organizations.