The zero trust model is a security model used by IT professionals that requires strict identity and device verification regardless of whether the user is inside or outside the network perimeter. The model is based on the assumption that all users, devices and transactions should be treated as already compromised, whether they are inside or outside of the firewall. By limiting which parties have privileged access to each segment of a network, or to each machine in a secure organization, the number of opportunities for an attacker to reach secure content is greatly reduced. A network that implements the zero trust model is referred to as a zero trust network.
The main tenet of zero trust security is that vulnerabilities often appear when companies are too trusting of individuals or outsiders. Therefore, the model holds that no user, whether inside or outside the network, should be trusted by default.
Importance of the zero trust model
The traditional approach to network security is known as the castle-and-moat model. Its premise is that gaining access to a network from the outside is difficult, but once inside, users are automatically trusted. This becomes harder to manage as organizations keep their data distributed across multiple locations, applications and cloud services.
The zero trust model acknowledges that focusing only on perimeter security is not effective. Most data breaches occur when attackers successfully bypass an organization's firewall and are then treated as authenticated by internal systems. Therefore, the zero trust model is a stronger approach to protecting important resources.
Fundamentals of the zero trust model
While there are various technologies and principles that can be used to enforce zero trust security, the basic fundamentals include:
- Eliminated trust - No user or device should be trusted by default.
- Least-privileged access - Users should receive the minimum amount of access necessary.
- Microsegmentation - Security perimeters and network components are broken into smaller segments, each with its own access requirements.
- Risk management analytics - All network traffic should be logged and inspected for suspicious activity.
How to implement the zero trust model
Some best practices for introducing zero trust security to an organization include:
- Keep network security policies updated, review them for vulnerabilities and test their effectiveness periodically.
- Implement multi-factor authentication (MFA) for all users without exception.
- Validate all devices that try to log into the network and only allow access to those that meet security standards.
- Rely on network segmentation, microsegmentation and perimeter segmentation to secure individual aspects of the network.
- Maintain as much visibility as possible throughout the organization to avoid abuse of access that could lead to a data breach.
- Review the list of user accesses and administrators frequently.
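The four fundamentals above (no default trust, least privilege, microsegmentation and logged, inspected traffic) and the implementation practices (MFA for everyone, device validation, segmentation, visibility) come together in a policy decision point that evaluates every access request explicitly. The following is an added example written for this page, not code from the original article or from any zero trust product: a small Python policy engine that denies by default, requires MFA and a compliant device, grants only the actions a role is permitted on a given segment, logs every decision, and flags users who accumulate repeated denials. All users, devices, segments, the POLICY table, the MAX_PATCH_AGE_DAYS threshold and the reason codes are constructed sample values chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Principal:
    """Identity presented with the request (constructed sample shape)."""
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool      # MFA is required for all users without exception


@dataclass(frozen=True)
class Device:
    """Device posture attributes checked before any access is granted."""
    device_id: str
    managed: bool           # enrolled in device management
    disk_encrypted: bool
    patch_age_days: int     # days since the OS was last patched


@dataclass(frozen=True)
class Request:
    principal: Principal
    device: Device
    segment: str            # the microsegment being accessed
    action: str


# Least-privilege policy per segment: role -> permitted actions.
# Anything not listed here is denied (constructed sample policy).
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "hr-db": {"hr-analyst": {"read"}, "hr-admin": {"read", "write"}},
    "payments": {"finance": {"read"}},
}
MAX_PATCH_AGE_DAYS = 30     # assumed device compliance threshold


def device_compliant(dev: Device) -> bool:
    """Only devices meeting the security standard may reach the network."""
    return dev.managed and dev.disk_encrypted and dev.patch_age_days <= MAX_PATCH_AGE_DAYS


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one request. Every path that is not an explicit match denies."""
    p = req.principal
    if not p.mfa_verified:
        return False, "mfa-required"
    if not device_compliant(req.device):
        return False, "device-noncompliant"
    rules = POLICY.get(req.segment)
    if rules is None:
        return False, "unknown-segment"
    permitted: Set[str] = set()
    for role in p.roles:
        permitted |= rules.get(role, set())
    if req.action not in permitted:
        return False, "not-permitted"
    return True, "policy-match"


class DecisionLog:
    """Records every decision so access can be reviewed and analysed."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def evaluate(self, req: Request) -> bool:
        allowed, reason = decide(req)
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": req.principal.user,
            "device": req.device.device_id,
            "segment": req.segment,
            "action": req.action,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed

    def repeated_denials(self, threshold: int = 3) -> Dict[str, int]:
        """Users with at least `threshold` denials: an input for risk analytics."""
        counts = Counter(e["user"] for e in self.entries if not e["allowed"])
        return {u: n for u, n in counts.items() if n >= threshold}


def demo() -> Tuple[List[bool], Dict[str, int]]:
    """Run constructed sample requests through the engine."""
    laptop = Device("lt-001", managed=True, disk_encrypted=True, patch_age_days=5)
    stale = Device("lt-002", managed=True, disk_encrypted=True, patch_age_days=90)
    alice = Principal("alice", frozenset({"hr-analyst"}), mfa_verified=True)
    bob = Principal("bob", frozenset({"finance"}), mfa_verified=True)
    carol = Principal("carol", frozenset({"hr-admin"}), mfa_verified=False)
    log = DecisionLog()
    results = [
        log.evaluate(Request(alice, laptop, "hr-db", "read")),       # allowed
        log.evaluate(Request(alice, laptop, "hr-db", "write")),      # not-permitted
        log.evaluate(Request(bob, stale, "payments", "read")),       # device-noncompliant
        log.evaluate(Request(carol, laptop, "hr-db", "write")),      # mfa-required
        log.evaluate(Request(alice, laptop, "payments", "read")),    # not-permitted
        log.evaluate(Request(alice, laptop, "build-farm", "read")),  # unknown-segment
    ]
    return results, log.repeated_denials(threshold=3)


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: identity (MFA) and device posture are verified before the policy table is consulted, so a valid role on a non-compliant device is still refused, and a segment that has no policy entry is denied rather than falling through. The log entries give the visibility the practices call for, and `repeated_denials` is the simplest form of the analytics step: a user collecting denials across several segments is worth reviewing during the periodic access audit.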