zero-trust model (zero trust network)

Contributor(s): Laura Fitzgibbons

The zero trust model is a security model used by IT professionals that requires strict identity and device verification regardless of the user’s location in relation to the network perimeter. The model is based on the assumption that all users, devices and transactions are already compromised, regardless of whether they're inside or outside of the firewall. By limiting which parties have privileged access to each segment of a network, or each machine in a secure organization, the number of opportunities for a hacker to gain access to secure content is greatly reduced. A network that implements the zero trust model is referred to as a zero trust network.

The main tenet of zero trust security is that vulnerabilities often appear when companies are too trusting of individuals or outsiders. Therefore, the model suggests that no user, whether inside or outside the network, should be trusted by default.

The term zero trust was introduced by an analyst at Forrester Research in 2010, with vendors like Google and Cisco adopting the model shortly after.

Importance of the zero trust model

The traditional approach to network security is known as the castle-and-moat model. The focus of this concept is that gaining access to a network from the outside is difficult, but once inside, users are automatically trusted. This becomes harder to manage as organizations keep their data distributed across multiple locations, applications and cloud services.

The zero trust model acknowledges that focusing only on perimeter security is not effective. Most data breaches occur when hackers successfully bypass an organization’s firewall and are then granted access to internal systems. Therefore, the zero trust model is a stronger approach to protecting important resources.

Fundamentals of the zero trust model

While there are various technologies and principles that can be used to enforce zero trust security, the fundamentals include:

  • Eliminated trust: No user or device should be trusted by default.
  • Least-privileged access: Users should receive the minimum amount of access necessary.
  • Microsegmentation: Security perimeters and network components are broken into smaller segments with individual access requirements.
  • Risk management analytics: All network traffic should be logged and inspected for suspicious activity.

[Figure: the steps to build a zero-trust network and the tools that can be used to accomplish them.]

How to implement the zero trust model

Some best practices for introducing zero trust security to an organization include:

  • Keep network security policies updated, review them for vulnerabilities and test their effectiveness periodically.
  • Implement multi-factor authentication (MFA) for all users without exception.
  • Validate all devices that try to log into the network and only allow access to those that meet security standards.
  • Rely on network segmentation, microsegmentation and perimeter segmentation to secure individual aspects of the network.
  • Maintain as much visibility as possible throughout the organization to avoid abuse of access that could lead to a data breach.
  • Review the list of user accesses and administrators frequently.
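
The fundamentals and practices listed above can be combined into one default-deny access decision that is made on every request. The following Python example is added here for illustration and is not part of the original article; the GRANTS table, the Request fields, and the user and segment names are assumptions constructed for the example.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("zt-policy")

# Constructed sample policy: each identity is granted only the named
# microsegments it needs (least-privileged access).
GRANTS = {
    "alice": {"hr-db"},
    "bob": {"build-servers", "artifact-store"},
}

@dataclass(frozen=True)
class Request:
    user: str
    segment: str            # microsegment being accessed
    mfa_verified: bool      # second factor completed for this session
    device_compliant: bool  # device passed security-standard validation
    source_internal: bool   # inside the firewall; logged but never trusted

def evaluate(req: Request) -> tuple[bool, str]:
    """Default-deny decision: every check must pass on every request."""
    if not req.mfa_verified:
        decision = (False, "mfa_required")
    elif not req.device_compliant:
        decision = (False, "device_not_compliant")
    elif req.segment not in GRANTS.get(req.user, set()):
        decision = (False, "segment_not_granted")
    else:
        decision = (True, "granted")
    # Log every decision, allowed or denied, so it can be inspected later.
    log.info("user=%s segment=%s internal=%s allowed=%s reason=%s",
             req.user, req.segment, req.source_internal, *decision)
    return decision

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for r in (
        Request("alice", "hr-db", True, True, False),        # remote, all checks pass
        Request("alice", "hr-db", False, True, True),        # internal, but no MFA
        Request("bob", "hr-db", True, True, True),           # internal, wrong segment
        Request("bob", "build-servers", True, False, True),  # device fails validation
    ):
        print(r.user, r.segment, evaluate(r))
```

Note that source_internal never influences the result: a request from inside the firewall is evaluated exactly like one from outside it.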
This was last updated in April 2019
