Zero trust is a cyber-security model based on the principle that no one is to be trusted by default, even those already inside the network perimeter.
The Zero trust model was developed in 2010, by analysts at Forrester Research Inc., and states that organizations should regard all network traffic as untrusted by default. Today large companies such as Google have implemented zero trust security into their network and platforms. The Zero trust philosophy has been growing in popularity within the tech community as the volume and sophistication of attacks has increased. Zero trust networks assume that there are attackers both within and outside of the network, so no users are trusted by default. This added layer of security is proactive and aims to prevent data breaches.
The traditional idea of trusting the internal perimeter by default leaves the organization at risk if that perimeter is compromised or if someone with access to it, has malicious intentions. You cannot assume that data is secure or that someone should be trusted, simply because a credential checks out. Authorized and unauthorized access can look identical, resulting in data breaches. Devices attempting to access data or networks are untrusted by default. Accurately assigning privileges and closely monitoring what is done with those privileges, is crucial to ensuring security. Once a device is granted access, it’s important to pay attention both to where access is being gained from and to what is being done with that access.
Zero trust security requires strict identity verification for every person in and outside the network and for devices trying to access resources on the network. In traditional IT network security, it is hard to obtain access from outside the network, but everyone inside the network is trusted by default. With this approach, once an attacker gains access to the network, they have access to everything inside. Many companies duplicate their datasets across various cloud vendors, making it more difficult to keep track of data assets or put in place a single security control for the entire network.
Zero trust networks utilize micro-segmentation to break up security perimeters into smaller segments, requiring separate access for each part. Another principle of zero trust is giving users only as much access as they need, this minimizes each user’s exposure to sensitive parts of the network.
Zero trust also utilizes multi-factor authentication (MFA), typically 2-factor authorization (2FA), to secure information. MFA requires more than one piece of evidence to authenticate a user. A password does not grant access, you must prove your identity with not something you know, but also with something you have, something you are, or something you do. This practice is commonly used on social media platforms such as Facebook. In addition to entering a password, users who enable 2FA must also enter a code sent to another device, providing two pieces of evidence, proving identity.
Zero trust systems monitor how many different devices have access to a network and ensure the authorization of each device. Zero trust aims to minimize and prevent possible cyber-attacks and may be the guiding security principle of the future as its adoption grows.