Zero trust is the new standard in network security that strictly limits user access based on a dynamic authorization policy. This security framework requires all users, whether inside or outside the organization's network, to be authenticated, authorized, and continuously validated for security configuration and posture before accessing applications and data.
Because nothing connected to the network is assumed to be safe, a zero trust security framework involves constant monitoring and assessment of all users and network resources, such as devices, data stores, and applications, for security risks.
For user security, this means implementing a dynamic authentication and authorization policy to assess risk both before they are granted access to the network, and during their session. For network resource security, this means monitoring usage and security postures, keeping up with updates and patches, and adjusting configurations.
The three basic principles of a zero trust security framework are:
Explicit verification: Authenticate and authorize every user and device on every session, using as much data as possible to determine their risk level.
Principle of least privilege: Grant the user access only to the resources they are using at the time, and only for as long as they need them during that session.
Assume a breach: Act as though your network has been breached. Limit access to resources, verify end-to-end encryption, and use analytics to monitor network activity, detect threats, and adjust access policies.
Tenets of zero trust security
According to the National Institute of Standards and Technology’s 800-207 standard, the tenets of a zero trust security framework are as follows:
All data sources and computing services are considered resources. This includes different resource classes such as SaaS applications, APIs, Internet of Things (IoT) devices, and personally owned devices if they have access to network assets.
All communication is secured, regardless of network location. Whether a resource is accessing from on-site, in a VPN, or remotely, it should meet the same security requirements. Trust should not be granted based on network location.
Access to individual resources is granted on a per-session basis, according to the following principles:
Trust in the requester is evaluated before granting access to any resource.
Access should be granted with the least privilege possible to accomplish the task.
Access to one resource does not automatically grant access to other resources.
Access to resources is determined by a dynamic policy. Access policy is a set of rules that determine what resources a user can access. A dynamic access policy accounts not only for static attributes such as group membership, but also for variables like time of day, session duration, device location, and user behavior.
Good dynamic access policies also consider environmental variables like traffic levels and anomalous behavior patterns.
The organization measures and monitors the security posture of all network resources. No resources are inherently trusted. All applications, APIs, and devices are monitored for known vulnerabilities and potential compromises. Resources are updated and patched regularly and reconfigured when necessary.
The organization collects data and uses it to improve access policies. The organization should collect data about resource security posture, traffic patterns, and access requests and review it regularly to assess and adjust access policies.
How zero trust works
The system assesses each authentication request and each authorization request separately against dynamic access policies, weighing user and device attributes such as device ID, geolocation, time of day, and user role, together with network type and current environmental conditions, before granting access to resources such as data stores and applications.
Requests that fit the policy are granted. Unusual or suspicious requests are escalated for additional authentication or rejected and flagged for later review.
Risk evaluation engines build profiles of how users and user classes typically interact with applications and data stores. As they monitor and authenticate users, they will detect and flag anomalous behaviors.
With complex access policies evaluating every request both outside and inside the network, zero trust security systems require both automation and well-designed policies informed by constant monitoring.
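The per-session tenets above (trust evaluated before every grant, least privilege, no access inherited from one resource to another, a dynamic policy over static and dynamic attributes) and the allow / step-up / deny flow just described can be seen working together in a small policy decision point. The following is an added example, not code from the original article or from NIST SP 800-207: the group names, resources, baseline profile, risk weights, thresholds and grant lifetime are all constructed assumptions chosen to make the decisions visible.

```python
"""Illustrative zero trust policy decision point (added example).

All data here is constructed: group names, resources, the user's baseline,
the risk weights, the thresholds and the grant lifetime are assumptions for
illustration, not values from NIST SP 800-207 or from any product.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # escalate for additional authentication (e.g. MFA)
    DENY = "deny"         # rejected and flagged for later review


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # static attribute: group membership
    device_id: str
    device_patched: bool     # dynamic attribute fed by posture monitoring
    country: str             # dynamic attribute: device location
    hour_utc: int            # dynamic attribute: time of day
    resource: str
    action: str


@dataclass(frozen=True)
class Baseline:
    """How this user usually behaves, learned from past sessions (constructed)."""
    countries: frozenset
    hours: range
    resources: frozenset
    devices: frozenset


# Static policy: which group may reach which resource (assumed values).
RESOURCE_GROUPS = {"payroll-db": "finance", "wiki": "staff", "prod-api": "sre"}
HIGH_VALUE = {"payroll-db", "prod-api"}   # any deviation triggers step-up here
GRANT_TTL_MINUTES = 15                   # grants are short-lived and per resource


def risk_score(req: Request, base: Baseline) -> int:
    """Weighted count of dynamic signals that deviate from the user's baseline."""
    score = 0
    score += 2 if req.country not in base.countries else 0
    score += 1 if req.hour_utc not in base.hours else 0
    score += 2 if req.device_id not in base.devices else 0
    score += 1 if req.resource not in base.resources else 0
    score += 2 if not req.device_patched else 0
    return score


def evaluate(req: Request, base: Baseline) -> Decision:
    """Explicit verification of one request: static rule first, then risk."""
    required_group = RESOURCE_GROUPS.get(req.resource)
    if required_group is None or required_group not in req.groups:
        return Decision.DENY              # least privilege: no rule, no access
    score = risk_score(req, base)
    if score >= 4:
        return Decision.DENY              # too anomalous; flag for review
    step_up_at = 1 if req.resource in HIGH_VALUE else 3
    return Decision.STEP_UP if score >= step_up_at else Decision.ALLOW


@dataclass
class Session:
    """Grants are keyed by (resource, action); nothing carries over to another resource."""
    user: str
    grants: dict = field(default_factory=dict)   # (resource, action) -> expiry minute

    def request(self, req: Request, base: Baseline, now_minute: int) -> Decision:
        key = (req.resource, req.action)
        expiry = self.grants.get(key)
        if expiry is not None and now_minute < expiry:
            return Decision.ALLOW                 # still inside the short grant window
        decision = evaluate(req, base)            # otherwise re-verify from scratch
        if decision is Decision.ALLOW:
            self.grants[key] = now_minute + GRANT_TTL_MINUTES
        else:
            self.grants.pop(key, None)            # revoke on any non-allow outcome
        return decision


def demo() -> list:
    """Walk one constructed user through six requests; returns the decisions in order."""
    alice = Baseline(countries=frozenset({"NL"}), hours=range(7, 19),
                     resources=frozenset({"wiki", "payroll-db"}),
                     devices=frozenset({"laptop-42"}))
    session = Session(user="alice")
    common = dict(user="alice", groups=frozenset({"staff", "finance"}),
                  device_id="laptop-42", device_patched=True, country="NL", hour_utc=10)
    out = [session.request(Request(**common, resource="wiki", action="read"), alice, 0)]
    # Access to the wiki does not carry over: payroll-db is evaluated separately.
    out.append(session.request(Request(**common, resource="payroll-db", action="read"), alice, 1))
    # Same resource and action a few minutes later: the grant is still valid.
    out.append(session.request(Request(**common, resource="payroll-db", action="read"), alice, 5))
    # Grant expired and the location changed: high-value resource, so step up.
    out.append(session.request(Request(**{**common, "country": "BR"},
                                       resource="payroll-db", action="read"), alice, 20))
    # Unknown device, off-hours, unpatched: score 5, so deny and flag.
    out.append(session.request(Request(**{**common, "device_id": "kiosk-1", "hour_utc": 3,
                                          "device_patched": False},
                                       resource="wiki", action="read"), alice, 21))
    # No group entitles alice to prod-api, whatever her risk score.
    out.append(session.request(Request(**common, resource="prod-api", action="deploy"), alice, 22))
    return [d.value for d in out]


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The static group check runs before any risk scoring, so a low-risk request for a resource the user is not entitled to is denied outright rather than merely stepped up. And the grant lifetime is deliberately short and scoped to one (resource, action) pair: re-verification on expiry is what turns a one-time login into the continuous validation the framework calls for, and a change in posture or location between two requests is caught at the next evaluation rather than riding on the earlier grant.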
What are the alternatives to zero trust?
Previous network security frameworks relied on perimeter defense to secure network resources. Applications and data were secured by firewalls, VPNs, and other static defenses. After a user had been authenticated, they had access to federated resources inside the network. More sensitive resources might be protected by multiple layers of security or heightened requirements, such as multi-factor authentication (MFA).
Another strategy is for an organization to issue trusted devices to their users. These devices are secured and managed by the organization, and regularly updated with security patches and new policies.
The drawback of these security approaches is that when a malicious actor has made it past the barrier, they have essentially unchallenged access to every resource within that barrier. Because most security breaches involve bad actors using valid credentials to access a network, this kind of passive security framework isn't sufficient to protect most systems.
Why choose zero trust?
Zero trust is a dynamic, active security framework that scales to accommodate large numbers of users, network resources, and transactions.
Zero trust secures each of your network resources individually, limiting their exposure in case of a breach.
Because zero trust doesn't privilege network location, it allows your organization to enhance the security of existing infrastructure such as VPNs by integrating them into dynamic security policies. Zero trust can also streamline your user experience by eliminating the necessity for MFA for routine, low-risk transactions.