What Is Zero Trust Security?

Security professionals who’ve been in the game a while have seen a lot. The aughts were all about strong passwords, firewalls and antivirus, and keeping software patched. Then requirements such as the Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS) shifted focus to data-specific protection measures, including identity-based access controls and encryption. Cloud and mobile devices brought more new tools, processes, and training.

Of course, attackers evolved their strategies, too. In response, proactive organizations are increasingly using zero trust principles to strengthen their security postures and protect assets from unauthorized access and manipulation—they’re hewing to a “never trust, always verify” stance that uses granular segmentation to limit the attack surface and makes the assumption that the enemy is already inside the gate.

Now it’s about reducing the scope of harm.

What Is Zero Trust Security?

A zero trust security model uses frequent user authentication and authorization to protect assets while continuously monitoring for signs of breaches. Segmentation is used to limit the data and assets that an entity can access without reauthenticating. Because zero trust presumes the network has been penetrated by a threat agent, security measures are implemented in depth, rather than simply at the perimeter—the “castle and moat” model.

Zero trust security, also known as a zero trust architecture or perimeterless security, assumes no one and no device or application is universally trusted, whether inside or outside the network. Continuous verification is required. That access is granted based on the context of the request, the level of trust, and the sensitivity of the asset. A zero trust architecture is especially effective for organizations that use cloud applications and have lots of remote workers and locations.

A zero trust architecture uses a security model that verifies every user, service, and device before granting access to a limited segment of the network, for a limited time.

Key Takeaways

• Zero trust security moves cyber defenses from static, network-based perimeters to a focus on users, assets, and resources.
• Most organizations today are subject to data privacy regulations that emphasize granular access controls, a tenet of zero trust.
• Zero trust means just that: Frequent and strong verification is required for every user, device, and application.
• Microsegmentation—dividing the network into contained zones and controlling movement between them—is key to success with zero trust security.

Zero Trust Security Explained

NIST, the National Institute of Standards and Technology, defines zero trust as an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to a focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on the physical or network location—local area networks versus the internet—or on whether an asset is enterprise or personally owned.

Zero trust security removes implicit trust and instead depends on strong identity and access management (IAM) controls that let organizations allow only authorized people, devices, and applications to access their systems and data. A zero trust security approach has some key tenets:

• The expectation is that threat actors are already operating in the network, so IT should presume breaches.
• A zero trust environment denies access by default; all technical and human resources are queried to provide authorization/authentication at the transaction level.
• The level of asset protection is based on value. Resources may be accessed only after authentication and with the required authorization. Further, continuous verification of permissions should take place, and unneeded access should be revoked.
• The network is segmented, and there is no asset or space that does not need security.
• Advanced analysis, often using AI, is used to spot anomalous behavior and act immediately to lock out intruders.

Zero trust also takes a defense in depth approach. Defense in depth, sometimes called layered security, involves implementing various security controls at different points within a system to safeguard an organization’s network, systems, and data. It’s analogous to a castle with multiple defensive measures, where getting past the moat doesn’t get you the crown jewels. There are also gates, strong locked doors, and archers in turrets.

Defense in depth controls can be physical, technical, or administrative. Physical security measures include fences, access control systems, and security guards to protect data centers. Technical controls include firewalls, intrusion detection/prevention systems (IDS/IPS), data encryption, and anti-malware software to provide technical barriers. Administrative measures, such as policies, procedures, security awareness training, and access controls aim to address the human element of security.

Why Is a Zero Trust Model Important?

A zero trust model is important because the traditional approach of giving free rein to users and devices within an implicit trust zone or when connected via a VPN is simply not working. These outdated perimeter defense models are failing to secure our data because organizational boundaries are no longer limited to on-premises systems. Remote workers and mobile devices are external to the network perimeter, and adoption of cloud technologies further expands the security boundary. Meanwhile, cyberattacks continue to become more complex and impactful. A successful ransomware attack can cripple an organization, resulting in the loss of critical functionality and exposing sensitive information. No organization is immune—attackers have successfully ransomed large companies, municipalities, and even hospitals.

It’s crucial to adopt a more aggressive approach to securing our systems and data.

As the use of cloud services rapidly expands, it also creates new targets for cybercriminals. A popular exploit is to steal or guess the credentials of a privileged administrator or application, then move freely throughout the network. A zero trust implementation makes it possible to granularly regulate access to systems, networks, and data. That’s why an increasing number of organizations are moving to a zero trust security model to reduce the risk of data breach, detect cybersecurity incidents, and prevent damage from cyberattacks.

Federal Government Zero Trust Security Frameworks

The topic of zero trust is a major focus for the United States Department of Defense (DoD), and the US government overall. In May 2021, the White House issued Executive Order 14028, which directs federal agencies to protect and secure their computer systems by adopting security best practices and advancing toward a zero trust architecture, which officials see as a major tool toward accomplishing this security strategy.

There are several models and frameworks available to help teams develop a zero trust architecture. NIST has devised a model based on six tenets, published in Special Publication 800-207. The Cybersecurity and Infrastructure Security Agency (CISA) recently published Version 2.0 of its Zero Trust Maturity Model, which comprises five pillars.

Finally, the Defense Information Systems Agency (DISA) published a reference architecture aligning enterprise technology with seven pillars.

All these agencies aim to help organizations adopt a zero trust strategy. These models and their associated architectures bring structure and help to define the budget and effort needed for success.

How Does Zero Trust Work?

Zero trust works by simply never implicitly trusting a request for data, applications, or resources and assuming the requester could be a bad actor. When you look at security through that lens, the result is new levels of granularity in tools and policies. Developing a zero trust security architecture starts with identifying sensitive data and critical applications as well as authorized users and data flows. There is a control plane, consisting of a policy controller, and automation and orchestration are critical. There’s no way IT teams alone can achieve the needed level of vigilance. That takes an integrated approach as well as AI/ML.

A zero trust architecture follows six tenets as laid out by NIST.

• All data sources and computing services are considered resources that require security considerations. Nothing is to be left unsecured.
• All communication must be secure regardless of network location; network location does not imply trust.
• Access to individual enterprise resources is granted on a per-connection basis; trust in the requester is evaluated before the access is granted.
• Access to resources is determined by policy, including the observable state of user identity and the requesting system. Evaluation may include other behavioral attributes.
• The organization ensures all owned and associated systems are in the most secure state possible and will monitor systems to ensure that they remain that way.
• User authentication is dynamic and strictly enforced before access is allowed; this is a constant cycle of access, scanning and assessing threats, adapting, and authenticating.

A zero trust architecture uses a security model that verifies every user, service, and device before granting access to a limited segment of the network for a limited time.

Core Principles of Zero Trust

The core principles of zero trust can be seen through the lens of the Eight Zero Trust Principles developed by the UK government’s National Cyber Security Centre (NCSC). These tenets comprise a useful framework for organizations to consider as they embark on the journey to build a zero trust architecture.

In addition, implementing zero trust security can involve a significant cultural adjustment for organizations.

1. Know your architecture, including users, devices, services, and data

Designing any security architecture requires a good understanding of existing assets. Most organizations periodically work to document and assess the users, devices, services, and data they need to protect. For a zero security implementation, undertaking an asset discovery activity will most likely not be a purely technical exercise, but instead involve tasks such as reviewing project documentation and procurement records and having conversations with colleagues. In many cases, departments and lines of business have implemented their own systems.

2. Know your user, service, and device identities

Identity can be associated with a human, an application, or a device. All need to be identified to determine whether someone or something should be given access to data or services. As discussed, the gradual movement to cloud has accelerated the erosion of the traditional network perimeter. With that, identity is being recognized as the new perimeter. Identity platforms provide the capabilities to manage user identities, attributes, and access privileges. Although your identity platform can serve as a main identity repository, many organizations will have multiple identity management systems in place. All of these systems need to be discovered and managed as an organization aims to build a zero trust architecture.

3. Assess user behavior and service and device health

The NCSC recommends continually monitoring “health signals” from users and devices. These signals are behavioral and system indicators that let a policy engine evaluate trustworthiness and cyber hygiene, so it can make access decisions with a degree of confidence. For example, you may want to know the geographic location from which a laptop is trying to log in. For a user on the US East Coast, a login attempt when it’s 3 a.m. in New York might raise a flag.

4. Use policies to authorize requests

One beauty of a zero trust architecture is that you define access policies, which are executed by your policy engine. Policy decisions should consider those health signals we mentioned, including historical and real-time connection information to offer confidence that the requester is genuine and the device is in good cyber health. The NCSC advises that a high-impact action, such as creating a new admin-level user or downloading a customer list, would have to meet stringent policy requirements versus a relatively low-impact action, such as checking the work schedule. When choosing technologies for your zero trust architecture, evaluate how vendors collect signals and factor them into their access control. They should include, at minimum, the user’s role and physical location, authentication factors, device health, time of day, value of the service to be accessed, and risk of the action requested.

5. Authenticate and authorize everywhere

If we assume the network is hostile and an attacker is in the system, we clearly need to have strong authentication methods and build applications to accept access decisions from a policy engine. You’ll see better cultural acceptance across the organization if that strong authentication doesn’t hinder the usability of a service. The NCSC suggests prompting for additional authentication factors only when requests have a higher impact, such as for sensitive data or privileged actions, including the creation of new users. Consider single sign-on, multifactor authentication, and passwordless authentication methods for a strong, consistent, and positive user experience across all of your services.

6. Focus your monitoring on users, devices, and services

Monitoring software should be installed on devices, and data generated by those systems should be exported via a secure transport mechanism, such as a VPN, to a central location for analysis. If you allow personal or guest devices in your environment, you may decide not to trust these devices to the same degree as ones that you can fully monitor.

7. Don’t trust any network, including your own

Zero trust sees the network as hostile, says the NCSC, and advises to not trust any connection between the device and the service it’s accessing—including LANs. Communications to access data or services should use a secure transport, such as a Transport Layer Security (TLS) protocol that encrypts data. The NCSC also recommends monitoring for attacks like DNS spoofing and man-in-the-middle, rejecting unsolicited inbound connections, and using encryption and encapsulation.

8. Choose services that have been designed for zero trust

In a zero trust architecture, you can’t trust the network, so services need to be designed to protect themselves from potential sources of attack. Some legacy systems will need significant, expensive retrofitting and may still have issues with usability. The NCSC advises against “reinventing the wheel,” favoring products and services that have been designed and built for a zero trust architecture. Whenever possible, use standards-based technologies that allow interoperability, such as OpenID Connect, OAuth 2.0, or SAML, and ask cloud service providers about their support for zero trust.

Benefits of Zero Trust

A common network security posture is focused on stopping threats that come from outside the network perimeter but can leave data vulnerable to theft from inside the wall. Perimeter security depends on firewalls, VPNs, intrusion detection systems, and other technologies that cybercriminals may know how to breach. This means someone with the correct credentials could be admitted to any network’s sites, apps, or devices. With zero trust security, no one is trusted by default from inside or outside the network.

Other key benefits include the following:

• Reduced attack surface. Since zero trust enforces the principle of least privilege, you actually have a smaller active attack surface. Yes, everyone and everything is suspect. However, users and devices are granted only the minimum level of access necessary to perform their tasks. This limits the potential damage from a breach. Imagine a boutique that gives customers access only to only one product at a time instead of letting them browse freely and then monitors them closely—that’s the essence of least privilege. Yes, every asset is an attack surface, but access is significantly restricted.
• Minimized impact of attacks. By strategically partitioning the network into microsegments and thereby cutting off lateral movement, a successful attack is limited to a small set of assets that were compromised. And since you’re now applying more stringent access requirements to higher-value data and systems, the expectation is that an attacker ends up with something of trivial value, not your customer list.
• Lower time and cost of recovery. A zero trust architecture should lead to fewer and more contained attacks that require less time and money to clean up. Limiting lateral movement keeps an attacker from parlaying lower-level access to further explore your network, and zero trust principles mesh well with data loss prevention (DLP) solutions to prevent sensitive data from being exfiltrated from the network. Zero trust also helps minimize the need for costly breach notification efforts.
• Control access. With zero trust, only authorized users and devices based on policy rather than physical location can even attempt access, reducing the number of potential entry points. This approach makes it easier to map controls and minimizes the potential damage if a bad actor gains access through compromised credentials or a vulnerable device.
• Improve compliance. Many compliance regulations, such as GDPR and HIPAA, emphasize the importance of robust access control mechanisms. Because zero trust enforces least privilege access, granting users only the minimum permissions needed for their tasks, the architecture aligns well with compliance requirements to restrict access to sensitive data.
• Increase visibility and monitoring. Zero trust eliminates the concept of inherently trusting an individual or device within the network perimeter. Everyone and everything requesting access, regardless of location, needs to be continuously verified. By logging these interactions, you maximize visibility and give monitoring systems the data needed to quickly notify IT of anomalies that could indicate a breach.

Zero Trust Use Cases

The concept of zero trust security has gained significant traction in recent years, especially among organizations that are prime targets for cyberattacks, such as banks, investment firms, and other financial institutions that handle sensitive financial data, and healthcare organizations, which hold a wealth of patient data subject to privacy regulations. As mentioned, government agencies are also using zero trust to protect data and critical infrastructure. Organizations with modern IT environments—that is, those that rely heavily on cloud applications and services, have remote workforces, and/or maintain large and complex digital infrastructures—are also fan.

On a granular level, there are some areas where zero trust comes into play.

• Application access. At one time, applications generally resided within a defined network perimeter, such as on a server in a local office. Employees gained access based on their location, such as on the company’s local Wi-Fi network. Today, people can work remotely and applications can live anywhere. To more easily manage access, IT may deploy a central control system, often called a trust broker, to authenticate the user requesting access to an application, check the device’s security, and grant access to only the specific resources the user needs following the principle of least privilege.
• Cloud security. Zero trust is an excellent strategy for any organization that uses cloud resources. Employees can get access no matter where they are via a strong authentication process, often using multifactor authentication. The system then considers factors such as user role, device, location, and the specific cloud resource to determine if access should be granted. This minimizes the potential damage if cloud credentials are compromised.
• Data protection. Data is vulnerable in a network-centric security model that uses only basic protections, such as username and password. Attackers have shown they can circumvent these measures. A zero trust framework with a focus on data-centric policies and protections will add, for example, additional layers of encryption for data in transit. IT can also set dynamic policies using attribute-based access control (ABAC). Where traditional access control often relies on predefined roles, such as administrator or editor, ABAC instead focuses on attributes, such as department, location, job title, security clearance, data type, document owner, access method, and the device’s physical location and type. This allows for very precise definitions of access permissions based on attributes the organization defines. It’s potentially very granular protection and often will require application code changes.
• Endpoint security. A zero trust platform helps protect assets by proactively communicating with the endpoint security software on a user’s device to assess its security posture. Is the operating system up to date? Is any malware detected? Is it personal or owned by the company? Based on the data collected, the zero trust platform grants or denies access. Both the user’s activity and the device’s health are continuously monitored by the zero trust platform for any suspicious behavior.
• Identity and access management. IAM is a pillar of CISA’s zero trust model—it lays the foundation for the architecture by defining who can access what resources. IAM involves strong authentication methods, including multifactor authentication, as well as user provisioning and access control mechanisms, such as role-based access control (RBAC) and privileged access management to safeguard sensitive data.
• Internet of Things (IoT) security. Companies with IoT programs often find zero trust security invaluable to protect a large number of devices, frequently in far-flung locations and gathering sensitive data. Traditional perimeter-based security technologies simply aren’t effective for IoT devices, which may have limited user interfaces and rely on automated processes, making older authentication methods challenging. Because zero trust continually verifies all entities requesting access, it ensures that only authorized IoT devices can connect to the network. And the principle of least privilege means IoT devices get the minimum level of access needed to function. This reduces the potential damage in case of device compromise. And a zero trust approach can scale to accommodate large-scale IoT environments.
• Network segmentation. While traditional network security focused on securing the network perimeter, zero trust takes a more granular approach, segmenting the network into small zones and controlling traffic flow between them. Newer zero trust strategies use microsegmentation techniques that reduce zone size even further. This is done using firewalls rather than routers between segments. While security is improved, performance may suffer. How small segments become is a function of both security need and firewall performance.
• Privileged access management (PAM). Zero trust and PAM are distinct security concepts that work together well. PAM systems focus specifically on securing privileged accounts—that is, user accounts with elevated permissions that grant access to critical systems and data. These accounts are prime targets for attackers. Think about a CFO with access to all financial and banking records, or a high-level system administrator. PAM depends on three pillars: multifactor authentication; just-in-time tools that grant privileged access only for the time it’s absolutely needed; and session monitoring and journaling to record exactly what privileged users are doing at any given moment, to hopefully pick up on suspicious behavior.
• Remote access. The rise of work from anywhere is an argument in favor of zero trust, since there is no longer a network perimeter, and VPNs bring their own set of issues. A zero trust strategy makes granting remote access safer because it constantly verifies users without their intervention through strong authentication methods, then grants remote users only the minimum level of access needed to perform their tasks. Organizations can write policies that define what that minimum access looks like. Zero trust is also context aware; that is, it considers factors including user identity, device security posture, location, and the specific resource being accessed when determining access permissions.
• Third-party access. Granting access to third parties in a zero trust environment requires a shift from the traditional approach to “never trust, always verify.” Besides the remote access principles outlined above, companies may wish to set up their IAM systems to manage third-party user identities and access. Develop a policy for creation, provisioning, and termination of accounts based on the individual partner. Consider a zero trust network access (ZTNA) system to provision secure tunnels to specific resources without granting access to the entire network. The just-in-time and session monitoring tools used for privileged internal users are also handy for partners.

7 Stages of Zero Trust Implementation

Achieving zero trust is a continuous journey, not a one-time project. You don’t have to reinvent the wheel, either—consider using one of the models from NIST, CISA, DISA, or NCSC as a technical roadmap. From a project level, plan to implement zero trust in a phased manner to minimize disruption and allow for employees, partners, and IT staff to adjust. Clearly communicate the rationale behind the effort to stakeholders, and address any concerns transparently. And carefully choose security products that can scale to accommodate growth and adapt to changing security realities.

More steps for success:

1. Identify and prioritize your assets. A zero trust security approach is about protecting sensitive and valuable data. To do that, you need to know what you have. This map will serve as the basis for your zero trust plan.

2.Identify your users and their requirements. A zero trust model requires capturing user information, managing user identities, and organizing access privileges. Map out all people and systems accessing your assets, looking for unneeded privileges.

3. Map out your zero trust strategy. Plan how you’ll architect to mitigate risk based on your assets and users. Factor in your budget, IT resources, and the complexity of your infrastructure when determining the timeline for each phase.

4. Take a data dive. When systems identify anomalies in data access and detect attempts to access systems outside of policy, take a hard look at that data. Almost all activity is repetitive, so anomalies are frequently an early indicator of attempted data theft. Make that information work for your mitigation efforts.

5. Map your traffic flows. Zero in on dependencies here. Does every person and system that’s able to access a database containing sensitive data need that information?

6. Automate where possible. Fill in gaps with process improvements and tools. Without automated monitoring of resources and activity, for example, organizations are unlikely to succeed with zero trust. Doing the job right demands modern security tools, including a robust IAM system to centrally manage user identities and access rights and multifactor authentication (MFA) to vet all access attempts. Encryption of data at rest and in motion is key to protecting sensitive data against unauthorized access.

7. Put metrics in place. Define how you’ll measure the success of your zero trust implementation. Key performance indicators could include a reduction in access privileges, an increase in multifactor authentication use, and buy-in from executives and line-of-business leaders.

11 Zero Trust Best Practices

CISA in its zero trust model points out that most large enterprises—including the federal government—face common challenges. Legacy systems often rely on “implicit trust,” in which access and authorization are infrequently assessed based on fixed attributes. Changing that may require significant investments along with buy-in from a wide range of stakeholders, including executives, partners, and suppliers. Best practices include the following:

1. Verify and authenticate. The basis of zero trust is requiring verified authentication of every user and device, every time they request access to systems, networks, and data. This process involves validating identities and associated access rights to a particular system. As an example, an employee might authenticate in the morning for a set time period using an authorization service, such as OAuth, which issues tokens that are valid for a limited period of time. When he needs to access a database, his entitlements for that system are confirmed by the token. Zero trust also advises advanced controls, such as behavior analytics, for devices. This as well as logs and journals help IT track activities, create reports, and enforce policies.

2. Use microsegmentation. The more granularly you can limit lateral movement without degrading performance, the better. CISA recommends distributed ingress/egress microperimeters and extensive microsegmentation based on application architectures, with dynamic just-in-time and just-enough connectivity. This doesn’t mean firewalls everywhere. Microsegmentation techniques include virtual machines for each application, east/west traffic encryption, and creating software-defined networks within the physical network to effectively isolate and secure individual segments. Intelligent routing algorithms can help optimize traffic flows and reduce latency. Regular monitoring and fine-tuning of the segmentation strategy is also crucial to balance network performance and security.

3. Continuous monitoring. Zero trust involves implementing systems that monitor and log user activity and system health. Base network monitoring on known indicators of compromise and understand that you’ll refine your processes over time to address gaps in visibility. A system that makes use of AI will learn what normal behavior looks like and then watch for and alert on anomalies.

4. Context-aware logging. Log entries contain access attempts and contextual information, such as user identity, device details, and the specific resource accessed. This data allows for comprehensive analysis and helps identify potential security incidents or suspicious activity. Monitoring systems create a detailed audit log that can be helpful for demonstrating compliance with regulations that require data access tracking. Again, AI-enabled tools can improve detection.

5. Pervasive encryption. Data is the most critical asset for most organizations, and protecting data at rest, in transit, and in use demands pervasive encryption and activity monitoring to detect unauthorized access attempts.

6. Least privilege access. In the context of zero trust, least privilege access is a core—and pretty self-explanatory—principle. It requires granting users, applications, and devices only the bare minimum access necessary to perform their tasks. This isn’t to indicate a lack of trust in employees but rather to minimize the potential damage if a bad actor gains access through stolen credentials, a compromised device, or a vulnerability.

7. Focus on device trustworthiness. A network based on zero trust principles doesn't inherently trust any device, regardless of whether it’s inside the perimeter, company owned, or previously granted access. This seeks to ensure that only authorized and compliant devices are granted access. In this case, compliance might involve meeting security posture requirements like having updated software, antivirus protection, and other monitoring software in place.

8. Secure access controls. Zero trust extends to the cloud-based applications and workspaces in use by many organizations today. The architecture demands that these applications have a known and approved security posture and that access to them is controlled.

9. Zero trust network access. ZTNA, also known as software-defined perimeter, is a security approach that controls access to internal applications and resources in a much more granular way than a traditional VPN, which grants access to an entire network once a user is verified. ZTNA evaluates security credentials every single time access to a resource is requested. The system considers context and may grant only partial access. If access is granted, it’s via a secure session between the requesting entity and the specific asset. Then, activity and device health are continuously monitored for anomalous behavior that might indicate a threat.

10. Endpoint security. Got users who tend to lag behind on making software version or malware signature updates or resist installing security software in their personal devices? Zero trust will force their hands because an endpoint without the security profile defined by your policy will simply not be granted access. IT should manage endpoint security on company-owned devices, and compliance should be verified when new sessions are initiated.

11. User education and awareness. It’s natural for employees to chafe at zero trust principles, at least at first. It may help to provide education sessions and give concrete examples of how the architecture could save the company money and reputational damage.

Strategies for a Smooth Cultural Transition

Traditional network security models often assume a certain level of trust once users are inside the network perimeter. Zero trust challenges this, and it can be a significant mindset shift for both IT staff and people accustomed to unfettered access within the network.

In addition, zero trust emphasizes strong identity and access management practices—think stricter password policies, multifactor authentication, and a more centralized approach to managing user identities and access privileges. Again, people accustomed to less stringent access controls may find these changes inconvenient. Zero trust involves more scrutiny of user activity and device health, which may raise privacy concerns among some employees who feel their actions are being monitored too closely. Some employees will refuse to install mandated software on their personal devices. What’s your response? And, security, network operations, and application development pros are not immune from resentment.

You get the gist. It’s a cultural shift, and success hinges on user buy-in. Strategies for a smooth transition include:

Clear communication of the reasons behind adopting zero trust, emphasizing the benefits of improved security and compliance. Openly address privacy concerns employees might have and explain how zero trust actually protects their data.

A phased rollout, allowing employees, partners, and IT staff the time to gradually adjust to the new security measures. Prioritize implementing zero trust in a way that minimizes disruption to workflows and maintains a positive user experience. Cloud-based technologies can help a lot here.

Comprehensive training on zero trust principles, access control procedures, and best practices for using resources securely in the new environment.

Acknowledging the cultural shift involved and thanking people for their efforts can go a long way toward successfully adopting zero trust and creating a more secure and resilient IT environment.

History of Zero Trust Security

In 2004, the concept of zero trust originated from a presentation at a Jericho Forum event given by Paul Simmonds. Simmonds coined the term “deperimeterization” and proposed a new model that fundamentally accepts that most exploits will easily transit perimeter security. Further, he added that intrusion detection technologies have little to no benefit at the perimeter, it’s easier to protect data the closer we get to it, and a hardened perimeter strategy is unsustainable.

In 2011, Google created BeyondCorp, which is the company’s attempt at implementing zero trust. Initially developed to enable remote work and eliminate the use of a VPN, BeyondCorp is not a single product, but rather a set of tools and best practices. Google Cloud offers various services that can be implemented to achieve a BeyondCorp security posture.

Then, in August 2020, NIST published the Zero Trust Architecture document which contained an abstract definition of zero trust architecture, or ZTA, and provided deployment models and use cases where zero trust could improve information technology security posture. In May of 2021 the White House issued an Executive Order on Improving the Nation’s Cybersecurity that codified zero trust, and that September CISA’s Zero Trust Maturity Model Version 1.0 was published to complement the Office of Management and Budget’s Federal Zero Trust Strategy. CISA’s model provides US federal agencies with a roadmap and resources to build a zero trust environment and is available to companies, too.

In January 2022 the Office of Management and Budget issued memo M-22-09 to federal agencies with the subject line, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” By July the Department of Defense (DoD) Zero Trust Reference Architecture was published as prepared by DISA and the National Security Agency (NSA) Zero Trust Engineering Team. The architecture provided an end-state vision, strategy, and framework for strengthening cybersecurity and guiding the evolution of existing capabilities to focus on a data-centric strategy. The DISA architecture is an excellent model for organizations moving to the cloud to follow.

Adopt Zero Trust with Oracle Cloud Infrastructure

To help implement zero trust principles, Oracle’s security-first approach requires explicit policies to allow access to Oracle Cloud Infrastructure (OCI). This means each component is considered a resource within OCI, and access must be explicitly granted. All communications within OCI are encrypted, and access rights are checked against existing policies. Those policies can be structured to grant extremely fine-grained access control for each resource, including implementing dynamic access.

OCI implements monitoring and auditing on cloud resources, allowing you to use existing object storage to conduct analysis, or you can employ your security information and event management (SIEM) tool of choice. Oracle Cloud Guard Instance Security provides automated responses to triggered events, helping speed reaction time to potential threats.

Organizations implement zero trust because they recognize that traditional security strategies aren’t keeping up with today’s threats. When all stakeholders are educated to understand that attackers may already be inside the network, they tend to accept more stringent controls that can reduce the risk of a successful attack, better protect sensitive information, and build trust with partners and customers.

Zero Trust Security FAQs

What are the five pillars of zero trust?

The five pillars of zero trust, based on the Cybersecurity and Infrastructure Security Agency’s recently published Zero Trust Maturity Model Version 2, are identity, devices, networks, applications and workloads, and data. These five pillars work together to create a comprehensive security strategy predicated on continuously verifying all users, devices, applications, and access requests. This layered approach is meant to make it much harder for attackers to gain a foothold.

What are the four goals of zero trust?

The four main goals of zero trust security are to limit the attack surface; enhance an organization’s security posture via strong authentication, least privilege access control, and continuous monitoring; safely provide employees and partners with the tools they need, including cloud services, from any device; and improve compliance.