Technology: Zero Trust

No access is trusted until it is verified

Zero Trust is a security model based on the principle "Never trust, always verify": no user, device, or service is granted trust automatically just because it sits inside the internal network. Authentication and authorisation happen explicitly and context-aware, for each request, before a session to a resource is established (NIST SP 800-207).

The classic perimeter model ("castle and moat") has become obsolete with cloud computing, remote work, and SaaS: there is no longer a perimeter worth defending.

Core Principles

  • Verify Explicitly: Every access request is authenticated based on identity, device state, location, and behaviour.
  • Least Privilege Access: Users and services receive only the minimum rights required for their current task.
  • Assume Breach: System design assumes that an attacker is already inside the network, so every component is built to limit lateral movement rather than rely on the perimeter.
  • Micro-Segmentation: Network segments are kept as small as possible to minimise the blast radius of an attack.
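The "Assume Breach" and "Micro-Segmentation" principles can be modelled as a default-deny allowlist for service-to-service traffic. The following is an added example, not code from the original page: the workload names, allow rules and flow records are constructed for illustration, and the helper names (`is_allowed`, `audit_flows`, `blast_radius`) are this example's own. It shows that with an explicit allowlist, flows a compromised front end would attempt during lateral movement are denied and surface as audit findings, and it computes how far an attacker could get from any single compromised workload.

```python
"""Default-deny micro-segmentation policy with flow auditing (added example)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str          # source workload
    dst: str          # destination workload
    port: int
    proto: str = "tcp"


# Explicit allowlist of (source, destination, port). Everything not listed is
# blocked. Constructed for this example; a real policy would be generated from
# the service dependency graph.
ALLOW_RULES = {
    ("web-frontend", "api-gateway", 443),
    ("api-gateway", "orders-service", 8443),
    ("orders-service", "orders-db", 5432),
    ("monitoring", "orders-service", 9100),
}


def is_allowed(flow: Flow) -> bool:
    """Default deny: a flow passes only if an explicit rule matches it."""
    return (flow.src, flow.dst, flow.port) in ALLOW_RULES


def audit_flows(flows):
    """Return every denied flow. In a monitoring pipeline these are the
    lateral-movement candidates that should raise an alert."""
    return [f for f in flows if not is_allowed(f)]


def blast_radius(start: str) -> set:
    """Workloads reachable (transitively) from `start` under the allow rules,
    i.e. the blast radius if `start` is compromised."""
    reachable, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for src, dst, _port in ALLOW_RULES:
            if src == node and dst not in reachable:
                reachable.add(dst)
                queue.append(dst)
    return reachable


# Constructed flow log: two legitimate requests and three attempts a
# compromised web-frontend (or a pivot from it) might make.
SAMPLE_FLOWS = [
    Flow("web-frontend", "api-gateway", 443),
    Flow("api-gateway", "orders-service", 8443),
    Flow("web-frontend", "orders-db", 5432),       # front end must never reach the DB
    Flow("web-frontend", "orders-service", 22),    # SSH from the web tier
    Flow("orders-service", "web-frontend", 445),   # SMB back towards the front end
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"DENY {f.src} -> {f.dst}:{f.port}/{f.proto}")
    print("blast radius of web-frontend:", sorted(blast_radius("web-frontend")))
```

The `blast_radius` function is the part worth running against a real policy: if a low-trust workload can transitively reach the database, the segmentation is too coarse even though every individual rule looks reasonable.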

Technical Building Blocks

  1. Identity Provider (IdP): Central authentication (e.g. Keycloak, Azure AD) as the single trust anchor.
  2. MFA (Multi-Factor Authentication): Mandatory for all access, especially privileged accounts.
  3. Device Posture Check: Devices must prove they are currently patched and compliant.
  4. Network Micro-Segmentation: Service-to-service communication is explicitly allowed; everything else is blocked.
  5. Continuous Monitoring: Anomaly detection and behaviour analytics for all access.

Focus: Identity as a Central Signal

In a Zero Trust architecture, identity (user, service, device) is a central signal for access decisions, but not the only one: the policy additionally evaluates device state, asset, resource, entitlement, and context.
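To make the preceding paragraph and the "Core Principles" and "Technical Building Blocks" lists concrete, here is an added example (not from the original page) of a small policy decision point in the NIST SP 800-207 sense. Identity is one input; device posture, context and per-resource entitlements are evaluated alongside it, and a grant covers only the action that was requested. The `Identity`, `Device`, `Context`, `Request` and `Decision` types, the `evaluate` function and the `POLICY` table are this example's own constructions, as are the thresholds and sample principals.

```python
"""Context-aware access decision where identity is one signal of several (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    subject: str
    mfa_verified: bool        # from the IdP: was a second factor completed?
    roles: frozenset


@dataclass(frozen=True)
class Device:
    managed: bool             # enrolled in device management
    patch_age_days: int       # days since the last patch level was confirmed
    disk_encrypted: bool


@dataclass(frozen=True)
class Context:
    country: str
    risk_score: int           # 0..100 from behaviour analytics; higher is more anomalous


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    context: Context
    resource: str
    action: str


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)
    granted_actions: frozenset = frozenset()


# Per-resource policy (constructed): which role may perform which action,
# how fresh the device must be, which countries are expected, and the
# maximum tolerated behavioural risk.
POLICY = {
    "payroll-app": {
        "entitlements": {"hr-admin": {"read", "write"}, "employee": {"read"}},
        "max_patch_age_days": 14,
        "allowed_countries": {"DE", "AT", "CH"},
        "max_risk": 40,
    },
}


def evaluate(req: Request) -> Decision:
    """Collect every failed signal; deny if any failed, otherwise grant only
    the requested action (least privilege)."""
    policy = POLICY.get(req.resource)
    if policy is None:
        return Decision(False, ["unknown resource: default deny"])
    reasons = []

    # Verify explicitly: the identity must come with a completed second factor.
    if not req.identity.mfa_verified:
        reasons.append("MFA not completed")

    # Device posture: managed, recently patched, encrypted.
    d = req.device
    if not d.managed:
        reasons.append("unmanaged device")
    if d.patch_age_days > policy["max_patch_age_days"]:
        reasons.append(f"device patch age {d.patch_age_days}d exceeds {policy['max_patch_age_days']}d")
    if not d.disk_encrypted:
        reasons.append("disk not encrypted")

    # Context: location and behavioural risk.
    if req.context.country not in policy["allowed_countries"]:
        reasons.append(f"country {req.context.country} not permitted for {req.resource}")
    if req.context.risk_score > policy["max_risk"]:
        reasons.append(f"risk score {req.context.risk_score} above {policy['max_risk']}")

    # Entitlement: does any role of the subject allow the requested action?
    permitted = set()
    for role in req.identity.roles:
        permitted |= policy["entitlements"].get(role, set())
    if req.action not in permitted:
        reasons.append(f"role lacks '{req.action}' on {req.resource}")

    if reasons:
        return Decision(False, reasons)
    # Grant only what was asked for, not everything the role could do.
    return Decision(True, ["all signals satisfied"], frozenset({req.action}))


# Constructed principals and devices for the demonstration.
ALICE = Identity("alice", mfa_verified=True, roles=frozenset({"hr-admin"}))
BOB = Identity("bob", mfa_verified=True, roles=frozenset({"employee"}))
GOOD_DEVICE = Device(managed=True, patch_age_days=3, disk_encrypted=True)
STALE_DEVICE = Device(managed=True, patch_age_days=45, disk_encrypted=True)
OFFICE = Context(country="DE", risk_score=10)

if __name__ == "__main__":
    for req in (
        Request(ALICE, GOOD_DEVICE, OFFICE, "payroll-app", "write"),
        Request(ALICE, STALE_DEVICE, OFFICE, "payroll-app", "write"),
        Request(BOB, GOOD_DEVICE, OFFICE, "payroll-app", "write"),
        Request(BOB, GOOD_DEVICE, Context("US", 10), "payroll-app", "read"),
    ):
        dec = evaluate(req)
        print(req.identity.subject, req.action, "ALLOW" if dec.allow else "DENY", dec.reasons)
```

Note that the same fully verified identity is denied on the stale device: a correct password and MFA do not compensate for a failed posture check, which is exactly the "identity is central but not the only signal" point. The reasons list is also what a SOC wants logged, because a burst of denials for one subject is itself a detection signal.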

FAQ

Is Zero Trust not too complex for smaller organisations?

Zero Trust is not a product but a principle. Smaller organisations can start with basic steps: strong authentication (MFA), least privilege for admin accounts, and network segmentation for critical systems.

How does Zero Trust relate to existing VPNs?

Traditional broad-access VPNs often grant full network access after login ("all or nothing"). VPNs can be combined with segmentation, device posture, and conditional access; Zero Trust, however, gradually replaces broad access with application-level access: access is granted per application and context.
