Technology: Zero Trust
No access is trusted until it is verified
Zero Trust is a security model based on the principle "Never trust, always verify": no user, device, or service is trusted automatically just because it sits inside the internal network. Authentication and authorisation happen explicitly and are context-aware, and they take place before a session to a resource is established (NIST SP 800-207).
The classic perimeter model ("castle and moat") has become obsolete with cloud computing, remote work, and SaaS: there is no longer a perimeter worth defending.
Core Principles
- Verify Explicitly: Every access request is authenticated based on identity, device state, location, and behaviour.
- Least Privilege Access: Users and services receive only the minimum rights required for their current task.
- Assume Breach: System design assumes that an attacker is already inside. Lateral movement is prevented.
- Micro-Segmentation: Network segments are kept as small as possible to minimise the blast radius of an attack.
Technical Building Blocks
- Identity Provider (IdP): Central authentication (e.g. Keycloak, Azure AD) as the single trust anchor.
- MFA (Multi-Factor Authentication): Mandatory for all access, especially privileged accounts.
- Device Posture Check: Devices must prove they are currently patched and compliant.
- Network Micro-Segmentation: Service-to-service communication is explicitly allowed; everything else is blocked.
- Continuous Monitoring: Anomaly detection and behaviour analytics for all access.
Focus: Identity as a Central Signal
In a Zero Trust architecture, identity (user, service, device) is a central signal for access decisions, but not the only one: the policy additionally evaluates device state, asset, resource, entitlement, and context.
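As an added example (not taken from this page or from NIST SP 800-207), the following constructed Python policy decision function evaluates the signals listed above for one access request. The field names, the resource model and the RISK_THRESHOLD value are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed model of a Zero Trust policy decision point (PDP).
# Every signal named on the page (identity, MFA, device posture, entitlement,
# context/behaviour) is checked explicitly; a missing or failed signal denies.
# Network location is deliberately NOT a trust signal (assume breach).

@dataclass(frozen=True)
class AccessRequest:
    subject: str                 # authenticated identity, "" if unauthenticated
    mfa_verified: bool           # MFA completed for this session
    device_compliant: bool       # posture check passed (patched, compliant)
    device_managed: bool         # enrolled in device management
    entitlements: frozenset      # rights granted to the subject
    source_network: str          # "corp", "vpn" or "internet"; informational only
    risk_score: float            # behaviour analytics, 0.0 (normal) .. 1.0

@dataclass(frozen=True)
class Resource:
    name: str
    required_entitlement: str    # least privilege: the exact right needed
    sensitivity: str             # "low" or "high"

RISK_THRESHOLD = 0.5             # assumed tuning value, not from the page

def decide(req: AccessRequest, res: Resource) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Default deny: access is granted only when
    no check fails, and the reasons list explains every failed check."""
    reasons = []
    # Verify explicitly: identity and MFA are required for every request.
    if not req.subject:
        reasons.append("no authenticated identity")
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    # Device posture: unpatched or non-compliant devices are denied.
    if not req.device_compliant:
        reasons.append("device not compliant")
    # Least privilege: the subject must hold the right the resource needs.
    if res.required_entitlement not in req.entitlements:
        reasons.append(f"missing entitlement '{res.required_entitlement}'")
    # Context: high-sensitivity resources also need a managed device and low risk.
    if res.sensitivity == "high":
        if not req.device_managed:
            reasons.append("high-sensitivity resource requires a managed device")
        if req.risk_score > RISK_THRESHOLD:
            reasons.append(f"risk score {req.risk_score:.2f} above threshold")
    # Note: req.source_network is never consulted; being on "corp" earns no trust.
    return (not reasons, reasons)
```

A request from the corporate network without MFA is denied, while a fully verified request from the public internet on a managed, compliant device is allowed: the decision follows the signals, not the network location.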
FAQ
Is Zero Trust not too complex for smaller organisations?
Zero Trust is not a product but a principle. Smaller organisations can start with basic steps: strong authentication (MFA), least privilege for admin accounts, and network segmentation for critical systems.
How does Zero Trust relate to existing VPNs?
Traditional broad-access VPNs often grant full network access after login ("all or nothing"). VPNs can be combined with segmentation, device posture, and conditional access; Zero Trust, however, gradually replaces broad access with application-level access: access is granted per application and context.
References
- NIST SP 800-207: Zero Trust Architecture. US standards body framework for Zero Trust architectures. (2020). www.nist.gov/publications/zero-trust-architecture
- CISA Zero Trust Maturity Model. Maturity model for incremental Zero Trust adoption. (2023). www.cisa.gov/zero-trust-maturity-model
- Google BeyondCorp. Pioneering implementation of the Zero Trust model. (2014). cloud.google.com/beyondcorp
Related topics
- Technology: Security Strategy, the security frame for Zero Trust.
- Technology: Offensive Security, the test context for security assumptions in Zero Trust.
- Technology, the technology section that frames Zero Trust.