What is a zero-trust approach?
A conventional network security posture concentrates on stopping threats at the network perimeter and can leave data exposed to anyone who is already inside it. Firewalls, VPNs, access controls, IDS/IPS, SIEMs and email gateways are deployed around that boundary, but attackers now routinely get past it, typically by obtaining valid credentials. Once inside, a user presenting the correct credentials is implicitly trusted and can reach sites, applications and devices across the network. With zero-trust security, nobody is trusted by default, whether the request originates inside or outside the network. Every request for a resource must be verified: the user's identity is authenticated, the access rights tied to that identity for the specific system are checked, and the organization manages digital identities so that each user holds only the access they need. To strengthen that authentication, zero trust layers additional access controls in front of network devices and the servers that host resources, such as multi-factor authentication and checks on the state of the requesting device. The same approach also makes it possible to track user activity, report on it, and enforce policy for compliance.
The tenets of zero-trust architecture as set out by the National Institute of Standards and Technology (NIST) in SP 800-207 are:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location; a request from inside the enterprise network earns no more trust than one from the internet.
- Access to individual enterprise resources is granted on a per-session basis; trust in the requester is evaluated before access is granted, and a grant for one resource does not carry over to a different resource.
- Access to resources is determined by dynamic policy, including the observable state of the user's identity, the application or service, and the requesting system, and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated systems; no system is inherently trusted, and one found to be subverted, unpatched or non-compliant may be denied access or restricted.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed; this is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually re-evaluating trust in the ongoing communication.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications, and uses it to improve its security posture.
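The tenets above, and the verification flow described in the opening paragraph, come together in a policy decision point: a component that decides each request for each resource from scratch, using the user's identity, the strength and freshness of their authentication, the posture of the requesting device and the sensitivity of the resource, and that records every decision. The following Python is an added illustration written for this page, not code from the article or from NIST; the class names, the resource table and every threshold in it (patch age, re-authentication age, session lifetime) are hypothetical values chosen for the example. Note that the source network is logged but never consulted for the decision.

```python
"""Minimal zero-trust policy decision point (PDP).

Added illustration, not code from the article or from NIST. Every name here
(AccessRequest, DevicePosture, RESOURCES, the patch-age, re-authentication
and session-lifetime thresholds) is hypothetical and chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class DevicePosture:
    """Observable state of the requesting system."""
    managed: bool          # enrolled in enterprise device management
    disk_encrypted: bool
    edr_healthy: bool      # endpoint agent present and reporting
    patch_age_days: int    # days since the OS was last patched


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool
    auth_age_minutes: int  # minutes since the last interactive authentication
    device: DevicePosture
    resource: str
    source_network: str    # "corp", "vpn" or "internet"; logged, never trusted


# Per-resource policy (hypothetical): who is entitled, how sensitive it is,
# how fresh the authentication must be (minutes) and how long a grant lasts.
RESOURCES = {
    "wiki":     {"groups": {"staff"}, "sensitivity": "low",  "max_auth_age": 720, "session_ttl": 60},
    "hr-db":    {"groups": {"hr"},    "sensitivity": "high", "max_auth_age": 15,  "session_ttl": 15},
    "prod-k8s": {"groups": {"sre"},   "sensitivity": "high", "max_auth_age": 15,  "session_ttl": 15},
}

# Maximum acceptable patch age (days) by resource sensitivity.
MAX_PATCH_AGE = {"low": 45, "high": 14}


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)   # empty when allowed
    session_expires: Optional[datetime] = None         # set only when allowed


DECISION_LOG: List[dict] = []   # audit trail of every decision, allowed or denied


def device_failures(device: DevicePosture, sensitivity: str) -> List[str]:
    """Return the posture checks the device fails for this sensitivity level."""
    failures = []
    if not device.managed:
        failures.append("device not managed")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if not device.edr_healthy:
        failures.append("endpoint agent unhealthy")
    limit = MAX_PATCH_AGE[sensitivity]
    if device.patch_age_days > limit:
        failures.append(f"patches older than {limit} days")
    return failures


def evaluate(req: AccessRequest, now: Optional[datetime] = None) -> Decision:
    """Decide one request for one resource. Called for every new session;
    nothing carries over from earlier grants or from the source network."""
    now = now or datetime.now(timezone.utc)
    policy = RESOURCES.get(req.resource)
    reasons: List[str] = []
    if policy is None:
        reasons.append("unknown resource")
    else:
        if not (req.groups & policy["groups"]):
            reasons.append("user not entitled to resource")
        if not req.mfa_verified:
            reasons.append("MFA required")
        if req.auth_age_minutes > policy["max_auth_age"]:
            reasons.append("re-authentication required")
        reasons.extend(device_failures(req.device, policy["sensitivity"]))
    # req.source_network is deliberately not consulted: location implies no trust.
    allow = not reasons
    expires = now + timedelta(minutes=policy["session_ttl"]) if allow else None
    decision = Decision(allow, reasons, expires)
    DECISION_LOG.append({
        "time": now.isoformat(), "user": req.user, "resource": req.resource,
        "source_network": req.source_network, "allow": allow, "reasons": list(reasons),
    })
    return decision


if __name__ == "__main__":
    # Constructed sample request: an SRE on a healthy device, coming from the internet.
    healthy = DevicePosture(managed=True, disk_encrypted=True, edr_healthy=True, patch_age_days=3)
    req = AccessRequest("alice", frozenset({"staff", "sre"}), True, 5, healthy, "prod-k8s", "internet")
    print(evaluate(req))
```

Two design points are worth noticing. The grant carries an expiry, so a session to a high-sensitivity resource must be re-evaluated after a short interval rather than living for the life of a VPN tunnel, and a grant for `prod-k8s` says nothing about `hr-db`. A denial never fails silently: the reasons list tells the user what to fix (re-authenticate, patch the device) and the same record lands in the audit log for reporting and compliance.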