Understanding zero trust security
Zero trust security is a cybersecurity model that requires all identities (people, devices, or any other entity designated as a user) to be authenticated, authorized, and continuously verified, whether the user is inside or outside the enterprise's network, prior to and while accessing data and applications. The zero trust security model applies to an organization's network, whether it is local, in the cloud, or hybrid, and regardless of where its users are located.
The zero trust security model is a more effective alternative to conventional network security approaches that trust any identity once it is inside the network. Perimeter-based approaches leave the enterprise exposed because the perimeter no longer matches how the enterprise actually operates, including:
- remote, hybrid, and non-employee (contractors and other third parties) access
- diverse data, application, and network devices and locations
- migration to the cloud
- data breaches and ransomware attacks
Once an attacker, whether an outside intruder with stolen credentials or a malicious insider, is inside a perimeter-trusted network, lateral movement to other resources is easy. With zero trust security, even users inside the network are not trusted by default; they are continually re-verified to confirm that they should still have the access to applications and data that was originally granted.
Zero trust security presumes that the enterprise is always endangered by internal and external threats. It enables an intentional and methodical approach to mitigating those threats. Because it trusts no one, even users with existing access to organizational resources, the zero trust security model provides foundational security for the modern enterprise.
Zero trust security and NIST
The National Institute of Standards and Technology (NIST) Special Publication 800-207 on zero trust architecture “provide[s] a road map to migrate and deploy zero trust security concepts to an enterprise environment” (p. iii). It offers a standard to which organizations can align but “is not intended to be a single deployment plan for [zero trust architecture]” (p. iii).
At the time of this writing, NIST Special Publication 1800-35 is available in draft form and open to comments. This publication is intended to support readers who are generating strategies for transitioning to a zero trust security model. Sections of the guide are designed to appeal to various organizational roles, from IT leadership to managers and specialists.
NIST standards are ever-evolving, partially based on feedback from professionals who follow their manuals. They are vendor-neutral and expansive, though not meant to be comprehensive as they cannot address every use case. NIST zero trust security standards can be used to support any organization, not just government agencies.
The NIST National Cybersecurity Center of Excellence (NCCoE)’s goal is to alleviate difficulties around understanding zero trust and implementing a supporting zero trust architecture for typical business cases. Aspects of zero trust security that the NCCoE focuses on include:
- Transitioning from the traditional security approach on network perimeters, which provided access to anyone inside, to limited, changeable, risk-based access control, no matter where resources are located
- Understanding and managing challenges associated with executing on a zero trust architecture, such as evaluating organizational priorities for investments and assessing the impact on user experience
- Realizing benefits to the enterprise from implementing zero trust, including supporting remote teams, mitigating insider threats and data breaches, and enhancing visibility
How zero trust security works
The underlying model of zero trust security is straightforward: trust no one by default. As mentioned above, it is a fundamental shift from the traditional model built around a network perimeter, which assumes a user is safe once they have presented credentials at the edge. The zero trust security model treats every identity, including those already inside the network, as untrusted until it has been verified, and as a potential source of compromise thereafter. Security that is enforced everywhere, on-premises, in a public cloud, or in a hybrid environment, is stronger when it is based on verifying identities rather than on network location.
With zero trust security, applications and services can securely communicate across networks, and identities, whether humans, devices, or applications, can be granted access to the data and applications they need based on business policies. A zero trust security model prevents unapproved access and lateral movement by evaluating each request against access policies that depend on context, including the:
- user’s role and location
- user’s device and its security posture (managed, patched, compliant)
- sensitivity of the data being requested by the user
Implementing the zero trust security framework requires a combination of sophisticated tools such as multi-factor authentication, identity security, endpoint security, and dynamic cloud-based services to protect the enterprise’s users, data, and systems at every point of access.
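The context-dependent policy decision described above, as an added example that is not part of the original page and not any vendor's product logic. It is a deny-by-default policy engine in Python: the roles, resources, data classifications and device attributes are a constructed policy, and the rule that confidential data requires a phishing-resistant factor is an assumed organizational choice, not something the page prescribes.

```python
"""Deny-by-default, context-aware access decision (added example).

The roles, resources, classifications and thresholds below are a constructed
policy for illustration, not a real product's schema.
"""
from dataclasses import dataclass
from typing import Optional

# Data classifications in increasing order of sensitivity.
CLASSIFICATIONS = ["public", "internal", "confidential", "restricted"]

# Role -> resources that role is explicitly entitled to (least privilege).
# A marketing user, for example, has no entitlement to the CRM at all.
ROLE_ENTITLEMENTS = {
    "marketing": {"cms", "analytics"},
    "sales": {"crm", "analytics"},
    "finance": {"erp", "crm"},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_method: Optional[str]   # None, "totp" or "fido2"
    device_managed: bool        # enrolled in the enterprise device inventory
    device_compliant: bool      # encryption, patch level, EDR healthy
    location: str               # "office", "home" or "unknown"; a signal, not a grant
    resource: str
    classification: str         # sensitivity of the data being requested


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def evaluate(req: Request) -> Decision:
    """Return the first failing check; if every check passes, allow."""
    if req.classification not in CLASSIFICATIONS:
        return Decision(False, "unknown data classification")
    level = CLASSIFICATIONS.index(req.classification)

    # 1. Identity and role: the resource must be in the role's entitlement set.
    if req.resource not in ROLE_ENTITLEMENTS.get(req.role, set()):
        return Decision(False, f"role {req.role!r} is not entitled to {req.resource!r}")

    # 2. Authentication strength scales with sensitivity.
    if req.mfa_method is None:
        return Decision(False, "MFA is required for all access")
    if level >= CLASSIFICATIONS.index("confidential") and req.mfa_method != "fido2":
        return Decision(False, "phishing-resistant MFA required for confidential data")

    # 3. Device posture: unmanaged devices reach only public data; managed
    #    devices must be compliant. Being "inside the office" changes nothing here.
    if not req.device_managed and level > CLASSIFICATIONS.index("public"):
        return Decision(False, "unmanaged device is limited to public data")
    if req.device_managed and not req.device_compliant:
        return Decision(False, "managed device is out of compliance")

    # 4. Location as an additional signal: restricted data is never served to
    #    requests from unknown networks, even when everything else checks out.
    if req.location == "unknown" and req.classification == "restricted":
        return Decision(False, "restricted data not served to unknown networks")

    return Decision(True, "all policy checks passed")


if __name__ == "__main__":
    # Constructed requests: a marketing user probing the CRM (no entitlement),
    # and a sales user on a compliant managed device with and without FIDO2.
    for r in [
        Request("mallory", "marketing", "fido2", True, True, "office", "crm", "confidential"),
        Request("sam", "sales", "totp", True, True, "office", "crm", "confidential"),
        Request("sam", "sales", "fido2", True, True, "home", "crm", "confidential"),
    ]:
        d = evaluate(r)
        print(f"{r.user:8} {r.resource:10} {'ALLOW' if d.allow else 'DENY ':5} {d.reason}")
```

The ordering of the checks is deliberate: entitlement is evaluated before authentication strength so that a user with no business reason to reach a resource is refused regardless of how strongly they authenticate, and the office location never short-circuits the device or MFA checks, which is the point of the model.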
Zero trust security architecture
A zero trust security architecture is a general framework that safeguards the enterprise’s most significant resources. Since all connections and endpoints are assumed to be threats, a zero trust security architecture:
- Manages and restricts network access
- Makes applications and data inaccessible by default
- Validates and authorizes every connection, based on whether granting access conforms with the enterprise’s security policies
- Terminates each connection so that traffic and files can be inspected before they are delivered (an inline proxy model), instead of the pass-through inspection of a traditional firewall, which may detect an infected file only after it has already reached the endpoint
- Records, reviews, and monitors all organizational network traffic, utilizing context from as many data sources as available
- Validates and secures network assets
A zero trust security architecture relies on least-privilege access, which limits user access only to what is required for their job function. For example, an employee who works in marketing does not necessarily need access to sensitive customer data in the enterprise’s customer relationship management (CRM) software.
Zero trust security use cases
Zero trust, a recommended model for years, is being evolved and formalized due to increased cyber threats and the growing need for the enterprise to enable secure digital transformation. Significant use cases for zero trust include:
- addressing organizational concerns such as regulatory compliance and associated audit challenges, difficulty in maintaining cyber insurance, security operations center (SOC) issues, and/or multi-factor authentication effects on users
- reducing organizational risk for enterprises that lack robust authentication and authorization protocols, have poor visibility into the network and how resources communicate, or suffer from overprovisioned software and services
- safeguarding infrastructure models that are multi-identity, cloud, multi-cloud, or hybrid and/or include SaaS applications, legacy systems, or unmanaged devices
- quickly and securely onboarding and offboarding employees, as well as seamlessly granting and revoking access when users change roles
- securely supporting remote work, as well as non-employees like contractors and other third parties using computers that are not managed by organizational IT teams
- addressing existing threats, such as data breaches, ransomware, insider threats, shadow IT, or supply chain attacks
- creating boundaries around sensitive information such as data backups, credit card information, and personal data with zero trust microsegmentation, which not only enables proper categorization of data types, but offers better visibility and management during audits, or if a data breach occurs
Core principles of the zero trust security model
Continuous monitoring and validation
A key concept in zero trust security is that applications cannot be assumed to be trustworthy and continuous monitoring at runtime is required to validate their behavior. Continuous validation means that the enterprise must constantly authenticate access for all resources; “trusted” credentials, zones, and devices do not exist.
Continuously validating such extensive resources requires risk-based conditional access to ensure the workflow is only disrupted when risk levels change, enabling that continual verification without compromising user experience. Also, since users, information, and workloads frequently move, the enterprise must deploy a scalable dynamic policy model that incorporates risk, compliance, and IT considerations.
Microsegmentation
Microsegmentation, a core aspect of zero trust security, divides the network into small, isolated zones, down to individual workloads, with an explicit access policy between them. With zero trust, a user or application granted access to one zone cannot reach any other zone without a separate, explicit grant.
Preventing lateral movement
An important aspect of zero trust security is preventing lateral movement, which occurs when a cyber attacker repositions within a network after gaining entry to it. Lateral movement can be hard to detect even when the initial entry point is found, because by then the attacker has typically already moved on to other areas of the network.
By microsegmenting access to the network, zero trust security keeps cyber attackers from gaining access to one area and then moving laterally across a network.
Pinned into a particular zone, the attacker is easier to locate, and the offending user, application, or device can be isolated so that access to additional zones is impossible.
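The microsegmentation and lateral-movement discussion above, as an added example that is not part of the original page: a label-based, default-deny east-west flow policy in Python, run over a constructed flow log. The workload inventory, the allow list and the log lines are all invented for the illustration; the point is that a compromised host fanning out to peers it has no entitlement to is both blocked by the policy and visible in the denied flows.

```python
"""Label-based microsegmentation with default-deny east-west flows (added example).

Workloads carry a segment label; the only permitted flows are those listed
explicitly. Inventory, policy and the flow log are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed inventory: workload name -> segment label.
WORKLOADS = {
    "web-01": "web", "web-02": "web",
    "api-01": "api",
    "db-01": "db",
    "backup-01": "backup",
    "jump-01": "admin",
}

# Explicit allow list of (source segment, destination segment, port).
# Anything not listed, including traffic inside the same segment, is denied.
ALLOW = {
    ("web", "api", 8443),
    ("api", "db", 5432),
    ("backup", "db", 5432),
    ("admin", "api", 22),
    ("admin", "db", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def is_allowed(flow: Flow) -> bool:
    """Default deny: unknown workloads get no implicit trust, nor does shared subnet membership."""
    src_seg = WORKLOADS.get(flow.src)
    dst_seg = WORKLOADS.get(flow.dst)
    if src_seg is None or dst_seg is None:
        return False
    return (src_seg, dst_seg, flow.port) in ALLOW


def parse_flow(line: str) -> Flow:
    """Constructed log format: '<src> <dst> <port>' per line."""
    src, dst, port = line.split()
    return Flow(src, dst, int(port))


def evaluate_log(text: str):
    """Split a flow log into allowed and denied flows."""
    allowed, denied = [], []
    for line in text.strip().splitlines():
        flow = parse_flow(line)
        (allowed if is_allowed(flow) else denied).append(flow)
    return allowed, denied


def suspicious_sources(denied, threshold: int = 2):
    """Sources with >= threshold distinct denied (dst, port) targets: one
    workload fanning out to peers it has no business with is the signature
    of an attacker pinned inside a segment and probing for a way out."""
    fanout = Counter()
    seen = set()
    for f in denied:
        if (f.src, f.dst, f.port) not in seen:
            seen.add((f.src, f.dst, f.port))
            fanout[f.src] += 1
    return sorted(src for src, n in fanout.items() if n >= threshold)


# Constructed flow log: web-01 behaves like a compromised host probing
# the database, the backup server and SSH on the API tier.
FLOW_LOG = """
web-01 api-01 8443
web-01 db-01 5432
web-01 backup-01 22
web-01 api-01 22
api-01 db-01 5432
jump-01 db-01 22
backup-01 db-01 5432
web-02 db-01 3306
"""

if __name__ == "__main__":
    allowed, denied = evaluate_log(FLOW_LOG)
    for f in denied:
        print(f"DENY  {f.src} -> {f.dst}:{f.port}")
    print("possible lateral movement from:", suspicious_sources(denied))
```

In a real deployment the same (label, label, port) tuples would be expressed as cloud security-group rules, host firewall rules or Kubernetes NetworkPolicy objects and enforced at each workload; the evaluator here is the detection side, showing why denied-flow logs from a default-deny policy are such a strong lateral-movement signal.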
Device access control
To limit the organization’s network attack surface, zero trust security calls for rigorous management of device access to:
- inventory the devices attempting to access the network
- confirm that each device is authorized
- ensure that devices have not been compromised
Principle of least privilege access
According to the principle of least privilege, another core part of zero trust security, users are granted only the minimum access permissions required for their job function. This forces deliberate administration of user permissions and keeps the exposure of each network segment to a compromised or careless account to a minimum. Along with microsegmentation, least-privilege access is used to limit lateral movement.
Least-privilege access limits user access through just-in-time (JIT) provisioning, just-enough administration (JEA), risk-based adaptive policies, and data protection, so that standing privileges are replaced by scoped, time-bounded grants. Monitoring access under least-privilege constraints provides analytics and reporting that enable the enterprise to identify and react to anomalies immediately.
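The JIT/JEA grants described in this section and the continuous validation described under "Continuous monitoring and validation" above, as one added example that is not part of the original page: a small grant store in Python in which every grant names explicit actions, carries an expiry and a risk budget, and is re-checked on every use. The subject names, resource names, TTLs and risk scores are constructed, and the risk signal is assumed to arrive from an external source such as an EDR or identity provider.

```python
"""Just-in-time, just-enough grants that are re-validated on every use (added example).

A grant names explicit actions (just enough), carries an expiry (just in time)
and a risk budget; any use after expiry or after the subject's risk signal
exceeds the budget is refused and the grant is revoked. Names and scores are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Grant:
    subject: str
    resource: str
    actions: frozenset   # explicit verbs, never a blanket "admin"
    expires_at: float    # absolute time, seconds
    max_risk: int        # revoke when the subject's risk score exceeds this


class GrantStore:
    def __init__(self):
        self._grants = {}   # (subject, resource) -> Grant
        self.risk = {}      # subject -> latest risk score from EDR, IdP, SIEM...
        self.audit = []     # (event, subject, resource, detail, time)

    def issue(self, subject, resource, actions, ttl_s, max_risk, now):
        """Create a scoped, time-boxed grant. The approval workflow is out of scope here."""
        grant = Grant(subject, resource, frozenset(actions), now + ttl_s, max_risk)
        self._grants[(subject, resource)] = grant
        self.audit.append(("issue", subject, resource, sorted(actions), now))
        return grant

    def _revoke(self, key, why, now):
        grant = self._grants.pop(key, None)
        if grant is not None:
            self.audit.append(("revoke", key[0], key[1], why, now))

    def update_risk(self, subject, score, now):
        """Signal sources push new scores; grants over budget die immediately,
        not at the next login. Lowering the score later does not restore them."""
        self.risk[subject] = score
        for key, grant in list(self._grants.items()):
            if grant.subject == subject and score > grant.max_risk:
                self._revoke(key, f"risk {score} > {grant.max_risk}", now)

    def authorize(self, subject, resource, action, now):
        """Continuous validation: every use re-checks expiry, risk and scope."""
        key = (subject, resource)
        grant = self._grants.get(key)
        if grant is None:
            return False, "no active grant"
        if now >= grant.expires_at:
            self._revoke(key, "expired", now)
            return False, "grant expired"
        if self.risk.get(subject, 0) > grant.max_risk:
            self._revoke(key, "risk exceeded", now)
            return False, "risk exceeded"
        if action not in grant.actions:
            self.audit.append(("deny", subject, resource, action, now))
            return False, f"action {action!r} outside grant scope"
        self.audit.append(("allow", subject, resource, action, now))
        return True, "ok"


def demo():
    """Walk one grant through its life cycle; returns the allow/deny sequence."""
    store = GrantStore()
    t0 = 1_700_000_000.0
    store.issue("alice", "prod-db", {"read"}, ttl_s=900, max_risk=50, now=t0)
    outcomes = [
        store.authorize("alice", "prod-db", "read", t0 + 10)[0],   # True: in scope, in time
        store.authorize("alice", "prod-db", "drop", t0 + 20)[0],   # False: just enough, not admin
    ]
    store.update_risk("alice", 80, t0 + 30)                        # e.g. EDR alert on her laptop
    outcomes.append(store.authorize("alice", "prod-db", "read", t0 + 40)[0])    # False: revoked
    store.update_risk("alice", 10, t0 + 50)                        # incident cleared...
    outcomes.append(store.authorize("alice", "prod-db", "read", t0 + 60)[0])    # ...still False: needs re-approval
    store.issue("alice", "prod-db", {"read"}, ttl_s=900, max_risk=50, now=t0 + 70)
    outcomes.append(store.authorize("alice", "prod-db", "read", t0 + 80)[0])    # True: fresh grant
    outcomes.append(store.authorize("alice", "prod-db", "read", t0 + 2000)[0])  # False: TTL elapsed
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the zero trust intent: revocation happens when the risk signal changes rather than at the next authentication, and a cleared incident does not silently restore the old grant, so re-approval is the only path back to access.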
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is also a core principle of the zero trust security model. MFA requires two or more independent factors to access IT resources, drawn from different categories: something the user knows (a password or PIN), something the user has (a hardware security key, a one-time-code authenticator application on a mobile device, or a security token), and something the user is (a fingerprint or face scan).
Two-factor authentication (2FA) is the special case of MFA that uses exactly two factors, typically a password plus one of the secondary mechanisms above; MFA in general may require additional factors for higher-risk access. Not all factors resist the same attacks: one-time codes can be phished or relayed in real time, whereas FIDO2/WebAuthn security keys bind the authentication to the site’s origin and are considered phishing-resistant, which is why zero trust policies often require them for the most sensitive resources.
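A concrete possession factor, as an added example that is not from the original page: a time-based one-time password (TOTP, RFC 6238) generator and server-side verifier in Python. The shared secret and expected codes used below are the RFC 6238 SHA-1 test vectors; the one-step clock-skew window and the replay check are assumed policy choices that a real verifier needs but that the RFC leaves to the implementer.

```python
"""TOTP (RFC 6238) generation and hardened verification (added example).

The secret and codes under __main__ are the RFC 6238 SHA-1 test vectors. The
+/-1 step window and the replay check are assumed policy choices; the RFC
leaves both to the implementer.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side. Tolerates one step of clock skew, compares in constant time
    and refuses any counter at or below the last one consumed, so a code that
    was captured (for example by a phishing page) cannot be replayed after use."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_counter = -1

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        if not (submitted.isdigit() and len(submitted) == self.digits):
            return False
        current = at // self.step
        matched = None
        # Check the whole window unconditionally so timing does not reveal which step matched.
        for counter in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), submitted):
                matched = counter
        if matched is None or matched <= self._last_counter:
            return False     # wrong code, or a replay of an already-consumed step
        self._last_counter = matched
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"           # RFC 6238 test key (ASCII)
    print(totp(secret, 59, digits=8))           # 94287082 per RFC 6238
    v = TotpVerifier(secret, digits=8)
    print(v.verify("94287082", 59))             # True
    print(v.verify("94287082", 59))             # False: replay
```

The replay check is what turns a correct TOTP implementation into a usable second factor: without it, a code harvested by a real-time phishing proxy stays valid for the rest of its time step plus the skew window. Even with it, the factor remains phishable during that window, which is the gap that origin-bound FIDO2 authenticators close.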
Implementing zero trust security
To execute a zero trust security architecture, the enterprise must:
- commit to zero trust security and devise a well-organized strategy and roadmap
- document the IT infrastructure and information resources
- analyze the organization’s vulnerabilities, including potential attack paths
- select and implement security tools to accomplish the required business results
- align security teams on priorities, policies for assigning attributes and privileges, and policy enforcement
- consider data encryption, email security, and validating resources and endpoints before they connect to applications
- examine and validate traffic between parts of the environment
- connect data across each security domain
Connections to secure include:
- User and user segments
- Accounts
- Data
- Devices and device segments
- Applications
- Workloads
- Networks and network segments
As the enterprise transitions to a zero trust security architecture, microsegmentation, rather than traditional network segmentation, safeguards information, workflow, and services. This enables security regardless of network location, whether resources are in a data center or in distributed hybrid and multi-cloud environments. Additional components for implementing a zero trust security architecture solution include overlay networks, software-defined perimeters (SDP), policy-based access controls (PBAC), and identity governance.
Implementing a zero trust security architecture may appear to be somewhat obstructive, but it can enable visibility into and greater understanding of an ever-evolving attack surface, as well as enhance user experience, decrease security complexity, and reduce operational overhead.
Automating context collection and response, another element of a zero trust security model, enables fast, high-quality decision-making based on data compiled from sources like human and non-human users, workloads, endpoints (physical devices), networks, identity providers, security information and event management (SIEM) systems, single sign-on (SSO), threat intelligence, and data.
Why zero trust security is important
Zero trust security offers a cybersecurity approach for the modern enterprise that is amenable to and reflective of today’s threat landscape and the need to protect users, data, and systems at every point of access. Zero trust security supports the hybrid workplace by ensuring that users have access to the resources they need, when they need them, on their preferred devices, while enabling the organization to keep security up-to-date and adapt when new threats are detected and as digital transformations occur.
Zero trust security supports the enterprise’s evolving business needs, such as:
- customer preferences and expectations for innovative digital experiences
- resources accessed by increasing numbers of devices that are outside the IT team’s control
- managing time spent by IT teams on manual tasks due to outdated security solutions, evolving cyber threats, and escalating global regulations
- providing visibility and insights for leadership teams regarding security policies and threat response
Benefits of zero trust security
Benefits that enterprises realize when successfully implementing zero trust security include:
- highly effective cloud security, which is vital due to the level of cloud, endpoint, and data sprawl in the modern IT ecosystem, with increased visibility and efficiencies for security teams
- decreasing the organization’s attack surface and limiting the severity and associated recovery expenses when an attack does happen by confining the breach to a single microsegment
- simpler network operations in many deployments, since microsegmentation cuts unnecessary east-west traffic and noise, and centralized logging and monitoring make errors easier to isolate (inline inspection and brokered connections can add latency, so performance gains are not automatic)
- reducing the impact of user credential theft and phishing attacks due to MFA requirements and mitigating threats that typically circumvent conventional perimeter-based safeguards
- lowering the risk associated with devices, including Internet of Things (IoT) devices that may be challenging to safeguard and update, by authenticating all access requests
A brief history of zero trust security
John Kindervag, then an analyst at Forrester Research, introduced the term “zero trust” in 2010 in a Forrester report on the model. NIST Special Publication 800-207, discussed above, was released in draft form in 2019 and published in final form in August 2020.
In 2019, Gartner included zero trust security in their secure access service edge (SASE) solutions, and the National Cyber Security Centre (NCSC) in the United Kingdom advised that network architects consider a zero trust security model for new IT deployments, especially when the deployment involves cloud services.
As also mentioned above, NIST Special Publication 1800-35 is available in draft form and open to comments as of this writing as zero trust security continues to evolve to meet the needs of various use cases and industries.
What is Zero Trust Network Access (ZTNA)?
Zero Trust Network Access (ZTNA) is the main technology category through which enterprises apply the zero trust security model to remote and application access. A ZTNA broker establishes one-to-one encrypted connections between a device and the specific resources it is entitled to, based on defined access control policies: access is denied by default, and a connection to a service is created only after the user and device have been authenticated and evaluated against policy. Applications are never exposed directly on the network; the broker mediates every session, which is why ZTNA is commonly positioned as a replacement for traditional VPN access that drops users onto a whole network segment.
Getting started with zero trust security
Zero trust security technology and processes should be based on the enterprise’s strategic objectives: What must the organization safeguard, and from whom? Once this is determined and zero trust security is successfully implemented, the enterprise will reap the benefits of a more streamlined network infrastructure, an enhanced user experience, and robust cyber defenses.
All organizations experience challenges depending on industry, maturity, existing security strategy, and business objectives. An identity-based zero trust security model adds control and oversight into user access and movement across your IT infrastructure.
Zero trust security FAQ
What is zero trust?
Zero trust is often mistakenly referred to as a product or service. Zero trust is a strategic approach to security that encompasses designs and processes for controlling access. At its core, zero trust security principles dictate that no user, service, app, or device should be trusted to have ongoing access. Even after initial access is granted, each entity should be continuously validated and access revoked if validation fails.
What are the three main concepts of zero trust security?
Zero trust security revolves around three core concepts. Used in concert, the three main zero trust security concepts improve an organization's security posture and increase cyber resilience.
- Assume breach
The concept of assumed breach is essentially the risk-mitigation component of zero trust security. By assuming that threats are always present inside and outside the network perimeter, IT and security teams are driven to take a proactive approach to preventing and limiting the impact of a breach. One tactic used to respond to the assumption of breach is microsegmentation, which limits what can be reached if part of the network is compromised.
- Follow the principle of least privilege access
Least-privilege access reduces exposure by granting the minimum level of access that each user needs to perform their specific job functions. This approach replaces broad, standing privileges with granular, just-in-time and just-enough access (JIT/JEA). It is often coupled with risk-based adaptive access policies that adjust privileges dynamically.
- Verify continuously and explicitly
Every attempt to access resources or data must be explicitly verified and authorized before access is granted. Authentication and authorization are continuous and cover identity, device posture, and application integrity, drawing on all available data points, such as multi-factor authentication, data classification, device health checks, the requesting workload or service, and application allowlisting. Users are re-authenticated and re-authorized whenever they try to access a resource, and continuous monitoring is required to detect and quickly respond to anomalies.
What are the 5 pillars of zero trust?
Zero trust security is based on the continuous assessments and updates of five key pillars that work together.
- Identities
Digital identities are collections of data that represent an entity online, including human and non-human users (e.g., systems, devices, and applications). With zero trust security, the digital identity of every user must be verified before it is granted access to any resource.
- Devices
Zero trust security requires that every device be checked before it can connect to resources. This needs a complete inventory of every device that connects to the network, so that the health and compliance of each device can be checked to confirm it is secure and running only approved software.
- Networks
With a zero trust security model, networks are segmented so that an intruder cannot move laterally to reach additional system resources and sensitive information. Segmentation is based on the sensitivity of the data and on which users need access to it. This isolation minimizes the damage that can occur if unauthorized access is gained.
- Applications and workloads
Following the zero trust security model, every application’s access to sensitive data and systems is restricted to the minimum needed to perform its function, mirroring the controls applied to human users. In addition, applications should be tested and audited regularly to identify anomalies and to ensure they carry the latest security updates.
- Data
To follow zero trust security practices, data is classified so that sensitive data can be monitored and managed according to its value and its risk of compromise. Access to data is then restricted according to the principle of least privilege.
What is zero trust in physical security?
The core principles of zero trust for cybersecurity can be extended to physical security. Applied to physical environments, zero trust security assumes that no individual should be implicitly trusted just because they have gained access to a physical environment. The systems, buildings, and associated infrastructure can be better protected when zero trust security is used.
An example of zero trust security for physical environments is requiring additional identity authentication to enter specific spaces within a building after being authenticated at the initial point of entry. Another example is requiring users to authenticate when reentering spaces within a building (e.g., returning to their work areas after leaving to go to the cafeteria).
Zero trust security systems also help with monitoring for suspicious behavior. For instance, if someone attempts and fails to enter a space, the action is recorded. It can then be tracked and correlated with other activities to identify patterns that could indicate malicious intent.
What is zero trust architecture?
A zero trust architecture is a system and process design that operationalizes the zero trust fundamentals, such as strict access management, device and user authentication validation systems, and microsegmentation to reduce a network's attack surface. It is used to protect cloud, on-premises, and hybrid enterprise environments.
Using a zero trust security architecture helps organizations not only meet internal security requirements but also maintain compliance with many regulations, standards, and best practices. Implementing a zero trust security architecture delivers a number of benefits, including enabling secure remote work environments, enhancing overall security posture, increasing visibility, mitigating risk, improving device access controls, and facilitating secure cloud adoption.