Zero-trust security is a network security architecture that limits which users, devices, and individual packets have access to each segment of a network. It comes from the security concept of “never trust, always verify.”
Zero trust is an architectural approach to security. Each segment of the network is protected by its own tiny perimeter (called a “microperimeter”). This allows a security administrator to add an extra layer of security around the company’s most important data, assets, applications and services. To access any individual segment in a zero-trust architecture, users must pass strict identity and device verification procedures.
Cloud computing, remote workers, and BYOD policies make the perimeter enforced by enterprise firewalls increasingly difficult to defend. The zero-trust security model is much more effective than the old “defend the castle” model in the modern workplace. Contractors, vendors, customers, and remote workers who are outside of the “castle,” or trusted network, may need the same access usually reserved for those inside the network. Conversely, cyber criminals who penetrate the network, or users who do not need access to sensitive content or applications, should be confined to as little range as possible once they are inside the network. A zero-trust network addresses both challenges. Zero-trust security controls grant access to one small segment of the network at a time, and only to users who confirm through multi-factor authentication that they are authorized to access that segment.
In a traditional network security model, once a cybercriminal gets through the perimeter network defenses, they have access to all parts of the network. The zero-trust model continues to stop criminals even after they have broken through the initial defenses, because a zero-trust network re-verifies users each time they attempt to access a different part of the network and blocks those who cannot prove authorization. This model results in greater web application security, since applications and workloads have an additional level of protection within the network.
In addition, a zero-trust network does not automatically grant access to a user or device simply because that user or device has previously accessed the network. Each user and device must prove that they are authorized to access each segment of a zero-trust network every time they request access. Continuously reviewing access privileges as they change also removes stale or excessive permissions that attackers could otherwise exploit.
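The four preceding paragraphs describe the core decision a zero-trust gateway makes: every request to a microperimeter is evaluated on its own, against identity, device posture and multi-factor authentication, with no credit given for where the request comes from or for what was granted a moment ago. The example below is an added illustration, not code from the original article or from any product; the segment names, group names, policy fields and the `ZeroTrustGateway` class are all constructed for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool   # enrolled in the organisation's device management (assumed attribute)
    patched: bool   # passes the posture check at request time (assumed attribute)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset[str]
    device: Device
    mfa_verified: bool   # MFA completed for THIS request, not for an earlier one
    source: str          # "internal" or "external"; deliberately ignored by the policy
    segment: str         # the microperimeter being requested


# Constructed policy table: one microperimeter per segment, each with its own rules.
SEGMENT_POLICY: dict[str, dict] = {
    "hr-payroll": {"groups": {"hr"}, "managed_only": True},
    "crm":        {"groups": {"sales", "support"}, "managed_only": False},
    "ci-build":   {"groups": {"engineering"}, "managed_only": True},
}


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Decide a single request. Default deny; every check must pass every time.

    Note that req.source is never consulted: being 'inside' the network earns
    nothing, which is the point of the microperimeter model.
    """
    policy = SEGMENT_POLICY.get(req.segment)
    if policy is None:
        return False, "unknown segment: default deny"
    if not req.mfa_verified:
        return False, "MFA not verified for this request"
    if not req.device.patched:
        return False, "device fails posture check"
    if policy["managed_only"] and not req.device.managed:
        return False, "segment requires a managed device"
    if not (req.groups & policy["groups"]):
        return False, "user not in an allowed group for this segment"
    return True, "granted"


class ZeroTrustGateway:
    """Mediates every segment access and records an audit trail.

    It intentionally keeps no 'already trusted' state: a grant for one segment
    is never reused for another segment or for a later request.
    """

    def __init__(self) -> None:
        self.audit: list[tuple[str, str, bool, str]] = []

    def access(self, req: AccessRequest) -> bool:
        allowed, reason = evaluate(req)
        self.audit.append((req.user, req.segment, allowed, reason))
        return allowed


def demo() -> list[tuple[str, str, bool, str]]:
    """Walk through the scenarios the text describes; returns the audit log."""
    gw = ZeroTrustGateway()
    laptop = Device("lt-001", managed=True, patched=True)        # constructed
    phone = Device("ph-777", managed=False, patched=True)        # constructed
    hr = frozenset({"hr"})

    # 1. Legitimate HR user, MFA done, managed device: granted to hr-payroll.
    gw.access(AccessRequest("alice", hr, laptop, True, "external", "hr-payroll"))
    # 2. Same user moments later asks for a different segment: evaluated afresh, denied.
    gw.access(AccessRequest("alice", hr, laptop, True, "internal", "ci-build"))
    # 3. Same user, same segment as (1), but MFA not repeated: prior grant is not reused.
    gw.access(AccessRequest("alice", hr, laptop, False, "internal", "hr-payroll"))
    # 4. HR user on an unmanaged BYOD phone: segment rule blocks it.
    gw.access(AccessRequest("alice", hr, phone, True, "external", "hr-payroll"))
    # 5. Attacker already inside the network with no MFA and no group: denied anyway.
    gw.access(AccessRequest("intruder", frozenset(), laptop, False, "internal", "crm"))
    return gw.audit


if __name__ == "__main__":
    for user, segment, ok, why in demo():
        print(f"{user:9} -> {segment:11} {'ALLOW' if ok else 'DENY '}  ({why})")
```

The gateway's only memory is the audit log; because `evaluate` is a pure function of the current request, there is no cached trust for an attacker to inherit once they are past the outer perimeter, and a reviewer can check the policy table segment by segment.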
Building a zero-trust network is a significant undertaking and cultural shift for many organizations. Some may want to start small, building the network around specific devices or applications that they want to protect and then incrementally expanding it. Enterprises that want to implement any kind of zero-trust network should consider the following security controls: