What is Zero Trust anyway?

23.02.2023

What is Zero Trust anyway? Like a friend of mine said in one of our recent conversations, “Okay, we will buy 100 licenses of this Zero Trust for our company and will start on Monday.”

Zero Trust is not a product. You don’t buy a license for Zero Trust, and you don’t install a “Zero Trust” IaaS, PaaS or SaaS product.
Zero Trust is a security model, it is a journey, it is a philosophy. It is a strategic approach to security or, even better, to cybersecurity. Zero Trust is often referred to as the Zero Trust Security Model, Zero Trust Architecture (ZTA) or Zero Trust Network Access (ZTNA).

The “Zero Trust” concept gained popularity and visibility after the tectonic shift brought by the mobile workforce and cloud computing, as they redefined the security perimeter and the approach to cybersecurity from the ground up. But the term itself is not as young as cloud computing. It was mentioned and established for the first time in April 1994, when Stephen Paul Marsh, as part of his doctoral studies at the University of Stirling, wrote his thesis “Formalising Trust as a Computational Concept”[1]. In the following years, at the beginning of the new, 21st century, the term “Zero Trust” was brought up increasingly frequently, and it finally gained traction some eighteen years later, when the National Institute of Standards and Technology[2] (NIST) and the National Cybersecurity Center of Excellence[3] (NCCoE) published the “Zero Trust Architecture”[4] paper.

“Implementing a Zero Trust Architecture:

Conventional network security has focused on perimeter defences, but many organizations no longer have a clearly-defined perimeter. To protect a modern digital enterprise, organizations need a comprehensive strategy for secure “anytime, anywhere” access to their corporate resources (e.g., applications, legacy systems, data, and devices) regardless of where they are located.”[5]

As the new security perimeter is no longer defined by physical boundaries but extends to every organizational resource and service, modern cybersecurity needed a new security model that provides adequate protection, and the “new” “Zero Trust Security Model” was established. In the past, organizations focused their defences on safeguarding their digital assets by protecting network access with firewalls and VPNs, and assumed that everything inside this network was safe. Today, this approach is no longer good enough. Organizations need a different approach, based on the core principles of Zero Trust:

 

  1. Verify explicitly. You should always authenticate and authorize access to resources based on all available data points, including user and device identity and behaviour, device health, service or workload, location, data classification and possible anomalies.
  2. Use or apply least-privilege access. Limit user access, the amount of information and the length of time people can access something with Just-In-Time (JIT) and Just-Enough-Access (JEA), risk-based adaptive policies, conditional access policies and data protection policies.
  3. Always assume breach. Minimise or prevent lateral movement by segmenting access by network, devices, user, and application recognition, using end-to-end encryption, as well as using advanced analytics to detect threats, improve defences and get comprehensive defence visibility.
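
The contrast between the old perimeter assumption and the principles above, as an added example that is not part of the original article. It compares a network-location check with a per-request decision that evaluates every signal and returns a scoped, time-limited grant. The `Request` fields, the risk thresholds, the grant lifetimes and the 10.0.0.0/8 "internal" range are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

CORP_NET = ip_network("10.0.0.0/8")  # assumed "internal" range (constructed)

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool
    device_compliant: bool
    source_ip: str
    data_class: str       # "public" | "internal" | "confidential"
    anomaly_score: float  # 0.0 (normal) .. 1.0 (highly unusual), assumed scale
    action: str           # "read" | "write"

def perimeter_decision(req):
    """Legacy model: anything coming from inside the network is trusted."""
    return ip_address(req.source_ip) in CORP_NET

def zero_trust_decision(req, now):
    """Return (allowed, granted_actions, expires_at, reasons) for one request."""
    reasons = []
    # Verify explicitly: every signal is checked; network location grants nothing.
    if not req.mfa_passed:
        reasons.append("mfa_required")
    if not req.device_compliant:
        reasons.append("device_not_compliant")
    if req.anomaly_score >= 0.7:                      # assumed threshold
        reasons.append("anomalous_behaviour")
    if req.data_class == "confidential" and req.anomaly_score >= 0.3:
        reasons.append("risk_too_high_for_confidential")
    if reasons:
        return False, (), None, reasons
    # Least privilege: only the requested action, for a limited time (JIT/JEA).
    ttl = timedelta(minutes=15 if req.data_class == "confidential" else 60)
    return True, (req.action,), now + ttl, ["all_signals_ok"]

# Constructed sample requests
INSIDE_UNHEALTHY = Request("alice", True, False, "10.1.2.3", "confidential", 0.1, "read")
REMOTE_HEALTHY = Request("bob", True, True, "203.0.113.7", "internal", 0.05, "write")

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for r in (INSIDE_UNHEALTHY, REMOTE_HEALTHY):
        print(r.user, "perimeter:", perimeter_decision(r),
              "zero trust:", zero_trust_decision(r, now))
```

The non-compliant device on the internal network passes the perimeter check but is denied by the per-request decision, while the healthy remote device is allowed a single action for a limited time.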

This is the first article in the series about Zero Trust. It introduced the history of the concept and set the ground for the next articles, where I will cover Zero Trust implementation in Azure, Microsoft 365, business environments and more.

-----------

[1] Stephen Paul Marsh, “Formalising Trust as a Computational Concept”, 1994/4, University of Stirling (https://dspace.stir.ac.uk/bitstream/1893/2010/1/Formalising trust as a computational concept.pdf)

[2] National Institute of Standards and Technology, NIST, https://www.nist.gov/

[3] National Cybersecurity Center of Excellence, NCCoE, http://nccoe.nist.gov/

[4] “Zero Trust Architecture” SP 800-207, https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture, and

Rose, Scott; Borchert, Oliver; Mitchell, Stu; Connelly, Sean. "Zero Trust Architecture", nvlpubs.nist.gov. NIST, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf, and

https://doi.org/10.6028/NIST.SP.800-207

[5] https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture

