Zero trust security model

The zero trust security model (also zero trust architecture (ZTA) and perimeterless security) describes an approach to the strategy, design and implementation of IT systems. The main concept behind the zero trust security model is "never trust, always verify", which means that users and devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified.

ZTA is implemented by establishing strong identity verification, validating device compliance before granting access, and enforcing least-privilege access to only explicitly authorized resources. Most modern corporate networks consist of many interconnected zones, cloud services and infrastructure, connections to remote and mobile environments, and connections to non-conventional IT, such as IoT devices.

The reasoning for zero trust is that the traditional approach – trusting users and devices within a notional "corporate perimeter", or users and devices connected via a VPN – is not sufficient in the complex environment of a corporate network. The zero trust approach advocates mutual authentication, including checking the identity and integrity of users and devices regardless of location, and granting access to applications and services based on confidence in the user's identity, the device's identity and the device's health, in combination with user authentication.[1] The zero trust architecture has been proposed for use in specific areas such as supply chains.[2][3]

The principles of zero trust can be applied to data access and to the management of data. This gives rise to zero trust data security, in which every request to access data must be authenticated dynamically and must enforce least-privilege access to resources. To determine whether access can be granted, policies can be applied based on the attributes of the data, the identity of the user and the type of environment, using Attribute-Based Access Control (ABAC). This zero trust data security approach can protect access to the data.[4]
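The following is an added example, not code from the article or from any product it names. It shows, in plain Python, how the elements described above fit together in one policy decision: the identity check (including re-verification of a previously verified session), the device compliance check, and an ABAC rule table that grants least-privilege access based on the data's classification, the user's attributes and the requested action. The caller's network location is recorded but deliberately never consulted, which is the "never trust, always verify" point made above. All attribute names, thresholds and rules are constructed for illustration.

```python
"""Added example, not from the article: a minimal zero trust policy decision
point. Every request is evaluated from scratch; identity, session freshness,
device posture and data attributes are all checked on every call, and any
failed check denies the request. All names and thresholds are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset            # e.g. {"employee", "team:payments"}
    mfa_verified: bool          # strong identity verification completed
    authenticated_at: float     # epoch seconds of the last verification


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # enrolled in device management
    disk_encrypted: bool
    os_patch_age_days: int      # days since the last OS patch was applied


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str         # "public", "internal" or "confidential"
    owner_team: str             # team whose members may access it


@dataclass(frozen=True)
class Environment:
    source_ip: str
    now: float                  # epoch seconds at the time of the request
    on_corporate_lan: bool      # recorded, but grants no trust (see decide)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


MAX_SESSION_AGE_SECONDS = 3600      # constructed re-verification interval
MAX_PATCH_AGE_DAYS = 30             # constructed compliance threshold


def check_identity(subject: Subject, env: Environment) -> Optional[str]:
    """Return a denial reason, or None if the identity is acceptable."""
    if not subject.mfa_verified:
        return "identity: multi-factor verification required"
    # An earlier verification does not carry over indefinitely.
    if env.now - subject.authenticated_at > MAX_SESSION_AGE_SECONDS:
        return "identity: re-authentication required (session too old)"
    return None


def check_device(device: Device) -> Optional[str]:
    """Return a denial reason, or None if the device is compliant."""
    if not device.managed:
        return "device: not enrolled in management"
    if not device.disk_encrypted:
        return "device: disk encryption required"
    if device.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        return "device: OS patches older than policy allows"
    return None


def required_roles(resource: Resource, action: str) -> Optional[frozenset]:
    """ABAC rule table keyed by (data classification, action).
    Returns None when no rule exists, which decide() treats as a denial."""
    team = f"team:{resource.owner_team}"
    table = {
        ("public", "read"): frozenset(),
        ("public", "write"): frozenset({team}),
        ("internal", "read"): frozenset({"employee"}),
        ("internal", "write"): frozenset({"employee", team}),
        ("confidential", "read"): frozenset({team}),
        ("confidential", "write"): frozenset({team, "data-steward"}),
    }
    return table.get((resource.classification, action))


def decide(subject: Subject, device: Device, resource: Resource,
           action: str, env: Environment) -> Decision:
    """Evaluate one access request; deny by default."""
    # env.on_corporate_lan is never consulted: being inside the corporate
    # network is not evidence of trustworthiness.
    for reason in (check_identity(subject, env), check_device(device)):
        if reason:
            return Decision(False, reason)
    needed = required_roles(resource, action)
    if needed is None:
        return Decision(False, f"policy: no rule for {action} on {resource.classification}")
    missing = needed - subject.roles
    if missing:
        return Decision(False, f"authorization: missing roles {sorted(missing)}")
    return Decision(True, f"allowed: {subject.user_id} may {action} {resource.name}")


if __name__ == "__main__":
    now = 1_700_000_000.0   # constructed timestamp
    alice = Subject("alice", frozenset({"employee", "team:payments"}), True, now - 600)
    laptop = Device("lt-01", managed=True, disk_encrypted=True, os_patch_age_days=5)
    byod = Device("phone-7", managed=False, disk_encrypted=True, os_patch_age_days=2)
    ledger = Resource("payments-ledger", "confidential", "payments")
    print(decide(alice, laptop, ledger, "read", Environment("203.0.113.7", now, False)))
    print(decide(alice, byod, ledger, "read", Environment("10.0.0.5", now, True)))
```

The two calls at the bottom show the contrast the article draws: a compliant managed laptop connecting from a remote address is allowed to read the confidential ledger, while an unmanaged device on the corporate LAN is denied, because the LAN flag is not part of the decision. In a real deployment the rule table and thresholds would come from a policy store rather than being hard-coded, but the evaluation order (identity, then device, then least-privilege authorization, deny by default) is the part worth keeping.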

Zero trust network access (ZTNA) is not a synonym for the zero trust security model or zero trust architecture. Instead, it's a market that consists of remote access products built with zero trust principles, largely derived from the software-defined perimeter specification developed by the Cloud Security Alliance (CSA).[5][6]

1. "Mutual TLS: Securing Microservices in Service Mesh". The New Stack. 2021-02-01. Retrieved 2021-02-20.
2. Collier, Zachary A.; Sarkis, Joseph (2021-06-03). "The zero trust supply chain: Managing supply chain risk in the absence of trust". International Journal of Production Research. 59 (11): 3430–3445. doi:10.1080/00207543.2021.1884311. ISSN 0020-7543. S2CID 233965375.
3. do Amaral, Thiago Melo Stuckert; Gondim, João José Costa (November 2021). "Integrating Zero Trust in the cyber supply chain security". 2021 Workshop on Communication Networks and Power Systems (WCNPS). pp. 1–6. doi:10.1109/WCNPS53648.2021.9626299. ISBN 978-1-6654-1078-6. S2CID 244864841.
4. Yao, Qigui; Wang, Qi; Zhang, Xiaojian; Fei, Jiaxuan (2021-01-04). "Dynamic Access Control and Authorization System based on Zero-trust architecture". 2020 International Conference on Control, Robotics and Intelligent System. CCRIS '20. New York, NY, USA: Association for Computing Machinery. pp. 123–127. doi:10.1145/3437802.3437824. ISBN 978-1-4503-8805-4. S2CID 230507437.
5. "Definition of Zero Trust Network Access (ZTNA)". Gartner. Retrieved 2024-07-30.
6. "Market Guide for Zero Trust Network Access". Gartner (subscription required). Retrieved 2024-07-30.