
What Exactly is Zero Trust Anyway?

Zero Trust is a buzzword these days. People say that it is a key tool in the security practitioner’s arsenal, but what is it anyway? Here are the core elements, according to NIST’s zero trust framework.

1. All data sources and computing services are resources

That means those “software functions” in the cloud. Each of them. Each of them is a resource. Each resource has a unique identity and specific permissions. Every server; every endpoint; every everything.

2. All communication is secured, no matter where it is

Historically, once a user authenticates himself or herself, they are home free. No more checks. In a zero trust network, the default is to deny access and to make resources invisible if the system, service or user doesn’t have access. What you can’t even see is much harder to hack.

3. Access to each resource is granted on a per-session basis

You can’t assume that just because you trusted that resource once you should trust it forever. Each access is new. If there has been a change in the user’s behavior the system may have detected it and revoked some permissions.

4. Access policies are dynamic, based on real-time observations, and may include non-traditional factors like behavioral and environmental attributes

Think of Microsoft’s conditional access. If a user is in New York at 12:15 PM and in San Francisco at 1:00 PM, that should be a cause for concern. There are potentially hundreds or more factors that can come into play.

5. Real-time monitoring of the integrity and security of all assets drives the process

Nothing is inherently trusted. This could mean deploying patches in real time if monitoring detects an attempt to exploit a vulnerability or dropping a session. Real time and continuous.

6. All resource authentication and authorization are dynamic and strictly enforced

Granting access and trust is dynamic and ongoing. This means continuous scanning and using those signals to dynamically adjust the security rules. And the process iterates forever.

7. Organizations need to collect as much information as possible about the current state of their assets, infrastructure and communications

This has been, historically, a challenge for organizations. It is hard to manage risk if you don’t know what is happening. Many times organizations do not collect the right information. If you don’t have the right data you can’t make the correct decisions.
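Tenets 3 and 4 in code, as an added example that is not part of the original post: a per-session decision that denies by default and treats the New York / San Francisco logins as a travel anomaly. The `Login` type, the 900 km/h ceiling, the `challenge` outcome and the sample coordinates and timestamps (both taken to be in the same time zone) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed

@dataclass(frozen=True)
class Login:  # hypothetical record of one authenticated session start
    user: str
    when: datetime  # timezone-aware, so logins compare correctly across zones
    lat: float
    lon: float

def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    p1, p2 = radians(a.lat), radians(b.lat)
    dl = radians(b.lon - a.lon)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def implied_speed_kmh(prev: Login, cur: Login) -> float:
    """Speed the user would have needed to get from prev to cur."""
    hours = abs((cur.when - prev.when).total_seconds()) / 3600
    dist = distance_km(prev, cur)
    if hours == 0:  # simultaneous logins: impossible unless same place
        return float("inf") if dist > 0 else 0.0
    return dist / hours

def decide(prev, cur: Login, entitled: bool) -> str:
    """Evaluated for every new session; nothing carries over from the last."""
    if not entitled:  # default deny: no explicit grant, no access
        return "deny"
    if prev is not None and implied_speed_kmh(prev, cur) > MAX_KMH:
        return "challenge"  # assumed response: re-authenticate before access
    return "allow"

# Constructed sample data matching the scenario in the text.
UTC = timezone.utc
NYC_1215 = Login("alice", datetime(2024, 5, 1, 12, 15, tzinfo=UTC), 40.7128, -74.0060)
SFO_1300 = Login("alice", datetime(2024, 5, 1, 13, 0, tzinfo=UTC), 37.7749, -122.4194)
NYC_1300 = Login("alice", datetime(2024, 5, 1, 13, 0, tzinfo=UTC), 40.7128, -74.0060)

if __name__ == "__main__":
    print(round(implied_speed_kmh(NYC_1215, SFO_1300)), "km/h implied")
    print(decide(NYC_1215, SFO_1300, entitled=True))
```
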

Here are a few resources to get more information:
