Definition: A zero trust security model, by default, considers every person, device, and application to be a possible threat to a company. When a company implements a zero trust model, a core set of principles is deployed and adhered to, based on NIST 800-207.
Core Principles explained
The core principles of a Zero Trust model are listed below and serve as an introduction to the concepts of zero trust:
1. Resource Definition - Know your architecture, including users, devices, and services
All data sources and computing services are considered as resources.
2. Secure Communication
All information is secured regardless of network location.
3. Create a strong device identity
Access to individual enterprise resources is granted on a ‘per-session’ basis.
4. Authenticate everywhere
Access to resources is determined by dynamic policy. This includes customer identity, application/service, and the requesting asset - and may include other behavioral and environmental attributes.
5. Know the health of your devices and services
The company monitors and measures the integrity and security posture of all owned and associated assets.
6. Authentication and authorization enforcement
Authentication and authorization for all resources are dynamic and strictly enforced before access is allowed.
7. Set policies according to the value of the service or data
The company gathers as much information about its assets, network infrastructure, and communications as possible and utilizes it to strengthen its security posture.
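Principles 3 through 7 describe what a policy decision point has to do on every request: evaluate identity, the requesting device's health and the value of the resource, enforce the result before access, and grant only a bounded session. The example below is an added illustration written for this page, not code from the article, from NIST, or from Utimaco. The resource names, sensitivity tiers, group names and posture signals are all constructed assumptions; the point is the shape of the decision, in particular that network location never satisfies or bypasses a requirement.

```python
"""Minimal zero trust policy decision point (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class AccessRequest:
    subject: str                       # authenticated identity making the request
    groups: Set[str]                   # directory groups the identity belongs to
    mfa_verified: bool                 # this session completed multi-factor auth
    device_managed: bool               # device is enrolled in device management
    device_posture: Dict[str, bool]    # health signals reported by an endpoint agent
    on_corporate_network: bool         # recorded for audit only; never a trust signal
    resource: str
    action: str                        # "read" or "write"


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)
    session_ttl_seconds: int = 0       # principle 3: a grant is valid per session only


# Constructed resource labels: each resource carries a sensitivity tier.
RESOURCE_TIER = {
    "public-site": "public",
    "wiki": "internal",
    "payroll-db": "confidential",
}

# Principle 7: policy strictness and session length follow the value of the data.
TIER_POLICY = {
    "public":       {"groups": set(),        "mfa": False, "healthy_device": False, "ttl": 8 * 3600},
    "internal":     {"groups": {"staff"},    "mfa": True,  "healthy_device": True,  "ttl": 3600},
    "confidential": {"groups": {"finance"},  "mfa": True,  "healthy_device": True,  "ttl": 600},
}

# Posture signals an endpoint agent is assumed to report (constructed names).
REQUIRED_POSTURE = ("disk_encrypted", "os_patched", "edr_running")


def device_is_healthy(req: AccessRequest) -> bool:
    """Principle 5: only a managed device reporting every required signal as true is healthy.
    A missing signal counts as failing, so an agent that stops reporting loses access."""
    return req.device_managed and all(req.device_posture.get(k, False) for k in REQUIRED_POSTURE)


def evaluate(req: AccessRequest) -> Decision:
    """Principles 4 and 6: evaluate dynamic policy on every request and enforce it
    before access. Every failed check is collected so the denial can be audited."""
    tier = RESOURCE_TIER.get(req.resource)
    if tier is None:
        # Unlabelled resources are denied rather than treated as low value.
        return Decision(False, ["unknown resource: deny by default"])

    policy = TIER_POLICY[tier]
    reasons: List[str] = []

    if policy["groups"] and not (req.groups & policy["groups"]):
        reasons.append(f"subject not in required groups {sorted(policy['groups'])}")
    if policy["mfa"] and not req.mfa_verified:
        reasons.append("MFA required for this tier")
    if policy["healthy_device"] and not device_is_healthy(req):
        reasons.append("device posture does not meet policy")
    # Constructed rule: writes to confidential data need an additional group.
    if tier == "confidential" and req.action == "write" and "finance-admins" not in req.groups:
        reasons.append("write to confidential resource requires finance-admins")

    # Principle 2: req.on_corporate_network is deliberately not consulted above.
    # Being on the office LAN neither satisfies nor relaxes any requirement.
    if reasons:
        return Decision(False, reasons)
    return Decision(True, [f"granted per-session for tier '{tier}'"], policy["ttl"])


if __name__ == "__main__":
    healthy = {"disk_encrypted": True, "os_patched": True, "edr_running": True}
    req = AccessRequest("alice", {"staff", "finance"}, True, True, healthy, False, "payroll-db", "read")
    print(evaluate(req))
```

Each denial carries every failed check rather than stopping at the first one, which is what a security operations team wants when investigating why a request was refused, and the session TTL shrinks as the resource tier rises so that re-evaluation happens more often where the data is most valuable.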
The zero-trust security approach aims to strike a balance between security and business productivity. On the one hand, zero trust is intended to allow employees to carry out their responsibilities without interference. Any unlawful access or use of company resources, on the other hand, should be prevented by the organization's zero trust security protocols.
It is critical that all of the elements of the Core Principles fit within the business strategy and the organizational culture.
Utimaco provides a range of solutions and services that help set up zero trust architectures even in decentralized and geographically distributed structures.