Trust No One (Internet Security)
   HOME

TheInfoList



OR:

The zero trust security model, also known as zero trust architecture (ZTA), zero trust network architecture or zero trust network access (ZTNA), and sometimes known as perimeterless security, describes an approach to the design and implementation of
IT system Information technology (IT) is the use of computers to create, process, store, retrieve, and exchange all kinds of Data (computing), data . and information. IT forms part of information and communications technology (ICT). An information te ...
s. The main concept behind the zero trust security model is "never trust, always verify,” which means that devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified. ZTNA is implemented by establishing strong identity verification, validating device compliance prior to granting access, and ensuring least privilege access to only explicitly authorized resources. Most modern corporate networks consist of many interconnected zones,
cloud services Cloud computing is the on-demand availability of computer system resources, especially data storage (cloud storage) and computing power, without direct active management by the user. Large clouds often have functions distributed computing, ...
and infrastructure, connections to remote and mobile environments, and connections to non-conventional IT, such as IoT devices. The reasoning for zero trust is that the traditional approach — trusting devices within a notional "corporate perimeter", or devices connected via a
VPN A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. The be ...
— is not relevant in the complex environment of a corporate network. The zero trust approach advocates
mutual authentication Mutual authentication or two-way authentication (not to be confused with two-factor authentication) refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some prot ...
, including checking the identity and integrity of devices without respect to location, and providing access to applications and services based on the confidence of device identity and device health in combination with user
authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicati ...
. The zero trust architecture has been proposed for use in specific areas such as supply chains The principles of zero trust can be applied to data access, and to the management of data. This brings about zero trust
data security Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach. Technologies Disk encryption Disk encryption refe ...
where every request to access the data needs to be authenticated dynamically and ensure least privileged access to resources. In order to determine if access can be granted, policies can be applied based on the attributes of the data, who the user is, and the type of environment using Attribute-Based Access Control (ABAC). This zero-trust data security approach can protect access to the data.


History

In April 1994, the term "zero trust" was coined by Stephen Paul Marsh in his doctoral thesis on computer security at the
University of Stirling The University of Stirling (, gd, Oilthigh Shruighlea (abbreviated as Stir or Shruiglea, in post-nominals) is a public university in Stirling, Scotland, founded by royal charter in 1967. It is located in the Central Belt of Scotland, built w ...
. Marsh's work studied trust as something finite that can be described mathematically, asserting that the concept of trust transcends human factors such as morality, ethics, lawfulness, justice, and judgement. In 2003 the challenges of defining the perimeter to an organisation's IT systems was highlighted by the
Jericho Forum The Jericho Forum was an international group working to define and promote de-perimeterisation. It was initiated by David Lacey from the Royal Mail, and grew out of a loose affiliation of interested corporate CISOs (Chief Information Security Offic ...
of this year, discussing the trend of what was then coined "de-perimeterisation". In 2009,
Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...
implemented a zero trust architecture referred to as
BeyondCorp BeyondCorp is an implementation, by Google, of zero-trust computer security concepts creating a zero trust network. It was created in response to the 2009 Operation Aurora. An open source implementation inspired by Google's research paper on an ...
. In 2010 the term zero trust model was used by analyst John Kindervag of
Forrester Research Forrester is a research and advisory company that offers a variety of services including research, consulting, and events. Forrester has nine North America locations: Cambridge, Massachusetts; New York, New York; San Francisco, California; McL ...
to denote stricter cybersecurity programs and access control within corporations. However, it would take almost a decade for zero trust architectures to become prevalent, driven in part by increased adoption of mobile and cloud services. In 2018, work undertaken in the
United States The United States of America (U.S.A. or USA), commonly known as the United States (U.S. or US) or America, is a country primarily located in North America. It consists of 50 states, a federal district, five major unincorporated territorie ...
by cybersecurity researchers at
NIST The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical sci ...
and NCCoE led to the publication of ''SP 800-207, Zero Trust Architecture''. The publication defines zero trust (ZT) as a collection of concepts and ideas designed to reduce the uncertainty in enforcing accurate, per-request access decisions in information systems and services in the face of a network viewed as compromised. A zero trust architecture (ZTA) is an enterprise's cyber security plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan. There are several ways to implement all the tenets of ZT; a full ZTA solution will include elements of all three: * Using enhanced identity governance and policy-based access controls. * Using micro-segmentation * Using overlay networks and software-defined perimeters In 2019 the United Kingdom National Cyber Security Centre (NCSC) recommended that network architects consider a zero trust approach for new IT deployments, particularly where significant use of cloud services is planned.{{Cite web, title=Network architectures, url=https://www.ncsc.gov.uk/collection/mobile-device-guidance/infrastructure/network-architectures-for-remote-access, access-date=2020-08-25, website=www.ncsc.gov.uk, language=en An alternative but consistent approach is taken by NCSC, in identifying the key principles behind zero trust architectures: * Single strong source of user identity * User authentication * Machine authentication * Additional context, such as policy compliance and device health * Authorization policies to access an application * Access control policies within an application


See also

*
Trust, but verify Trust, but verify ( rus, links=no, Доверяй, но проверяй, r=Doveryay, no proveryay, p=dəvʲɪˈrʲæj no prəvʲɪˈrʲæj) is a rhyming Russian proverb. The phrase became internationally known in English after Suzanne Massie, an ...
''(Russian proverb)'' * Trust no one (Internet security) *
Blast radius A blast radius is the distance from the source that will be affected when an explosion occurs. A blast radius is often associated with bombs, mines, explosive projectiles ( propelled grenades), and other weapons with an explosive charge. Use in ...
*
Password fatigue Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automat ...


References

Information technology Computer network security