See if your information has been exposed in a data breach with our latest free tool Check Now
Finance glossary

What is zero trust? Definition, examples and tips.

Bristol James
10 Min

Zero trust security helps protect networks from attacks, working on the basis of never trust, always verify. Here’s everything you need to know.

What is zero trust security?

Zero trust is an approach to cyber security that operates on the principle of denying access by default. This means that strict identity verification and authorisation is required for every person and device that is attempting to access a network, application or software, regardless of whether they are inside or outside of the network.

Effectively, zero trust security means authorisation is required to enter the network, and then continuously throughout the network, rather than once on the perimeter.

Think of it as visiting a huge storage facility with hundreds of rooms containing different items.

Rather than just showing ID at the door to get into the facility, a zero trust approach means you also need to verify who you are and why you need access at every door – with some doors not being visible at all.

How does a zero trust approach differ from more traditional cyber security methods?

Traditionally, IT security has often worked on the basis that everything and everyone within an organisation network should be implicitly trusted, and has focused on keeping people out at the perimeter. Firewalls are often heavily relied upon, depending on the organisation’s cyber security maturity.

These models were created when on-premises networks were commonplace and there was a more traditional ‘perimeter’ to guard. While from there, more mature organisations have implemented internal controls and data segmentation, for others, the perimeter may have been the extent of protection.

The perimeter approach, however, doesn’t account for user credentials being compromised, such as falling into the wrong hands or passwords being hacked. It also doesn’t account for people within an organisation not being trustworthy. Insider threats, for example, are increasingly common and increasingly difficult to stop.

The traditional cyber security models also have potential weaknesses when protecting a network that comprises multiple clouds and data centres.

How long have zero trust models been around?

Zero trust models, which were first referred to in academia in the 1990s, have been increasingly used since John Kindervag, a principal analyst at Forrester Research, coined the phrase “never trust, always verify” in 2010.

Since then, an increasing number of organisations have established a zero trust approach, with Gartner Research showing more than 60% of organisations will embrace a zero trust solution as their security foundation by 2025. In 2021, an executive order from the White House called on executive agencies to implement zero trust models.

Why are more and more businesses looking to implement zero trust access?

Before hybrid working became the norm, few users required remote access. However, with hybrid working becoming the norm, remote access at scale has become paramount.

VPNs (virtual private networks) have been used to grant off-site users remote access to a network, however, this can present its own risks.

In addition, increases in the scale, frequency, sophistication, and severity of cyber attacks, the risk of insider threats, and the continual challenge of human error mean a different approach to cyber security is required.

What are the key zero trust principles?

The National Institute of Standards and Technology (NIST) in the US defines the key zero trust principles as follows:

All data sources and computing services are considered resources

Networks today are comprised of multiple classes of devices, software as a service (SaaS) platforms and applications, and all need to be accounted for. This list of devices needs to include personally owned devices, if they can access enterprise-owned resources.

All communication is secured regardless of network location

Network location alone does not imply trust. Access requests from assets located on enterprise-owned network infrastructure must meet the same security requirements as access requests and communication from any other non-enterprise-owned network.

Access to individual enterprise resources is granted on a per-session basis

Trust is evaluated before access is granted, and access should only be granted with the least privileges needed to complete the task. Authentication and authorisation to one resource will not automatically grant access to a different resource.

Access to resources is determined by dynamic policy

These rules and attributes are based on the needs of the business and the acceptable level of risk, and can vary based on the sensitivity of the resource/data. Least privilege principles are applied to restrict both visibility and accessibility.

The criteria used to establish trust include the observable state of client identity, application/service, the requesting asset and other behavioural and environmental attributes.

Client identity

User account (or service identity) and any associated attributes assigned by the enterprise that can be used to identify the account or artefacts in order to authenticate automated tasks.

Requesting asset state

Device characteristics such as software versions installed, network location, time/date of request, previously observed behaviour, and installed credentials.

Behavioural attributes

Automated subject analytics, device analytics, and measured deviations from observed usage patterns.

Environmental attributes

For example, requestor network location, time, reported active attacks, etc.

The enterprise monitors and measures the integrity and security posture of all owned and associated assets

No asset is inherently trusted. An enterprise implementing a zero trust architecture should establish a continuous diagnostics and mitigation (CDM) or similar system to monitor the state of devices and applications and should apply patches/fixes as needed. Assets that are discovered to be subverted, have known vulnerabilities, and/or are not managed by the enterprise may be treated differently (including denial of all connections to enterprise resources) than devices owned by or associated with the enterprise that are deemed to be in their most secure state.

All resource authentication and authorisations are dynamic and strictly enforced before access is allowed

This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually re-evaluating trust in ongoing communication.

The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture

An enterprise should collect data about asset security posture, network traffic and access requests, process that data, and use any insight gained to improve policy creation and enforcement.

How does zero trust security work in practice?

Effectively, zero trust security requires each user and device to be verified and continually re-verified, regardless of who they are and where they are accessing the network from. All traffic is considered a threat until it’s verified.

Strict, individual user permissions are carefully monitored and granted, only allowing users access to information and data they absolutely need to access.

Multi-factor authentication (MFA) and conditional access policies are hugely important parts of a zero trust model, creating layered defences and preventing lateral movement.

What is an example of zero trust security in action?

An employee may be attempting to access their employer’s CRM. They’re overseas and using an unfamiliar device. After inputting their username, password, and MFA token, the system would recognise an unfamiliar device and location, and undertake further tests to verify identity.

Depending on the parameters set, such as unfamiliar devices, locations, and time of access, access may be denied. If access is permitted, it would only be in line with the user permissions for that specific user.

How to begin a zero trust journey

Deciding to undertake a zero trust journey is a significant undertaking for any organisation, both from a technology and cultural perspective, and it involves several key steps.

Understand what you’re protecting

Conduct an initial assessment in which you Identify the data, assets, applications and services that you need to protect – the ‘protect surface’. Understanding your most valuable assets will help an organisation prioritise its assets, and define what it is you’re protecting.

Detail budget considerations

In order to transition to a zero trust solution, it’s essential to understand the costs of new technology involved, the staffing required and the business cost of training staff and any productivity impact.

Map information and transaction flows

To build an effective zero trust network, it’s vital to understand how users, devices, and applications interact so critical data flows can be secured while business functions are supported.

Plan a zero trust network

Get clear on how your zero trust network is best designed. This should include microsegmentation – in which your network is sectioned off into small, secure zones – and least privileged access, meaning users only have access to perform their current task.

Create a zero trust security policy

Define the criteria for making access decisions. This will include who (identity), what (data/resources/applications), where (locations), when (time constraints), how (under specified conditions) and why (purpose).

Implement security safeguards

Multi-factor authentication should be used across the organisation, while security policies should be automated using SOAR tools (security orchestration, automation, and response) to apply rules and policies.

Pilot schemes and phased rollouts

Identify a pilot scheme to test zero trust security implementation, and use learnings to roll out the initiative more widely across prioritised assets.

Educate and train employees

Zero trust security is a big change in the way employees access networks, so training and education are critical components in successfully implementing a zero trust network.

Monitor, evaluate and adapt

Continual monitoring of your zero trust network is important to understand usage, and any behaviour that may indicate a security threat. Your zero trust policies will need to evolve as business needs change and new threats emerge.

How does a zero trust approach to cyber security help reduce cybercrime?

Zero trust security can be highly effective in reducing cybercrime as it can minimise and restrict unauthorised access. However, it’s important to remember that this is not a silver bullet,and no approach to cyber security is foolproof. Zero trust networks rely on monitoring, education and continual evolution.

The key ways zero trust models help combat cyber threats include:

Minimising attack surfaces

Strict access controls and microsegmentation means that attackers’ lateral movement within a network can be limited as they need to authenticate and receive authorisation at every point

Enhanced user verification

MFA is a key part of zero trust security, meaning that even if passwords are stolen, biometric authentication or a security token is required to access the network. Hardware-based tokens are more secure than soft tokens such as one-time passwords sent via email or text message.

Access restrictions limit damage

By operating on the principle of least privilege, zero trust security restricts the potential access an attacker can gain.

Adapting to new threats

Zero trust security architecture is flexible, meaning organisations can respond quickly to new threats.

Reducing and preventing data breaches

By encrypting data transmissions and controlling data access, data breaches can be reduced. Even if an attacker does access the network, critical and more sensitive data is safeguarded, requiring further credentials and permissions.

Reducing insider threats

By treating users inside and outside the network in the same way, insider threats can be reduced, as even the most trusted insiders need to undergo strict verification.

Additional benefits of a zero trust network

As well as the cyber security outcomes discussed above, a zero trust framework can also help organisations gain valuable insights from across their business and network, understanding user pathways, security threats and weaknesses.

Threats can be identified early and contained thanks to the granular approach of microsegmentation, which also enables a simpler logging and monitoring process.

In addition, enhanced network performance may be experienced due to reduced subnet traffic.

How zero trust solutions can help businesses meet compliance requirements

Businesses are rightly held to high standards when it comes to data protection, privacy and compliance, and a zero trust solution can help organisations meet compliance requirements.

With strict access controls and data encryption, organisations can safeguard sensitive information and make it far more challenging for a bad actor to access.

Microsegmentation, meanwhile, can isolate sensitive environments – for example, payment details – while continuous monitoring can lead to early identification and containment of unauthorised access.

In addition, zero trust solutions create detailed access logs, and frameworks align with the risk management processes required by ISO 27001.

Potential challenges of implementing a zero trust network

While implementing a zero trust network has numerous advantages, it’s important to be aware of the challenges that may lie ahead.

It’s not straightforward

Zero trust is a philosophy and strategy, not a single piece of technology – because of this, adoption can be complex.

Staggered adoption may leave gaps in your security

The traditional approach of assumed trust once in the network is fundamental in many IT environments, meaning a full transition in one go is difficult, while a staggered approach may leave gaps. As discussed, it’s smart to prioritise the protection of valuable assets, and strategically implement a zero trust model with that in mind.

Zero trust technologies may not work with older platforms 

This can create technical and workflow issues, with mainframes and older software not capable of handling dynamic access. The decision to go with a zero trust approach may mean new technology platforms are needed to replace legacy systems.

…And may hinder productivity

There’s a fine line between restricting access and slowing productivity. By thoroughly identifying access permissions, this can be navigated; however, productivity may slow in the early stages of adoption.

Summary

  • Zero trust security is an approach that works on the basis of denying access to networks, applications and software by default.
  • Identify verification and device authentication are key, as is location data.
  • Microsegmentation means that information is heavily restricted, and employees or other legitimate users can only access information they need to access.
  • Introducing a zero trust security approach is a huge task, and pilot schemes involving valuable digital assets are a good way of beginning an implementation process.

Related articles

The new security standard for business payments

Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.