I have seen so many different definitions thrown around for the zero trust model. You usually will always hear words like tenants, pillars, or even fundamentals used when talking about this model. While those may apply in some situations, I have noticed there is no single definition of the zero trust model – but it helps that everyone has a shared understanding of the concept. In fact, the National Institute of Standards and Technology (NIST) published the NIST SP 800-207 Zero Trust Architecture for this exact issue.
Data and Computing Services
The idealism of considering only the endpoints of user devices or servers as resources is now officially over. Networks now contain a larger variety of devices from the traditional items to more dynamic cloud computing services. A good example of this is function-as-a-service (FaaS), which may execute with specific permissions to other resources in your environment.
With Data and Computing Resources in your environment, you must make sure that you have basic and good advanced authentication controls in place. This also includes assigning as little as permissions possible for access control.
Secure All Communications
In environments that heavily follows the zero trust model, the concept of zero trust network access (ZTNA) is implemented. This is where a user would usually authenticate over a VPN, and then have total access within or across a network., which also contrasts with the traditional remote access paradigms.
In the ZTNA environment, the access policy instead is a default-to-deny policy. Explicit access must be granted to specific resources, and ideally, users who are operating in ZTNA environments won’t even know about of applications and services within environments without those explicit grants of access existing.
Monitor the Integrity and Security
By following the zero trust model, you ensure that no device or asset is ever trusted by default. Every request must trigger a security evaluation. This includes continuously monitoring the state of devices that have access to the environment – either if they are owned by the organization or another entity. This includes quickly applying patches and vulnerability remediation based on insight gained from the ongoing monitoring and reporting.
Authentication and Authorization
As I talked about in the last point, the concept of granting access and trust is occurring in a dynamic and ongoing fashion. This also means that there should be a constant cycle of scanning devices, then using those signals for additional insight and evaluating trust decisions. This is an ongoing dynamic process, it doesn't merely consist of creating an account with associated permissions to resources.
A highly common mistake that I have seen many organizations make is thinking of zero trust as a long road that they try to walk. If they can buy or create the right tools, they will have implemented zero trust within their environments. This is a highly incorrect belief that people will have. Tools can help give us aspects of zero trust and move your organization closer to the zero trust model, but ultimately it always consists of a combination of people, processes, and technology.
As laid out in the National Security Agency (NSA) publication Embracing a Zero Trust Security Model, the leading recommendations include approaching zero trust from a maturity perspective. This includes initial preparation and basic, intermediate, and advanced stages of maturity, as described by the NSA.
Remember that the first step is preparation. You will need to identify where the gaps are, how your architecture, practices, and processes align with the zero trust tenets laid out above, and finally to create a plan to address all of them. Only then, will you be ready to fully implement a zero-trust model.