Zero Trust


Zero Trust is a data-centric architecture and Access Control Models that puts micro-perimeters around specific data or resources so that more-granular Access Control Policy rules can be enforced and implemented.

Zero Trust model, or ZT was first in 2010 by John Kindervag of Forrester Research in the document No More Chewy Centers: Introducing The Zero Trust Model Of Information Security

Zero Trust core principle is to not allow any access to network resources, internal IP Address, or servers until the entity properly authenticated and their Access Request to the specified resource is authorized.

Digitally Trust is a Binary True or False decision. Zero Trust implies there is no Trust.

Never Trust, Always Verify [1] [2]#

NIST.SP.800-207 Zero Trust Model clearly states that the goal of Zero Trust is to focus security on a small group of resources (zones) in lieu of wide network perimeters or environments with large quantities of resources interacting "freely". This is a strategy where there is no implicit trust granted to systems based on their physical or network location (Local Area Networks, Wide Area Networks, and the Cloud), but rather access is granted by a trusted source for either a UserId or application (i.e. Digital Identity).


BeyondCorp is an implementation by Google for a Zero Trust Architecture.

The Zero Trust Architecture is simple: cybersecurity professionals must stop trusting packets as if they were people. Instead, they must eliminate the idea of a trusted network (usually the internal network) and an untrusted network (external networks). In Zero Trust, all network traffic is untrusted.

Forrester’s Zero Trust Model has three key concepts: [3]#

In short, Zero Trust flips the mantra "trust but verify" into "verify and never trust." Zero Trust advocates two methods of gaining network traffic visibility: monitoring and logging. Many security professionals do log internal network traffic, but that approach is passive and does not provide the real-time protection capabilities necessary in this new threat environment.

Zero Trust promotes the idea that you must be monitoring traffic as well as logging it. In order to do so, Network Analysis and visibility (NAV) tools are required to provide scalable and non-disruptive situational awareness. NAV is not a single tool, but a collection of tools that have similar functionality. These NAV tools include network discovery tools for finding and tracking assets, flow data analysis tools to analyze traffic patterns and user behavior, packet capture and analysis tools that function like a network DVR, network metadata analysis tools to provide streamlined packet analysis, and network forensics tools to assist with incident response and criminal investigations.

Forrester says there are only two Data Classifications that exist in your organization:

The first type is sensitive or toxic data, which can be easily identified with the equation 3P + IP = TD. The three P's stand for

Forrester breaks the problem of securing and controlling data down into three areas:

  • Defining the data - This involves Data Discovery and Data Classification. Security and risk professionals, together with their counterparts in legal and privacy, should define Data Classification levels based on data sensitivity. This allows security to protect properly data based on its Data Classification once it knows where that data is located in the enterprise.
  • Dissecting and analyzing the data - This involves data intelligence (extracting information about the data from the data, and using that information to protect the data) and data analytics (analyzing data in near real time to protect proactively toxic data). Look for security information management (SIM) and network analysis and visibility (NAV) solutions to intersect with big data to enhance security decision-making.
  • Defending and protecting the data - Data Protection is the fundamental purpose of cybersecurity, and is the area where organizations focus most today. To defend your data, there are only four levers you can pull:

Zero Trust is:

  • applicable across all industries and organizations – It is an easy to implement way to improve safety that any organizations can implement.
  • not dependent on a specific technology or vendor – Zero Trust is a vendor neutral design philosophy that allows maximum flexibility to create architectures that meet specific demands.
  • scalable – Vital information is protected while public facing data travels freely.
  • focuses on keeping internal data safe and would not result in any foreseeable encroachment on Civil Liberties.

Zero Trust promotes Access Control around each resource

More Information#

There might be more information for this subject on one of the following: