Zero Trust Access
Zero Trust, or Zero Trust Access, is the term applied to the strategy which assumes that no individual or device can be trusted until it has been verified. The good guys, the bad guys, and all devices are treated the same and none is trusted automatically. Proof of trust is established by verifying credentials.
The term was first coined in 1994 by Stephen Paul Marsh at the University of Stirling as part of his doctoral thesis on trust. Over the following ten years it became part of the technology vernacular as a way of describing the perimeter of security access.
Three Principles
While a zero trust strategy can be implemented in different ways, a zero trust architecture will always contain similar elements.
User/Application authentication – grouped together because some actions are automated rather than performed by a person
Device authentication – consideration of the access scenarios: whether access will be granted from a mobile phone, an IoT device, different locations, and so on
Trust layers – evaluation of access per application layer rather than as overall network access
Interaction – a way of repeating verification through interactive steps
Working together, these principles rest on the “never trust, always verify” foundation. That means a user or device must be verified even when it is connected to the corporate LAN. The complexity of today’s technology landscape means that we cannot operate on assumptions: the mere presence of a device or login on a network should never make verification or validation automatic.
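The following is an added illustration, not code from the original page: a small per-request policy evaluator that applies the four elements above (credential check, device check, per-application trust layer, and recent interactive re-verification) and deliberately never consults the network the request came from. The role table, application policies and field names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    principal: str          # user or automated application identity
    credential_ok: bool     # credential verification passed (password/MFA/token)
    device_verified: bool   # device identity and posture attested
    auth_age_s: int         # seconds since the last interactive verification
    source_network: str     # recorded for logging only; never used to grant trust
    application: str


# Constructed sample data: roles held by people and automated jobs alike
ROLES = {"alice": {"employee", "hr"}, "bob": {"employee"}, "payroll-job": {"hr"}}

# Constructed per-application policy: trust is decided per application layer,
# not once for the whole network
POLICY = {
    "hr-portal": {"roles": {"hr"}, "managed_device": True, "max_auth_age_s": 300},
    "wiki": {"roles": {"employee"}, "managed_device": False, "max_auth_age_s": 28800},
}


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Every request is evaluated from scratch."""
    policy = POLICY.get(req.application)
    if policy is None:
        return False, "unknown application: default deny"
    # 1. User/application authentication
    if not req.credential_ok:
        return False, "credentials not verified"
    # 2. Device authentication, where the application layer demands it
    if policy["managed_device"] and not req.device_verified:
        return False, "device not verified"
    # 3. Trust layer: authorisation is scoped to this one application
    if not ROLES.get(req.principal, set()) & policy["roles"]:
        return False, f"{req.principal} not authorised for {req.application}"
    # 4. Interaction: sensitive layers require a recent interactive verification
    if req.auth_age_s > policy["max_auth_age_s"]:
        return False, "interactive re-verification required"
    # req.source_network was never consulted: being on the LAN grants nothing
    return True, "allowed"
```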