What is Zero Trust?

Traditional security models assume you can define a perimeter around an organization – and protect it perfectly – and that everything within it can then be trusted. However, the idea of a perfect perimeter, that all users act responsibly, and that their identities can be trusted is outdated and downright dangerous. Within that perimeter – the corporate network – users, and so malicious actors, can move laterally and access data. In any case, the corporate perimeter is an outmoded concept in a world in which users need to work from anywhere.

Never trust, always verify

Zero Trust is a response to this realization and was created by John Kindervag in 2010, then an analyst for Forrester Research. The principle of “never trust, always verify” is at the heart of the Zero Trust idea. In the Zero Trust model, trust itself is considered a vulnerability. Instead of considering an overall corporate perimeter, the critical (i.e. valuable, sensitive) assets are seen as being behind micro-perimeters. A “protect surface” around critical assets can be properly protected because it is so much smaller than the “attack surface”.

A simple example of this kind of thinking is implemented by Microsoft Entra Conditional Access.

A user gains access to their email from a café. They then go to access more sensitive company data and – based on signals from various sources about the user, the IP address, and knowledge of the device they are using – they could be required to provide some additional authentication, or be blocked from access altogether.

The attentive reader will note that Zero Trust doesn’t literally mean that there is never any trust, but rather that there are levels of trust – our example user was able to get on with some work, while a critical asset was protected.
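To make the café scenario concrete, here is an added example of how a conditional-access style policy engine combines sign-in signals into a decision. It is not Microsoft's code or the article's own; the trusted network ranges, app names and policy set are assumed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample environment: assumed trusted ranges, not values from the page.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
RISK_LEVELS = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Signals:  # context gathered at sign-in: who, which app, from where, on what
    user: str
    app: str
    ip: str
    device_compliant: bool   # reported by device management
    mfa_satisfied: bool      # has this session already passed MFA?
    user_risk: str = "low"   # from risk assessment: low, medium or high

@dataclass
class Policy:  # one rule: if every listed condition holds, its grant control applies
    name: str
    grant: str                      # "block" or "require_mfa"
    apps: frozenset = frozenset()   # empty means the rule covers every app
    untrusted_location_only: bool = False
    noncompliant_device_only: bool = False
    min_risk: str = "low"           # rule fires at this user risk or above

    def applies(self, s: Signals, on_trusted_network: bool) -> bool:
        if self.apps and s.app not in self.apps:
            return False
        if self.untrusted_location_only and on_trusted_network:
            return False
        if self.noncompliant_device_only and s.device_compliant:
            return False
        return RISK_LEVELS[s.user_risk] >= RISK_LEVELS[self.min_risk]

# Assumed policy set: a micro-perimeter around two sensitive apps.
SENSITIVE = frozenset({"finance-db", "hr-records"})
POLICIES = [
    Policy("block-high-risk-users", "block", min_risk="high"),
    Policy("sensitive-needs-compliant-device", "block", apps=SENSITIVE, noncompliant_device_only=True),
    Policy("sensitive-offsite-needs-mfa", "require_mfa", apps=SENSITIVE, untrusted_location_only=True),
    Policy("medium-risk-needs-mfa", "require_mfa", min_risk="medium"),
]

def evaluate(s: Signals, policies=POLICIES) -> tuple[str, list[str]]:
    on_trusted = any(ip_address(s.ip) in net for net in TRUSTED_NETWORKS)
    hits = [p for p in policies if p.applies(s, on_trusted)]
    blocked = any(p.grant == "block" for p in hits)
    step_up = any(p.grant == "require_mfa" for p in hits) and not s.mfa_satisfied
    decision = "block" if blocked else "require_mfa" if step_up else "allow"  # block wins
    return decision, [p.name for p in hits]
```

Reading email from the café on an unmanaged laptop is allowed, the same session is blocked from finance-db, and a managed laptop off-site gets a step-up MFA prompt instead; the returned policy names are what a defender would log for later review.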

Zero Trust is not a product, it’s a principle

To be quite clear, Zero Trust is not associated with any vendor – there are no “zero trust” products. However, organizations that wish to embrace Zero Trust principles might choose to align themselves with vendors who also embrace them. A typical Zero Trust strategy will involve identifying your unique ‘protect surface’, and then looking at the part that can be played by tools and technologies from all incumbent (and potentially, new) IT vendors.

Examples include conditional access (described above), multi-factor authentication (e.g. Microsoft Entra MFA), identity and access management (MIM, Microsoft Entra Connect, SoftwareIDM’s Identity Panel Suite), device management (Intune, Windows Autopilot), role-based access controls (Saviynt, Microsoft Entra ID, Identity Panel Suite), risk assessment and mitigation (Saviynt, Microsoft Entra ID Protection), just-in-time/just-enough privilege management (Identity Panel Suite, Microsoft Entra ID PIM), passwordless authentication (Windows Hello and the death of the password), encryption, etc.

This need not be prohibitively expensive – there may well be no need to rip and replace. Implementation can be incremental – but the overall strategy must be holistic.

Want to know more?

The Future State of Identity and Security: Virtual Event Recorded Sessions – available here!

View this Zero Trust webinar recording, broadcast by our sister company in the US in May 2020.

If you’d like to know more about how your organization can move to a Zero Trust model call us! Our global group of companies has particular expertise in identity and security.