What is Zero Trust?

Traditional security models assume that you can define a perimeter around an organization – and protect it more or less perfectly – and that everything within it can then be trusted. However, the idea of a perfect perimeter, and that all users act responsibly and that their identities can be trusted is outdated and downright dangerous. Within that perimeter – really the corporate network – users, and so malicious actors, are able to move laterally and access data. And in any case, the corporate perimeter is an outmoded concept in a world in which users need to work from anywhere.

Never trust, always verify

Zero Trust is a response to this realization, and was created by John Kindervag in 2010, then an analyst for Forrester Research. At the heart of the Zero Trust idea is the principle of “never trust, always verify”. In the Zero Trust model, trust itself is thought of as a vulnerability, and instead of thinking in terms of an overall corporate perimeter, the critical (i.e. valuable, sensitive) assets are seen as being behind micro-perimeters. A “protect surface” around our critical assets can be properly protected, because it is so much smaller than the “attack surface”.

A very simple example of this kind of thinking is given by Azure AD Conditional Access. Perhaps a user gains access to their email from a café. They then go to access some more sensitive company data and – based on signals from various sources about the user, the IP address, knowledge of the device they are using – they could be required to provide some additional authentication, or blocked from that access altogether. The attentive reader will note that Zero Trust doesn’t literally mean that there is never any trust, but rather that there are levels of trust – our example user was able to get on with some work, while a critical asset was protected.

Zero Trust is not a product, it’s a principle

To be quite clear, Zero Trust is not associated with any particular vendor – there are no “zero trust” products. However, organizations that wish to embrace Zero Trust principles might choose to align themselves with vendors who also embrace them. A typical Zero Trust strategy will involve identifying your unique protect surface, and then looking at the part that can be played by tools and technologies from all incumbent (and potentially, new) IT vendors. Examples include conditional access (described above), multi-factor authentication (e.g. Azure MFA), identity and access management (MIM, Azure AD Connect), device management (Intune, Windows AutoPilot), role-based access controls (Saviynt, Azure AD), risk assessment and mitigation(Saviynt, Azure Identity Protection), just in time/just enough privilege management (Azure AD PIM), passwordless authentication (Windows Hello and death of the password), encryption etc. This need not be prohibitively expensive – there may well be no need to rip and replace. Implementation can be incremental – but the overall strategy must be holistic.

Want to know more?

The Future State of Identity and Security: Virtual Event Recorded Sessions – available here!

View this Zero Trust webinar recording, broadcast by our sister company in the US in May 2020.

If you’d like to know more about how your organization can move to a Zero Trust model call us! Our global group of companies has particular expertise in identity and security.

Updated September 2020