My Primer on Zero-Trust Architecture

Zero-Trust Architecture

The idea of Zero-Trust was mooted by John Kindervag in a Forrester report back in 2010, and Google shared its successful implementation (i.e. BeyondCorp) in recent years. So ZTA is not exactly a new idea, but implementing it correctly is.

What the zero-trust model does is withhold access to resources until a user, device or even an individual packet has been thoroughly inspected and authenticated. Even then, only the least amount of necessary access is granted. An adage commonly used to describe zero-trust is “never trust, always verify”, an evolution of the old “trust but verify” approach to security.

Zero Trust is based on three (3) core principles:

  1. All resources are accessed in a secure manner regardless of location (i.e. internal, external)
  2. Adopt a least-privileged strategy and strictly enforce access control
  3. Inspect and log all traffic – from any source to any destination
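To make the three principles concrete, here is an added example (not code from the original post, BeyondCorp or any product) of a minimal policy decision point in Python. Every request is evaluated on identity, device posture, role grants and step-up MFA, the source network is deliberately ignored (principle 1), the default is deny with only explicitly granted resource/action pairs allowed (principle 2), and every decision, allowed or not, is appended to an audit log (principle 3). The users, roles, resources and the `evaluate` function are all hypothetical, constructed for illustration.

```python
from dataclasses import dataclass, asdict

# Hypothetical policy engine: each request is checked on its own merits,
# every time. "Internal" vs "external" location never shortcuts a check.

@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    device_compliant: bool
    source_network: str   # "internal" or "external"; logged, never trusted
    resource: str
    action: str           # "read" or "write"

# Constructed least-privilege policy: a role may exercise only the
# (resource, action) pairs listed here; anything absent is denied.
ROLE_GRANTS = {
    "analyst": {("reports", "read")},
    "admin": {("reports", "read"), ("reports", "write"), ("config", "write")},
}
USER_ROLES = {"alice": "analyst", "bob": "admin"}   # constructed identities

# Writes to these resources require step-up MFA on the current session.
STEP_UP_ON_WRITE = {"config", "reports"}

# Principle 3: every decision is recorded, from any source to any destination.
audit_log = []


def evaluate(req: Request):
    """Return (allowed, reason). Default deny: all checks must pass."""
    reason = None
    role = USER_ROLES.get(req.user)
    if role is None:
        reason = "unknown identity"
    elif not req.device_compliant:
        reason = "device posture failed"
    elif (req.resource, req.action) not in ROLE_GRANTS[role]:
        reason = "not in role grants"
    elif (req.action == "write" and req.resource in STEP_UP_ON_WRITE
          and not req.mfa_verified):
        reason = "step-up MFA required"
    allowed = reason is None
    # Note: req.source_network is recorded but never consulted above.
    audit_log.append({**asdict(req), "allowed": allowed,
                      "reason": reason or "ok"})
    return allowed, reason or "ok"


if __name__ == "__main__":
    # Constructed sample requests: internal location buys nothing,
    # external location with strong posture and MFA is fine.
    samples = [
        Request("alice", False, True, "internal", "reports", "read"),
        Request("alice", False, True, "internal", "reports", "write"),
        Request("bob", False, True, "internal", "config", "write"),
        Request("bob", True, True, "external", "config", "write"),
        Request("mallory", True, True, "internal", "reports", "read"),
    ]
    for s in samples:
        print(s.user, s.source_network, s.resource, s.action, "->", evaluate(s))
```

The point to notice is what the engine does not look at: a request from the "internal" network with a non-compliant device or without a matching role grant is refused exactly as an external one would be, and the log entry is written whether or not access was granted.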

ZTA's rise in popularity in recent years can also be attributed to advances in technologies like microsegmentation, step-up multi-factor authentication, machine learning (ML), user and entity behavior analytics (UEBA), unified logging, virtual network functions (VNF), etc. All of these make a ZTA implementation a whole lot easier than in the past.

While researching this topic, you might come across similar-sounding terms from various product vendors, like software defined perimeter (SDP), identity perimeter, etc. They pretty much mean the same thing, but with different approaches.