What Is the Concept of the Zero Trust Model?
The Zero Trust approach is based on three basic principles:
- Verify explicitly (Trust nothing)
- Grant least privileged access
- Assume a breach
In the Zero Trust model, every access request must be authenticated, authorized, and encrypted
before it is granted. Authentication and authorization decisions are based on all available
signals, including the user's identity, the classification of the data being accessed, the
location of the request, and the health of the device and application. Whether the user connects
from the office, a home office, or a coffee shop, the approach is the same: always verify, grant
least privileged access, and assume that a breach can happen at any time. Well-defined security
policies are the core of Zero Trust: they let security teams protect the workforce wherever
employees connect from, without sacrificing productivity.
Why Do We Need Zero Trust?
The Zero Trust model was formulated in 2010 by John Kindervag, at the time a principal analyst at
Forrester Research, Inc., but the underlying idea had been discussed before that. As early as 2003
it was being observed that security teams were not validating what they should have been
validating, and that users inside the corporate network were granted undue privileges simply for
being on the internal network. From this came the fundamental principles of verifying both the
device and the user identity. As a result, applications, rather than networks, became the center
of cybersecurity.
‘Never Trust, Always Verify’
Traditionally, corporate security relied on perimeter tools such as the VPN. Anyone wanting to
connect to the virtual private network had to sign in. Most companies still use a VPN as standard,
some adding an extra layer by validating the device used to connect.
However, once the user has signed in, there is no further verification and therefore no further
layer of control. So, if a criminal manages to infiltrate the VPN, they can compromise company
Beyond securing the network perimeter and validating the devices used to log in, security must
also govern what an authenticated user is allowed to do. For example, should employees only be
able to view CRM records, or should they be able to edit them as well? Should editing only be
possible from a company device? Every action should be permitted only once the required
conditions have been verified as met, and that verification should happen for each request, not
once at login. That is the basis of Zero Trust.
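The CRM questions above (view versus edit, edit only from a company device) and the per-request evaluation of identity, device health, location and data classification described under the three principles can be expressed as a small deny-by-default policy evaluator. The following is an added example, not code from the original article or from any vendor product; the role table, the request fields, the rule set and the sample signals are assumptions constructed for illustration, and in a real deployment these signals would come from an identity provider and a device-management agent.

```python
"""Per-request access decisions for the CRM scenario (added example, not from the article).

The role table, request fields and rules below are constructed assumptions
chosen to show the three principles: verify explicitly, least privilege,
assume breach.
"""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

# Constructed role table (assumption): which actions each role may take on each resource.
ROLE_PERMISSIONS = {
    "crm": {
        "sales_rep": {"view", "edit"},
        "support": {"view"},
    },
}


@dataclass(frozen=True)
class AccessRequest:
    """Signals available at the moment of one request (constructed field set)."""
    user: str
    role: str
    mfa_verified: bool     # identity verified explicitly (e.g. MFA) for this request
    device_managed: bool   # company-enrolled device
    device_healthy: bool   # posture check passed: patched, disk encrypted, EDR running
    location: str          # "office", "home" or "public"
    resource: str          # e.g. "crm"
    classification: str    # "internal" or "confidential"
    action: str            # "view" or "edit"


# A rule returns a denial reason, or None when its check passes.
Rule = Callable[[AccessRequest], Optional[str]]


def require_verified_identity(req: AccessRequest) -> Optional[str]:
    # Verify explicitly: every request, from every location, needs a strongly verified identity.
    return None if req.mfa_verified else "identity not verified with MFA"


def require_healthy_device(req: AccessRequest) -> Optional[str]:
    # Assume breach: a device that fails its posture check is treated as possibly compromised.
    return None if req.device_healthy else "device failed health check"


def require_role_permission(req: AccessRequest) -> Optional[str]:
    # Least privilege: the role must explicitly grant this action; anything unlisted is denied.
    allowed = ROLE_PERMISSIONS.get(req.resource, {}).get(req.role, set())
    if req.action in allowed:
        return None
    return f"role {req.role!r} may not {req.action!r} {req.resource!r}"


def require_managed_device_for_edits(req: AccessRequest) -> Optional[str]:
    # The article's CRM question: editing is only allowed from a company device.
    if req.action == "edit" and not req.device_managed:
        return "edit requires a company-managed device"
    return None


def restrict_confidential_on_public_networks(req: AccessRequest) -> Optional[str]:
    # Data classification combined with location: confidential records from a public
    # network (the coffee shop) are only served to a managed device.
    if (req.classification == "confidential" and req.location == "public"
            and not req.device_managed):
        return "confidential data from a public network requires a managed device"
    return None


RULES: List[Rule] = [
    require_verified_identity,
    require_healthy_device,
    require_role_permission,
    require_managed_device_for_edits,
    restrict_confidential_on_public_networks,
]


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Evaluate one request against every rule; deny unless all of them pass.

    Returns (allowed, reasons). Every failed check is listed so a denial is
    explainable. The function is called per request, not per session: a later
    request from the same user with a changed signal is decided afresh.
    """
    reasons: List[str] = []
    for rule in RULES:
        reason = rule(req)
        if reason is not None:
            reasons.append(reason)
    return (not reasons, reasons)


def variant(req: AccessRequest, **changes) -> AccessRequest:
    """Copy a request with some signals changed (e.g. the device fell out of compliance)."""
    return replace(req, **changes)


if __name__ == "__main__":
    # Constructed sample: a sales rep viewing a confidential CRM record from the office.
    base = AccessRequest(user="alice", role="sales_rep", mfa_verified=True,
                         device_managed=True, device_healthy=True, location="office",
                         resource="crm", classification="confidential", action="view")
    for label, req in [
        ("office view, managed healthy device", base),
        ("edit from personal device", variant(base, action="edit", device_managed=False)),
        ("same user, device now unhealthy", variant(base, device_healthy=False)),
        ("support role tries to edit", variant(base, role="support", action="edit")),
    ]:
        allowed, reasons = evaluate(req)
        print(f"{label}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The point of the structure is that nothing is inherited from a login: the same user who was allowed to view a record a moment ago is denied as soon as the device health signal changes, and an edit is refused from a personal device even though the role permits editing. Adding a new signal means adding one rule, and a request that matches no explicit grant is denied.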