Why Does Zero Trust Security Work?

Zero trust security is a cyber security model that requires strict identity verification for each individual and device attempting to access resources on a company’s network, irrespective of whether they are sitting inside or outside of the network perimeter. No one is trusted by default.


Back in the day, security was modelled around the principle of trusting everyone and everything that was inside the network. Traditional security was based on the sentinel-at-the-gate approach, meaning it was hard to gain access from outside the network, but everybody who was inside the network was trusted by default. However, with this approach, should a bad actor get a foot in the door, they would be able to move laterally and have access to everything inside.


This system was highly vulnerable by nature, and the problem is compounded by the fact that organisations no longer have their data residing in one place, but rather spread across a slew of systems and clouds, making it far harder to manage and secure with a single security control.


Zero trust security principles


With zero trust, verification is required from everybody who is trying to gain access to resources on the network, and this approach has proved highly effective at preventing data breaches. There are several principles behind zero trust. Firstly, there’s continuous monitoring and validation. Zero trust assumes that there are bad actors both outside and inside the network, so no people or devices should be automatically trusted. With zero trust, every user’s identity and privileges, and every device’s identity and security posture, are verified, and both connections and logins time out every so often, meaning users and devices must be periodically re-verified.


Another principle of zero trust security is enforcing the principle of least privilege access, which means giving users the bare minimum access, and only to the resources they strictly need to do their jobs effectively. This lessens every individual’s exposure to privileged or confidential information.


Then there’s device access control, which monitors how many different devices are attempting to access the network, assesses all devices to make sure they are not compromised in any way, and ensures that each and every device is authorised. Once again, this shrinks the possible attack surface.


Zero trust also makes use of microsegmentation, or the practice of dividing security perimeters into smaller, separate ‘zones’ to ensure separate access for separate parts of the network is maintained. In this way, separate authorisation is needed to access each different zone, to bolster security and limit any damage should one zone be breached.


Finally, zero trust relies on multi-factor authentication, meaning more than just one means of authentication is needed to access the network. In this way, a password isn’t enough on its own, nor is a biometric or a token. A combination of two or more of these is needed to get in.
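The five principles above (continuous re-verification, least privilege, device access control, microsegmentation and multi-factor authentication) all come together at one place: the policy decision made for each individual request. The following is an added example, not code from the original article, showing a minimal default-deny policy engine that applies all five checks to every request and reports every check that failed. The zone-to-role table, the 15-minute re-verification interval, the device posture attributes and the sample users and devices are all constructed assumptions for illustration.

```python
"""Minimal zero-trust policy decision point (added example, constructed data).

Default deny: a request is allowed only if identity/role, MFA, session
freshness, device authorisation, device posture and zone authorisation all
pass. Every failing check is collected so the denial can be logged and acted on.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed re-verification interval: sessions older than this must re-authenticate.
SESSION_MAX_AGE = timedelta(minutes=15)

# Constructed microsegmentation policy: which roles may enter which zone.
ZONE_ACCESS = {
    "hr-zone": {"hr"},
    "finance-zone": {"finance"},
    "dev-zone": {"engineering"},
}


@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool        # device is known and authorised (device access control)
    disk_encrypted: bool  # posture check (assumed attribute)
    patched: bool         # posture check (assumed attribute)


@dataclass(frozen=True)
class Session:
    user: str
    mfa_factors: frozenset  # distinct factor types used, e.g. {"password", "totp"}
    roles: frozenset        # roles granted to the user (least privilege)
    verified_at: datetime   # last successful verification
    device: Device


def evaluate(session, zone, now):
    """Return (allowed, reasons). Any single failing check denies the request."""
    reasons = []
    # Multi-factor authentication: one factor of any kind is never enough.
    if len(session.mfa_factors) < 2:
        reasons.append("mfa: fewer than two distinct factors")
    # Continuous validation: stale sessions must re-verify.
    if now - session.verified_at > SESSION_MAX_AGE:
        reasons.append("session: re-verification required")
    # Device access control and posture.
    dev = session.device
    if not dev.enrolled:
        reasons.append("device: not authorised")
    if not (dev.disk_encrypted and dev.patched):
        reasons.append("device: posture check failed")
    # Microsegmentation and least privilege: the role must grant this zone.
    if zone not in ZONE_ACCESS:
        reasons.append(f"zone: unknown zone {zone!r}")
    elif not (session.roles & ZONE_ACCESS[zone]):
        reasons.append(f"zone: no role grants access to {zone}")
    return (not reasons, reasons)


# Constructed clock and sample devices for the demonstration.
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
GOOD_DEVICE = Device("laptop-01", enrolled=True, disk_encrypted=True, patched=True)
ROGUE_DEVICE = Device("unknown-99", enrolled=False, disk_encrypted=False, patched=True)


def sample_requests():
    """Constructed requests, one per principle being exercised."""
    two_factors = frozenset({"password", "totp"})
    fresh = NOW - timedelta(minutes=5)
    stale = NOW - timedelta(hours=2)
    hr = frozenset({"hr"})
    return {
        "hr_ok": (Session("alice", two_factors, hr, fresh, GOOD_DEVICE), "hr-zone"),
        "wrong_zone": (Session("alice", two_factors, hr, fresh, GOOD_DEVICE), "finance-zone"),
        "password_only": (Session("alice", frozenset({"password"}), hr, fresh, GOOD_DEVICE), "hr-zone"),
        "stale": (Session("alice", two_factors, hr, stale, GOOD_DEVICE), "hr-zone"),
        "rogue_device": (Session("alice", two_factors, hr, fresh, ROGUE_DEVICE), "hr-zone"),
    }


def run_all():
    """Evaluate every sample request; returns {name: (allowed, reasons)}."""
    return {name: evaluate(s, z, NOW) for name, (s, z) in sample_requests().items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in run_all().items():
        print(f"{name:14s} -> {'ALLOW' if allowed else 'DENY'} {reasons}")
```

Note the design choice: the engine never short-circuits on the first failure. Collecting every failed check makes the denial log useful for detection, since a request that fails the device posture check and the MFA check at the same time looks quite different from a user who simply let a session expire.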


Zero trust might sound complex...


But it really isn’t. Adopting this security model can be pretty straightforward with the right knowledge and training.