Zero Trust Architecture (ZTA) is an emerging security concept that aims to minimize the risks of data breaches and cyber attacks by eliminating implicit trust commonly granted between entities on an internal network. Conventional network security strategies rely on defenses at the perimeter such as firewalls to protect private networks. However, with the rise of cloud computing and mobility, it has become more difficult to define clear boundaries and control access between trusted internal and untrusted external entities on networks.

ZTA takes a fundamentally different approach to security by removing all implicit trust from the network. Instead of trusting all entities inside the perimeter, it extends security across the entire information space using techniques such as zero-trust networking and least-privilege access. This article will explore the key principles and concepts behind ZTA, analyze its advantages over traditional perimeter-based security models, and examine some practical considerations for organizations looking to adopt a zero trust architecture.

Key principles of Zero Trust Architecture

The core principles behind Zero Trust Architecture center around eliminating implicit trust on networks and assuming a default position of “never trust, always verify.” Some key defining principles include:

- Verify explicitly: Access to applications and services should be granted on a need-to-know basis after verifying attributes about the user, device, application, network location and time. Implicit access from being on the network or in a group is not sufficient.

- Least privilege access: Only grant employees or systems the minimum access required to perform their jobs, to limit the potential harm from a breach. Privileged access should be metered and audited.

- Never trust, always verify: Strong authentication is required across the board on networks and continuous verification should be performed as users move between resources. Static credentials or untracked devices are not allowed.

- Visibility and logging: Achieve visibility into all activity on the network and log it extensively to detect anomalies or threats. End-to-end visibility from device to application and back is important.

- Microsegmentation: ZTA enforces the principle of “least privilege” at the application, system and network levels through additional fine-grained segmentation that restricts lateral movement of threats even if one system is compromised.
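To show how these principles combine in practice, here is an added example (not from the article) of a minimal policy decision point: every request is denied by default, access is decided on explicit user, device, application and time attributes per application rather than on network location, and every decision is logged. The application names, roles and policies are constructed for illustration.

```python
# Added example: a minimal zero-trust policy decision point (constructed).
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    roles: frozenset       # roles asserted by the identity provider
    device_managed: bool   # device posture reported by an endpoint agent
    mfa_verified: bool     # strong authentication completed this session
    app: str               # target application
    network: str           # network location: logged, never trusted by itself
    hour: int              # local hour of the request, 0-23

@dataclass
class AppPolicy:
    allowed_roles: frozenset
    hours: range = range(0, 24)  # hours during which access is permitted

DECISION_LOG: list = []  # visibility: every decision is recorded

def decide(req: AccessRequest, policies: dict) -> tuple:
    """Return (allowed, reasons). Every check must pass; default is deny."""
    reasons = []
    policy = policies.get(req.app)
    if policy is None:
        reasons.append("no policy for app (default deny)")
    else:
        if not (req.roles & policy.allowed_roles):
            reasons.append("role not permitted for app (least privilege)")
        if req.hour not in policy.hours:
            reasons.append("outside permitted hours")
    if not req.mfa_verified:
        reasons.append("strong authentication not verified")
    if not req.device_managed:
        reasons.append("device posture unknown or unmanaged")
    allowed = not reasons
    DECISION_LOG.append({"user": req.user, "app": req.app, "network": req.network,
                         "allowed": allowed, "reasons": list(reasons)})
    return allowed, reasons

# Constructed sample policies: finance may reach payroll during working hours only.
POLICIES = {
    "payroll": AppPolicy(allowed_roles=frozenset({"finance"}), hours=range(7, 20)),
    "wiki": AppPolicy(allowed_roles=frozenset({"finance", "engineering"})),
}

if __name__ == "__main__":
    # Being on the internal network grants nothing without MFA and a managed device.
    inside = AccessRequest("alice", frozenset({"finance"}), False, False,
                           "payroll", "corp-lan", 10)
    print(decide(inside, POLICIES))
```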
