Zero Trust Security Model
A Zero Trust Security Model is a security model that operates on the principle of "never trust, always verify."
- Context:
- It can (typically) assume that no user, system, or service—whether inside or outside of the network—is trusted by default.
- It can (typically) require continuous validation of every access request based on multiple attributes, including identity, device state, and context.
- It can (typically) incorporate Least Privilege Access policies, ensuring users only access resources necessary for their roles.
- It can (often) be used in conjunction with Attribute-Based Access Control (ABAC) to create fine-grained policies based on multiple user and device attributes.
- It can (often) enforce Mutual Authentication to verify both the user's identity and the accessing device's integrity before granting any resource access.
- ...
- It can secure Cloud Computing environments where traditional perimeter security is less effective due to the distributed nature of cloud services.
- It can be applied to complex IT environments, including Internet of Things (IoT) networks, ensuring secure communication between diverse connected devices.
- It can use Microsegmentation to isolate different network zones and minimize lateral movement in the case of a breach.
- It can enforce continuous Monitoring and Analytics to track and validate user and device behavior in real-time, helping to detect and respond to anomalous activities.
- It can range from a simple Perimeter-Less Security implementation for small businesses to comprehensive Zero Trust Architecture deployments across large, multi-cloud organizations.
- It can deploy Data Security policies that focus on ensuring secure data access, data masking, and encryption based on the Zero Trust principles.
- It can provide secure remote access by replacing traditional Virtual Private Networks with identity-based authentication and granular resource policies.
- It can integrate Endpoint Detection and Response (EDR) to continuously monitor the security posture of connected devices.
- It can leverage Software-Defined Perimeter (SDP) technologies to create dynamic access controls and micro-perimeters around individual resources.
- ...
- Example(s):
- The National Institute of Standards and Technology (NIST) published Special Publication 800-207 in 2020, outlining the core components and principles of Zero Trust Architecture for federal agencies.
- In 2019, Google implemented its internal "BeyondCorp" Zero Trust model, eliminating traditional network-based access controls and shifting to identity-based policies for secure remote access.
- In 2016, Forrester Research introduced the term "Zero Trust" to describe a new security model that shifts away from trusting users inside a network perimeter.
- In 2022, Microsoft released its Zero Trust Security framework, focusing on identity, device health, and continuous monitoring to secure remote and hybrid workforces.
- Cloudflare Zero Trust, which follows the same model.
- ...
- Counter-Example(s):
- Perimeter-Based Security Models, which rely on static firewall rules and trust assumptions within a defined network boundary.
- Role-Based Access Control (RBAC), which grants permissions based solely on predefined roles without considering dynamic user and device contexts.
- Traditional VPN Solutions, which often provide broad network access without fine-grained, identity-based controls.
- See: Attribute-Based Access Control, IT System, Local Area Network, Cloud Computing, Internet of Things, Virtual Private Network, Mutual Authentication, Authentication, Data Security, Principle of Least Privilege.
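The Context items above describe a policy decision point that denies by default, re-validates identity and device posture on every request, and grants only the least privilege a role needs. The following added example (not from the original page or any vendor's product) shows such a decision point in Python; the policy table, attribute names, and 15-minute re-verification window are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Constructed example: a minimal Zero Trust policy decision point.
# Access depends on verified identity, device posture and role; the
# source network is recorded for audit but is never a trust signal.

@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: FrozenSet[str]
    mfa_verified: bool
    auth_age_seconds: int  # seconds since last successful verification

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # enrolled in device management
    disk_encrypted: bool
    edr_healthy: bool    # EDR agent present and reporting clean

@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str
    source_network: str  # "corp-lan", "vpn" or "internet": deliberately ignored

# Least-privilege policy (constructed): resource -> action -> roles allowed.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "payroll-db": {"read": {"finance"}, "write": {"finance-admin"}},
    "wiki": {"read": {"employee", "finance", "finance-admin"}, "write": {"employee"}},
}
MAX_AUTH_AGE = 900  # assumed: re-verify the session every 15 minutes

def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything else is denied."""
    s, d = req.subject, req.device
    if not s.mfa_verified:
        return False, "identity: MFA not verified"
    if s.auth_age_seconds > MAX_AUTH_AGE:
        return False, "identity: verification stale, re-authenticate"
    if not (d.managed and d.disk_encrypted and d.edr_healthy):
        return False, "device: posture check failed"
    allowed_roles = POLICY.get(req.resource, {}).get(req.action, set())
    if not (s.roles & allowed_roles):
        return False, "authz: no role permits %s on %s" % (req.action, req.resource)
    return True, "allow"
```

Note that a request from the corporate LAN with a failing device check is denied while the same user on a healthy device over the public internet is allowed, which is the inversion of perimeter-based trust the page describes.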
References
2023
- (Wikipedia, 2023) ⇒ https://en.wikipedia.org/wiki/zero_trust_security_model Retrieved: 2023-11-30.
- The zero trust security model, also known as zero trust architecture (ZTA), and sometimes known as perimeterless security, describes an approach to the strategy, design and implementation of IT systems. The main concept behind the zero trust security model is "never trust, always verify," which means that users and devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified. ZTA is implemented by establishing strong identity verification, validating device compliance prior to granting access, and ensuring least privilege access to only explicitly authorized resources. Most modern corporate networks consist of many interconnected zones, cloud services and infrastructure, connections to remote and mobile environments, and connections to non-conventional IT, such as IoT devices. The reasoning for zero trust is that the traditional approach — trusting users and devices within a notional "corporate perimeter", or users and devices connected via a VPN — is not relevant in the complex environment of a corporate network. The zero trust approach advocates mutual authentication, including checking the identity and integrity of users and devices without respect to location, and providing access to applications and services based on the confidence of user and device identity and device health in combination with user authentication. The zero trust architecture has been proposed for use in specific areas such as supply chains. The principles of zero trust can be applied to data access, and to the management of data. This brings about zero trust data security where every request to access the data needs to be authenticated dynamically and ensure least privileged access to resources. In order to determine if access can be granted, policies can be applied based on the attributes of the data, who the user is, and the type of environment using Attribute-Based Access Control (ABAC). This zero-trust data security approach can protect access to the data.