{"id":1242,"date":"2026-05-13T16:28:05","date_gmt":"2026-05-13T20:28:05","guid":{"rendered":"https:\/\/casioaktech.com\/?p=1242"},"modified":"2026-05-13T16:28:06","modified_gmt":"2026-05-13T20:28:06","slug":"stupid-simple-explanation-of-zero-trust","status":"publish","type":"post","link":"https:\/\/casioaktech.com\/index.php\/2026\/05\/13\/stupid-simple-explanation-of-zero-trust\/","title":{"rendered":"Stupid Simple Explanation of Zero Trust"},"content":{"rendered":"\n<p>Zero Trust is a cybersecurity model built on a simple idea. Zero Trust assumes no user, device or system should be inherently trusted, whether inside or outside the network. This moves away from the more traditional method of intense security controls at the network edge, while implicitly trusting traffic already inside.<br><br>The concept is widely adopted across government and enterprise environments, with initiatives led by the Cybersecurity & Infrastructure Security Agency (CISA) and other federal Zero Trust campaigns.<br><br>The core principles are pretty straightforward, but implementation is where the real challenge lies. Let\u2019s get into the core ideas behind Zero Trust.<\/p>\n\n\n\n<p><strong>Core Principles<\/strong>:<\/p>\n\n\n\n<p><em><strong>Never Trust, Always Verify<\/strong><\/em><\/p>\n\n\n\n<p>In a Zero Trust environment, every access request, whether human or system, is authenticated, authorized, and encrypted before being granted. It doesn\u2019t matter if this user or system has accessed this resource a thousand times or more; it will have to prove its legitimacy. 
Yes, <em><span style=\"text-decoration: underline;\">Every<\/span> time!<\/em><br><br><strong>Example:<\/strong><\/p>\n\n\n\n<p>A manager logs into a company system from their usual office location using a company laptop.<\/p>\n\n\n\n<p>Later that same session:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The device disables antivirus protection<\/li>\n\n\n\n<li>The login suddenly shifts to a foreign IP address<\/li>\n\n\n\n<li>Large amounts of sensitive data begin downloading<\/li>\n<\/ul>\n\n\n\n<p>Systems detect the increased risk and can:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Force re-authentication<\/li>\n\n\n\n<li>Restrict access to sensitive resources<\/li>\n\n\n\n<li>Terminate the session entirely<\/li>\n\n\n\n<li>Alert the security operations center (SOC)<\/li>\n<\/ul>\n\n\n\n<p>Trust is continuously evaluated, not permanently granted. <br><br><strong><em>Least Privilege<\/em><\/strong><br>Users and systems only get the minimum level of access needed to complete their task. This keeps the potential damage of unauthorized access to critical information or systems as small as possible in the event of a compromise. In effect, this keeps the attack surface as small as possible.<br><br><strong>Example:<\/strong><br>A leasing agent needs access to the following resources:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Email<\/li>\n\n\n\n<li>Printers<\/li>\n\n\n\n<li>Access to tenant applications<\/li>\n<\/ul>\n\n\n\n<p>Does <strong><span style=\"text-decoration: underline;\">NOT<\/span> <\/strong>need access to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Network management systems<\/li>\n\n\n\n<li>Security camera systems<\/li>\n<\/ul>\n\n\n\n<p><br><strong><em>Assume Breach<\/em><\/strong><\/p>\n\n\n\n<p>Zero Trust assumes the network may already be compromised. This should be your assumption. Do you know every device & user connected to your network at all times? Do you know what they are accessing? 
How do you keep this contained to have the least impact on your operation? Quick detection of anomalies, containment, and minimizing operational impact become the focus. <\/p>\n\n\n\n<p><strong>Example:<\/strong><br>An employee\u2019s credentials are stolen through a phishing email.<\/p>\n\n\n\n<p>Instead of giving the attacker unrestricted access across the network:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-factor authentication blocks login attempts from unknown devices<\/li>\n\n\n\n<li>Endpoint detection tools flag unusual behavior<\/li>\n\n\n\n<li>Network segmentation prevents access to sensitive finance systems<\/li>\n\n\n\n<li>Security teams receive automated alerts for investigation<\/li>\n<\/ul>\n\n\n\n<p>Even though the account was compromised, the attacker\u2019s ability to move through the environment is heavily restricted.<br><br><br><\/p>\n\n\n\n<p>As much as I wanted this article to be full of advanced configurations and technical guidance, that level of detail is unnecessary for this overview. The reality is that Zero Trust is a concept, not a fixed set of instructions. The real challenge comes during implementation in live environments, which is where more advanced technical discussions become valuable.  <\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Zero Trust is a cybersecurity model built on a simple idea. Zero Trust assumes no user, device or system should be inherently trusted, whether inside or outside the network. This moves away from the more traditional method of intense security controls at the network edge, while implicitly trusting traffic already inside. 
The concept is widely [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1246,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[4,6,11],"tags":[],"class_list":["post-1242","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-study","category-tech"],"acf":[],"_links":{"self":[{"href":"https:\/\/casioaktech.com\/index.php\/wp-json\/wp\/v2\/posts\/1242","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/casioaktech.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/casioaktech.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/casioaktech.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/casioaktech.com\/index.php\/wp-json\/wp\/v2\/comments?post=1242"}],"version-history":[{"count":2,"href":"https:\/\/casioaktech.com\/index.php\/wp-json\/wp\/v2\/posts\/1242\/revisions"}],"predecessor-version":[{"id":1247,"href":"https:\/\/casioaktech.com\/index.php\/wp-json\/wp\/v2\/posts\/1242\/revisions\/1247"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/casioaktech.com\/index.php\/wp-json\/wp\/v2\/media\/1246"}],"wp:attachment":[{"href":"https:\/\/casioaktech.com\/index.php\/wp-json\/wp\/v2\/media?parent=1242"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/casioaktech.com\/index.php\/wp-json\/wp\/v2\/categories?post=1242"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/casioaktech.com\/index.php\/wp-json\/wp\/v2\/tags?post=1242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}