Defining Zero Trust
With phrases as popular as Zero Trust, there is often a lack of agreement on the exact definition, perhaps because there are too many claimed solutions to the problem! The Zero Trust model was created in 2010 by John Kindervag, a principal analyst at Forrester Research. Kindervag emphasised that organisations should not automatically trust users or assets, irrespective of location.
As technology has evolved, it is perhaps best to think in terms of the important characteristics of the Zero Trust approach, and how these may continue to adapt. The key point remains that you should no longer implicitly trust a managed entity - be that a device or user - just by virtue of its being, for example, connected to an internal network. This leads to two responses:
Seeking to have greater trust in the identities managed; and,
Having greater control over how resources are accessed.
The desired outcomes include having confidence in both the identity and integrity (health) of a device, combined with the identity of a user that can be verified at a granular service level when a service is accessed, all underpinned by robust security mechanisms that are, as far as possible, transparent to the user and easy to manage.
The tools available to achieve these outcomes include:
Device Identity Management
Device Health Monitoring
User Identity & Access Management
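The sketch below is an added example, not part of the original article or of any product. It shows how the three tools listed above can feed one per-request, per-service access decision in which network location grants nothing. The Request fields, the decide function, the device names and the service policies are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Request:
    service: str               # service being accessed
    user: Optional[str]        # verified user identity, None if unauthenticated
    user_mfa: bool             # user presented a second factor
    device_id: Optional[str]   # verified device identity (e.g. from a device certificate)
    device_healthy: bool       # result of the latest device health check
    source_ip: str             # carried for logging; decide() never reads it

# Constructed sample data (assumptions): enrolled devices and per-service policy.
ENROLLED_DEVICES = {"laptop-0142", "laptop-0977"}
SERVICE_POLICY = {
    "wiki":    {"users": {"alice", "bob"}, "require_mfa": False},
    "payroll": {"users": {"alice"},        "require_mfa": True},
}

def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default; evaluated on every request."""
    policy = SERVICE_POLICY.get(req.service)
    if policy is None:
        return False, "unknown service"
    # Device Identity Management: the device must be one we manage.
    if req.device_id not in ENROLLED_DEVICES:
        return False, "device identity not verified"
    # Device Health Monitoring: a known device must also be in a good state.
    if not req.device_healthy:
        return False, "device health check failed"
    # User Identity & Access Management: granular, per-service authorisation.
    if req.user is None or req.user not in policy["users"]:
        return False, "user not authorised for service"
    if policy["require_mfa"] and not req.user_mfa:
        return False, "stronger user authentication required"
    return True, "ok"

if __name__ == "__main__":
    # An internal address with an unmanaged device is refused;
    # an external address with a managed, healthy device and a verified user is allowed.
    print(decide(Request("wiki", "alice", True, "unknown-device", True, "10.0.0.5")))
    print(decide(Request("payroll", "alice", True, "laptop-0142", True, "203.0.113.7")))
```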