Zero Trust Security Model
Author: Rino, Created on Nov 28, 2025
A modern cybersecurity model that assumes no implicit trust, requiring strict authentication and authorization for every access request, regardless of location.
Never Trust, Always Verify
Zero Trust is a modern cybersecurity model that upends the traditional "castle-and-moat" approach. The conventional security model assumes that "the internal network is trusted, and the external network is dangerous." The core principle of the Zero Trust model, by contrast, is "Never trust, always verify."
It operates on the assumption that the network perimeter is always at risk, whether from external attacks or internal threats. Therefore, it strictly authenticates every person or device attempting to access resources on the network, without exception.
Core Principles
- Identity is the New Perimeter: The security boundary is no longer a physical network location but the user's identity. Every access request must be authenticated, regardless of whether the user is on the corporate network or at a coffee shop.
- Principle of Least Privilege: Each user or device is granted the minimum level of access permissions necessary to complete their task.
- Micro-segmentation: The network is divided into many small, isolated security zones. If one zone is compromised, the isolation between zones effectively prevents the attacker from moving laterally across the network.
- Continuous Monitoring and Analysis: All network traffic is continuously monitored, logged, and analyzed to promptly detect anomalous behavior and potential threats.
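The four principles above can be read as one per-request decision. The following is an added example, not code from the original article or from any product: the policy tables, segment names, field names and the `decide` and `denial_counts` functions are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy: (role, resource) -> allowed actions (least privilege).
GRANTS = {
    ("payroll-clerk", "payroll-db"): {"read"},
    ("payroll-admin", "payroll-db"): {"read", "write"},
}
# Constructed micro-segmentation map: source segments allowed to reach a resource.
SEGMENT_RULES = {"payroll-db": {"finance-apps"}}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    authenticated: bool          # result of a fresh identity check for this request
    device_compliant: bool       # result of a device posture check
    source_segment: str          # segment the client or workload sits in
    on_corporate_network: bool   # recorded, but deliberately never used to grant trust
    resource: str
    action: str


def decide(req: Request, log: list) -> str:
    """Return 'allow' or 'deny:<reason>'. Anything not explicitly granted is denied."""
    if not req.authenticated:
        verdict = "deny:unauthenticated"
    elif not req.device_compliant:
        verdict = "deny:device-posture"
    elif req.source_segment not in SEGMENT_RULES.get(req.resource, set()):
        verdict = "deny:segment"
    elif req.action not in GRANTS.get((req.role, req.resource), set()):
        verdict = "deny:not-granted"
    else:
        verdict = "allow"
    # Continuous monitoring: every decision is logged, allowed or not.
    log.append((req.user, req.resource, req.action, verdict))
    return verdict


def denial_counts(log: list) -> dict:
    """Count denials per user, a simple signal to feed into anomaly review."""
    counts = {}
    for user, _resource, _action, verdict in log:
        if verdict != "allow":
            counts[user] = counts.get(user, 0) + 1
    return counts
```

Note that `on_corporate_network` never appears in `decide`: an unauthenticated request from inside the office is denied exactly like one from a coffee shop.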
Recommended Reading
- Popular Science:
  - (Book) Zero Trust Networks: Building Secure Systems in Untrusted Networks by Evan Gilman and Doug Barth.
- Textbooks:
  - (Framework) NIST Special Publication 800-207: "Zero Trust Architecture".
- Further Reading:
  - (Book) Project Zero Trust: A Story about Information Security by George Finney.