Zero trust is the new standard in network security that strictly limits user access based on a dynamic authorization policy. This security framework requires all users–whether inside or outside the organization’s network–to be authenticated, authorized, and continuously validated for security configuration and posture before accessing applications and data.
Because nothing connected to the network is assumed to be safe, a zero trust security framework involves constant monitoring and assessment of all users and network resources, such as devices, data stores, and applications, for security risks.
For user security, this means implementing a dynamic authentication and authorization policy to assess risk both before they are granted access to the network, and during their session. For network resource security, this means monitoring usage and security postures, keeping up with updates and patches, and adjusting configurations.
The three basic principles of a zero trust security framework are:
Explicit verification: Authenticate and authorize every user and device on every session, using as much data as possible to determine their risk level.
Principle of least privilege: Grant the user access only to the resources they are using at the time, and only for as long as they need them during that session.
Assume a breach: Act as though your network has been breached. Limit access to resources, verify end-to-end encryption, and use analytics to monitor network activity, detect threats, and adjust access policies.
According to NIST Special Publication 800-207 (Zero Trust Architecture), the tenets of a zero trust security framework are as follows:
The system evaluates attributes like device ID, geolocation, time of day, and user role to assess authorization requests for access to resources, such as data stores and applications. The system assesses each authentication request and each authorization request separately, using dynamic access policies, taking into account user and device attributes, network type, and current environmental conditions.
Requests that fit the policy are granted. Unusual or suspicious requests are escalated for additional authentication or rejected and flagged for later review.
Risk evaluation engines build profiles of how users and user classes typically interact with applications and data stores. As they monitor and authenticate users, they will detect and flag anomalous behaviors.
With complex access policies evaluating every request both outside and inside the network, zero trust security systems require both automation and well-designed policies informed by constant monitoring.
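The policy evaluation described above, as an added illustration (not Ping Identity's product code or the NIST reference architecture): a toy policy decision point that scores each request on the attributes the text names (device ID and posture, geolocation, time of day, user role) together with a per-user behavioural baseline, then maps the score to grant, step-up authentication, or deny. Resources without a policy are denied by default. The policy tables, user profiles, weights and thresholds are constructed sample values, not a standard.

```python
# Added example: toy zero trust policy decision point with risk scoring.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Decision(Enum):
    GRANT = "grant"        # fits policy and the user's normal pattern
    STEP_UP = "step_up"    # escalate for additional authentication (e.g. MFA)
    DENY = "deny"          # reject and flag for later review


@dataclass
class Request:
    user: str
    role: str
    device_id: str
    device_compliant: bool  # posture check result: managed, patched, etc.
    country: str            # coarse geolocation of the request
    hour: int               # local hour of day, 0-23
    resource: str


@dataclass
class ResourcePolicy:
    allowed_roles: Set[str]
    allowed_countries: Set[str]
    business_hours: range = range(7, 20)   # 07:00-19:59 counts as normal
    step_up_threshold: int = 30            # illustrative thresholds
    deny_threshold: int = 60


@dataclass
class UserProfile:
    """Behavioural baseline the risk engine builds up (hypothetical shape)."""
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    usual_resources: Set[str] = field(default_factory=set)


def score_request(req: Request, policy: ResourcePolicy,
                  profile: UserProfile) -> Tuple[int, List[str]]:
    """Hard rule violations score 100 outright; each anomaly adds a weight so
    that several small oddities together can still trigger step-up or denial."""
    if req.role not in policy.allowed_roles:
        return 100, ["role not permitted for this resource"]
    if req.country not in policy.allowed_countries:
        return 100, ["request origin blocked by policy"]

    score, reasons = 0, []
    if not req.device_compliant:
        score += 40
        reasons.append("device posture non-compliant")
    if req.device_id not in profile.known_devices:
        score += 25
        reasons.append("unrecognised device for this user")
    if req.country not in profile.usual_countries:
        score += 20
        reasons.append("unusual geolocation for this user")
    if req.hour not in policy.business_hours:
        score += 15
        reasons.append("outside business hours")
    if req.resource not in profile.usual_resources:
        score += 10
        reasons.append("resource outside user's normal pattern")
    return score, reasons


def decide(req: Request, policies: Dict[str, ResourcePolicy],
           profiles: Dict[str, UserProfile]) -> Tuple[Decision, List[str]]:
    """Policy decision point: default deny, otherwise map risk score to an outcome."""
    policy = policies.get(req.resource)
    if policy is None:
        return Decision.DENY, ["no policy defined for resource (default deny)"]
    profile = profiles.get(req.user, UserProfile())  # unknown user: empty baseline
    score, reasons = score_request(req, policy, profile)
    if score >= policy.deny_threshold:
        return Decision.DENY, reasons
    if score >= policy.step_up_threshold:
        return Decision.STEP_UP, reasons
    return Decision.GRANT, reasons


# --- constructed sample data (not real users, devices or policies) ---------
POLICIES = {
    "payroll-db": ResourcePolicy({"finance", "hr"}, {"US", "CA"}),
    "wiki": ResourcePolicy({"finance", "hr", "engineering"}, {"US", "CA", "DE"}),
}
PROFILES = {
    "alice": UserProfile({"laptop-0042"}, {"US"}, {"payroll-db", "wiki"}),
}
ROUTINE = Request("alice", "finance", "laptop-0042", True, "US", 10, "payroll-db")
NEW_DEVICE_AT_NIGHT = Request("alice", "finance", "phone-9001", True, "US", 23, "payroll-db")
NONCOMPLIANT_NEW_DEVICE = Request("alice", "finance", "phone-9001", False, "US", 10, "payroll-db")
WRONG_ROLE = Request("bob", "engineering", "laptop-0077", True, "US", 10, "payroll-db")

if __name__ == "__main__":
    for r in (ROUTINE, NEW_DEVICE_AT_NIGHT, NONCOMPLIANT_NEW_DEVICE, WRONG_ROLE):
        outcome, why = decide(r, POLICIES, PROFILES)
        print(f"{r.user:6} -> {outcome.value:8} {'; '.join(why) or 'fits policy and baseline'}")
```

Running the block shows the three outcomes the text describes: the routine request is granted silently, a known user on an unfamiliar phone late at night is escalated for step-up authentication rather than blocked, and a non-compliant unknown device or a role the policy never permits is denied and the reasons are returned for review. Keeping the reasons alongside the decision is what lets the monitoring side of the framework tune weights and thresholds over time.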
Previous network security frameworks relied on perimeter defense to secure network resources. Applications and data were secured by firewalls, VPNs, and other static defenses. After a user had been authenticated, they had access to federated resources inside the network. More sensitive resources might be protected by multiple layers of security or heightened requirements, such as multi-factor authentication (MFA).
Another strategy is for an organization to issue trusted devices to their users. These devices are secured and managed by the organization, and regularly updated with security patches and new policies.
The drawback of these security approaches is that when a malicious actor has made it past the barrier, they have essentially unchallenged access to every resource within that barrier. Because most security breaches involve bad actors using valid credentials to access a network, this kind of passive security framework isn't sufficient to protect most systems.
Zero trust is a dynamic, active security framework that scales to accommodate large numbers of users, network resources, and transactions.
Zero trust secures each of your network resources individually, limiting their exposure in case of a breach.
Because zero trust doesn't privilege network location, it allows your organization to enhance the security of existing infrastructure such as VPNs by integrating them into dynamic security policies. Zero trust can also streamline your user experience by eliminating the necessity for MFA for routine, low-risk transactions.