Zero-Trust Frameworks Explained
Privacy Plus+
Privacy, Technology and Perspective
This week, let’s briefly explore Zero Trust (“ZT”) as a modern security strategy.
ZT is a principles-based framework designed to prevent data breaches by placing “zero trust” in all enterprise resources (not just networks), and assuming instead that the entire environment is hostile. ZT requires operational capabilities that:
- Never trust, always verify – Treat every user, device, application/workload, and data flow as untrusted. Authenticate and explicitly authorize each to the least privilege required using dynamic security policies.
- Assume breach – Consciously operate and defend resources with the assumption that an adversary already has presence within the environment. Deny by default and heavily scrutinize all users, devices, data flows, and requests for access. Log, inspect, and continuously monitor all configuration changes, resource accesses, and network traffic for suspicious activity.
- Verify explicitly – Access to all resources should be conducted in a consistent and secure manner using multiple attributes (dynamic and static) to derive confidence levels for contextual access decisions to resources.
Unlike traditional IT security models, which focus on network architecture and assume that at least what is inside a company’s own network can be trusted by default, a Zero-Trust model adopts a comprehensive “never trust, always verify” strategy. “Zero Trust” requires everything – including user identities, devices, applications, data, infrastructure, and networks, inside or out – to be validated and proven trustworthy.
ZT proponents argue that ZT places the focus squarely on data protection and controls access to enterprise resources more precisely. Not only does it force companies to know exactly what users, devices, applications, data, infrastructure, networks, and services they have, but it also forces them to apply a least-privilege access model and to secure each enterprise resource individually by enforcing multi-factor authentication, granular segmentation policies, and other controls, such as containerization, in order to limit attackers’ ability to reach sensitive data no matter where it is located. Among other things, this helps mitigate the risks posed by third-party service providers, and it also means that controls and policies are adaptive, tailored to the particular risk context, and enforced at the level of each application rather than at the network level.
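To make the three principles above (never trust, assume breach, verify explicitly) and the least-privilege, per-application enforcement described in this paragraph concrete, here is a small policy decision point written as an added illustration; it is not code from the original post or from any of the frameworks linked below. It assumes a hypothetical resource policy table (`POLICY`), a constructed set of request attributes (MFA status, device posture, role), and a simple additive confidence score; real deployments derive these attributes from identity providers, device-management telemetry, and richer risk signals.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Hypothetical per-resource policy: which roles may take which actions,
# and the minimum confidence score a request must reach. Access is denied
# unless a resource is listed here (deny by default).
POLICY: Dict[str, dict] = {
    "customer-db": {"roles": {"analyst": {"read"}, "dba": {"read", "write"}}, "min_score": 3},
    "wiki":        {"roles": {"analyst": {"read", "write"}, "dba": {"read"}}, "min_score": 1},
}

# Every decision is recorded so that accesses can be inspected and monitored
# (the "assume breach" principle: log and scrutinize all requests).
AUDIT_LOG: List[dict] = []


@dataclass
class AccessRequest:
    """Constructed request attributes; a real PDP would pull these from the IdP and MDM."""
    user: str
    role: str                 # static attribute from the identity provider
    mfa_verified: bool        # dynamic attribute: did this session complete MFA?
    device_managed: bool      # dynamic attribute: is the device enrolled/managed?
    device_patched: bool      # dynamic attribute: is the device at current patch level?
    resource: str
    action: str


def confidence_score(req: AccessRequest) -> int:
    """Derive a confidence level from several static and dynamic attributes.

    The weights are an assumption for illustration: MFA counts most, and each
    device-posture signal adds one point. No network location is consulted,
    because ZT does not treat "inside the network" as a trust signal.
    """
    score = 0
    if req.mfa_verified:
        score += 2
    if req.device_managed:
        score += 1
    if req.device_patched:
        score += 1
    return score


def decide(req: AccessRequest) -> Tuple[str, str]:
    """Return ("allow"|"deny", reason) for a single request, logging the outcome."""
    policy = POLICY.get(req.resource)
    if policy is None:
        outcome = ("deny", "unknown resource: deny by default")
    else:
        allowed: Set[str] = policy["roles"].get(req.role, set())
        if req.action not in allowed:
            outcome = ("deny", f"role '{req.role}' not authorized to '{req.action}'")
        else:
            score = confidence_score(req)
            if score < policy["min_score"]:
                outcome = ("deny", f"confidence {score} below required {policy['min_score']}")
            else:
                outcome = ("allow", f"least-privilege match, confidence {score}")
    AUDIT_LOG.append({"user": req.user, "resource": req.resource,
                      "action": req.action, "decision": outcome[0], "reason": outcome[1]})
    return outcome


def audit_entries() -> List[dict]:
    """Expose the decision log so a monitoring job can review it."""
    return list(AUDIT_LOG)


if __name__ == "__main__":
    sample = [
        AccessRequest("alice", "analyst", True, True, True, "customer-db", "read"),
        AccessRequest("alice", "analyst", False, True, True, "customer-db", "read"),
        AccessRequest("alice", "analyst", True, True, True, "customer-db", "write"),
        AccessRequest("bob", "dba", True, True, False, "customer-db", "write"),
        AccessRequest("bob", "dba", True, True, True, "payroll", "read"),
    ]
    for r in sample:
        print(r.user, r.resource, r.action, "->", decide(r))
```

Note that the second request is from the same user as the first, on the same managed and patched device, and is still denied: a weaker session (no MFA) lowers the confidence score below what the sensitive resource requires, which is the "verify explicitly" principle applied per request rather than per network.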
The concept of Zero Trust was developed in 2010, but has been gaining traction as companies’ digital and data assets have grown, and especially as reliance on remote workforces, cloud computing, and hosted applications has quickly expanded companies’ security perimeters. A link to the original Zero Trust paper, Build Security Into Your Network’s DNA: The Zero Trust Network Architecture, follows:
http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf
The National Institute of Standards and Technology (NIST) also is in the process of drafting a timely publication on ZT. A link to that draft follows:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft2.pdf
Update: March 8, 2022: The latest federal ZT guidelines and documents follow:
- National Institute of Standards and Technology Zero Trust Architecture, August 2020 - https://csrc.nist.gov/publications/detail/sp/800-207/final
- Department of Defense Zero Trust Reference Architecture, February 2021 - https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf
- National Security Agency (NSA) Zero Trust Reference Architecture, May 2021
- Executive Office of the President, Executive Order 14028, “Improving the Nation’s Cybersecurity,” May 2021 - https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
- Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model, Draft, June 2021 - https://www.cisa.gov/sites/default/files/publications/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf
- OMB’s Draft Zero Trust Strategy: Moving the U.S. Government Towards Zero Trust Cybersecurity Principles, September 2021 - https://zerotrust.cyber.gov/downloads/Office%20of%20Management%20and%20Budget%20-%20Federal%20Zero%20Trust%20Strategy%20-%20DRAFT%20For%20Public%20Comment%20-%202021-09-07.pdf
---
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.