Zero trust is the security principle that nothing on the local area network (LAN) and/or trusted network is trusted automatically. Another way to frame zero trust is to assume that a threat is already present inside the LAN or trusted network. To follow the zero-trust principle, implement security controls such as segmenting the internal network into microsegments and inspecting traffic between those segments. Other examples of controls include multifactor authentication, identity and access management solutions, and continuous monitoring and logging of network activity.
When designing and implementing for this principle, consider all of the components (software applications, operating systems, network devices, and so on), how they connect, and how they communicate with each other.
Consider following the seven tenets of Zero Trust from the NIST 800-207 Zero Trust Architecture publication:
- Consider all data sources and services as a resource that needs to be identified, authenticated, authorized, and protected.
- Secure all communications, regardless of their network location. In other words, do not automatically trust or assume all communications within a trusted network are secure or legitimate.
- Grant access to individual resources on a per-session basis. Apply strategies like the principle of least privilege, and do not share authorization across different resources.
- Determine access to resources based on a dynamic policy. For example, apply conditional access for access requests that can take into account the requestor's network location, time of day, software or client versions, and more.
- Do not inherently trust any asset. Measure the integrity and security posture of all assets, using techniques like continuous configuration detection, to help identify any drift. This can be implemented with robust logging and monitoring solutions that also analyze the state of the network assets.
- Enforce strict authentication and authorization before access is granted. Treat access as a continuous cycle of authentication and authorization so that trust within the network is reevaluated constantly. For example, continually reauthenticate and reauthorize access throughout user or service transactions.
- Continuously monitor and collect as much information as possible about your network and all assets. Use this information to improve access and authorization rules as well as overall security posture.
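The following is an added example, not code from the original page or from NIST: a toy policy decision point in Python that shows how the per-session, dynamic-policy and continuous-reevaluation tenets above fit together. Every name, threshold, network range and sample request in it is constructed for illustration; the identity and device-posture signals are assumed to come from an identity provider and endpoint agent that are not modelled here.

```python
"""Toy zero-trust policy decision point (added example, not from the page).

Each request is evaluated from scratch against a dynamic policy; grants are
per session and per resource/action; an existing session is re-evaluated on
every use and is never reusable for a different resource (tenets 3, 4, 6).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass(frozen=True)
class Request:
    subject: str            # identity, assumed already authenticated by an IdP
    resource: str           # e.g. "payroll-db"
    action: str             # e.g. "read"
    source_ip: str          # where the request comes from; never trusted on its own
    mfa_verified: bool      # MFA signal from the IdP (assumed)
    client_version: str     # e.g. "5.2.1"
    device_compliant: bool  # posture signal from an endpoint agent (assumed)
    requested_at: datetime  # timezone-aware


@dataclass
class Policy:
    allowed_actions: dict      # subject -> resource -> set of actions (least privilege)
    min_client_version: tuple  # e.g. (5, 0, 0)
    corporate_networks: tuple  # CIDR strings; being on them grants nothing by itself
    business_hours: tuple      # (start_hour, end_hour) in UTC
    session_ttl: timedelta


@dataclass
class Session:
    subject: str
    resource: str
    action: str
    expires_at: datetime


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def evaluate(req: Request, policy: Policy):
    """Return ("allow"|"deny", reasons). Every condition is re-checked on each call."""
    reasons = []
    allowed = policy.allowed_actions.get(req.subject, {}).get(req.resource, set())
    if req.action not in allowed:
        reasons.append("action not permitted for subject on this resource")
    if not req.mfa_verified:
        reasons.append("MFA not verified")
    if not req.device_compliant:
        reasons.append("device posture non-compliant")
    if parse_version(req.client_version) < policy.min_client_version:
        reasons.append("client version below minimum")
    ip = ipaddress.ip_address(req.source_ip)
    on_corp = any(ip in ipaddress.ip_network(n) for n in policy.corporate_networks)
    start, end = policy.business_hours
    in_hours = start <= req.requested_at.astimezone(timezone.utc).hour < end
    # Dynamic condition: off-network requests outside business hours are denied even
    # for an otherwise authorized subject. Being on-network bypasses no other check.
    if not on_corp and not in_hours:
        reasons.append("off-network access outside business hours")
    return ("allow" if not reasons else "deny", reasons)


def grant_session(req: Request, policy: Policy):
    """Issue a short-lived grant bound to exactly one subject/resource/action."""
    decision, reasons = evaluate(req, policy)
    if decision != "allow":
        return None, reasons
    return Session(req.subject, req.resource, req.action,
                   req.requested_at + policy.session_ttl), []


def reevaluate(session: Session, req: Request, policy: Policy, now: datetime):
    """Continuous reauthorization: the session must match the request exactly, be
    unexpired, and the current context must still satisfy policy."""
    if now >= session.expires_at:
        return "deny", ["session expired; reauthenticate"]
    if (session.subject, session.resource, session.action) != (req.subject, req.resource, req.action):
        return "deny", ["session not valid for this resource/action"]
    return evaluate(req, policy)


# Constructed sample policy and requests.
POLICY = Policy(
    allowed_actions={"alice": {"payroll-db": {"read"}, "wiki": {"read", "write"}}},
    min_client_version=(5, 0, 0),
    corporate_networks=("10.20.0.0/16",),
    business_hours=(8, 18),
    session_ttl=timedelta(minutes=15),
)
T0 = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)
BASE = dict(subject="alice", resource="payroll-db", action="read", source_ip="10.20.5.7",
            mfa_verified=True, client_version="5.2.1", device_compliant=True, requested_at=T0)


def demo() -> dict:
    """Run the scenarios and return decision strings keyed by scenario name."""
    ok = Request(**BASE)
    r = {"baseline": evaluate(ok, POLICY)[0],
         "write_not_granted": evaluate(Request(**{**BASE, "action": "write"}), POLICY)[0],
         "old_client": evaluate(Request(**{**BASE, "client_version": "4.9.0"}), POLICY)[0],
         "remote_in_hours": evaluate(Request(**{**BASE, "source_ip": "203.0.113.9"}), POLICY)[0],
         "remote_after_hours": evaluate(Request(**{**BASE, "source_ip": "203.0.113.9",
                                                   "requested_at": T0.replace(hour=23)}), POLICY)[0]}
    sess, _ = grant_session(ok, POLICY)
    r["session_ok"] = reevaluate(sess, ok, POLICY, T0 + timedelta(minutes=1))[0]
    r["session_other_resource"] = reevaluate(sess, Request(**{**BASE, "resource": "wiki"}), POLICY, T0 + timedelta(minutes=1))[0]
    r["session_posture_drift"] = reevaluate(sess, Request(**{**BASE, "device_compliant": False}), POLICY, T0 + timedelta(minutes=5))[0]
    r["session_expired"] = reevaluate(sess, ok, POLICY, T0 + timedelta(minutes=16))[0]
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26s} {decision}")
```

The point of the scenarios is what a real policy engine should do, not the toy thresholds: a request from the corporate network still fails on a non-compliant device or an old client, a session granted for one resource cannot be reused for another, and a session that was valid a minute ago is denied as soon as device posture drifts or its TTL lapses.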