Visibility Enables the Three Key Principles of Zero Trust
Although Zero Trust models are often drawn with multiple pillars and foundational layers, at its core Zero Trust rests on three principles: adopt a breach mentality, never trust, and continuously verify. All three presume that the organization has full visibility of everything on its network: hardware and software assets, applications and data, users, and devices. Without that visibility the principles cannot be put into practice, because a policy cannot be enforced against an asset or identity that nobody knows exists.
Adopt a Breach Mentality
With the rising sophistication of cyberattacks, organizations adopting a Zero Trust architecture must operate as though a breach has already occurred and will occur again. Swift and accurate breach identification is crucial. Further, the architecture should include controls such as segmentation that limit how far a successful attack can spread, often called the "blast radius." This is achieved through a defense-in-depth security posture at every level of the network, so that compromising one asset does not hand an attacker the rest.
Never Trust
Never trust is the most easily understood of the Zero Trust principles but one of the hardest to put into practice, because most systems within an organization were built around an implicit trust model that took the trustworthiness of users, devices, and controls for granted once they were inside the perimeter.
This philosophy of complete distrust conflicts with the trust culture that organizations have nurtured over decades, but it is imperative to hold to Zero Trust regardless. Evidence indicates that a substantial share of breaches, over 40 percent, involve employees or contractors, whether acting in bad faith or through human error; an insider holding a valid account and an enrolled device is exactly the entity an implicit trust model waves through.
Continuously Verify
The traditional trust model assumes stability: a user or device, once admitted, is treated as trustworthy from then on. In reality, attackers get smarter, employees get careless, login credentials become compromised, and so on, so a decision made at logon time says little about the same entity an hour later. Zero Trust counters this by requiring that every network entity be verified against defined security policies on every request, not just once. The key component of a Zero Trust network is a policy engine with full visibility into network activity that continuously evaluates each access against those policies and enforces the result, so that a change in any signal (a device falling out of compliance, a credential flagged as compromised, an asset missing from the inventory) changes the decision immediately.
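As an added example, not code from the original page or from any vendor's product, the Python sketch below shows how a policy engine ties visibility to continuous verification, and it also carries the segmentation check from the breach-mentality section above. Every request is evaluated from scratch against the current inventory, identity signals and segmentation policy; nothing is remembered from an earlier decision. The asset inventory, identity records, segment policy, the 8-hour MFA limit, and every device, user and application name are constructed for illustration; a real engine would pull them from the CMDB, MDM and identity provider. The demo evaluates the same request twice: allowed first, then denied as soon as one signal (a compromised-credential flag) changes.

```python
"""Toy Zero Trust policy engine (added example; all data below is constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_MFA_AGE = timedelta(hours=8)  # assumed policy: MFA proof older than this is re-challenged
NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock for the demo


@dataclass
class State:
    """The visibility the engine depends on: assets, identities, segmentation."""
    devices: dict
    apps: dict
    identities: dict
    segment_policy: dict  # source segment -> set of reachable application segments


@dataclass
class Request:
    user: str
    device_id: str
    app: str
    source_segment: str
    last_mfa: datetime
    now: datetime


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def sample_state() -> State:
    """Constructed inventory; a real engine would read CMDB/MDM/IdP data here."""
    return State(
        devices={
            "lap-0412": {"owner": "alice", "compliant": True, "segment": "corp-users"},
            "lap-0977": {"owner": "bob", "compliant": False, "segment": "corp-users"},
        },
        apps={
            "hr-portal": {"segment": "hr-apps", "groups": {"hr"}},
            "wiki": {"segment": "shared-apps", "groups": {"hr", "eng"}},
        },
        identities={
            "alice": {"groups": {"hr"}, "credential_compromised": False},
            "bob": {"groups": {"eng"}, "credential_compromised": False},
        },
        segment_policy={
            "corp-users": {"shared-apps", "hr-apps"},
            "contractors": {"shared-apps"},
        },
    )


def make_request(user, device_id, app, segment, mfa_age_hours=1) -> Request:
    """Build a request against the constructed clock."""
    return Request(user, device_id, app, segment,
                   last_mfa=NOW - timedelta(hours=mfa_age_hours), now=NOW)


def evaluate(state: State, req: Request) -> Decision:
    """Evaluate one request against the current state; nothing is cached."""
    reasons = []

    # Never trust: an asset the inventory cannot see gets no access at all.
    device = state.devices.get(req.device_id)
    if device is None:
        reasons.append("device not in inventory")
    else:
        if not device["compliant"]:
            reasons.append("device posture non-compliant")
        if device["owner"] != req.user:
            reasons.append("device not assigned to this user")

    app = state.apps.get(req.app)
    if app is None:
        reasons.append("application not in inventory")
    elif app["segment"] not in state.segment_policy.get(req.source_segment, set()):
        # Segmentation: only known source->destination paths, limiting blast radius.
        reasons.append("segment policy forbids path")

    ident = state.identities.get(req.user)
    if ident is None:
        reasons.append("unknown user")
    else:
        if ident["credential_compromised"]:
            reasons.append("credential flagged as compromised")
        if app is not None and not (ident["groups"] & app["groups"]):
            reasons.append("user not entitled to application")

    # Continuously verify: an aged MFA proof is not carried forward.
    if req.now - req.last_mfa > MAX_MFA_AGE:
        reasons.append("MFA proof older than policy allows")

    return Decision(allow=not reasons, reasons=reasons)


def demo() -> list:
    """Same user, device and app: allowed, then denied once a signal changes."""
    state = sample_state()
    req = make_request("alice", "lap-0412", "hr-portal", "corp-users")
    first = evaluate(state, req)
    state.identities["alice"]["credential_compromised"] = True  # signal changes
    second = evaluate(state, req)
    return [first, second]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allow else "DENY", d.reasons)
```

The point of collecting every failed check rather than returning on the first one is operational: the denial reasons are what the SOC sees, and a device that is simultaneously non-compliant and outside its segment is a different incident from a stale MFA prompt.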