JB-iSecurity
Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location. Zero Trust is a security strategy. It is not a product or a service but an approach to designing and implementing the following set of security principles: verify explicitly, use least-privilege access, assume breach.
US Executive Order 14028, Improving the Nation's Cybersecurity, directs federal agencies to advance security measures that drastically reduce the risk of successful cyberattacks against the federal government's digital infrastructure.
NIST has issued a draft, SP 800-207A, which provides a model for access control in cloud-native applications in multi-cloud environments. According to NIST, a Zero Trust Architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows.
JB-iSecurity assists our clients in implementing a Zero trust security strategy by focusing on the following key technology pillars:
Secure identity with Zero Trust
Identities—whether they represent people, services, or IoT devices—define the Zero Trust control plane. When an identity attempts to access a resource, verify that identity with strong authentication, and ensure access is compliant and typical for that identity. Follow least privilege access principles.
Secure endpoints with Zero Trust
Once an identity has been granted access to a resource, data can flow to a variety of different endpoints—from IoT devices to smartphones, BYOD to partner-managed devices, and on-premises workloads to cloud-hosted servers. This diversity creates a massive attack surface area. Monitor and enforce device health and compliance for secure access.
Secure applications with Zero Trust
Applications and APIs provide the interface by which data is consumed. They may be legacy on-premises, lifted-and-shifted to cloud workloads, or modern SaaS applications. Apply controls and technologies to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behavior, control user actions, and validate secure configuration options.
Secure data with Zero Trust
Ultimately, security teams are protecting data. Where possible, data should remain safe even if it leaves the devices, apps, infrastructure, and networks the organization controls. Classify, label, and encrypt data, and restrict access based on those attributes.
Secure infrastructure with Zero Trust
Infrastructure—whether on-premises servers, cloud-based VMs, containers, or micro-services—represents a critical threat vector. Assess versions and configuration, and use just-in-time (JIT) access to harden defenses. Use telemetry to detect attacks and anomalies, automatically flag and block risky behavior, and take protective actions.
Secure networks with Zero Trust
All data is ultimately accessed over network infrastructure. Network controls provide critical visibility and help prevent attackers from moving laterally across the network. Segment networks (and apply deeper in-network micro-segmentation) and deploy real-time threat protection, end-to-end encryption, monitoring, and analytics.
We need an integrated capability to manage the resulting influx of data so that we can better defend against threats and validate trust in each transaction.
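As an added illustration (not JB-iSecurity's code and not any product's implementation), the following Python sketch shows how the six pillars above combine into a single access decision. It models a small policy decision point that evaluates one request against identity (MFA and sign-in risk), endpoint health, least-privilege role permissions, data classification, and network segmentation, and records every failed check so the decision is auditable. The effect of "no implicit trust from location" is visible in the constructed samples: a request from the corporate LAN is still denied when MFA is missing or the role does not grant the action. All thresholds, the role and segment tables, and the sample identities, devices and requests are constructed assumptions.

```python
# Added example: minimal Zero Trust policy decision point (PDP).
# Not JB-iSecurity's code; thresholds, tables and sample data are constructed assumptions.
from dataclasses import dataclass

RISK_BLOCK = 70          # assumed sign-in risk score (0-100) at or above which access is denied
MAX_PATCH_AGE_DAYS = 30  # assumed device-compliance limit on patch age

# Network pillar: which resource segments each source segment may reach (constructed).
# A corp-lan origin grants nothing by itself; identity and device checks still apply.
SEGMENT_POLICY = {
    "corp-lan": {"app-tier", "data-tier"},
    "vpn": {"app-tier"},
    "internet": {"app-tier"},
}

# Application / least-privilege pillar: each role lists exactly the (resource, action) pairs it grants.
ROLE_PERMISSIONS = {
    "hr-analyst": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
    "employee": {("intranet", "read")},
}

# Data pillar: classification label decides whether a managed device is required (constructed).
CLASSIFICATION_NEEDS_MANAGED_DEVICE = {"public": False, "internal": True, "confidential": True}


@dataclass(frozen=True)
class Identity:
    name: str
    roles: frozenset
    mfa_verified: bool
    risk_score: int


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str
    segment: str


@dataclass(frozen=True)
class AccessRequest:
    identity: Identity
    device: Device
    resource: Resource
    action: str
    source_segment: str


def evaluate(req):
    """Return (allowed, reasons). Every failed check is kept so the decision is auditable."""
    reasons = []
    # 1. Identity: verify explicitly with strong authentication and sign-in analytics.
    if not req.identity.mfa_verified:
        reasons.append("identity: strong authentication (MFA) not satisfied")
    if req.identity.risk_score >= RISK_BLOCK:
        reasons.append(f"identity: sign-in risk {req.identity.risk_score} >= {RISK_BLOCK}")
    # 2. Endpoint: device health and compliance.
    if not req.device.disk_encrypted:
        reasons.append("endpoint: disk not encrypted")
    if req.device.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"endpoint: patches {req.device.patch_age_days} days old")
    # 3. Application / least privilege: some role must grant this exact resource and action.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.identity.roles))
    if (req.resource.name, req.action) not in granted:
        reasons.append(f"least privilege: no role grants {req.action} on {req.resource.name}")
    # 4. Data: the classification label restricts which device posture may touch the data.
    if CLASSIFICATION_NEEDS_MANAGED_DEVICE[req.resource.classification] and not req.device.managed:
        reasons.append(f"data: {req.resource.classification} data requires a managed device")
    # 5. Network: micro-segmentation; the source segment must be allowed to reach the resource segment.
    if req.resource.segment not in SEGMENT_POLICY.get(req.source_segment, set()):
        reasons.append(f"network: {req.source_segment} may not reach {req.resource.segment}")
    return (not reasons, reasons)


# Constructed sample data.
PAYROLL_DB = Resource("payroll-db", "confidential", "data-tier")
ALICE = Identity("alice", frozenset({"hr-analyst", "employee"}), mfa_verified=True, risk_score=10)
ALICE_NO_MFA = Identity("alice", frozenset({"hr-analyst", "employee"}), mfa_verified=False, risk_score=10)
ALICE_LAPTOP = Device("lap-0042", managed=True, disk_encrypted=True, patch_age_days=5)
ALICE_PHONE = Device("byod-phone", managed=False, disk_encrypted=True, patch_age_days=2)


def sample_decisions():
    """Evaluate constructed requests; location alone never decides the outcome."""
    return {
        "alice_reads_payroll_from_lan": evaluate(AccessRequest(ALICE, ALICE_LAPTOP, PAYROLL_DB, "read", "corp-lan")),
        "alice_writes_payroll_from_lan": evaluate(AccessRequest(ALICE, ALICE_LAPTOP, PAYROLL_DB, "write", "corp-lan")),
        "alice_reads_payroll_from_phone": evaluate(AccessRequest(ALICE, ALICE_PHONE, PAYROLL_DB, "read", "vpn")),
        "alice_no_mfa_from_lan": evaluate(AccessRequest(ALICE_NO_MFA, ALICE_LAPTOP, PAYROLL_DB, "read", "corp-lan")),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in sample_decisions().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

In a real deployment the tables above would be fed by the identity provider, device-management service, and network policy store, and the returned `reasons` list would go to the audit log and the analytics pipeline mentioned in the last paragraph rather than to standard output.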