What Does Zero Trust Mean?

With the continued rise of security breaches, ransomware attacks, and other cybersecurity threats, now is the time to update and improve your security policies and practices. And, in the context of developing a cybersecurity strategy, you’ll likely see the term “zero trust” mentioned frequently, but what does it mean? 

The zero trust concept has been around for a while to describe strict security and access control policies implemented as companies have outgrown the old “trust but verify” approach. In fact, NIST released a special publication explaining the basics of Zero Trust Architecture back in 2018. In this article, we’ll look more closely at what zero trust does and does not mean.

Let’s start with NIST’s official definition:

Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. … Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). 

Within a zero trust approach, authentication and authorization verification must be done before a connection to an enterprise resource can be established. The model assumes the presence of an attacker and grants no implicit trust.

“A zero trust security framework essentially boils down to trusting no one on the network — let alone anyone connecting in from the outside,” explains Jessica Lyons Hardcastle. “Instead of trusting employees or other users, devices, and networks by default, zero trust relies on using identity and behavior to verify users and machines in real time, and restricts data and access on a least-privilege basis.”

“Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary,” says NIST. 

Zero Trust Is Not a Product

The term zero trust has been used so much by product vendors to describe security solutions, says Tim Keary at VentureBeat, “that it’s become a bit of a buzzword, with an ambiguous definition.”

At the recent 2022 RSA conference, however, National Cyber Director Chris Inglis emphasized that zero trust is an architecture, not a product, reports Hardcastle. “I know [zero trust] is a much-maligned term,” Inglis said. “It’s a “digital architecture comprised of technology, of people, and practice doctrine.”

According to NIST, “transitioning to ZTA is a journey concerning how an organization evaluates risk in its mission and cannot simply be accomplished with a wholesale replacement of technology.” NIST also outlines the seven basic tenets of a zero trust architecture (ZTA) and points out that organizations must also implement comprehensive information security and resiliency practices in order for zero trust to be effective. 
 
Inglis, along with CISA Director Jen Easterly, also notes that, amid the seemingly new normal state of affairs characterized “by cyberattacks constantly in progress or on the horizon,” we must all work to make fundamental improvements in our cybersecurity ecosystem.

Learn More