
    What is zero-trust security?

    Zero-trust security is a network security architecture that limits which users, devices, and individual packets can reach each segment of a network. It is built on the security principle of “never trust, always verify.”

    Zero trust is an architectural approach to security. Each segment of the network is protected by its own tiny perimeter (called a “microperimeter”). This allows a security administrator to add an extra layer of security around the company’s most important data, assets, applications and services. To access any individual segment in a zero-trust architecture, users must pass strict identity and device verification procedures.

    Cloud computing, remote workers, and BYOD policies make a perimeter built on enterprise firewalls increasingly difficult to defend. The zero-trust security model is far more effective in the modern workplace than the old “defend the castle” model. Contractors, vendors, customers, and remote workers who sit outside the “castle,” or trusted network, may need the same access usually reserved for those inside it. Conversely, cyber criminals who penetrate the network, and users who have no need for sensitive content or applications, should be confined to as small a range as possible once they are inside. A zero-trust network addresses both challenges: its access controls grant access to one small segment of the network at a time, and only to users who confirm through multi-factor authentication that they are authorized to reach that segment.

    What is the importance of the zero-trust architecture model?

    In a traditional network security model, once a cybercriminal gets through the perimeter defenses, they have access to all parts of the network. The zero-trust model continues to stop criminals after they have broken through the initial defenses, because a zero-trust network re-verifies and blocks unverified users each time they attempt to access a different part of the network. This model also results in greater web application security, since applications and workloads gain an additional level of protection inside the network.

    In addition, a zero-trust network does not automatically grant access to a user or device simply because that user or device has accessed the network before. Each user and device must prove that it is authorized to reach a given segment of a zero-trust network every time it requests access. Continuously tracking changes in access privileges also closes security gaps that attackers could otherwise exploit.

    How to implement a zero-trust network

    Building a zero-trust network is a significant undertaking and cultural shift for many organizations. Some may want to start small, building the network around specific devices or applications that they want to protect and then incrementally expanding it. Enterprises that want to implement any kind of zero-trust network should consider the following security controls:

    • Micro-segmentation: The first step in implementing a zero-trust network is micro-segmenting the data center to secure individual parts of the network. Micro-segmentation should be adopted in addition to traditional network and perimeter security controls.
    • Comprehensive audit: To set up effective security controls on a zero-trust network, the IT department needs to have a clear picture of all the users and devices that have access to a network and what access privileges each of them require to do their jobs. Good communication between the IT department and business units will go a long way in making this step easier.
    • Least-privileged access: In the zero-trust model, each user receives the minimum access privileges necessary for them to do their jobs.
    • Eliminated trust validation: A zero-trust network assumes that all users are unauthorized until they prove otherwise through security controls that validate all users who try to log into the network. The same rule should be applied to devices. All devices—even those within the network—should be considered unauthorized each time they try to access any part of the network until a security control can confirm they meet security standards. A zero-trust network should not prevent users from doing their jobs, but the zero-trust default is to deny access.
    • Multi-factor authentication: Multi-factor authentication is far more secure than using a password, which can be stolen. Eliminated trust validation should always be performed using multi-factor authentication.
    • Up-to-date access lists: An audit is just a baseline. Keeping an up-to-date list of users and the types of access they need plugs security holes that could result from employees leaving or changing roles. Users should only have the minimum access they need to perform their jobs. Without this security control, a zero-trust network is useless.
    • Network security policies: Once these zero-trust security policies are in place, the last step is to ensure that network security policies are kept up to date. It is a good idea to test their effectiveness on a regular basis to make sure no vulnerabilities have escaped notice.
    • Risk management analytics: Zero-trust network traffic is constantly monitored for unusual or suspicious behavior.
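    The controls listed above (default deny, per-segment least-privilege allow-lists, device verification, mandatory multi-factor authentication, and monitoring of denied attempts) can be brought together in a single policy decision point that evaluates every request from scratch. The following is an added example written for this glossary entry; it is not VMware code or any product's API. All segment names, roles, users and device states are constructed sample data, and the posture attributes (managed, patched, disk-encrypted) are an assumed minimal set.

```python
"""Minimal zero-trust policy decision point (added illustration, constructed data).

Every request for a network segment is evaluated independently against:
  - identity: who is asking and which roles they hold,
  - device posture: is the device managed, patched and encrypted,
  - MFA: was strong authentication completed for *this* request,
  - a least-privilege allow-list for the requested segment and action.
The default answer is deny, and no decision is cached, so a grant for one
segment never implies access to another.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    mfa_verified: bool  # MFA completed as part of this request, not a past session


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    patched: bool
    disk_encrypted: bool


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: DevicePosture
    segment: str
    action: str  # e.g. "read" or "write"


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


# Least-privilege allow-list, segment -> {role: permitted actions}.
# Constructed sample policy; anything not listed is denied.
SEGMENT_POLICY = {
    "payroll-db": {"finance": {"read", "write"}, "auditor": {"read"}},
    "crm-app": {"sales": {"read", "write"}, "support": {"read"}},
    "build-farm": {"engineer": {"read", "write"}},
}


def device_compliant(device: DevicePosture) -> bool:
    """Assumed minimal posture check: all three attributes must hold."""
    return device.managed and device.patched and device.disk_encrypted


def evaluate(req: Request) -> Decision:
    """Run every check for this request; deny unless all of them pass."""
    policy = SEGMENT_POLICY.get(req.segment)
    if policy is None:
        return Decision(False, ["unknown segment: default deny"])

    reasons = []
    if not req.identity.mfa_verified:
        reasons.append("mfa not verified for this request")
    if not device_compliant(req.device):
        reasons.append("device posture non-compliant")

    permitted = set()
    for role in req.identity.roles:
        permitted |= policy.get(role, set())
    if req.action not in permitted:
        reasons.append(
            f"roles {sorted(req.identity.roles)} may not '{req.action}' on {req.segment}"
        )

    if reasons:
        return Decision(False, reasons)
    return Decision(True, ["identity, device, mfa and allow-list checks passed"])


def suspicious_users(log, threshold: int = 3) -> list:
    """Monitoring hook: users whose denied requests reach the threshold.

    `log` is a list of (Request, Decision) pairs recorded by the caller.
    Returns user names sorted for stable output.
    """
    denials = Counter(req.identity.user for req, dec in log if not dec.allowed)
    return sorted(user for user, n in denials.items() if n >= threshold)


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"finance"}), mfa_verified=True)
    healthy = DevicePosture(managed=True, patched=True, disk_encrypted=True)
    for seg, act in [("payroll-db", "write"), ("crm-app", "read")]:
        d = evaluate(Request(alice, healthy, seg, act))
        print(seg, act, "ALLOW" if d.allowed else "DENY", d.reasons)
```

Running the block shows that the same user with the same healthy device is allowed to write to `payroll-db` but denied on `crm-app`: the earlier grant carries nothing over to the next segment. The `suspicious_users` helper is the smallest form of the "risk management analytics" control, turning the stream of denials into a list for an analyst to review.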
