What is Zero Trust Architecture?

According to the National Institute of Standards and Technology (NIST), a zero trust architecture (ZTA) model in cybersecurity “refers to an evolving set of security paradigms that narrows defenses from wide network perimeters to individual or small groups of resources.”

Instead of focusing on protecting network segments, a ZTA model guards the resources themselves, which is why it is often described as data-centric security. It presumes that threats originate continuously from both inside and outside the network, so it continuously evaluates risk and enforces controls to mitigate it. Earlier models emphasized physical and network boundaries; ZTA instead assumes the network is already compromised and places protections accordingly.

Rather than building many security layers from the outside in, ZTA protects resources from the inside out and places security controls only where they are needed. The focus thus shifts downstream, to managing the risks associated with user access and to the resources (data) that require protection.

A Few Key Elements of Zero Trust Architecture

  • All data sources and computing services are considered resources.
    • A network may be composed of several different classes of devices, including personally owned devices that are allowed to access enterprise-owned resources.
  • Access to resources is determined by policy (rules) based on the observable state of the user's identity and of the requesting system, and may also take other behavioral attributes into account.
    • An organization protects resources by defining what resources it has, who its users are, and what level of access to those resources each user needs.
  • User authentication is dynamic and strictly enforced before access is allowed.
    • Continuous monitoring and re-authentication should occur throughout the user's interaction, as defined and enforced by policy (e.g., triggered by elapsed time, a request for a new resource, or a resource modification), balancing security, availability, usability, and cost efficiency.