With so many definitions of 'Zero Trust' out there, it's often unclear what it references. What do you think Zero Trust means? What does it encompass?

137 views
25 comments
1 upvotes
Anonymous Author
The latest NIST guidance on implementing a Zero Trust Architecture (ZTA) suggests that the number one priority in migrating to a ZTA is the implementation of an enterprise Identity Access Management architecture that provides the ability to enforce policy rules at every step of the authentication process. Cloud providers do a good job providing services to implement ZTA. However, most organizations will likely be stuck in a hybrid security architecture encompassing both cloud and legacy infrastructure. The likely challenge for most organizations will be to apply ZTA processes in the cloud workflow architecture as applications migrate from server-based processes to cloud workflows.
2 upvotes
Anonymous Author
Without searching for the term on the internet, my impression is that it is similar to the concept of least privilege where it's assumed by default that a user should not have access to anything and only with business justification can access be granted to anything and then only that thing is allowed.
0 upvotes
Anonymous Author
Maintaining strict control starting with no access even to inside folks and then providing access as necessary and required
1 upvotes
Anonymous Author
I like to start with this simple statement: "Assume that you have no/zero security perimeter, how do you ensure that all attack vectors are protected?" From that, one architects and implements the correct set of solutions and technologies that results in what is now the ZTA buzzword/acronym.
1 upvotes
Anonymous Author
It is like verify then trust. A lot of companies go with two-factor or multi-factor authentication to control access. Almost every bank and financial company implements two-factor authentication.
0 upvotes
Anonymous Author
To me it is just a new way of saying “least privileged access”. You start with the assumption that no access is assumed and only build trust as access is authorized.
1 upvotes
Anonymous Author
Like many other security terms these days, it's just regurgitating old security principles and giving them new names. Zero Trust = only those who are supposed to get access... well... get access.
0 upvotes
Anonymous Author
In its most simplistic form Zero Trust means everything must verify prior to it connecting to the network.
1 upvotes
Anonymous Author
It means you have zero trust and always verify any access. Any access by a user must be verified using one or more means by which you have faith in the authenticity of the verification method and also control over it. E.g., if you use G-Suite you could force users to authenticate against their G-Suite account for access and you can control that level of access from none to root depending on the account. You can use more than one factor and also tune the validity periods etc. When it comes down to it, you have zero trust that the person is who they say they are and enforce proof every time.
0 upvotes
Anonymous Author
In its simplest form, no one is trusted by default, and validation is required for anyone wanting to access services within the network
0 upvotes
Anonymous Author
To me it refers to a multitude of layered security principles.
- assume internal and external threats in the overall architecture
- segmentation data and specific access rules
- principle of lowest privilege
- validation of endpoints
- real-time monitoring of activity/traffic
1 upvotes
Anonymous Author
For us, zero trust means that we do not allow access to resources unless we have verified the human and the device that is initiating the connection. One layer is identity of the person, the next is identity of the device. Without both being known and verified, access to corporate resources is denied. And the access to resources is more granular - on the network side you don't connect to the VPN and get access to everything within, you connect specifically to the application you need access to.
0 upvotes
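An added sketch (not part of the comment above, nor any vendor's code) of the decision that comment describes: deny by default, require both a known, verified person and a known, verified device, and grant one named application rather than the whole network. The inventories, field names and the `decide` function are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample inventories; every name here is hypothetical.
USER_APP_GRANTS = {
    "alice": {"payroll"},
    "bob": {"wiki", "payroll"},
}
KNOWN_DEVICES = {"laptop-001", "laptop-002"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    user_verified: bool      # assumed: outcome of authentication at the identity provider
    device_id: str
    device_verified: bool    # assumed: outcome of a device identity check
    application: str         # the single application being requested


def decide(req):
    """Return (allowed, reason). Every path that is not an explicit grant denies."""
    # Layer 1: identity of the person must be known and verified.
    if req.user not in USER_APP_GRANTS or not req.user_verified:
        return False, "denied: user not known and verified"
    # Layer 2: identity of the device must be known and verified.
    if req.device_id not in KNOWN_DEVICES or not req.device_verified:
        return False, "denied: device not known and verified"
    # Granular access: a grant covers one application, never "everything inside".
    if req.application not in USER_APP_GRANTS[req.user]:
        return False, "denied: no grant for " + req.application
    return True, "allowed: " + req.application + " only"


def evaluate(requests):
    """Run a batch of requests and return the decisions in order."""
    return [decide(r) for r in requests]


if __name__ == "__main__":
    sample = [
        AccessRequest("alice", True, "laptop-001", True, "payroll"),
        AccessRequest("alice", True, "byod-777", True, "payroll"),    # unknown device
        AccessRequest("alice", True, "laptop-001", False, "payroll"), # device not verified
        AccessRequest("alice", True, "laptop-001", True, "wiki"),     # no grant for this app
        AccessRequest("mallory", True, "laptop-002", True, "wiki"),   # unknown user
    ]
    for req, (ok, reason) in zip(sample, evaluate(sample)):
        print(req.user, req.device_id, req.application, "->", reason)
```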
Anonymous Author
Verify and then Trust linked to user identity when we no longer have datacenter boundaries.
0 upvotes
Anonymous Author
What I understand from Zero Trust is that any user will have to show their credentials regardless of the user role they have.
0 upvotes
Anonymous Author
I think of it as validate all network interactions - not just people.
1 upvotes
Anonymous Author
Zero Trust is the practice of shifting access control from the network perimeter to the assets, individuals, and the respective endpoints. For GitLab, Zero Trust means that all users and devices trying to access an endpoint or asset within our GitLab environment will need to authenticate and be authorized. You can read more on our blog: https://about.gitlab.com/blog/2019/10/02/zero-trust-at-gitlab-implementation-challenges/
0 upvotes
Anonymous Author
MFA enforcement
1 upvotes
Anonymous Author
At its most basic, I think it means that when gaining access to a network, you (your device) do not gain access to its resources unless you can prove you are part of a group that has the appropriate permissions. This is the opposite of finding an open network port in an office, plugging in, and surfing away. It assumes worst intentions unless otherwise is found to be true.
0 upvotes
Anonymous Author
Zero Trust means that I can use a broadband circuit and not have to rely on VPN or other proprietary circuits like MPLS.
0 upvotes
Anonymous Author
Very simply, that you don't trust anyone. Least access granted in all cases across the board.
1 upvotes
Anonymous Author
Zero trust means that until you can verify, there is no access to or availability of resources.
1 upvotes
Anonymous Author
ZTA refers to building Identity and Access Management (IAM) in the system, which allows classifying users based on their roles, policies, and the permissions they have. This has been seamlessly implemented by infrastructure providers and we should be considering those implementations as the example when we wish to implement the IAM across our systems, including internal as well as external.
0 upvotes
Anonymous Author
Zero Trust to me means no one and no equipment is trusted, whether inside or outside your environment, so every device has to be authenticated. So, you need technology that enables you to enforce policy rules and authentication.
1 upvotes
Anonymous Author
Zero trust in practice is that there is no access by default, and on a per-task basis trust is granted to the level that is needed to complete that task.
0 upvotes
Anonymous Author
Starting with zero access and stepping back from there as access/privilege is warranted, bit by bit.
1 upvotes