How zero trust works
To visualize how zero trust works, consider a simple case: a user accessing a shared web application. Under traditional security rules, if a user was on a corporate network, either because they were in the office or connected via a VPN, they could simply click the application and access it; because they were inside the security perimeter, they were assumed to be trustworthy.
Zero trust takes a different approach. In a zero trust environment, the user must authenticate to use the application, and the application must make sure the user’s credentials match with someone who has the right access privileges. This ensures that someone who has managed to slip onto the corporate network can’t access restricted data or functionality. Moreover, the lack of trust goes both ways: The user should be able to authenticate the application as well, with a signed digital certificate or similar mechanism. This ensures the user doesn’t accidentally encounter or activate malware.
Given the number of interactions with systems and data a typical user encounters in a day, the scope of what zero trust must cover is considerable. “All requests for access [must] meet the standards of the zero trust architecture,” says Jason Miller, founder and CEO of BitLyft, a leading managed security services provider. “Common attributes for verification include geographic location, user identity, and type of device. As you might guess, this requires continuous monitoring. This is the only way to validate a specific user and their device.”