The National Security Agency (NSA) has released Cybersecurity Information Sheet: Embracing a Zero Trust Security Model, which provides information about, and recommendations for, implementing Zero Trust within networks.
The Zero Trust security model is a set of IT system design principles and a cybersecurity strategy based on the fact that threats exist both inside and outside traditional network boundaries. Zero Trust challenges the fact that the users, devices, and network components should be automatically trusted based on their location within the network.
The Zero Trust model revolves around comprehensive security monitoring – a mixture of granular, dynamic, and risk-based access control in order to focus specifically on protecting critical data. This security model follows the concept of least privileged access to be applied to every permission decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources. Implementing zero trust takes time and effort, but it doesn’t necessarily have to be done all at once. Many organizations can incorporate certain zero-trust concepts into their existing framework.
