Skip to content

What can we help you with?

Contact Us Chat with Sales Get Support

Zero Trust FAQs, Answered

What Is Zero Trust?

The National Institute of Standards and Technology (NIST) defines Zero Trust (ZT) as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” NIST further explains that the collection of concepts that comprise the zero trust principle are designed to “minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as contested.”

In practical terms, this entails:

  • Eliminating persistent trust
  • Performing continuous authentication
  • Granularly restricting access to the minimum needed
  • Applying segmentation and microsegmentation strategies
  • Continuously auditing access

What Is a Zero Trust Security Model?

As envisioned by NIST (SP 800-207), Zero Trust security models eliminate persistent trust and enforce continuous authentication, least privilege, and adaptive access control. This strategy also applies segmentation and microsegmentation for secure access. A zero trust approach is about constant visibility into who is doing what on your network. This ensures maximum control over network security and network access.

A zero trust security strategy reduces the threat surface and minimizes threat windows. Use zero trust to protect against everything from ransomware and malware to advanced persistent threats and insider threats.

What Is a Zero Trust Architecture?

NIST Special Publication (SP) 800-207 defines a Zero Trust Architecture (ZTA) as “an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.”

NIST further articulates that the primary focus of a ZTA is “protecting data and resources. It enables secure authorized access to enterprise resources that are distributed across on-premises and multiple cloud environments, while enabling a hybrid workforce and partners to access resources from anywhere, at any time, from any device in support of the organization’s mission.”

An example of a Zero Trust Architecture (ZTA), as outlined in NIST SP 1800-35B, applied to multiple security disciplines

What Are the Core Tenets of Zero Trust?

NIST puts forth the following seven fore tenets for zero trust:

  1. All data sources and computing services are considered resources. (Endpoints)
  2. All communication is secured regardless of network location. (Data Flows)
  3. Access to individual enterprise resources is granted on a per-session basis. (Data Flows)
  4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes. (Data Flows)
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets. (Endpoints)
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. (Network Identity Governance)
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture. (Data Flows)

How Do I Implement Zero Trust?

To implement zero trust in practical terms, an organization must grasp which technologies and configurations can actually be implemented with tenets that meet theoretical requirements. To that end, NIST has published SP NIST 1800-352 on implementing Zero Trust (circa December 2022) to bridge that gap. Today, solutions (like Privileged Access Management, or PAM) exist that can address both the theoretical and practical requirements of zero trust.

How Does PAM Help Enable Zero Trust?

Privileged Access Management (PAM) is a foundational technology stack for implementing zero trust security controls and enabling a zero trust architecture. BeyondTrust PAM provides the following capabilities across on-premise and cloud environments:

  • Discovers, onboards, and catalogs all privileged identities, accounts, and assets.
  • Enforces adaptive access and continuous authentication to ensure all devices, users, accounts, and identities have a high confidence in their actual identity. In other words, they are who they say they are above just positive authentication.
  • Right-sizes privileged access and entitlements by applying least privilege, including just-in-time access, to all sessions, endpoints, and applications.
  • Enables secure, least privilege remote access for vendors, employees, and service desks for sessions and trusted applications.
  • Implements segmentation and microsegmentation to isolate assets and users, and to prevent lateral movement.
  • Monitors and manages every privileged session, providing continuous visibility and control over who is doing what, and why, so any suspicious behavior can trigger immediate revocation of permissions and access.
  • Extends Microsoft® Active Directory authentication, single sign-on capabilities, and Group Policy configuration management to Unix and Linux systems, simplifying the secure management of identities and the path to implementing zero trust enterprise-wide, regardless of operating system or application.

What Network Challenges Can Zero Trust Address?

Network location can no longer be treated as the prime component to the security posture of the resource due to the fact that:

  • Networks have become decentralized, perimeterless environments with resources distributed across both on-premises environments and multiple clouds.
  • Many users need access from anywhere, at any time, from any device to support the organization’s mission.
  • Data is programmatically stored, transmitted, and processed across different boundaries under the control of different organizations to meet ever-evolving business use cases.
  • It is no longer feasible to simply enforce access controls at the perimeter of the enterprise environment and assume that all subjects within it can be trusted.

The zero trust model is an effective form of security because it operates under the assumption that no asset or user account can be implicitly trusted based solely on their physical or network location or asset ownership. Zero trust requires both subject and device authentication and authorization before a session to an enterprise resource can be established.

What are the Benefits of Zero Trust Security?

With a carefully implemented Zero Trust Architecture, you'll gain:

  • Greater visibility across the enterprise into who (or what) has access to your network, when, and from where.
  • Streamlined and optimized processes to improve the efficiency and efficacy of IT managers and security teams.
  • Improved data protection with a Zero Standing Privilege framework combined with just-in-time (JIT) access.
  • A secure remote workforce that results from setting identity as the new perimeter, and from establishing secure access solutions that don't require a VPN.
  • Advanced hybrid cloud security.
  • A significant reduction of overall risk and increased protection against common threats.
  • Continuous compliance through enhanced logging and audit trails.

What Types of Attacks Can Zero Trust Prevent?

  • Ransomware
  • Malware
  • Lateral movement
  • Account Hijacking
  • Supply chain attacks

Can Zero Trust Help Me Meet Compliance Standards?

A zero trust security model can help organizations maintain continuous compliance because it introduces increased and centralized network monitoring and visibility and advanced logging and audit trails, simplifying the auditing process. Zero Trust also shifts organizations from a network-based perimeter to an identity-based perimeter, which places greater emphasis on protecting access to data and identities, core components of many compliance standards.