In a model of perimeter security, everything inside the internal network is considered reliable and what is outside is unreliable. Over the past decade, and even quicker over the past 2 years with COVID, we are moving into much more complex, collaborative environments, where corporate information is inside and outside the network, and is accessed not only by internal users, but also by suppliers, clients, processors, and all kinds of collaborators. We have focused on protecting the wall when the important thing is the data.

Zero Trust is a new model that no longer relies on a privileged corporate network. Access depends solely on the device and user credentials, regardless of the network location. All access to enterprise resources is fully authenticated, fully authorized, and fully encrypted based upon device state and user credentials — each and every time it is requested.

To keep data and system resources secure and private we can still have fine grained access that is enforced once you have access to the data or resource.

The Zero Trust security model is built around these three things — Signal (the request to access something, from a specific user and device), the decision on whether or not to allow that access, and then the enforcement of the decision to allow or disallow the access.

We’ll dig deeper into this process in my next entry.