First coined by John Kindervag (with Forrester Research at the time), zero trust holds that no environment is entirely secure and that, therefore, trust within the network is often misplaced. Furthermore, it recognizes that most security investments focus on securing devices and networks at the expense of the enterprise data that are the organization's crown jewels.
Building on this initial concept, Forrester recently described zero trust (content accessible to Forrester clients or via purchase) as "…a conceptual and architectural model for how security teams should redesign networks into secure micro-perimeters, use obfuscation to strengthen data security, limit the risks associated with excessive user privileges, and use analytics and automation to dramatically improve security detection and response." [1]
The National Institute of Standards and Technology (NIST) has further codified the zero trust approach for the federal government in NIST SP 800-207, describing it as follows:
Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust responds to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that exist outside an enterprise-owned network boundary. Zero trust focuses on protecting resources, such as assets, services, workflows, and network accounts, and not network segments. The network location is no longer seen as the prime component to the security posture of the resource.
In practical terms, implementing an adaptive security architecture like zero trust means taking a data-centric approach to cybersecurity. Agencies must effectively catalog their digital assets and intellectual property in terms of potential risk and implement procedures to identify, manage, and monitor the users, devices, and applications accessing this data. This method creates a more layered approach to protecting assets coupled with an enhanced ability to detect and respond to rogue actors within the enterprise.
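The following is an added illustration, not code from the page or from NIST or Forrester: a minimal policy decision point that applies the NIST principles quoted above (subject and device checked per session, resource-centric policy, no trust from network location) alongside the legacy perimeter check it replaces. The resource catalog, posture attributes, and role names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example of a zero-trust policy decision point (PDP). Trust is never
# derived from where the request came from; the subject and the device are both
# evaluated before a session to the resource is established.

@dataclass(frozen=True)
class Subject:
    user: str
    mfa_verified: bool      # strong subject authentication already completed
    roles: frozenset

@dataclass(frozen=True)
class Device:
    device_id: str
    enterprise_owned: bool  # BYOD devices have this set to False
    compliant: bool         # assumed posture result (patched, encrypted, EDR healthy)

@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str
    source_network: str     # "lan" or "internet"; logged for audit, never used for trust

# Constructed catalog standing in for the data-centric asset inventory the text
# calls for: each resource carries its own access requirements.
RESOURCE_CATALOG = {
    "hr-payroll-db": {"required_roles": {"hr-admin"}, "require_enterprise_device": True},
    "public-wiki":   {"required_roles": {"employee"}, "require_enterprise_device": False},
}

def perimeter_decision(req):
    """Legacy model: anything on the internal network is trusted implicitly."""
    return req.source_network == "lan"

def zero_trust_decision(req):
    """Per-session decision on subject, device and resource. Returns (allowed, reason)."""
    policy = RESOURCE_CATALOG.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not req.subject.mfa_verified:
        return False, "subject not strongly authenticated"
    if not req.device.compliant:
        return False, "device fails posture check"
    if policy["require_enterprise_device"] and not req.device.enterprise_owned:
        return False, "resource requires an enterprise-owned device"
    if not (req.subject.roles & policy["required_roles"]):
        return False, "subject lacks required role"
    return True, "allowed"
```

Note that a non-compliant host on the LAN is admitted by the perimeter model but refused by the zero-trust decision, while a properly authenticated subject on a compliant enterprise device is allowed from the internet.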