
Zero Trust

The zero trust security model is an approach to IT system design and implementation that follows the principle of "never trust, always verify." Users and devices are treated as untrusted (even if they are inside the organization's network) – meaning they must be authenticated and authorized before they can access organizational resources. 

Zero trust involves:

  • Strong identity verification 
  • Device compliance checks
  • Least-privilege access: granting only the minimum access a user or device needs to perform its specific tasks

This approach is predicated on the notion that traditional approaches to corporate network security – such as trusting devices within a "corporate perimeter" or connecting via a VPN – are no longer relevant. Modern corporate networks are complex and have resources scattered across multiple clouds and private data centers, diffusing the perimeter and the predefined entry points that could once be adequately secured.

The principles of zero trust can also be applied to data access and management. Zero trust data security involves dynamic authentication and least-privileged access to data resources. This can be achieved using Attribute-Based Access Control (ABAC) policies, which determine if access to data can be granted based on attributes of the data, the user’s identity, and the type of environment where the data is stored. 
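The three ingredients listed above (identity verification, device compliance, least privilege) and the ABAC data-access model described here come together in a policy decision point that evaluates every request against attributes of the subject, the device, the data and the environment, defaulting to deny. The following Python example is added here to illustrate that evaluation; it is not code from the glossary or from any particular product. The attribute names (`mfa`, `compliant`, `clearance`, `owner_department`, `encrypted_at_rest`), the classification ladder and the role-to-action table are all illustrative assumptions, and the sample requests are constructed.

```python
from dataclasses import dataclass, replace
from typing import Callable

# Illustrative classification ladder (assumed, not from the glossary): a subject's
# clearance must rank at least as high as the data's classification.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Least privilege: each role is granted only the actions its tasks require (assumed roles).
ROLE_ACTIONS = {
    "analyst": {"read"},
    "data-engineer": {"read", "write"},
    "auditor": {"read", "list"},
}


@dataclass(frozen=True)
class AccessRequest:
    subject: dict      # identity attributes: who is asking
    device: dict       # device posture attributes: from what
    resource: dict     # data attributes: which data
    environment: dict  # where the data is stored / how it is served
    action: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Each rule pairs a denial reason with a predicate that must hold. Access is granted
# only when every rule holds, so an unknown or missing attribute falls through to deny.
Rule = tuple[str, Callable[[AccessRequest], bool]]

RULES: list[Rule] = [
    ("identity not strongly verified (missing authentication or MFA)",
     lambda r: bool(r.subject.get("authenticated")) and bool(r.subject.get("mfa"))),
    ("device is unmanaged or out of compliance",
     lambda r: bool(r.device.get("managed")) and bool(r.device.get("compliant"))),
    ("action not permitted for the subject's role (least privilege)",
     lambda r: r.action in ROLE_ACTIONS.get(r.subject.get("role", ""), set())),
    ("data classification exceeds the subject's clearance",
     lambda r: CLASSIFICATION_RANK[r.resource["classification"]]
               <= CLASSIFICATION_RANK[r.subject.get("clearance", "public")]),
    ("resource belongs to another department",
     lambda r: r.resource.get("owner_department") in (None, r.subject.get("department"))),
    ("restricted data may only be served from an encrypted store",
     lambda r: r.resource["classification"] != "restricted"
               or bool(r.environment.get("encrypted_at_rest"))),
]


def evaluate(request: AccessRequest) -> Decision:
    """ABAC decision: deny on the first failing rule, allow only if all rules hold."""
    for reason, holds in RULES:
        if not holds(request):
            return Decision(False, reason)
    return Decision(True, "all policy rules satisfied")


def baseline() -> AccessRequest:
    # Constructed sample: a fully verified analyst reading confidential data of her own team.
    return AccessRequest(
        subject={"id": "alice", "authenticated": True, "mfa": True, "role": "analyst",
                 "department": "finance", "clearance": "confidential"},
        device={"id": "laptop-17", "managed": True, "compliant": True},
        resource={"name": "q3-forecast", "classification": "confidential",
                  "owner_department": "finance"},
        environment={"store": "finance-warehouse", "encrypted_at_rest": True},
        action="read",
    )


def scenarios() -> dict[str, Decision]:
    """Re-evaluate the baseline request with one attribute changed at a time."""
    ok = baseline()
    return {
        "verified analyst reads own data": evaluate(ok),
        "same user, device out of compliance": evaluate(
            replace(ok, device={**ok.device, "compliant": False})),
        "same user, session without MFA": evaluate(
            replace(ok, subject={**ok.subject, "mfa": False})),
        "analyst tries to write": evaluate(replace(ok, action="write")),
        "analyst reads restricted data": evaluate(
            replace(ok, resource={**ok.resource, "classification": "restricted"})),
        "cleared engineer reads restricted data from an unencrypted copy": evaluate(
            replace(ok,
                    subject={**ok.subject, "role": "data-engineer", "clearance": "restricted"},
                    resource={**ok.resource, "classification": "restricted"},
                    environment={"store": "dev-sandbox", "encrypted_at_rest": False})),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        verdict = "ALLOW" if decision.allow else "DENY "
        print(f"{verdict} {name}: {decision.reason}")
```

Only the baseline request is allowed; each single change to identity, device posture, requested action, data classification or storage environment flips the decision to deny, and the returned reason names the failing attribute so the denial can be logged and investigated rather than silently swallowed.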

The zero trust model has gained popularity in recent years due to high-profile data breaches and the need for secure remote access technologies.