The zero trust cybersecurity model has become a popular topic of conversation in cybersecurity circles of late, with many cybersecurity experts urging organizations to adopt the concept. This should come as no surprise with the threat landscape getting seemingly more threatening by the day.

For the uninitiated, a zero trust architecture is a holistic and layered cybersecurity model that focuses on preventing data breaches by removing trust from an organization’s network and users. Instead of the old “trust, but verify” approach to monitoring potential problems, the underlying philosophy in a zero trust architecture is “never trust, always verify.”

The elements of zero trust

There is no one way to build a zero trust architecture, and the work is never really complete. There are always more improvements a company can make to build a zero trust cybersecurity program. No cybersecurity strategy is ever 100% foolproof, but the goal is to build a program that eliminates as much cyber risk as possible.

That said, there are several elements that make up a good zero trust architecture:

Data is gold

Organizations should keep in mind that the ultimate goal of a zero trust environment is protecting the data. All security controls and restrictions should be applied for the purpose of protecting the organization’s data.

Least privilege and minimal access

One of the foundations of a zero trust architecture is the concept of minimal access to data. Access to a company’s systems for users and for other systems is only deployed on an as-needed basis. Employees should have bare minimum access privileges — just enough to do their jobs — and be assigned additional access only when absolutely needed.

Identity as the new perimeter

User and device connections are no longer contained within corporate networks, as users can now work from anywhere. The network they use to connect to the corporate network should be assumed to be a hostile one. For employees to connect from outside the corporate network, strong identity verification is needed.

Trust actions, not systems

Companies should not give implicit or explicit trust to systems or networks. They should not grant trust to a connection based on the IP address, network location, device ID or user ID. Instead, they should assume all connections are hostile until proven otherwise.

Multi-factor or two-factor authentication is the standard

All user authentication requests should be subject to multi-factor or two-factor authentication as a minimum standard. Multi-factor authentication protects against several significant threats, such as password cracking and credential disclosure.

These are just a handful of several elements of a zero trust security architecture. Other concepts that fit with the environment include federated identity, automation and dynamic risk assessments.

If this sounds like a lot of work, it is. Each of the pillars of a zero trust architecture is accomplished over time — the one and done approach does not work here. Zero trust is not just about installing new technology. It’s about managing and shifting the organization’s technology, people and processes holistically. While implementing zero trust, the changes must have only a limited impact to the business, its people and its security. It does no one any good to move to a new cybersecurity approach if it leaves an organization vulnerable during the adoption phase.

For those companies attracted to the concept, the first step is to make a decision to move to a zero trust framework. It is not just an information technology decision or a security decision — it is a business decision. Making the change requires buy-in from management and employees.

Companies should define their security architectural principles to keep all stakeholders on the same page. They should identify the stakeholders at multiple levels of the business. 

Again, zero trust is not just something security leaders can add on to the current cybersecurity model. It’s a different way to approach business — with cybersecurity baked in. Zero trust is not a magical cure-all, but it will reduce organizational threat surface significantly, if done properly and with full commitment. And that, to me, makes it worth the effort.