Zero Trust, devised by John Kindervag, offers a radical approach to network architecture and management. The premise behind the zero trust approach is quite simply ‘never trust, always verify’. In practice, this means you need to minimise the distinction between the outside world and the internal network. In a zero-trust environment, you treat the internal network exactly the same as the outside world, i.e. with no implicit confidence.
One thing we have learnt from empirical data is that a substantial number of information security incidents can be attributed to an abuse of trust. So, in the context of zero trust architecture, trust is a vulnerability. To avoid exploitation of this vulnerability you need to ensure that you are controlling and monitoring your estate.
The control and monitoring in zero trust-based environments involves the identification of data, assets, applications and services on your estate and the monitoring of interactions between those components. If you have already implemented ISO 27001, the good news is that you have already taken your first steps towards implementing a zero-trust environment. Controls such as asset management (A.8), access control (A.9), operations security (A.12), communications security (A.13) and system acquisition, development and maintenance (A.14) provide the foundations for zero trust.
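As an added illustration of the principle (not code from the original article), the following constructed Python compares a perimeter check, which trusts any request arriving from the internal address range, with a zero-trust decision that ignores the source network, verifies identity, session strength and device posture against an asset inventory, and records every interaction for monitoring. The network range, identities, resources and entitlements are all invented.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed corporate range (constructed)


@dataclass
class Request:
    src_ip: str
    resource: str
    identity: Optional[str] = None   # verified principal, or None if unauthenticated
    device_compliant: bool = False   # outcome of a device posture check
    session_mfa: bool = False        # strong authentication on this session


# Asset inventory with entitlements (asset management + access control), constructed.
ENTITLEMENTS = {
    "hr-db": {"alice"},
    "wiki": {"alice", "bob"},
}

# Every interaction between components is recorded, allowed or denied.
AUDIT_LOG: list = []


def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything already inside the network is trusted."""
    return ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_decision(req: Request) -> bool:
    """Never trust, always verify: the source network is not an input at all."""
    reasons = []
    if req.identity is None:
        reasons.append("unauthenticated")
    if not req.session_mfa:
        reasons.append("no-mfa")
    if not req.device_compliant:
        reasons.append("device-noncompliant")
    if req.identity not in ENTITLEMENTS.get(req.resource, set()):
        reasons.append("not-entitled")
    allowed = not reasons
    AUDIT_LOG.append({"identity": req.identity, "resource": req.resource,
                      "src": req.src_ip, "allowed": allowed, "reasons": reasons})
    return allowed
```

The first scenario in the test is the abuse-of-trust case: an unauthenticated request from inside the network is allowed by the perimeter model and denied by the zero-trust one.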
Just before you run off asking for a budget to implement zero trust as the ‘latest and greatest’ panacea for securing your information, consider what you already have in place and how it can help you to achieve a zero trust-based environment.
I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.
- Rudyard Kipling, Just So Stories, 1902