The zero trust security and architecture model was created by John Kindervag in 2010 when he was a principal analyst at Forrester Research Inc. The zero trust architecture is a powerful, holistic security strategy that is helping to drive businesses faster and more securely.

A zero trust architecture eliminates the idea of a trusted network inside a defined perimeter. In other words, it is a security model that focuses on verifying every user and device, both inside and outside an organization’s perimeters, before granting access. The zero trust security framework:

• Assumes attackers are already lurking on the network
• Trusts no environment more than any other
• Assumes no implicit trust
• Continually analyzes and evaluates risks
• Mitigates risks

The zero trust approach is primarily focused on protecting data and services, but it should be expanded to include all enterprise assets (devices, infrastructure components, applications, virtual and cloud components) and subjects (end users, applications, and other non-human entities that request information from resources).

In the past, perimeter security approaches followed a simple paradigm: “Trust but verify.” While the user experience was better, evolving cybersecurity threats are now pushing organizations to reexamine their postures. In recent years, a typical enterprise infrastructure has grown increasingly complex and is outpacing perimeter security models.

Examples of these new cybersecurity complexities include:

• An enterprise may operate several internal networks, remote offices with local infrastructure, remote and/or mobile users, and cloud services
• Complexity has exceeded legacy methods of perimeter-based network security
• There is no more single, easily identifiable enterprise perimeter
• Perimeter-based network security is now insufficient – once attackers breach the perimeter, their lateral movement is unimpeded

Along with these complexities, securing the network perimeter is insufficient because apps are now on multiple cloud environments, with 81% of enterprises having apps with at least two cloud providers (IBM Mobile Workforce Report). Also, global remote work trends continue, with 65% of workers citing they would like to continue to work from home or remotely (Gallup Survey). Furthermore, global mobile workforce growth continues, as indicated by Gartner’s Why Organizations Choose a Multicloud Strategy report, which estimated there would be 1.87 billion mobile workers globally by 2022.

First, a successful zero trust model should provide visibility for all traffic – across users, devices, locations, and applications. Additionally, it should enable visibility of internal traffic zoning capabilities. You should also consider having the enhanced ability to properly secure the new control points in a zero trust environment.

The right access policy manager secures, simplifies, and centralizes access to apps, APIs, and data, no matter where users and their apps are located. A zero trust model validation based on granular context-and-identity awareness, and securing every application-access request, is key to this and should continuously monitor each user’s device integrity, location, and other application-access parameters throughout their application-access session.

Having a robust application security portfolio in a zero trust approach is also important. The right solutions can protect against layer 7 DoS attacks through behavioral analytics capability and by continuously monitoring the health of your applications. Credential protection to prevent attackers from gaining unauthorized access to your users’ accounts can strengthen your zero trust security posture. Plus, with the growing use of APIs, you need a solution that protects them and secures your applications against API attacks.