Zero Trust is not a product; it is a security framework whose roots go back to 2004, when the Jericho Forum in the U.K. began arguing for "de-perimeterisation," the idea that the network boundary can no longer be relied on as a security control. The early work was network-centric, focusing on segmenting the network so that an attacker who got in would not have free rein to go wherever they wanted. This is usually described as limiting lateral movement, which was, and remains, a significant element of most breaches.
In 2010, the Forrester Research analyst John Kindervag built on that work and coined the term Zero Trust. In 2017 his successor at Forrester, analyst Dr. Chase Cunningham, introduced the Zero Trust eXtended (ZTX) Ecosystem, which moved the focus up the stack from the network alone to areas such as Identity and Access Management (IAM) and Privileged Access Management (PAM), among others.
A core tenet of Zero Trust is that, with the traditional network perimeter dissolving, the split between "trusted insiders" and "untrusted outsiders" can no longer be a foundational assumption of a security architecture. We must assume that threat actors are already inside our extended network. Standing accounts with high levels of privilege are therefore the single biggest exposure: whoever compromises or abuses one inherits all of its rights. Applied to administration, Zero Trust means removing or vaulting those accounts, taking them off the playing field, and having admins log in with a personal, low-privilege account: zero administrative trust. When an admin legitimately needs additional rights, they request them just-in-time, only when needed. A workflow routes the request for approval, and access is granted or denied with context (who is asking, from where, for what) taken into account. If granted, the extra rights are scoped to the task being performed and automatically removed when it ends.
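As an added illustration (not code from the original page or from any vendor's product), the following Python sketch models the just-in-time flow just described: a broker with no standing privileged accounts, an approval step that checks context (the approver is not the requester, and the request comes from an assumed corporate address range), a grant bound to one user, one role and one resource with a capped lifetime, and an authorization check that re-verifies the grant on every use and deletes it once it expires. The class and function names, the 10.0.0.0/8 corporate range, and the users alice, bob, mallory and ops-lead are assumptions made for the example; the requests in `demo()` are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set
import ipaddress
import secrets

# Assumed corporate address range; elevation requests from elsewhere are refused.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Request:
    user: str
    role: str
    resource: str
    reason: str
    source_ip: str
    at: datetime


@dataclass
class Grant:
    user: str
    role: str
    resource: str
    expires_at: datetime
    grant_id: str = field(default_factory=lambda: secrets.token_hex(8))


class JitBroker:
    def __init__(self, approvers: Set[str], max_ttl: timedelta = timedelta(minutes=30)):
        self.approvers = approvers
        self.max_ttl = max_ttl          # hard ceiling on any grant's lifetime
        self.pending: Dict[str, Request] = {}
        self.grants: Dict[str, Grant] = {}
        self.audit: List[str] = []

    def request(self, req: Request) -> str:
        """No standing privilege: every elevation starts as a ticket with a reason."""
        if not req.reason.strip():
            raise ValueError("a reason is required")
        ticket = secrets.token_hex(8)
        self.pending[ticket] = req
        self.audit.append(f"REQUEST {ticket} {req.user} {req.role}@{req.resource} "
                          f"from {req.source_ip}: {req.reason}")
        return ticket

    def decide(self, ticket: str, approver: str, ttl: timedelta) -> Optional[Grant]:
        """Approval step: separation of duties, network origin, bounded lifetime."""
        req = self.pending.pop(ticket, None)
        if req is None:
            return None
        if approver not in self.approvers or approver == req.user:
            self.audit.append(f"DENY {ticket}: {approver} may not approve this request")
            return None
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in net for net in CORP_NETS):
            self.audit.append(f"DENY {ticket}: source {req.source_ip} outside corporate ranges")
            return None
        grant = Grant(req.user, req.role, req.resource, req.at + min(ttl, self.max_ttl))
        self.grants[grant.grant_id] = grant
        self.audit.append(f"GRANT {grant.grant_id} {req.user} {req.role}@{req.resource} "
                          f"until {grant.expires_at.isoformat()} (approved by {approver})")
        return grant

    def authorize(self, grant_id: str, user: str, role: str, resource: str, now: datetime) -> bool:
        """Always verify: the grant is looked up and re-checked on every use, never cached."""
        g = self.grants.get(grant_id)
        if g is None:
            return False
        if now >= g.expires_at:
            del self.grants[grant_id]   # expired rights are removed, not merely ignored
            self.audit.append(f"EXPIRE {grant_id}")
            return False
        return (g.user, g.role, g.resource) == (user, role, resource)


def demo() -> Dict[str, bool]:
    """Walk the flow with constructed requests; returns each outcome for checking."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(approvers={"ops-lead"})
    tk = broker.request(Request("alice", "db-admin", "prod-db-01",
                                "rotate replication credentials", "10.1.2.3", t0))
    grant = broker.decide(tk, "ops-lead", timedelta(minutes=15))
    assert grant is not None
    t5, t16 = t0 + timedelta(minutes=5), t0 + timedelta(minutes=16)
    out = {
        "in_window": broker.authorize(grant.grant_id, "alice", "db-admin", "prod-db-01", t5),
        "other_resource": broker.authorize(grant.grant_id, "alice", "db-admin", "prod-db-02", t5),
        "other_user": broker.authorize(grant.grant_id, "mallory", "db-admin", "prod-db-01", t5),
        "after_expiry": broker.authorize(grant.grant_id, "alice", "db-admin", "prod-db-01", t16),
    }
    out["grant_removed"] = grant.grant_id not in broker.grants
    # Self-approval and a request from outside the corporate range are both refused.
    tk2 = broker.request(Request("alice", "db-admin", "prod-db-01", "hotfix", "10.1.2.3", t0))
    out["self_approval"] = broker.decide(tk2, "alice", timedelta(minutes=5)) is not None
    tk3 = broker.request(Request("bob", "db-admin", "prod-db-01", "hotfix", "203.0.113.7", t0))
    out["off_network"] = broker.decide(tk3, "ops-lead", timedelta(minutes=5)) is not None
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the model is that nothing is trusted by virtue of an earlier decision: the grant is re-fetched and its scope and expiry re-checked on every `authorize` call, the approval looks at the request's context rather than only the requester's identity, and the expired grant is deleted rather than left lying around. A real deployment would back the broker with the PAM vault, an identity provider and an audit pipeline; the flow itself is the same.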
Zero Trust turns the old security tenet "Trust but Verify" on its head: "Never Trust, Always Verify." Every request for access is checked on its own merits, every time, regardless of where it comes from or what was granted before.