Zero Trust Model and principles
- Verify explicitly. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
- Use least privilege access. Limit user access with Just-In-Time and Just Enough Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
- Assume breach. Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and application. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.
A Zero Trust model has three aspects.
- It requires signals to inform decisions. Zero Trust considers many signal sources, from identity systems to device management and device security tools, to create context-rich insights that help make informed decisions.
- Policies to make access decisions. The access request and the signals are analyzed to deliver a decision based on finely tuned access policies, providing granular, organization-centric access control.
- Enforcement capabilities to implement those decisions effectively. Decisions are enforced across the entire digital estate, such as read-only access to the SaaS app or remediating compromised passwords with a self-service password reset.
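
The three aspects above (signals, policy decision, enforcement) can be sketched as a small policy engine. This is an added example, not code from any product or from the original page; the field names, the 0.8 anomaly threshold, and the decision names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    READ_ONLY = "allow_read_only"
    RESET_PASSWORD = "require_password_reset"
    BLOCK = "block"


@dataclass(frozen=True)
class Signals:
    """Constructed signal set; field names are assumptions for illustration."""
    mfa_passed: bool             # user identity
    credential_leaked: bool      # identity-system risk signal
    device_compliant: bool       # device health
    trusted_location: bool       # location
    data_classification: str     # "public" | "internal" | "confidential"
    anomaly_score: float         # 0.0 (normal) .. 1.0 (highly anomalous)


def decide(s: Signals, anomaly_block: float = 0.8) -> Decision:
    """Policy decision point: every request is evaluated, none is trusted by default."""
    if not s.mfa_passed or s.anomaly_score >= anomaly_block:
        return Decision.BLOCK                      # verify explicitly
    if s.credential_leaked:
        return Decision.RESET_PASSWORD             # remediate before granting access
    sensitive = s.data_classification == "confidential"
    if not s.device_compliant:
        # Unhealthy device: no sensitive data, read-only for everything else.
        return Decision.BLOCK if sensitive else Decision.READ_ONLY
    if sensitive and not s.trusted_location:
        return Decision.READ_ONLY                  # least privilege under elevated risk
    return Decision.ALLOW


def enforce(decision: Decision, requested_action: str) -> bool:
    """Enforcement point: returns True only if the requested action is permitted."""
    if decision is Decision.ALLOW:
        return True
    if decision is Decision.READ_ONLY:
        return requested_action == "read"
    return False  # BLOCK and RESET_PASSWORD both deny until the request is re-evaluated
```

The decision is recomputed for each request, so a change in any signal (for example a device falling out of compliance) changes the outcome on the next access attempt.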