Describe the Zero-Trust Model
Traditional Information Technology (IT) security measures have relied primarily on treating the corporate infrastructure as a boundary—everything inside the local network is safe, while anything outside the firewall is a threat.
However, the proliferation of mobile devices, hybrid work, and Bring-Your-Own-Device (BYOD) scenarios has allowed organizational data to be freely transported beyond the corporate network boundary. Firewalls in an office setting are not effective when the data you are trying to protect is on a tablet computer that was left at a restaurant or on the subway.
With that in mind, Microsoft (and the tech industry as a whole) has pivoted from the traditional security perimeter defense perspective to a model called zero trust.
Zero trust is based on the concept of minimizing an organization’s risk footprint by interrogating the security of everything that attempts to access data or services. The zero-trust model treats all new requests as if they are from an untrusted actor until proven otherwise. In other words, never trust, always verify.
Zero Trust Principles
The zero-trust model is based on the following principles:
- Explicit verification
- Least-privilege access
- Assume breach
Read on to find out about each of these principles.
Explicit Verification
Explicit verification means evaluating every authentication and authorization request on all of the data points available, rather than assuming trust from where the request comes from. Possible evaluation criteria include user identity, the network location from which the access request originates, the health or compliance of a device, service, or workload configuration, the classification of the requested data, and any other characteristics that present themselves during the verification process.
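As an added example (not code from the original text or from any vendor's policy engine), the following small evaluator shows what explicit verification looks like in practice: each request is decided from several of the signals listed above, and a request from the corporate network gets no shortcut. The signal names, the three-way decision and the thresholds are assumptions chosen for illustration.

```python
"""Explicit verification as a policy check over several signals.

Added example, not from the original text. Signal labels ("corp", "unknown",
"confidential", ...) and the rules below are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # grant only after additional verification (e.g. MFA)
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool          # strong authentication already completed?
    device_compliant: bool    # device health / compliance signal
    network: str              # "corp", "home" or "unknown" (assumed labels)
    data_classification: str  # "public", "internal" or "confidential" (assumed labels)


def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Return the decision for one request plus the reasons behind it.

    Every signal is checked on every request; being on the corporate network
    never bypasses a check (never trust, always verify).
    """
    reasons: list[str] = []

    # Device health: a non-compliant device may only reach public data.
    if not req.device_compliant and req.data_classification != "public":
        return Decision.DENY, ["device is not compliant"]

    needs_mfa = False
    # Data classification: confidential data always requires strong auth.
    if req.data_classification == "confidential":
        needs_mfa = True
        reasons.append("confidential data requires MFA")
    # Network location: unfamiliar networks require strong auth for non-public data.
    if req.network == "unknown" and req.data_classification != "public":
        needs_mfa = True
        reasons.append("unfamiliar network requires MFA")

    if needs_mfa and not req.mfa_passed:
        return Decision.STEP_UP, reasons
    if needs_mfa:
        reasons.append("MFA requirement satisfied")
    return Decision.ALLOW, reasons or ["all signals satisfied"]


# Constructed sample requests for demonstration.
SAMPLE_REQUESTS = [
    AccessRequest("alice", mfa_passed=False, device_compliant=True, network="corp", data_classification="internal"),
    AccessRequest("alice", mfa_passed=False, device_compliant=True, network="corp", data_classification="confidential"),
    AccessRequest("bob", mfa_passed=True, device_compliant=True, network="unknown", data_classification="confidential"),
    AccessRequest("carol", mfa_passed=True, device_compliant=False, network="corp", data_classification="internal"),
]


def evaluate_all(requests: list[AccessRequest]) -> list[Decision]:
    """Evaluate a batch and return just the decisions, in order."""
    return [evaluate(r)[0] for r in requests]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        decision, why = evaluate(req)
        print(f"{req.user:6} {req.network:8} {req.data_classification:13} -> {decision.value:8} ({'; '.join(why)})")
```

The second sample request is the instructive one: the user is on the corporate network with a compliant device, yet the confidential classification still forces a step-up, because the evaluator weighs every signal instead of letting network location stand in for trust.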
Least-Privilege Access
The concept of least-privilege access focuses on reducing the standing rights and permissions that a user or device has to access a resource. For example, if an account with a high level of permission is compromised, then everything that the account is authorized to access is at risk. To limit the risk or exposure (sometimes referred to as the blast radius), it’s important to ensure that identities and devices have only the minimum rights and permissions necessary.
Least privilege can be combined with technologies that offer programmatic, just-in-time, and just-enough access. That way, users or administrators can request additional rights or privileges for a defined period in order to perform specific activities.
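The following is an added example (not code from the original text or from any product's API) that puts the two ideas above together: standing rights are kept minimal, an administrator requests a specific role on one resource for a bounded period, and authorization honours only grants that are still inside their window. The role and resource names, the four-hour ceiling and the in-memory store are assumptions for illustration.

```python
"""Least privilege with just-in-time, just-enough elevation.

Added example, not from the original text. Role names, resource names,
MAX_GRANT and the in-memory store are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_GRANT = timedelta(hours=4)  # assumed ceiling on any single elevation


@dataclass(frozen=True)
class Grant:
    principal: str
    role: str
    scope: str            # the single resource the role applies to (just-enough)
    expires_at: datetime  # hard end of the elevation window (just-in-time)
    justification: str


class JitAccessStore:
    def __init__(self, standing: dict[str, set[tuple[str, str]]]):
        # Standing (permanent) rights, kept to the minimum: principal -> {(role, scope)}
        self._standing = standing
        self._grants: list[Grant] = []

    def request_elevation(self, principal: str, role: str, scope: str,
                          duration: timedelta, justification: str, now: datetime) -> Grant:
        """Create a time-bound, resource-scoped grant; reject open-ended requests."""
        if not timedelta(0) < duration <= MAX_GRANT:
            raise ValueError(f"duration must be within (0, {MAX_GRANT}]")
        if not justification.strip():
            raise ValueError("a justification is required for elevation")
        grant = Grant(principal, role, scope, now + duration, justification)
        self._grants.append(grant)
        return grant

    def is_authorized(self, principal: str, role: str, scope: str, now: datetime) -> bool:
        """Standing rights first, then only unexpired grants that match the exact scope."""
        if (role, scope) in self._standing.get(principal, set()):
            return True
        return any(
            g.principal == principal and g.role == role and g.scope == scope and now < g.expires_at
            for g in self._grants
        )

    def effective_rights(self, principal: str, now: datetime) -> set[tuple[str, str]]:
        """Everything the principal can reach right now: its blast radius if compromised."""
        rights = set(self._standing.get(principal, set()))
        rights.update((g.role, g.scope) for g in self._grants
                      if g.principal == principal and now < g.expires_at)
        return rights


def demo() -> list[bool]:
    """Walk through one elevation and return the authorization checks in order."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    store = JitAccessStore({"alice": {("reader", "db-prod")}})
    results = [
        store.is_authorized("alice", "reader", "db-prod", t0),  # standing right
        store.is_authorized("alice", "admin", "db-prod", t0),   # no standing admin right
    ]
    store.request_elevation("alice", "admin", "db-prod", timedelta(hours=1),
                            "ticket-123: restart replication", t0)
    results += [
        store.is_authorized("alice", "admin", "db-prod", t0 + timedelta(minutes=30)),     # inside window
        store.is_authorized("alice", "admin", "db-staging", t0 + timedelta(minutes=30)),  # wrong scope
        store.is_authorized("alice", "admin", "db-prod", t0 + timedelta(hours=2)),        # expired
    ]
    return results


def blast_radius_sizes() -> tuple[int, int]:
    """Number of (role, scope) pairs reachable during and after an elevation."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = JitAccessStore({"bob": {("reader", "vm-1")}})
    store.request_elevation("bob", "admin", "vm-1", timedelta(hours=1), "ticket-456: patching", t0)
    return (len(store.effective_rights("bob", t0)),
            len(store.effective_rights("bob", t0 + timedelta(hours=1))))


if __name__ == "__main__":
    print(demo())                 # [True, False, True, False, False]
    print(blast_radius_sizes())   # (2, 1)
```

The `effective_rights` view is the point of the exercise: an account's blast radius grows only while an elevation is active and shrinks back on its own when the window closes, instead of remaining permanently large because someone was once granted an administrative role.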