The Zero Trust model is perhaps the most significant trend in enterprise cyber security today. Statistics show that 30% of businesses have already begun to roll it out, while another 42% plan to soon. Meanwhile, research from Microsoft shows that most security decision-makers believe Zero Trust will be critical to their organisation’s success.

This is an impressive achievement for a concept that is little more than a decade old. So, what exactly is the Zero Trust model, and where should you begin with it?

What is Zero Trust?

The Zero Trust cyber security model fundamentally assumes that no device or user that connects to your network should be trusted without verification. It was first defined by an analyst at Forrester in 2010, but has only really achieved widescale adoption in the past few years. Zero Trust is perhaps best understood in comparison with the more traditional approach to cyber security.

Until relatively recently, the dominant model of cyber security was the ‘castle and moat’ model. IT departments focused on building a strong firewall that prevented outside actors from getting into their network. If someone has the right credentials (usually with a username and password), they are implicitly trusted, and are free to access files, download information and move around the environment as they wish. The problem with this model is that, if an attacker ever manages to get past the firewall, they are able to access pretty much any content they want.

The Zero Trust model takes a different approach. It assumes that no one should automatically be trusted, and involves continually verifying users and devices whenever they access your network. This makes it much harder for an attacker to exploit your systems because they must continually prove that they are who they say they are.

Perhaps the main reason Zero Trust is receiving so much attention is that it seems to work. Studies show that organisations that have implemented Zero Trust are less likely to be breached, and when attackers do manage to break in, the financial hit tends to be a lot lower. What’s more, in a world of hybrid working where staff are connecting to corporate IT systems remotely and in the cloud, it’s much harder to verify people’s identities (compared to when staff had to be physically in the building to access files). Zero Trust makes identity verification easier.

Recommended: Cybersecurity predictions for 2022


Typical features of Zero Trust

Zero Trust should best be thought of as a model or a set of practises, rather than a specific technology system. Different organisations will implement Zero Trust in different ways depending on their strategy, the kinds of data they hold, whether or not they use cloud technology, and where their workers are physically located. That said, there are several common features of a Zero Trust strategy, including:

  • Multi factor authentication (MFA)

Whenever a user or device tries to connect to your network, multi factor authentication asks them to prove they are who they say they are with two or more pieces of information. For example, after logging in with a username and password, an MFA system might then send a text to that employee’s mobile phone to verify that they are actually trying to log in. It’s also possible to use biometrics (such as fingerprints or retina scans) to verify an individual’s identity. This makes it much harder for someone to break into your systems if they’ve stolen a password.

  • Continuous validation

In the traditional approach to IT security, once someone was inside your system they could effectively do more or less do what they wanted. However, in a Zero Trust model that individual or device would need to revalidate who they are on a regular basis. Devices are logged out every few hours, and users must revalidate who they are when viewing different kinds of content.

Watch our webinar: Identity is the new security


  • Smart monitoring

The Zero Trust model can make use of the most advanced artificial intelligence to continually monitor your environment and identify any suspicious activity. It could, for example, notice an employee is trying to log in from an unusual location, or from a device they’ve never previously used. This continual monitoring will identify unusual patterns of behaviour and alert you to any risks.

  • Least privilege and micro segmentation

An important aspect of the Zero Trust model is least privilege and micro segmentation. It is assumed that users should only be able to see specific kinds of content in your systems and will need to ask permission to view any more. This is as much about information management policies as it is about technology, but this approach makes it much harder for attackers to enter your systems and move laterally between environments.

Related: How does your company’s data protection strategy compare?


Where to begin with the Zero Trust model?

The Zero Trust model is as much about strategies as it is about specific security software or tools. There are many different technologies available that organisations can use to implement Zero Trust, so the first step is to plan what you want security to look like, then select the right tools for the job.  

At FITTS, our security and privacy consultants are entirely vendor-neutral and can support you with choosing the right Zero Trust technologies to support your strategy. Contact us today to discuss your Zero Trust goals.