By Zachary Malone, SE Academy Manager at Palo Alto Networks \n\nWhat Does \u201cZero Trust\u201d Really Mean? \n\nInvented in 2010 by Forrester Research, Zero Trust is a cybersecurity model enterprises can leverage to remove risky, implicitly trusted interactions between users, machines and data. The Zero Trust model provides a process for organizations to protect themselves from threats no matter what vector the threat originates from\u2014whether from across the world or from Sandy down the hall. The three main principles to follow to realize the benefits of this model were:\n\nAfter 11 years, these ideas and principles have matured in the face of growing digital transformation, remote work, and bring-your-own-device proliferation. New principles have developed in light of the U.S. Federal Government mandating Zero Trust, codified in the NIST 800-207 with further details in the NCCoE\u2019s Zero Trust Architecture. Those principles are: \n\nWhy Is This Important in Cybersecurity? \n\nThe move toward Zero Trust has been one of the more significant shifts in how business approaches security. Before adopting a Zero Trust mindset, most companies tried to manage security as a gated function. Once a transaction was validated in the gated area, it was innately trusted. \n\nThis approach presents a problem because threat vectors do not always originate outside that area. Also, the world at large continues to adopt digital transformation and hybrid workforces, nullifying the concept of resources only existing behind a gate. Zero Trust methods require validating each element of every interaction continually\u2014no matter where they occur\u2014including all users, machines, applications, and data. There is no area of implicit trust. \n\nWhat Is the Spin Around This Buzzword? \n\nMany vendors today productize Zero Trust, naming their products as \u201cZero Trust solutions\u201d in and of themselves, rather than acknowledging that Zero Trust is a model and strategic framework, not a product solution. When looking at the cybersecurity market, you\u2019ll see vendors try to claim a supposed title is \u201cTHE Zero Trust player.\u201d \n\nOn closer inspection, however, those vendors typically only address a single principle of Zero Trust. For example, creating tunneling services between users and applications. This aligns with the second original principle: adopt a least-privileged strategy and strictly enforce access control. However, that same vendor might fail on the first principle: ensure that all resources are accessed securely, regardless of location. When they implicitly trust that the user is not a threat vector, they do not scan for malware or exploits inside the tunnel. \n\nOthers may cover only some of the aspects of the first original principle, like trying to claim identity and authorization checks are what make Zero Trust. Vendors may also suggest that only web-based traffic needs to be scanned. However, when only partial coverage of the model is implemented, companies risk creating an implicit trust that opens them up to vulnerabilities that would be otherwise covered in the remaining principles.\n\nOur Advice: What Should Executives Consider When Adopting Zero Trust? \n\nThe first step is to reframe your thinking on how enterprises should be secured, moving from a gated approach to one that continuously validates all interactions. To help make that shift: \n\nNext, enact changes with a plan, beginning with your enterprise\u2019s most critical users, assets, and interactions. Those will be your crown jewels and things that may be related to finance or intellectual property. Then, over time, expand your purview to include all interactions. The plan should cover how the users, applications, and infrastructure go through each of the four parts of an interaction when requesting a resource. \n\nThe final step in this transformation is really a recurring event: maintaining and monitoring.\n\nQuestions to Ask Your Team to Successfully Adopt Zero Trust \n\n\n\nTo learn more about what complete Zero Trust security looks like, click here.\n\n About Zachary Malone:\n\nZachary is the SE Academy Manager at Palo Alto Networks. With more than a decade of experience, Zachary specializes in cyber security, compliance, networking, firewalls, IoT, NGFW, system deployment and orchestration.