Zero trust planning and implementation
Take Your Mark
The zero trust model was published in 2010 by John Kindervag, who was employed by IT analysts Forrester Research at the time. However, the foundations for zero trust were laid down as early as 1994 by Stephen Paul Marsh in his doctoral thesis at the University of Stirling (Scotland).
The strategy only really became popular in 2020 when, as a result of the coronavirus pandemic, many companies had to switch to home offices and new working models at short notice, putting their previous security solutions to the test. As a result, many companies defined zero trust as the core of their cybersecurity setups and launched projects to match.
The steps from the basic model to a concrete implementation are painstaking, partly because the model was initially very network-centric (zero trust networks) and primarily postulated generic requirements. However, the zero trust architecture [1] from the US National Institute of Standards and Technology (NIST) and a position paper from Germany's BSI [2] (for which the institute expressly invites suggestions, comments, and criticism) have since been released.
Basic Principles
Zero trust originally focused on security in network infrastructures, in particular on preventing lateral movement (i.e., preventing attackers from moving relatively freely on the network to attack systems after working around the firewall). The next basic idea was not to trust individual components, but rather to carry out continuous verification at different points and on different levels: never trust, always verify. The fundamental cornerstones of zero trust are derived from:
- Continuous verification or, to be more precise, repeated verification of users, devices, and applications during access and in ongoing sessions, because they are all considered inherently