What is Zero Trust?

What is Zero Trust?

It seems such a simple question, but the answer is more difficult than you might initially think. Often someone will have an idea of the concept or purpose, but it is difficult to give a single, comprehensive definition. In this blog I will discuss in greater detail how we view the concept of zero trust at Zscaler.

The name 'zero trust' actually says a lot about what the concept entails. Zero trust assumes that no one can be trusted. Access to an application is therefore never self-evident. To access an application or workload, a user must go through an authorization process. This happens every time, automatic connection never takes place. Simple, right? However, especially in recent years, many parties have started bandying around the words 'zero trust'.

Network security vendors in particular are trying to piggyback on the success of the zero trust concept by communicating that they provide 'zero trust network security'. But that simply does not exist. As the name suggests, network security providers provide solutions that secure traffic residing on the network. An important feature of zero trust is that it connects the user directly to the application, without going over the network. Basically the opposite of network security. The applications are hidden behind our zero trust platform, as it were. As a result, it is impossible or virtually impossible for them to be found and abused by cyber criminals. 

Another feature of zero trust is the way in which users are authorised. Zero trust assumes that users are by definition unauthorised and requires more proof of their legitimacy than traditional methods. In addition to identifying verification factors, the Zscaler Zero Trust Exchange, Zscaler's zero trust platform, considers factors such as the user's location, the security status of their device, and the application they are trying to access. Access is granted or denied based on this contextual information. 

So, what is zero trust? Zero trust is a cybersecurity strategy in which…

…no user or application is trusted by default,

…access policies are based on contextual information and strong authentication

…and users are connected to the application without going over the network.

Keeping these three attributes in mind will go a long way in developing a zero trust strategy for your organisation, regardless of where your employees are based.