What is the Zero Trust Model for Cybersecurity, Really?


By James Carder, CISO & VP of LogRhythm Labs

The Zero Trust model shifts away from large corporate perimeters with layered-in or bolted-on compensating security controls, and moves to a model made up of a large number of micro-perimeters at each identity type. Instead of building many layers of security controls from the outside in, Zero Trust proposes protecting data from the inside out and building out security controls only where you need them.

The principles of Zero Trust are built on not inherently trusting users, devices, networks, or access to sensitive resources on the basis of any single one of those identity types and its associated attributes. Geographic location (your offices, local coffee shop, other U.S. locations) is no longer a source of trust and is merely treated as an attribute to gauge trust across the various entities outlined above. You assume the network is hostile at all times, whether it is your corporate network or any other network.

Why Zero Trust?

The intended outcome of a Zero Trust model is that trusted identities get access to the applications, systems, networks, and data that they are entitled to, based on their role, to perform their jobs, and that trust is verified at every step to ensure the employee is who they say they are.

Another intended outcome is breach prevention. I’m not saying that this is the silver bullet to stop all breaches, but it gives you a good chance at containing an incident before it ever becomes a breach. In other words, an incident involving a compromise of one identity type (users, devices, network traffic, applications, or data) doesn’t constitute a compromise of all identity types.
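The principles above can be sketched as a per-request policy decision. This is an added example, not code from the article or from LogRhythm. The role names, resources, locations and time thresholds are hypothetical values constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy data for this example (hypothetical names and thresholds).
ENTITLEMENTS = {"engineer": {"source-repo"}, "finance-analyst": {"ledger-db"}}
FAMILIAR_LOCATIONS = {"office", "home"}
MAX_MFA_AGE_MIN = {"familiar": 480, "unfamiliar": 15}


@dataclass(frozen=True)
class AccessRequest:
    role: str
    resource: str
    minutes_since_mfa: int   # how recently the user identity was verified
    device_managed: bool     # device is enrolled in inventory
    device_compliant: bool   # device passed its posture check
    location: str            # an attribute only, never a grant of trust


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Decide one request. Every identity type must pass on its own."""
    failures = []

    # Location only tunes how fresh the user verification must be; being in
    # the office never skips a check, because every network is assumed hostile.
    kind = "familiar" if req.location in FAMILIAR_LOCATIONS else "unfamiliar"
    if req.minutes_since_mfa > MAX_MFA_AGE_MIN[kind]:
        failures.append("user: re-verification required")

    # A verified user on an untrusted device is still denied, so stolen
    # credentials alone do not compromise the other identity types.
    if not (req.device_managed and req.device_compliant):
        failures.append("device: unmanaged or non-compliant")

    # Access is limited to what the role is entitled to.
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        failures.append("entitlement: role not entitled to resource")

    return (not failures, failures)


if __name__ == "__main__":
    samples = [  # constructed requests
        AccessRequest("engineer", "source-repo", 30, True, True, "office"),
        AccessRequest("engineer", "source-repo", 30, True, True, "coffee-shop"),
        AccessRequest("engineer", "source-repo", 5, False, False, "office"),
        AccessRequest("finance-analyst", "source-repo", 5, True, True, "home"),
    ]
    for s in samples:
        print(s.location, s.resource, evaluate(s))
```

The third sample shows the containment property: a freshly verified user inside the office is still denied because the device fails its own check.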

In summary, the Zero Trust model is the next evolution of our security model. It’s built on an identity-centric model for security that completely transforms the current and legacy IT models. The model is the ultimate solution to building security from the inside out and not the outside in. While it may not be a complete silver bullet, it gives companies the best chance to contain security incidents before they become catastrophic breaches.

Want to find out how you can implement Zero Trust? Visit LogRhythm at Black Hat USA 2019 to learn more.
