cso spotlight: zero trust

7 tenets of zero trust explained

Cut through the hype. NIST's core zero trust elements provide a practical framework around which to build a zero trust architecture.

Conceptual image of a network labeled 'Zero Trust.'
Olivier Le Moal / Shutterstock

There’s no shortage of definitions of zero trust floating around. You’ll hear terms such as principles, pillars, fundamentals, and tenets. While there is no single definition of zero trust, it helps to have a shared understanding of a concept. For that reason, the National Institute of Standards and Technology (NIST) published NIST SP 800-207 Zero Trust Architecture, which describes the following seven tenets of zero trust.

1. All data sources and computing services are considered resources

Gone are the days of considering only endpoint user devices or servers as resources. Networks today consist of a dynamic array of devices from traditional items such as servers and endpoints to more dynamic cloud computing services such as function-as-a-service (FaaS), which may execute with specific permissions to other resources in your environment.

For all data and computing resources in your environment you must ensure you have basic, and when warranted, advanced authentication controls in place as well as least-permissive access controls. Feeding into subsequent tenets, all these resources are communicating to some extent and can provide signal context to help drive decisions made by the architectural components in zero trust, which are discussed in tenet 7.

2. All communication is secured regardless of network location

To continue reading this article register now

7 hot cybersecurity trends (and 2 going cold)