Zero trust architecture is a cybersecurity framework first proposed by John Kindervag, a Forrester Research analyst, in 2010. It was developed as a response to the increasingly complex nature of cybersecurity threats, and the limitations of traditional security architectures based on building a strong perimeter around an organization's network.
Kindervag argued that in today's interconnected world — where employees and devices constantly access network resources from a variety of locations — it is impossible to effectively secure a network by simply building a strong perimeter around it. Instead, zero trust architecture assumes that all network traffic is potentially malicious and requires verification before being granted access to resources.
Core Principles
One of the key principles of zero trust architecture is "never trust, always verify." Every access request, whether it originates inside or outside the network, is treated identically and is subject to the same level of scrutiny. To implement zero trust architecture (ZTA), organizations need to deploy a combination of security controls:
Multi-factor authentication (MFA) requires users to provide more than one form of authentication when logging in — a password combined with a security token or biometric data such as a fingerprint or facial recognition.
Network segmentation divides a network into smaller, isolated segments each with its own security controls. Microsegmentation takes this further by creating fine-grained security policies that control access to individual resources or groups of resources.
Zero trust is particularly effective against lateral movement attacks, in which an attacker gains access to one part of a network and then uses that foothold to compromise other parts. ZTA prevents lateral movement and limits the scope of any potential breach.
Applying ZTA with BYOD and Remote Work
To apply zero trust architecture with BYOD and remote work, organizations should consider the following steps:
- Inventory all devices and users that will be accessing the organization's resources, including personal devices and remote worker equipment.
- Establish policies and procedures for device usage and the handling of sensitive data — device encryption, password management, data backup and recovery.
- Implement multi-factor authentication (MFA) for all users and devices to prevent unauthorized access.
- Use network segmentation to divide the network into more secure zones, applying different controls depending on the sensitivity of the resources and the trust level of the users.
- Monitor and log all access to resources, including successful and unsuccessful attempts. This helps identify security threats early — consider a SIEM for centralized visibility.
- Regularly review and update security policies, including evaluating the security posture of third-party apps and remote workers.
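The principles above (never trust, always verify; MFA; microsegmentation by resource sensitivity; logging every attempt) and the BYOD steps just listed come together in a per-request policy decision. The following is an added illustration, not code from the article or any product; the device inventory, user roles, segment policies and field names are constructed assumptions. Note that the request's network origin is logged but never consulted: an internal request from an unknown or unencrypted device is refused exactly as an external one would be.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data (not from the article): device inventory, user roles and
# per-segment requirements, standing in for a real directory and policy store.
DEVICE_INVENTORY = {
    "laptop-0042": {"owner": "alice", "encrypted": True},
    "phone-0917": {"owner": "alice", "encrypted": False},  # BYOD phone, no disk encryption
}
USER_ROLES = {"alice": {"staff", "hr"}, "bob": {"staff", "contractor"}}
# Microsegments, each with controls scaled to the sensitivity of the resource.
SEGMENT_POLICY = {
    "public-wiki": {"mfa": False, "encrypted_device": False, "roles": {"staff", "contractor"}},
    "hr-records": {"mfa": True, "encrypted_device": True, "roles": {"hr"}},
}
AUDIT_LOG = []  # every decision, allowed or denied, is recorded (a SIEM would ingest this)


@dataclass
class AccessRequest:
    user: str
    device_id: str
    resource: str
    mfa_verified: bool
    source: str  # "internal" or "external": logged, but deliberately never consulted


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Apply the same checks to every request, wherever it comes from.

    Returns (allowed, reasons); reasons is empty when access is granted.
    """
    reasons = []
    policy = SEGMENT_POLICY.get(req.resource)
    if policy is None:
        reasons.append("unknown-resource")  # default deny: no policy, no access
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        reasons.append("device-not-inventoried")  # step 1: only inventoried devices
    elif device["owner"] != req.user:
        reasons.append("device-owner-mismatch")
    elif policy and policy["encrypted_device"] and not device["encrypted"]:
        reasons.append("device-unencrypted")  # step 2: encryption policy for sensitive data
    if policy and policy["mfa"] and not req.mfa_verified:
        reasons.append("mfa-required")  # step 3: MFA for protected segments
    if policy and not (USER_ROLES.get(req.user, set()) & policy["roles"]):
        reasons.append("role-not-permitted")  # step 4: segment-level authorization
    allowed = not reasons
    AUDIT_LOG.append({"user": req.user, "device": req.device_id, "resource": req.resource,
                      "source": req.source, "allowed": allowed, "reasons": list(reasons)})
    return allowed, reasons
```

Denied requests carry every failed check rather than only the first, so the log shows the full posture gap for each attempt.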
Challenges
There are legitimate arguments against implementing zero trust architecture:
- Cost — Implementing ZTA can be costly and resource-intensive, requiring significant investments in technology, training, and personnel.
- Complexity — ZTA can be complex to implement and maintain, particularly for large organizations, and may require overhauling existing security infrastructure.
- User experience — Additional authentication and access controls can be perceived as inconvenient, leading to user frustration and decreased productivity.
These drawbacks are not insurmountable, and can be mitigated through careful planning and a phased implementation. Ultimately, the decision to adopt ZTA should be based on a careful evaluation of an organization's specific security needs and risk tolerance.
For more information about zero trust architecture:
- Zero-Trust Security (NIST)
- What is Zero Trust? A model for more effective security (CSO Online)
- Le Modèle Zero Trust (ANSSI)