Assume that everything is on the internet. Don't implicitly trust something because it's inside vs outside your network. Strongly authenticate and authorize everything. The model was created in 2010 by John Kindervag. Square was an early adopter of mutual TLS auth and an in-house PKI with pinned cert trust chains. Google jumped on the bandwagon soon after the Snowden leaks came out.
Zero trust is an evolving set of security paradigms that move defenses away from static, network-based perimeters and focus instead on users, assets and resources. There should be no implicit trust granted to assets or users based solely on their physical network location or on asset ownership (managed or self-owned). Authentication and authorization (for both subject and device) are discrete steps, applied before each session (e.g. each HTTP request). [[Zero Trust Security Model|ZT]] is focused on protecting each resource (asset, service, workflow, account, data) rather than the network segment. The network shouldn't be seen as a prime component of the security model for a resource (although it can still help as part of a multi-layered approach, for example by controlling outbound network flow to make exfiltrating sensitive data that much harder).
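
The per-request evaluation described above, sketched as an added example (not from the original note): subject and device are authenticated separately, then access to the single resource is authorized, and the source IP is never consulted. All keys, identities and policy entries are constructed, and the HMAC proof is an assumption standing in for whatever credential a real deployment uses (e.g. mutual TLS).

```python
import hashlib
import hmac

# Constructed sample data; every name, key and policy entry here is hypothetical.
SUBJECT_KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}
DEVICE_KEYS = {"laptop-17": b"laptop-17-demo-key", "kiosk-02": b"kiosk-02-demo-key"}
HEALTHY_DEVICES = {"laptop-17"}  # devices currently passing posture checks
POLICY = {("alice", "payroll-db"): {"read"}, ("bob", "wiki"): {"read", "write"}}


def sign(key: bytes, request_id: str) -> str:
    """Credential proof bound to one request, so it cannot be reused for another."""
    return hmac.new(key, request_id.encode(), hashlib.sha256).hexdigest()


def authenticate(keys: dict, identity: str, request_id: str, proof: str) -> bool:
    """Step 1: verify an identity (subject or device) for this request only."""
    key = keys.get(identity)
    return key is not None and hmac.compare_digest(sign(key, request_id), proof)


def authorize(subject: str, device: str, resource: str, action: str) -> bool:
    """Step 2: decide access to one resource from identity and device state."""
    return device in HEALTHY_DEVICES and action in POLICY.get((subject, resource), set())


def decide(request: dict) -> str:
    """Evaluate a single request. request['source_ip'] is deliberately never read."""
    rid = request["request_id"]
    if not authenticate(SUBJECT_KEYS, request["subject"], rid, request["subject_proof"]):
        return "deny: subject not authenticated"
    if not authenticate(DEVICE_KEYS, request["device"], rid, request["device_proof"]):
        return "deny: device not authenticated"
    if not authorize(request["subject"], request["device"], request["resource"], request["action"]):
        return "deny: not authorized"
    return "allow"


def make_request(subject, device, resource, action, source_ip, request_id):
    """Build a constructed request carrying valid proofs for the named identities."""
    return {"subject": subject, "device": device, "resource": resource, "action": action,
            "source_ip": source_ip, "request_id": request_id,
            "subject_proof": sign(SUBJECT_KEYS[subject], request_id),
            "device_proof": sign(DEVICE_KEYS[device], request_id)}
```
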
## Resources
- [Zero Trust Architecture](https://csrc.nist.gov/publications/detail/sp/800-207/final)
---
- Links: [[Security]] [[Networking]] [[InfoSec]]
- Created at: [[2021-03-09]]