Zero Trust doesn’t literally mean zero trust; it means zero implicit trust

We have learned that Zero Trust Architecture is an enterprise cybersecurity plan – and NOT a product – that incorporates the seven zero trust tenets (NIST 800-207) into component relationships, workflow planning, and access policies. As first steps we have defined the protect surfaces and designed the Zero Trust Architecture following the main principle behind Zero Trust

"Never trust, always verify."

With Zero Trust Access, all data access must be validated anew each time using different attributes, otherwise no communication occurs. Access authorization is only granted for a specific period of time. Security is controlled by software-based and constantly updated policies. The context of the connection and the status of the devices are also continuously analyzed. Therefore, the term software-defined perimeter or perimeterless security is closely related to the Zero Trust Model.

The Zero Trust Model works environment-independently, i.e. from which LAN, which cloud or which container a data communication originates no longer plays a role. A zero trust architecture creates a micro-segmentation in which smaller perimeters are stretched around certain (vulnerable) data collections. Transparency and control options increase in this tightly defined area.

To implement Zero Trust Architecture, you have to know

• all your users (User authentication),
• all devices (Machine authentication),
• their relationships and the workflows.

You have to define, monitor and eventually update identity based access policies and

• additional context, such as policy compliance and device state,
• authorization policies for access to an application
• access control policies within an application.

Based on this knowledge you can start a gradual rollout of Zero Trust which according to your defined policies automatically grant or deny access to your resources (System, Data or Application). Services that are accessed from outside the traditional perimeter are traditional gateways and should be prioritized. These include cloud applications, interfaces to suppliers and partners (supply chain), and customer portals. In addition, the focus should be on applications and resources that contain sensitive information such as customer data.

Our value proposition:

The security engineering team at achelos GmbH has the ambition to support our customers and partners in securely developing, testing, assessing, approving, deploying and maintaining their security solutions. We are in particularly interested in

• Improving software engineering methods and techniques to integrate the consideration of security requirements in development processes and making the security designs easier accessible to the review and analysis of security experts
• Contributing to the evolution of security testing, security evaluation and certification methods to establish and maintain security and trust in increasingly complex security system
• Supporting with our security experience new and emerging security markets to define proper and realistic security baselines

#security #securityengineering #itsecurity #zerotrust #cybersecurity #securityconsulting #achelos