Read a brief summary of the ebook 👇
What is Zero Trust?
Before the concept of a ‘Zero Trust Network’ was introduced in 2010 by Forrester Research analyst John Kindervag, networks were protected using the perimeter model of security. Think of it like a castle surrounded by a large moat: all your trusted users and precious resources were within the castle walls, safeguarded from the outside world by the moat. Only those who were given access to cross the moat were allowed inside the castle, but once they were inside, they had free access to most parts of the castle. It’s pretty simple, and it makes sense, right?
Just one problem: what if someone managed to get inside without authorisation? Maybe they disguised themselves as a trusted user, or found a way to cross the moat without raising the alarm? Now the castle has a dangerous outsider roaming its innermost sanctums, and no protocols have been established to even look for—let alone identify—the intruder.
How does Zero Trust address this issue?
Zero trust is the direct answer to the issues with the perimeter model, on both a conceptual and a technological level.
As a concept, zero trust says that your network can’t implicitly trust users to be who they purport to be. Any device or user trying to access resources on the private network needs to verify their identity first, regardless of whether they’re within the network perimeter or not. The system assumes that there are always attackers present within the network, so no user can be trusted by default.
Principles of Zero Trust
While the technical implementation of the zero trust model can vary wildly from one organisation to the next, there are several core principles or practices you need to follow in order for it to be effective.
Here are the 6 main principles of zero trust:
1. Least privilege
2. Continuous monitoring and validation
3. Device access control
4. Microsegmentation
5. Preventing lateral movement
6. Multi-factor authentication
How to Adopt Zero Trust at Your Organisation
Zero trust isn’t a singular milestone or ‘event’ that you can reach simply by implementing the right security controls. It’s a complex, multi-stage process that involves making incremental changes to your system, assessing the needs of the tech stack, and gradually adopting more secure practices and technologies at every level of your organisation. This, as you might imagine, takes time and consistent effort.
It helps to break down the process of zero trust adoption into various stages or levels of maturity, letting you answer questions like:
1. How many potential threat scenarios have we covered so far?
2. What are the most critical security concerns we must address?
3. What is the next step to take?
There are typically 5 stages to implementing zero trust at your organisation:
Stage 1: Building the foundation
Stage 2: Add preliminary access controls
Stage 3: Building mature access controls
Stage 4: Closing all the gaps
Stage 5: Real-time monitoring
This is just a short excerpt of our e-book. For the full copy, download it for free here.