As the world of computer systems has evolved from everything running on individual computers in one location to distributed networks connected to the cloud, there is a need to reevaluate system security. Traditional system security architectures are based on perimeter defense and are focused on stopping the intruder at the defensive wall. Emerging from perimeter defense is the zero trust security architecture. With zero trust, the primary architecture consideration is that the defensive wall has been breached, and someone is now inside your system. Since the intruder has breached the defenses, and you do not know who they are, you can trust no one.

Zero trust as architecture is not one thing; it is a combination of system procedures and tools that expand on the perimeter defense concepts of defense in depth, access control, and least privilege. The zero trust architecture leverages perimeter defense by expanding segmentation and authentication requirements, and — most importantly — by requiring robust system monitoring. This monitoring is continuous system assessments focused on system and user behaviors that can invoke an automated response to prevent malicious actions. These monitoring decision support tools are a major element of zero trust and set it apart from perimeter defense. The assumption behind these tools is that someone has breached your system and internal communications are no longer trustworthy, meaning all communications need to be validated and monitored.

It is important to consider that many information management system architectures that follow standard system security best practices are a hybrid of zero trust and perimeter defense. These hybrid systems are built on the zero trust and perimeter defense fundamentals of least privilege, where all users are restricted to only the resources they need for a function or job. Multi-factor authentication is required for both external access to access the system from the outside as well as internal access of highly secured resources. Other system design elements are data segmentation, ensuring internal system access is not flat, meaning access is granted equally to all resources. Instead, resources are segmented or chopped up into separate enclaves (micro-segmentation, micro-perimeters), with each enclave requiring access through specific authentication.

Zero trust architecture is outlined by seven basic tenets:

  1. Data sources and services are considered system resources; networks are more than the devices under configuration management control (i.e., anything that is connected).

  2. All communications are secured; access to resources is not automatically granted just because a user is in the system. Access is segmented through micro-segmentation by micro-perimeters.

  3. Access to resources is granted on a per-session basis. This is least privilege; access is constrained to only authorized resources.

  4. Access to resources is dynamic. Implementing this tenet requires sophisticated tools that can allow or deny access based on rules, including time, day, location, software version, and risk.

  5. Implement a tool-based function where the integrity and security of system devices are evaluated through continuous diagnostics and mitigation. All assets are considered untrustworthy, and access is based on dynamic assessment results.

  6. Implement dynamic resource authentication and authorization. The requirement is to constantly reevaluate trust for all devices, users, and systems.

  7. Collect information to improve security. Monitoring is the collection of information to identify outlier behavior (i.e., looking for an activity that does not belong).

The common theme in these tenets is dynamic access control. This is because nothing is static: User access requirements change, the health of devices change, and software becomes out of date. It also recognizes that as an internal threat moves within the system, elements may be compromised. Zero trust can only work if robust access rules can be dynamically enforced by software.

Many factors are driving the movement to zero trust. Networks have expanded to include non-company-controlled devices, employee personal devices, external systems and resources, and IoT devices outside of the company’s defensive perimeter. Additionally, the threat has evolved and improved their ability to move within the system laterally; this movement is aided by weak internal segmentation, authentication, and system monitoring.

Implementing zero trust requires assessment tools and an upgrade of system administration procedures. It also requires plenty of processing power, as constant monitoring and assessments require considerable system resources, and none of this is cheap. However, time is on your side as many companies now sell zero trust solutions, and as with all things IT, these tools become less expensive and better over time.

With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at