New RCE Report: the Zero Trust Principle

The 13th instalment in the series designed for military and national security decision makers focuses on the analysis of usage of the Zero Trust principle — what it is, best practices, architecture and technology and legal aspects. 

Today, when companies and organisations set out to modernise and improve their cybersecurity posture, chances are that they will base their approach on the Zero Trust security model —and for good reasons. Computer security professionals love to say that there is no such thing as 100% security.

Despite that, many security strategies seem to be founded on the assumption that setting up border protection and establishing a secure perimeter around the enterprise network can be done well enough. Zero Trust does not make that assumption.

Zero Trust is a security model built around the idea that no user or device should be trusted just because it is operating in a ‘private’ network.

Many major corporations and organisations are now using it, with Google being one of the early adopters. In the last year, government security agencies have been pushing the model more and more. There has, however, been a lot of market hype connected with the model, and different vendors will claim that their particular offering is the true path for implementing Zero Trust.

Zero Trust teaches us that we should always assume a breach and verify every access even from within the internal network, even with air-gapped networks. There is always an insider threat and the risk of physical intrusion or failure of security mechanisms and the same Zero Trust principles should be applied for these systems. The outer shell may be more secure, but the damage, if it is breached, will be much greater.

Applying these principles also means using end-to-end encryption to protect information, even on the internal network. There should not be any implicit trust in the network or its users just because it is internal.

This recurring report is the collaborative view of NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) researchers highlighting the potential effects of current events and developments in cyberspace on armed forces, national security and critical infrastructure, based on publicly available information. It does not set out to be exhaustive.

While the authors have made every effort to describe events from a perspective relevant to NATO and partner nations, there may be national and regional differences which this paper does not address. The authors of this paper are independent researchers at the NATO CCDCOE; they do not represent NATO, nor does this paper reflect NATO’s position. The aim of the paper is not to replace information about vulnerabilities and incidents provided by CSIRTs and providers of CIS products and services.