i 1 2 3 4 5 Cracking the Code to Secure Productivity in Two Steps 6 Step one Establish a Zero Trust security foundation Zero Trust is a security model that operates Principles of Zero Trust Implement least-privilege access under the motto, “Never trust, always verify.” This principle ensures that users get access Instead of assuming everything behind your It recognizes that trust is a vulnerability that to the resources they need to complete their corporate firewall is trustworthy, Zero Trust can be used to find exploitable points of entry tasks—and nothing more. This approach limits security assumes that any entity (internal and requires that you put up guardrails that the exposure of sensitive data and resources or external) trying to access organizational ensure cybercriminals aren’t unintentionally to unauthorized or compromised users and allowed through your defenses. resources is a potential threat. This assumption devices and restricts the extent of damage makes it necessary to apply three principles: an attacker can inflict within the network. verify explicitly, implement least-privileged Methods like just-in-time and just-enough access, and assume breach. access (JIT/JEA) policies, adaptive policies based on risk assessment, and data protection Verify explicitly strategies help to enforce this principle. Never trust The first principle is designed to make sure the person trying to access your network is Never implicitly trust any entity, Assume breach who they say they are. Every access request This principle aims to minimize the damage whether internal or external. to a resource is authenticated and authorized a breach can do. Assuming breach involves based on several factors, including the user’s segmenting access to resources, ensuring Always verify identity, their device, their location, the data encryption in transit and at rest, and service or workload they’re accessing, data Require continuous verification of using analytics for visibility, threat detection, classification, and any identified anomalies or identity, device, data, and network. and defense enhancement. This strategy risks. This ensures that valid users and devices is crucial to shrinking the blast radius of an can access to company resources, while attack and preventing attackers from moving suspicious entities are blocked or questioned. laterally within the network if they happen to gain access.
