Zero Trust
Unlike traditional “moat and castle” or defense-in-depth designs, ____ presumes that there is no trust boundary and no network edge
Subjects
are the users, services, or systems that request access or attempt to use rights
Policy Engines
make policy decisions based on both rules and external systems
Policy Administrators
are not individuals. Rather, they are components that establish or remove the communication path between subjects and resources, including creating session-specific authentication tokens or credentials as needed
Policy Enforcement Points
communicate with Policy Administrators to forward requests from subjects and to receive instructions from the Policy Administrators about connections to allow or end
The Control Plane is composed of four components
Adaptive identity (often called adaptive authentication), which leverages context-based authentication. Adaptive authentication methods may then request additional identity validation if requirements are not met or may decline authentication if policies do not allow for additional validation
Threat scope reduction, sometimes described as “limited blast radius”, is a key component in Zero Trust design. Limiting the scope of what a subject can do, as well as what access is permitted to a resource, limits what can go wrong if an issue does occur
Policy-driven access control
The Policy Administrator
The Data Plane includes
Implicit trust zones
Subjects and systems
Policy Enforcement Points