Zero trust: A security model in which no device, running process, or user is trusted by default, regardless of whether it sits inside or outside the network perimeter; every request for a resource is explicitly authenticated and authorized before access is granted, so everything is subject to some type of security check.
Data plane: The part of a network that carries user traffic and is responsible for forwarding packets to their destination; it handles forwarding, network address translation, and the other processes that move data. In a Zero Trust architecture the Policy Enforcement Point sits in the data plane, between the subject and the resource.
Control plane: The part of a network that manages what the data plane does (e.g., forwarding and routing policies, rules over what traffic may traverse the network). In a Zero Trust architecture the Policy Decision Point (Policy Engine plus Policy Administrator) lives in the control plane and tells the data plane which connections to allow.
Adaptive identity: Evaluating an individual's identity using the information gathered during authentication, not just the claims the user makes: the credentials they present plus contextual signals such as location, device type and posture, and time of access. The same user may be granted, challenged (e.g., step-up MFA), or denied depending on that context.
Limiting access points: Reducing the number of ways individuals can reach internal resources (also described as threat scope reduction), for example by allowing connections only from internal IP addresses/machines or through a VPN, so that a compromised account or device has fewer paths to exploit.
Policy-driven access control: Enforcing security policies that determine who can access which resources, so that only authorized individuals can perform specific actions, with the decision based on the subject's identity and the context of the request rather than on network location.
Security zones: Specific areas within a network to separate and control access depending on the security requirements and risk tolerance, thereby minimizing the attack surface.
Implicit trust: Granting access to sensitive resources on the basis of being inside a security zone, according to pre-established criteria (e.g., someone on the office network segment can reach internal network shares). This is the traditional perimeter model that Zero Trust replaces: location in a zone should not by itself confer access, and each request still needs to be verified.
Policy Enforcement Point: The data-plane component of a Zero Trust architecture that sits in front of a resource, forwards each access request (with the subject's identity and device information) to the Policy Decision Point, and enforces the result: it establishes the connection on a grant and blocks or terminates it on a deny. It enforces decisions; it does not make them.
Policy Decision Point: Control-plane component of a Zero Trust architecture that makes the access (authorization) decision for a request and passes it to the Policy Enforcement Point. Composed of a Policy Engine and a Policy Administrator.
Policy Administrator: Communicates with the Policy Enforcement Point to establish or shut down the communication path between subject and resource, based on the Policy Engine's decision; it also generates any session-specific token or credential the subject uses to access the resource.
Policy Engine: Evaluates each request against policy and contextual inputs (identity, device posture, location, time, threat intelligence) and makes the decision to grant, deny, or revoke access; the Policy Administrator then carries that decision out.
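To make the control-plane/data-plane split concrete, here is an added example (not part of these notes, and not any vendor's implementation) of a toy Zero Trust flow in Python: a Policy Engine evaluates a request against a per-resource policy using adaptive-identity context (role, MFA, device posture, source network, time of day), a Policy Administrator issues a short-lived HMAC-signed session token on a grant and can revoke it, and a Policy Enforcement Point in front of the resource only enforces what the decision point returns. The users, policies, IP ranges, key, and the use of an HMAC token as the session credential are all constructed assumptions for illustration.

```python
# Added example: toy Zero Trust PDP (Policy Engine + Policy Administrator)
# and PEP. Users, policies, networks and the token format are constructed
# for illustration, not taken from any real deployment.
import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed sample directory and per-resource policies.
USERS = {"alice": {"roles": {"hr"}}, "bob": {"roles": {"eng"}}}
POLICIES = {
    "hr-share": {"roles": {"hr"}, "require_mfa": True, "require_compliant_device": True,
                 "allowed_hours": range(7, 20),            # 07:00-19:59 local
                 "allowed_prefixes": ("10.0.", "192.168.")},  # corporate / VPN ranges
    "wiki": {"roles": {"hr", "eng"}, "require_mfa": False, "require_compliant_device": False,
             "allowed_hours": range(0, 24),
             "allowed_prefixes": ("10.0.", "192.168.", "203.0.113.")},
}


@dataclass
class AccessRequest:
    user: str
    resource: str
    mfa_verified: bool       # did the subject complete MFA for this session?
    device_compliant: bool   # posture result reported by the device agent
    source_ip: str
    hour: int                # local hour of the attempt, 0-23


class PolicyEngine:
    """Decides grant/deny from policy plus the request's context. Denies by default."""

    def evaluate(self, req):
        policy, user = POLICIES.get(req.resource), USERS.get(req.user)
        if policy is None or user is None:
            return False, ["unknown resource or user"]
        reasons = []
        if not user["roles"] & policy["roles"]:
            reasons.append("role not permitted")
        if policy["require_mfa"] and not req.mfa_verified:
            reasons.append("MFA required")
        if policy["require_compliant_device"] and not req.device_compliant:
            reasons.append("device not compliant")
        if req.hour not in policy["allowed_hours"]:
            reasons.append("outside allowed hours")
        if not req.source_ip.startswith(policy["allowed_prefixes"]):
            reasons.append("source network not allowed")
        return (not reasons), reasons


class PolicyAdministrator:
    """Turns a grant into a session credential the PEP can verify, and revokes it."""

    def __init__(self, key, ttl_seconds=300):
        self.key, self.ttl, self.revoked = key, ttl_seconds, set()

    def _sign(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, req, now):
        body = f"{req.user}|{req.resource}|{int(now) + self.ttl}"
        return f"{body}|{self._sign(body)}"

    def validate(self, token, resource, now):
        try:
            user, res, expiry, sig = token.split("|")
        except ValueError:
            return False
        return (hmac.compare_digest(sig, self._sign(f"{user}|{res}|{expiry}"))
                and res == resource and int(expiry) > now and token not in self.revoked)

    def revoke(self, token):
        self.revoked.add(token)


class PolicyDecisionPoint:
    def __init__(self, engine, admin):
        self.engine, self.admin = engine, admin

    def decide(self, req, now):
        granted, reasons = self.engine.evaluate(req)
        return granted, reasons, (self.admin.issue(req, now) if granted else None)


class PolicyEnforcementPoint:
    """Data-plane gateway in front of the resource: it enforces, never decides."""

    def __init__(self, pdp):
        self.pdp = pdp

    def request_access(self, req, now=None):
        now = time.time() if now is None else now
        granted, reasons, token = self.pdp.decide(req, now)
        return {"status": 200, "token": token} if granted else {"status": 403, "reasons": reasons}

    def use_session(self, token, resource, now=None):
        now = time.time() if now is None else now
        return 200 if self.pdp.admin.validate(token, resource, now) else 401


def build_pep(key=b"constructed-demo-key"):
    return PolicyEnforcementPoint(PolicyDecisionPoint(PolicyEngine(), PolicyAdministrator(key)))


if __name__ == "__main__":
    pep, now = build_pep(), 1_700_000_000.0
    ok = AccessRequest("alice", "hr-share", True, True, "10.0.1.5", 10)
    print(pep.request_access(ok, now))                       # 200 with token
    bad = AccessRequest("alice", "hr-share", False, True, "203.0.113.7", 10)
    print(pep.request_access(bad, now))                      # 403, MFA + network
```

Note that the same user (alice) is granted from the corporate range with MFA and denied from an external address without it: the decision depends on context, not on the account alone, and every check is re-run per request rather than assumed from network location. Tokens expire after the configured TTL and can be revoked by the Policy Administrator, so a grant is never permanent.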