Home office, digitalization, and the migration of processes and data to the cloud have changed the way we are working resulting in a higher risk exposure of companies. Many accesses to systems and data of employees no longer take place within the protected company. Consequently, the classic perimeter-based protection approach to defend against external threats is no longer sufficient to continue to effectively exclude all risks of unauthorized access.
The zero-trust approach is based on the continuous verification of whether an activity can be considered ordinary and legitimate. In this context, authorizations, once granted and reviewed, are not considered permanent, but are regularly assessed for context (i.e., time, location, device, etc.) before being granted again. Zero Trust goes beyond classic access rights management.
This paper explains the principles on which Zero Trust is based and how they help to reduce risks. Furthermore, the implementation of a Zero Trust architecture is outlined and the preconditions that must be in place in the company are illustrated. Finally, possible steps of an introduction of the required processes and technologies are shown.
