Executive Summary: Zero Trust Security

Zero Trust Security is a framework for securing data and networks.  Unlike traditional security frameworks designed to protect an organization’s perimeter from external threats, Zero Trust frameworks assume that network security is continuously under threat from both external and internal attacks. 

Zero Trust was developed by John Kindervag in 2010 and assumes that every connection and endpoint is a threat.  By default, access to data and networks is restricted, and the system verifies and authorizes each connection.  Verified and authorized users receive access to specific data in a particular network segment for a limited time before they must be re-verified and re-authorized.  The entire process is typically monitored and logged.  Though expensive to adopt and maintain, more companies have adopted systems built on this framework after publicized data breaches attributable to internal attacks and the increasing shift towards remote work.

Another form is a Zero Trust encrypted environment, which relies on the nature of the data the custodian holds.  These systems accept only previously encrypted data (which the custodian cannot decrypt by itself because it does not hold the relevant keys) and, at most, a minimal amount of non-sensitive user data on their networks.  By design, custodians can only lose what they possess, and third parties hold the keys (or the details necessary to generate the keys) required to decrypt sensitive data that was encrypted before it reached the custodian.  Even in a significant data breach, bad actors may recover the encrypted data but not the ability to decrypt it.  The underlying data would be compromised only if the bad actor also obtains the relevant decryption keys from the third parties or independently decrypts the data (a brute-force attack).  This framework has been adopted by certain password managers, secure file transfer providers, and online digital vaults.  Zero Trust encrypted environments typically do not allow custodians to access, review, search, analyze, or restore data if the keys are lost.  Because these custodians are not capable of accessing the data they host, Zero Trust encrypted environments are sometimes referred to as “host-proof hosting.”