The three Zero Trust principles
- Nobody can be trusted: we can never assume that someone is to be trusted, and therefore, we need to continually verify, analyze, and evaluate users, certificates, and machines.
- Nobody needs access to everything simultaneously at the same time: we minimize access to resources to only those users, devices, and assets identified as needing access as well as continually authenticating and authorizing the identity to identify and security posture of each access request.
- We’ll assume breach: since we can’t know for sure that an attacker isn’t already inside, we’ll assume breach. That means that our environment is no more trustworthy than those environments owned by third parties.