A Study on Zero Trust
Spencer Wan
University of Wollongong
Singapore
Abstract— Zero Trust is a strategic cybersecurity approach
that revolutionizes traditional security models by eliminating
implicit trust and requiring continuous validation for every
digital interaction. This paper explores the core principles of
Zero Trust, some of their benefits and their implementation
strategies.
Keywords—Zero, Trust, Case, Study
I. INTRODUCTION
Zero Trust is a strategic approach to cybersecurity that
secures an organisation by eliminating implicit trust and
continuously validating every stage of a digital interaction.
In essence, it is the model of requiring strict identity
verification for every person and device trying to access
resources on a private network, regardless of whether they
are inside or outside the network perimeter.
Unlike traditional security models that operate on the
typical assumption that entities inside the network perimeter
were inherently trustworthy, Zero Trust mandates
verification, and does not grant automatic trust, thereby
abolishing any of the exemptions for specific people or
devices. The goal is to minimise data breaches and limit
internal lateral movement by continuously verifying
credentials and employing a principle of least privilege.
II. CORE PRINCIPLES
Zero Trust is built on three fundamental principles that
form the backbone of its strategic approach to cybersecurity:
Verify Explicitly, Use Least Privilege Access, and Assume
Breach. Each of these principles ensures that security is
maintained at every step of a digital interaction, making it
significantly more difficult for malicious actors to
compromise systems and data.
A. Verify explicitly:
The Zero Trust model fundamentally rejects the
assumption that any entity, whether user, device, or
application, can be trusted by default (NIST, 2020).
Therefore, every access request must be authenticated and
authorised based on comprehensive, context-aware criteria
before granting access. This approach requires considering
multiple factors beyond just user credentials, such as User
identity, Device health and Data classification.
1) User identity:
Before granting access, robust authentication methods,
such as multi-factor authentication (MFA) should be
prompted in any environment, outside or inside the network
to diligently ensure that the user is who they claim to be.
2) Device health:
Evaluate the security posture of the device being used.
This includes checking for compliance with security policies,
such as up-to-date antivirus software and operating system
patches. This aims to ensure that devices brought in are
checked for vulnerabilities and to ensure their risks are
mitigated as much as possible.
3) Data classification:
There must also be classification and considering of the
sensitivity of the data being accessed. Access to higher
classification data should require more stringent verification
processes and be based on the principles of least privilege.
B. Use Least Privilege Access
The principle of least privilege access aims to minimise
the potential damage of a security breach by restricting
access rights for users and applications to the bare minimum
necessary for their roles and functions. Key aspects of
implementing least privilege access includes Role-based
access controls and Just-in-Time access:
1) Role-based access control:
This method assigning permissions based on the user's
role within the organisation. Each role is assigned a set of
permissions that align with its responsibilities, ensuring that
users can only access the information and resources
necessary for their job functions.
2) Just-in-time access:
This method grants temporary access rights to users for a
specific task or period. Once the task is completed or the
time period expires, the access rights must be revoked. Either
manually for early task completion, or automatically once the
time expires. This approach ensures that elevated access
permissions are granted only when absolutely necessary and
for the shortest duration possible.
C. Assume Breach
The principle of assuming breach shifts the mindset from
prevention to resilience, operating under the assumption that
security breaches are inevitable. This principle drives the
design of systems to contain and minimize the damage from
breaches. Key strategies include Micro-segmentation,
Continuous monitoring and analytics, Data encryption and
tokenisation, and a Robust incident response strategy.
1) Micro-segmentation:
This method involves dividing the network into isolated
segments or zones, each protected by its own security
controls. This strategy limits the lateral movement of
attackers within the network, confining any breach to a single
segment.
2) Continuous monitoring and analytics:
This method involve using advanced tools and techniques
to monitor network activities in real-time, detect anomalous
behaviour, and identify potential breaches quickly.
3) Data encryption and tokenisation:
This method involve securing sensitive data both at rest
and in transit, ensuring that even if data is accessed by
unauthorized parties, it remains unreadable and unusable.
4) Robust incident response:
This method involves establishing comprehensive plans
and procedures to detect, respond to, and recover from
security incidents. This includes regular IR drills and
simulations to ensure the organization is prepared for real-
world scenarios.
 III. BENEFITS OF ZERO TRUST APPROACH
Since the Zero Trust model emphasises the principle of
"never trust, always verify." (Buck, 2021). It focuses on
eliminating implicit trust and continuously validating every
stage of a digital interaction. Some of the key benefits of
implementing a Zero Trust architecture includes
enhancements to an organisation's overall security posture,
compliance and risk mitigation, operational efficiency, and
cost savings.
A. Enhanced security:
1) Pro-active defence strategy:
By incorporating the Zero Trust methodology of
assuming breach, it stimulates the network by probing it and
also continuously monitoring for any anomalous behaviour.
Instead of waiting for something to happen, it is more
prudent to treat the network as if there was an attacker
already inside, thereby increasing the rate with which
defence systems can successfully respond to new attacks
(Colbaugh, 2021).
2) Reduced attack surface:
Since every access request is authenticated and
authorised, it mitigates the risk of credential theft, Man-in-
the-Middle attacks, and insider threats. Furthermore,
enforcing least privilege access by granting users and
applications only the minimum permissions necessary to
perform their roles, it minimises the number of potential
entry points for attackers. Together, they significantly reduce
the attack surface.
3) Restricting attacker’s lateral movement:
As Zero Trust employs micro-segmentation, each
segment, is protected by its own security controls. This
strategy limits the potential lateral movement of attackers
within the network, with the goal of containing a breach to a
single compartment – like a specified VLAN or Physical
network.
B. Compliance and risk mitigation:
1) Due diligence:
Zero Trust helps organisations comply with stringent
regulatory requirements such as GDPR or HIPAA, by
enforcing strict access controls and protecting sensitive data
through encryption and tokenisation. This standard legally
ensures that sensitive information is safeguarded. The
detailed logging and monitoring integral to Zero Trust
provide comprehensive records of access and activity. This
facilitates compliance audits and simplifies reporting, making
it easier for organisations to demonstrate adherence to
regulatory requirements. With these practices, it can be
shown due diligence is being rigorously followed, leaving no
room for doubt about compliance and data protection efforts.
2) Risk mitigation:
a) Operational readiness
Operating under the assumption that breaches are
inevitable, Zero Trust enables organisations to design
systems that quickly identify, contain, and mitigate the
impact of security incidents thereby enhancing the ability to
manage and recover from breaches to maintain operational
capabilities.
b) Data protection
Since sensitive data should be encrypted both at rest and
in transit, it remains unreadable and unusable. Tokenised
data further protects sensitive information by replacing it
with non-sensitive tokens.
C. Operational efficiency:
1) Seamless Security
By employing seamless authentication mechanisms, such
as single sign-on (SSO). For example, SSO reduces the need
for users to remember multiple passwords, and also helps
reduce the number of password resets. This balance of
security and convenience enhances productivity without
compromising protection.
2) Remote Work Enablement
In the era of increased remote work (Ozimek, 2020), the
policy of Zero Trust can support secure remote access to
company resources since every access request, even within a
VPN, is authenticated and authorised. This provides an extra
layer of security for remote connections.
D. Cost savings:
1) Reduced operational costs:
Having effective breach prevention and mitigation
reduces the time and resources needed to recover from
security incidents. This includes lower costs for incident
response, system restoration, and data recovery. Furthermore,
a centralised and automated security management reduces the
need for manual intervention and oversight, leading to
operational cost savings.
2) Demonstrable due diligence:
In the event of a breach, since the organisation that can
demonstrate they have implemented robust security measures
like Zero Trust, it is more favourable to reduce potential fines
and legal fees.
a) Avoidance of penalties
By complying with data protection regulations such as
GDPR or HIPAA, it mitigates the risk of regulatory actions
and associated legal costs as non-compliance can result in
significant fines.
b) Reduced legal costs
As data breaches often lead to legal battles, including
lawsuits from affected parties and contractual disputes with
partners. We decrease the likelihood of such breaches,
thereby reducing the potential for costly legal proceedings.
IV. THOUGHTS ON ZERO TRUST APPROACH
In my view, the Zero Trust architecture approach to
cybersecurity represents a paradigm shift from traditional
security models that relied heavily on perimeter defences and
implicit trust for internal network activities. It is the war
forward to proactively adapt to the changing security risks in
today's complex digital environments. By implementing
granular access controls, continuous monitoring, and strong
authentication mechanisms, organizations can better protect
their assets and data from potential breaches and insider
threats.
However, some challenges remain; in an ideal world,
with unlimited resources and money, a full Zero Trust model
would be a highly secure working environment that should
also seamlessly allow work to function without hassle. It
would also check every single nook and cranny, in this case,
every device, asset, software or people.
Change management is an important factor in deploying
Zero Trust. There needs to be a buy-in from all stakeholders
and decisionmakers, to ensure that Policies and Procedures
will be followed through. To add on, there also remains the
difficulty of linking and integrating it with existing systems.
It is time consuming to detail down what can function
together with what already exists.
Hence, the upfront cost of investing into Zero Trust
technologies and solutions can be a substantial hurdle for
organisations. Budget must also be allocated to these new
tools, hiring new staff to utilise and to train for existing staff,
and the management of the new resources.
Fundamentally, there needs to be a Security Operations
Centre (SOC) to perform the task of Continuous Monitoring
as Zero Trust requires constant vigilance and real-time
monitoring to be effective. Ideally an in-house SOC would
be preferred, as the organisation would have full control and
visibility. But outsourced SOCs should not be discounted as
well if budget is tight.
With these in mind, there are two big challenges I see in
Zero Trust – Cost, and the balance of security and
accessibility.
A. Cost:
The most critical consideration is cost. The cost
challenges associated with Zero Trust requires careful
planning, budgeting, and prioritisation. Organisations should
conduct a thorough cost-benefit analysis to assess the
potential return on investment (ROI) of implementing Zero
Trust measures and prioritise investments based on their
unique security requirements, risk profile, and available
resources.
B. Balance between security and accessibility:
Next, is the consideration of convenience. It is human
nature to take the shortest path to our destination – and it is
the same challenge cyber security. Too many restrictions,
strict access controls, frequent authentication prompts, and
other security measures can introduce friction and
complexity into user workflows, potentially hindering
productivity, and user satisfaction. Potentially, this might
also increase the likelihood of Shadow IT being used to
circumvent these restrictions.
With these in mind, user education and awareness are
essential components of achieving a balance between
security and usability. Employees need to understand the
importance of Zero Trust security measures and how to
navigate them effectively. Of course, to balance the two, we
could leverage on the Russian proverb “Trust, but Verify”. In
my view, it is going to be infeasible to verify all assets every
single time they request access, a balance could be that some
things could be trusted, if the risk analysis shows to be
extremely low, but you should occasionally verify them.
(Burgess, 2023)
In the end, these factors vary from place to place, and
organisations must take them into account before, during and
after the deployment of Zero Trust architecture. Finding the
right balance can be a tricky thing, but Zero Trust will be the
way forward in cyberspace.
REFERENCES
[1] Stafford, V. A. (2020). Zero trust architecture. NIST special
publication, 800, 207.
[2] Buck, C., Olenberger, C., Schweizer, A., Völter, F., & Eymann, T.
(2021). Never trust, always verify: A multivocal literature review on
current knowledge and research gaps of zero-trust. Computers &
Security, 110, 102436.
[3] Colbaugh, R., & Glass, K. (2011, July). Proactive defense for
evolving cyber threats. In Proceedings of 2011 IEEE International
Conference on Intelligence and Security Informatics (pp. 125-130).
IEEE.
[4] Ozimek, A. (2020). The future of remote work. Available at SSRN
3638597.
[5] Burgess, C. (2023, July 24). The old “trust but verify” adage should
be the motto for every CISO. CSO Online.
https://www.csoonline.com/article/646698/the-old-trust-but-verify-
adage-should-be-the-motto-for-every-ciso.html