Never Trust, Always Verify. What Is Zero Trust?
1. The Origins of Zero Trust
1.1. What Is Zero Trust
- Zero Trust is a security model based on the principle of "never trust by default, and always verify every access request".
1.1.1. Never Trust, Always Verify
- Never trust, always verify
- Users, devices, and network locations are not trusted by default.
- Even the internal network is not assumed to be safe.
- Every access request is always subject to Authentication and Authorization.
1.1.2. Least Privilege Access
- Principle of Least Privilege
- Users are granted only the minimum permissions necessary to perform their job.
- Unnecessary access privileges are not permitted.
1.1.3. Assume Breach
- Assume Breach
- Systems are designed on the premise that they may already have been compromised.
- Systems are designed to prevent the spread of an attack even if one occurs.
1.2. The Background of Zero Trust
- In 2010, a large-scale cyberattack known as Operation Aurora took place.
- Overview:
- The attack was a large-scale APT (Advanced Persistent Threat) campaign targeting more than 20 major IT companies, including Google.
- Attack Method:
- The attackers exploited a zero-day vulnerability in Internet Explorer using a technique called "Drive-by Download."
- Response:
- Google, which suffered significant damage from the attack, concluded that traditional network perimeter-based security models alone were insufficient to defend against sophisticated cyberattacks.
- In response, Google spent approximately 8 years redesigning its infrastructure using a Zero Trust architecture that verifies every access request.
- In 2014, Google published the results of this effort in a paper titled 'BeyondCorp', which became a milestone in spreading the concept of Zero Trust worldwide.
※ Drive-by Download: An attack method in which malicious code is automatically downloaded and executed simply by visiting a webpage, without any additional action by the user.
1.2.1. BeyondCorp Paper
- The BeyondCorp paper describes how Google abandoned its traditional internal-network-centric security approach and transitioned to a Zero Trust security model.
- The core of BeyondCorp is not trusting network location. Whether accessing from inside or outside the company, all access is verified based on user identity, device health, and authorization information.
- In short, BeyondCorp is a representative example of applying the Zero Trust principle — "don't trust just because you're inside; continuously verify every access" — to a real enterprise environment.
1.2.1.1. Key Points
- The traditional security model trusted the internal network, but once the internal network was compromised, it was difficult to effectively contain the spread of an attack.
- In response, Google determined that the internal network could be just as dangerous as the public internet, and applied a Zero Trust model that performs Authentication and Authorization for every access request.
- In this model, User Identity and Access Control become more important decision criteria than the user's location (On-Premise or Remote).
- Furthermore, not only the user but also the Device Security Posture and Device Management status are verified together.
- This ensures that only trusted users and devices can access business systems, reducing reliance on VPN (Virtual Private Network) and providing secure access regardless of location.
- Ultimately, this case demonstrates that Zero Trust is not just a theory, but a practical and implementable security model even in large-scale enterprise environments.
1.2.1.2. Implementation
BeyondCorp components and access flow
- When a user accesses a business system, all requests first pass through the Access Proxy, which serves as the central control point.
- The Access Proxy is responsible for performing User Authentication, as well as Authorization and Logging of each request.
- The Access Control Engine then determines whether to allow access based on user identity, group membership, and access permissions.
- At the same time, the Device Inventory Database is used to verify whether the device is a legitimate, enterprise-managed device.
- Additionally, device certificates and security posture information are used to perform Continuous Verification of the device's trust status.
- Ultimately, access to enterprise applications is permitted only when both the user and the device satisfy the security policy.
- All communications are encrypted, enabling a secure remote access environment without VPN.
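The following is an added example, not code from the BeyondCorp paper or Google's implementation: a Python model of the Access Control Engine decision order described above (user authentication, group membership, device inventory lookup, device certificate check, posture check, with every outcome logged). The inventory, group and policy data are constructed sample values, and the field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the Device Inventory Database and the
# user/group directory (hypothetical values, not taken from any real deployment).
DEVICE_INVENTORY = {
    "dev-1001": {"managed": True, "cert_fingerprint": "aa11", "os_patched": True, "disk_encrypted": True},
    "dev-2002": {"managed": True, "cert_fingerprint": "bb22", "os_patched": False, "disk_encrypted": True},
}
USER_GROUPS = {"alice": {"engineering"}, "bob": {"sales"}}
# Per-application policy: which groups may reach the app and whether a patched OS is required.
APP_POLICY = {
    "source-code": {"groups": {"engineering"}, "require_patched": True},
    "crm": {"groups": {"sales", "engineering"}, "require_patched": False},
}

@dataclass
class Request:
    user: str
    authenticated: bool          # result of the Access Proxy's user authentication step
    device_id: str
    device_cert_fingerprint: str  # fingerprint presented by the device certificate
    app: str

def evaluate(req: Request, audit: Optional[list] = None) -> tuple:
    """Return (allowed, reason); every decision is appended to the audit log."""
    def decide(allowed: bool, reason: str) -> tuple:
        if audit is not None:
            audit.append(f"user={req.user} device={req.device_id} app={req.app} allow={allowed} reason={reason}")
        return allowed, reason

    if not req.authenticated:
        return decide(False, "user not authenticated")
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return decide(False, "unknown application")
    # Authorization: user identity and group membership against the app policy.
    if not USER_GROUPS.get(req.user, set()) & policy["groups"]:
        return decide(False, "user not in an authorized group")
    # Device Inventory Database: only enterprise-managed devices are eligible.
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None or not device["managed"]:
        return decide(False, "device not in inventory or not enterprise-managed")
    if device["cert_fingerprint"] != req.device_cert_fingerprint:
        return decide(False, "device certificate mismatch")
    # Security posture: evaluated on every request, not only at enrollment.
    if not device["disk_encrypted"] or (policy["require_patched"] and not device["os_patched"]):
        return decide(False, "device posture below policy")
    return decide(True, "user and device satisfy policy")
```

The same device can be allowed for one application and refused for another, because posture requirements are part of the per-application policy rather than a one-time device check.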
1.2.2. Jericho Forum White Paper
- Jericho Forum Visioning White Paper
- This is the seminal white paper by the Jericho Forum that explains the concept of De-perimeterization and the motivation behind it.
- The idea of "security that does not rely on the perimeter," which is central to the BeyondCorp paper, is rooted in the De-perimeterization concept introduced by the Jericho Forum, founded in 2004.
- This concept later became the philosophical foundation of the Zero Trust security model.
1.2.2.1. Key Points
- The Jericho Forum identified the limitations of traditional network perimeter-based security and proposed the concept of De-perimeterization.
- It argued that relying solely on the distinction between internal and external networks is insufficient to address modern threats, as the security perimeter has been eroded by the rise of cloud computing, business partners, and remote work.
- Accordingly, security should be applied based on the criticality and risk level of assets rather than network location, and every access should require explicit trust verification.
- This perspective later evolved into the foundational philosophy of Zero Trust.
1.2.2.2. Implementation Approach
- All communications must use verifiable and secure protocols, and users and devices must authenticate mutually before gaining access.
- Authentication, authorization, and auditing capabilities must extend to external organizations, and data access is controlled by permissions and security attributes rather than location.
- Data must be protected throughout its entire lifecycle — at rest, in transit, and in use — and even administrative privileges must be strictly controlled without exception (separation of duties).
2. Realizing Zero Trust
2.1. Before vs After
- Before: Perimeter Defense
- The internal corporate network is treated as a trusted "zone."
- Trust is granted based on network location (internal/external); once the perimeter is crossed, internal resources are assumed to be safe.
- After: Zero Trust
- The principle of "trust nothing by default."
- Even if a user is on the internal network, they are not trusted; every access request is always strictly verified regardless of location.
2.2. Zero Trust Implementation Technologies
- The key implementation technologies of Zero Trust are components responsible for user identity verification, device management, access control, endpoint protection, cloud security, data loss prevention, and security monitoring.
2.2.1. Authentication & Access Control
- MFA (Multi-Factor Authentication)
- An authentication method that strengthens security by requiring two or more authentication factors — such as an OTP or biometrics — in addition to a password.
- RBA (Risk-Based Authentication)
- A method that analyzes risk factors such as location, device, and time of login to determine whether additional authentication is required.
- IAM (Identity and Access Management)
- A system that comprehensively manages user identities and access permissions. It encompasses both Authentication and Authorization.
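As an added illustration of the RBA entry above (not code from any product on this page), the following Python snippet scores a login attempt against a per-user baseline of location, device and time, and maps the score to the authentication the user must complete. The baseline data, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class LoginContext:
    user: str
    country: str        # geolocation of the source address
    device_id: str
    timestamp: datetime

# Constructed per-user baseline learned from earlier successful logins (hypothetical data).
BASELINE = {
    "alice": {"countries": {"KR"}, "devices": {"dev-1001"}, "work_hours": range(8, 20)},
}

def risk_score(ctx: LoginContext) -> int:
    """Add weighted points for each factor that deviates from the user's baseline."""
    profile = BASELINE.get(ctx.user)
    if profile is None:
        return 100  # no history at all: treat as maximum risk
    score = 0
    if ctx.country not in profile["countries"]:
        score += 50  # unfamiliar location
    if ctx.device_id not in profile["devices"]:
        score += 30  # unknown device
    if ctx.timestamp.hour not in profile["work_hours"]:
        score += 20  # outside the user's usual login hours
    return score

def required_factors(ctx: LoginContext) -> str:
    """Map the risk score to the authentication the user must complete."""
    score = risk_score(ctx)
    if score >= 80:
        return "deny"          # several anomalies at once: refuse the attempt
    if score >= 30:
        return "password+mfa"  # step-up: a second factor is required
    return "password"          # low risk: baseline authentication only
```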
2.2.2. Device Security
- MDM (Mobile Device Management)
- A technology that allows enterprises to remotely manage and control mobile devices. It handles device configuration, security policy enforcement, and remote wipe.
- MAM (Mobile Application Management)
- A method that manages only specific enterprise applications on a mobile device rather than the entire device. It is a data-protection-focused management approach.
2.2.3. Endpoint Security
- EPP (Endpoint Protection Platform)
- A traditional antivirus-based endpoint security solution. Its primary focus is on malware detection and blocking.
- EDR (Endpoint Detection and Response)
- A security technology that continuously monitors endpoint behavior to detect and respond to threats. Its distinguishing feature is that it covers response even after an attack has occurred.
- XDR (Extended Detection and Response)
- Rather than being an individual solution, XDR is an extended security framework that integrates various security systems — including network, server, email, and cloud — to analyze, detect, and respond to the full scope of a threat.
※ EPP focuses on malware prevention, EDR focuses on endpoint behavior-based detection and response, and XDR integrates multiple security domains to perform enterprise-wide threat analysis and response.
2.2.4. Network & Access Security
- VPN (Virtual Private Network)
- A technology that establishes a secure connection through an encrypted tunnel when accessing an internal network from outside. In many configurations, it grants access to the entire internal network upon connection.
- IAP (Identity-Aware Proxy)
- A method that controls application access on a per-user basis. Unlike VPN, it grants access only to specific services rather than the entire network.
※ VPN provides network-level access, while IAP provides user- and service-level access.
2.2.5. Security Monitoring & Data Analytics
- SIEM (Security Information and Event Management)
- An integrated security operations system that collects and analyzes logs from various systems to detect and respond to security events.
2.2.6. Cloud & Web Security
- SWG (Secure Web Gateway)
- A security gateway that inspects web traffic and blocks access to malicious sites.
- CASB (Cloud Access Security Broker)
- A security solution that provides visibility into cloud service usage and enforces data protection and access control.
- DLP (Data Loss Prevention)
- A technology that prevents sensitive data from being leaked outside the organization. It includes data identification, monitoring, and blocking capabilities.