Zero Trust Policy

Zero Trust Policy: Who, What, When, Where, Why, and How

What is a Zero Trust Policy?

Organizations are rushing to implement zero trust principles and technology in their organization. It is widely understood that zero trust can better protect a modern IT environment, prevent cyber attacks, and limit the damage caused by breaches when they occur. The zero-trust approach not only secures user access on the front end, but also workloads on the back end, ensuring that no connection is allowed without being authenticated and verified.

Zero-trust security policies allow organizations to define how user identities, device security posture, and fine-grained access control interact. They ensure that the principle of least privilege always applies, regardless of the device, location of the user, or location of the service they connect to. Upon successful authentication, end-to-end encryption is established and access is restricted to the user or device explicitly authorized.

A zero trust policy inspects a network request and attempts to answer six questions: who is trying to gain access, what they are trying to access, when the request is occurring, where the resource and user are located, why data is accessed, and how access should be provided. We’ll describe each of these steps in more detail below.

In this article:

Zero Trust Principles at the Basis of a Zero Trust Policy

Zero trust policies are based on the following key principles:

Continuous verification
Zero trust allows an organization to continuously monitor and verify the permissions and attributes of all users and devices. This is in contrast to the traditional approach of automatically trusting users and endpoints within organizational boundaries. Zero trust systems recognize that any resource, even if it resides within a corporate network or perimeter, could be compromised and used to carry out malicious activities.

Least privilege
A key component of zero trust is the least privilege principle—allowing a user or device to connect to a network or service only if specific conditions are met. Enforcing least privilege means that users are granted only the minimal access and privileges, set at the lowest possible level, that allow them to perform their role.

Visibility and control
By adopting zero trust, organizations gain visibility over all the services they use and the number of privileged accounts associated with each service. They can also control which devices are allowed to connect to which services and how. In many zero trust setups, connections from devices to the network are controlled by Network Access Control (NAC). This prevents devices from connecting to the network if they are unknown, unpatched, or do not have minimal security controls such as antivirus software.

Threat prevention
Zero trust leverages threat prevention technologies such as strong authentication, behavioral analytics, microsegmentation, endpoint security, and privilege control. All these can be used to identify potential attackers and restrict access when a breach has occurred. These controls can also be highly effective at preventing insider threats and accidental damage by privileged insiders. Zero trust policies can directly access security insights provided by these tools.

Related content: Read our guide to zero trust architecture

Key Elements of a Zero Trust Policy

A zero trust policy ensures that:

  • Users or service accounts are authenticated, authorized, and their security posture verified, before they connect to any service network.
  • Each connection request is granted access to specific resources depending on security policies and the current security context.
  • Access is denied by default. For example, when a new service account is defined, or a new employee joins a company, they initially do not have access to any systems. Administrators need to explicitly approve specific permissions and access levels for the new account.
  • Organizations have real-time visibility into user credentials and attributes and the ability to monitor both internal and external threats.

Related content: Read our guide to zero trust security

The 6 Questions a Zero Trust Policy Addresses

Technically, a zero trust policy is a set of “allow rules.” Each of these rules specifies conditions, and when these conditions are met, an account will be allowed to access specific resources at a specified time and place.

If a connection is evaluated and does not match a rule, the zero trust access mechanism blocks the traffic. This mechanism could be a next-generation firewall (NGFW) or a zero trust network access (ZTNA) system. This improves security because it focuses security efforts on traffic that was explicitly allowed—instead of a never-ending effort to block all types of unwanted access.

Each zero trust policy rule answers six questions. Let’s look at each of them in more detail.

1. Who Can Access a Resource?

Zero trust is based on strong user IDs, verified with multi-factor authentication (MFA). It also establishes robust device IDs, with device profiles that provide information about a device’s security posture—for example, whether it has encryption enabled, whether it has up-to-date antivirus, and whether its software has all required security updates.

Based on the verified user ID and device ID, the zero trust policy defines which resources a connection should be allowed to access. In line with the zero trust principle, access is only granted to a resource if a human or service account has a legitimate business reason to access it.

2. Which Application is Used to Access a Resource?

Zero trust systems can identify which application is being used to access a protected resource using information gathered from network layer 7, as well as the port, protocol, and IP used by the connection. This makes it much more difficult for attackers to spoof connections or use malicious applications, such as port scanners, to access corporate resources.

3. When Do Users Access the Resource?

Zero trust policies are sensitive to the time at which a connection occurs. It is possible to apply a fixed schedule for a resource, or use behavioral analysis to identify if the time is “unusual”—for example, if a user is logging in at a time that is outside their regular business hours.

4. Where Are the Resource and User Located?

A zero trust policy can take into account both the location of the protected resource and the user. For example, there could be different policies for:

  • On-premise resources
  • Cloud-based resources
  • Resources operated by partners or third parties
  • Users connecting across public networks
  • Users connecting from within the corporate network
  • Automated systems connecting via API

Related content: Read our zero trust network guide

5. Why Is Data Accessed and What Is Its Value?

Zero trust policies can leverage data classification to understand if the data being accessed is valuable or sensitive, and at what level. A zero trust policy can enforce different access controls for data that would cause damage if stolen by an attacker, as opposed to data that is publicly available.

6. How Should Access Be Allowed to the Resource?

A zero trust policy can regulate how entities access a specific resource. For example:

  • Allowing granular access only to the data and functionality of an application that a specific entity requires.
  • Detecting if a request, or data transferred during the connection, is being used to transfer known malicious payloads such as malware.
  • Determining if a request or connection is being used to transfer suspicious payloads that might be zero-day malware.
  • Identifying if a connection is being used to communicate with a command and control (C&C) center or to exfiltrate data outside the organization.
  • Decrypting encrypted connections to inspect their content.
  • Analyzing DNS signatures to detect DNS-level threats.

Zero Trust Security with Calico

Calico Enterprise and Calico Cloud enable a zero trust environment built on three core capabilities: encryption, least privilege access controls, and identity-aware microsegmentation.

  • Encryption – Calico utilizes WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than IPsec and OpenVPN tunneling protocols. Calico supports WireGuard for self-managed environments such as AWS, Azure, and Openshift, and managed services such as EKS and AKS.
  • Least privilege access controls – Calico implements least privilege access controls by denying all network traffic by default and only allowing connections that have been authorized. This applies to traffic between microservices as well as ingress and egress outside the cluster. Calico also integrates with native Kubernetes RBAC to provide authorization and authentication for various users and teams.
  • Identity-aware microsegmentation – Calico leverages its cloud-native model to divide workloads into smaller security segments and then applies security policies for these segments. This prevents lateral movement of threats by reducing and minimizing the attack surface.

Next steps:

Join our mailing list​

Get updates on blog posts, workshops, certification programs, new releases, and more!