2. Adopting a least privilege strategy and strictly enforcing access control.
The least privilege strategy has been around for many years, but because of its complexity it was difficult to enforce. Before the DevSecOps culture, teams engaged in software delivery managed privileges as teams or groups, where anyone belonging to a group had uniform access. Zero Trust instead adopts compliance-based access, where privileges are tied not to a group but to the role a user has to play. DevSecOps teams must frame compliance policies that consistently manage access across locations and resource types, at both the network layer and the application layer.
Current security solutions cater to either the network layer or the application layer, and bridging the disconnect between the two has been difficult. Users and their devices gain broad access to a network but rely on applications for authentication. For example, anyone can connect to a banking website's login page, but only a user with banking access can get into the application. This security flaw lets attackers use DDoS to stall servers and services.
With Zero Trust, if users are not authorized to access a service (e.g., SSH to a server, or authentication to a VPN), they must not be able to connect to that service at the network layer at all.
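As an added example (not code from the original post), here is a Python sketch of the single policy decision point the text calls for: an identity-aware network gateway consults it before accepting a connection, and the application consults the same policy again for the specific action, so an identity with no role for a service never reaches the listener. The services, roles and identities are constructed for illustration.

```python
"""Constructed example: one policy decision point shared by the network-layer
gateway and the application, so authorization is enforced before a
connection exists rather than only at login."""
from dataclasses import dataclass, field

# Constructed role-based policy: which roles may reach which service, and
# which actions they may perform once connected.
POLICY = {
    "ssh-bastion": {"connect": {"sre"}, "exec": {"sre"}},
    "banking-app": {"connect": {"teller", "customer"},
                    "view": {"teller", "customer"}, "transfer": {"teller"}},
}


@dataclass
class Identity:
    user: str
    roles: set = field(default_factory=set)
    device_compliant: bool = True  # compliance signal, also part of the decision


def authorize(identity, service, action):
    """Single decision point used by every enforcement layer."""
    if not identity.device_compliant:
        return False
    allowed = POLICY.get(service, {}).get(action, set())
    return bool(identity.roles & allowed)


def legacy_network_gate(identity, service):
    """Pre-Zero-Trust behaviour described in the text: anyone on the network
    can reach the listener; only the application checks authorization."""
    return "connection established"


def network_gate(identity, service):
    """Zero Trust network-layer enforcement: refuse the connection itself
    unless the identity holds a role permitted to connect to this service."""
    if authorize(identity, service, "connect"):
        return "connection established"
    return "connection refused"


def app_handler(identity, service, action):
    """Application-layer enforcement reuses the same policy for the action.
    Returns 'unreachable' when the network gate already refused the client."""
    if network_gate(identity, service) != "connection established":
        return "unreachable"
    return "ok" if authorize(identity, service, action) else "forbidden"
```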