# Zero trust

**What is zero trust?**

Zero trust is a security model in which every request for access is verified on its own, including requests that come from inside the company network. The check covers who is asking, from which device and for which data. Permissions are limited to what the task requires.

For a long time company networks followed the picture of a castle. The firewall guarded the perimeter, and inside it devices and users could reach each other almost freely. Home working, cloud services, company phones and remote maintenance access have dissolved that perimeter, because requests now arrive from everywhere. Zero trust draws the conclusion that every request is verified on its own, whether it comes from the office, from a home desk or from the internet.

Three principles carry the model. The first is identity: every account is protected by a strong login, usually two-factor authentication, meaning a second confirmation in addition to the password. The second is least privilege: each person and each system holds exactly the rights the task requires. The third is separation: the network is divided into zones so that one compromised device reaches only a small part of it.

For a company without an IT department, zero trust is a direction that individual decisions can follow. Buying a product on its own does not create the model. The first steps stay manageable: two-factor authentication on every account reachable from the internet, meaning email, remote access and cloud services. Separate accounts for daily work and for administrative tasks. A dedicated network for guests, cameras and machines. Once a year, a review of who may open which folders.

Familiar situations show where the work is needed. A single remote access route puts a service provider into the entire network. Every employee can open every folder, because permissions were never set up. A supplier's maintenance access exists permanently and with full rights. In cases like these, one stolen password is enough for an attacker to reach the whole business.

The vetosec IT Check records which access routes exist, how they are protected, how permissions were granted and whether the network is divided into zones. The findings lead to an action plan ordered by urgency that you can work through step by step. The first conversation of 20 minutes is at no charge.

## Related terms
- [Permission model and least privilege](https://vetosec.at/en/it-security/berechtigungskonzept/)
- [Two-factor authentication (2FA)](https://vetosec.at/en/it-security/zwei-faktor-authentifizierung/)
- [Network segmentation](https://vetosec.at/en/it-security/netzwerksegmentierung/)
- [Attack surface](https://vetosec.at/en/it-security/angriffsflaeche/)

## Source
https://vetosec.at/en/it-security/zero-trust/ (vetosec, grundlagen)
