At its core, zero trust is built on three established security principles: least privilege, separation of duties, and defense in depth (DiD). However, it's important to use these principles correctly in order to achieve the benefits of zero trust, Forrester analysts noted.
“Zero trust continues to make waves, with U.S. federal agencies now publishing guidance, such as the OMB’s M-22-09 or the [Department of Defense's] zero-trust strategy for effective implementations, allowing for the government to be viewed as a source of trust in cybersecurity,” analysts wrote in a blog post.
They added that the foundation of zero trust includes common security practices and core principles, which will help organizations find the right path when it’s time to assess their zero-trust maturity.
The first is least privilege, a practice that ensures individuals have only the “just enough access” they need to do their jobs. This can be an effective way to improve security, but it can become cumbersome if someone's role encompasses too much. In these cases, the security team may create too many permissions for a single role, increasing the chances of a poor decision that could negatively impact the organization's security, Forrester warned.
Another principle is separation of duties, which can help make least privilege a reality but does not address access prevention. Under this principle, no single individual should hold excessive privileges. For example, a sales rep would not be able to alter the pricing of a product on their own but would instead need approval from a manager.
“These two principles are focused mainly on permissions but don’t address access prevention,” analysts wrote.
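As an added illustration (not from the article or from Forrester), the following Python snippet encodes the sales-rep example above: least privilege as an explicit per-role allowlist where anything unlisted is denied, and separation of duties as a rule that a price change needs a proposer and a distinct, suitably privileged approver. The role names, users and actions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data. Least privilege: each role gets an explicit
# allowlist of actions; anything not listed is denied by default.
ROLE_PERMISSIONS = {
    "sales_rep": {"quote:read", "quote:create", "price:propose"},
    "sales_manager": {"quote:read", "price:propose", "price:approve"},
}

# Constructed user-to-role mapping (one role per user for simplicity).
USERS = {"alice": "sales_rep", "bob": "sales_manager"}


@dataclass
class PriceChange:
    product: str
    new_price: float
    proposed_by: str
    approved_by: Optional[str] = None


def can(user: str, action: str) -> bool:
    """Least-privilege check: unknown users and unlisted actions are denied."""
    return action in ROLE_PERMISSIONS.get(USERS.get(user, ""), set())


def authorize_price_change(change: PriceChange) -> Tuple[bool, str]:
    """Apply least privilege, then separation of duties, to a price change.

    Returns (allowed, reason). The proposer must hold price:propose, a
    second principal must hold price:approve, and they must be different
    people so that no single individual can change a price alone.
    """
    if not can(change.proposed_by, "price:propose"):
        return False, f"{change.proposed_by} may not propose price changes"
    if change.approved_by is None:
        return False, "price change requires a second approver"
    if change.approved_by == change.proposed_by:
        return False, "proposer may not approve their own change"
    if not can(change.approved_by, "price:approve"):
        return False, f"{change.approved_by} may not approve price changes"
    return True, "approved"


if __name__ == "__main__":
    for pc in (PriceChange("widget", 9.99, "alice"),
               PriceChange("widget", 9.99, "alice", "alice"),
               PriceChange("widget", 9.99, "alice", "bob")):
        print(pc.proposed_by, "->", pc.approved_by, authorize_price_change(pc))
```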
DiD to the Rescue?

This is where DiD comes in. It helps organizations focus on controls that prevent unauthorized access to systems, spanning administrative, technical, and physical control measures.
However, DiD has sometimes been misused, resulting in what's known as "expense in depth." Forrester explained this is when “problems were addressed by throwing more money to layer on more technology and security controls in the hopes of blindly preventing a threat after the fact."
Zero trust refocuses DiD in a more strategic manner, allowing security professionals to consolidate disparate controls, reduce the cost of management, and deter unauthorized access. By taking advantage of technological advancements and placing strategic access controls closest to valuable assets, organizations can make it more difficult for threat actors to gain access, while simultaneously mitigating insider threats.
“Zero trust as an information security model has come a long way. It has also faced much contention and doubt,” analysts wrote. “One thing is certain, though: if we focus on what [zero trust] is built upon we find that it provides a common goal for most (if not all) of these foundational principles to be effective in their application.”