What does the "zero trust" model in IT security reject?

Enhance your skills with the FITSI Manager Exam. Study with multiple choice questions featuring detailed explanations and hints. Prepare effectively right now!

The "zero trust" model in IT security fundamentally rejects the notion of automatically trusting any user or device, regardless of whether they are internal to the organization or not. This approach is based on the premise that threats can originate from both external and internal sources. In a zero trust environment, every access request must be verified, irrespective of the user's location or origin within the network.

By not automatically trusting users or devices, the zero trust model emphasizes the need for continuous authentication and strict access control measures. Even a user inside the network perimeter must still authenticate and is held to the principle of least privilege: they have access only to the resources necessary for their role.

This rejection of automatic trust helps organizations mitigate potential risks from malicious insiders or compromised accounts, aligning with a proactive security strategy that limits exposure and minimizes vulnerabilities.
