Zero Trust policy is written using "The Kipling Method". It is named after English poet Rudyard Kipling, who wrote about "six honest serving men" - Who, What, When, Where, Why and How.
As described by Steve King and John Kindervag, here is how these six questions apply to an access policy:
- Who should be allowed to access resources? This is determined through "asserted identity" - a validated and authenticated statement.
- What application is the asserted identity allowed to use to access the resource?
- When is the asserted identity allowed to access the resource? It should be limited to the time the user is typically on the computer system.
- Where is the resource located?
- Why is the user allowed to access the resource? There should be a "need to know", and sensitive information must be protected from unauthorized users.
- How should traffic be processed as it accesses a resource?
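To show how the six questions become an enforceable policy statement, here is an added example (not code from the original page, and not Kindervag's or King's own method): each rule carries one field per question, a request is matched against the rules, and anything not explicitly allowed is denied. The identity "alice", the application "payroll-web", the resource "hr-db" and the "hr-payroll" label are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class KiplingRule:
    who: str          # asserted (authenticated) identity
    what: str         # application the identity may use
    when: tuple       # (start_hour, end_hour) window, end exclusive
    where: str        # resource being protected
    why: str          # need-to-know label the identity must hold
    how: frozenset    # traffic handling the session must satisfy

@dataclass(frozen=True)
class AccessRequest:
    identity: str
    authenticated: bool   # identity validated by the enforcement point
    labels: frozenset     # need-to-know labels attached to the identity
    application: str
    resource: str
    at: datetime
    traffic: frozenset    # how the session's traffic is actually handled

def evaluate(req, rules):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    if not req.authenticated:
        return False, "who: identity not asserted"
    reason = "no rule matches"
    for r in rules:
        if (r.who, r.what, r.where) != (req.identity, req.application, req.resource):
            continue
        start, end = r.when
        if not start <= req.at.hour < end:
            reason = "when: outside allowed window"
            continue
        if r.why not in req.labels:
            reason = "why: no need to know"
            continue
        missing = r.how - req.traffic
        if missing:
            reason = "how: traffic missing " + ", ".join(sorted(missing))
            continue
        return True, "allowed by rule"
    return False, reason + " (default deny)"

# Constructed sample policy (hypothetical identity, app, resource and label).
RULES = [KiplingRule(who="alice", what="payroll-web", when=(8, 18), where="hr-db",
                     why="hr-payroll", how=frozenset({"tls", "inspected"}))]

def sample_decision(hour, labels=frozenset({"hr-payroll"}),
                    traffic=frozenset({"tls", "inspected"}), authenticated=True):
    req = AccessRequest("alice", authenticated, labels, "payroll-web", "hr-db",
                        datetime(2024, 1, 15, hour, 0), traffic)
    return evaluate(req, RULES)
```

Each denial names the Kipling question that failed, which is what an operator wants in the audit log when tuning the policy.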