# How to use Fleet for zero trust attestation

![Using Fleet for zero trust attestation](../website/assets/images/articles/fleet-for-zero-trust-attestation-800x450@2x.jpg)

### In this article

- [What is zero trust?](#what-is-zero-trust)
- [How does Fleet fit into a zero trust system?](#how-does-fleet-fit-into-a-zero-trust-system)
- [Considerations for zero trust](#considerations-for-zero-trust)

## What is zero trust?

Zero trust is a cybersecurity approach that encourages end users to meet configuration and posture guidelines. If end users don’t meet these guidelines, then they can’t access certain applications and data.

An organization's security team will specify policies that a user's device must meet. Every time an end user tries to log in to a company-owned resource (e.g., the company email), the system checks whether the device complies with the policies. If the device does not comply, then the system denies the user access to the resource. When the user addresses the policy violation(s), then they may try again.

![Zero touch diagram](../website/assets/images/articles/zero-touch-diagram-800x353@2x.jpg)

## How does Fleet fit into a zero trust system?

Fleet provides two pieces of the zero trust puzzle: the policy engine and self-remediation instructions for the user. These integrate with an authentication system to create a full zero trust system.

### The policy engine

Fleet allows security teams to write policies that reflect the company's access requirements. Under the hood, osquery regularly checks these policies and sends results to the Fleet server.

![Create a policy modal in Fleet](../website/assets/images/articles/create-a-new-policy-800x450@2x.jpg)

For example, many organizations need to encrypt their devices’ hard disks. In Fleet, this can be accomplished with the following policy:

```
SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT '' AND filevault_status = 'on';
```

The Fleet server will save the results of this policy.
Then the system can check whether a user’s device is in compliance and will grant or deny access to protected resources accordingly. The relevant Fleet API endpoint is [`GET /api/v1/fleet/hosts/{id}`](https://fleetdm.com/docs/using-fleet/rest-api#get-host). This endpoint will respond with all of the policies for the supplied device ID and whether each one passed or failed.

### Self-remediation communication with Fleet Desktop

What happens if a user is blocked? A complete zero trust device posture implementation has to let users know why they were blocked and what they can do to address it.

When writing a policy, Fleet includes a field called "remediation." This is where security and IT teams should include simple steps to resolve the issue. End users can find these remediation instructions in Fleet Desktop.

[Fleet Desktop](https://fleetdm.com/announcements/fleet-desktop-says-hello-world) lives in the computer’s menu bar. Clicking the Fleet logo lets users access the My Device page, which provides timely data about their computer. For our purposes, we’ll focus on policies.

In the Policies tab, users who have been denied access can see which policies have failed. They can select any failed policy to view remediation instructions. By providing easy access to simple instructions, IT and security teams can help users regain access to company resources. Plus, this self-remediation-first approach reduces the volume of help requests.

Learn more about [installing Fleet Desktop](https://fleetdm.com/docs/using-fleet/fleet-desktop).
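The access decision described under "The policy engine", and the per-policy reasons a user would then look up in Fleet Desktop, as an added example that is not part of the original article or of Fleet's own code. The JSON below is a constructed stand-in for a `GET /api/v1/fleet/hosts/{id}` response; the field names it relies on (`host.seen_time`, `host.policies[].name`, `host.policies[].response`) are assumptions to verify against your Fleet version's API docs.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the JSON body a GET /api/v1/fleet/hosts/{id} call returns.
# The field names used here (host.seen_time, host.policies[].name/response) are
# assumptions about the response shape; verify them against your Fleet version.
SAMPLE_HOST_JSON = json.dumps({
    "host": {
        "id": 42,
        "hostname": "laptop-001",
        "seen_time": "2024-05-01T12:00:00Z",
        "policies": [
            {"id": 1, "name": "Disk encryption enabled", "response": "pass"},
            {"id": 2, "name": "Screen lock enabled", "response": "fail"},
            {"id": 3, "name": "OS up to date", "response": ""},  # no result yet
        ],
    }
})
SAMPLE_NOW = datetime(2024, 5, 1, 12, 30, tzinfo=timezone.utc)  # constructed clock
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=2)  # constructed clock, host now stale


def evaluate_host(raw_json, now, max_age=timedelta(hours=1)):
    """Decide whether a device may access a resource from its Fleet policy results.

    Returns (allowed, reasons). The decision fails closed: a host that has not
    reported recently, or a policy with no result yet, blocks access, and each
    reason names a policy the user can look up in Fleet Desktop.
    """
    host = json.loads(raw_json)["host"]
    reasons = []
    seen = datetime.fromisoformat(host["seen_time"].replace("Z", "+00:00"))
    if now - seen > max_age:
        reasons.append(f"host last reported at {seen.isoformat()}, older than {max_age}")
    for policy in host.get("policies", []):
        response = policy.get("response")
        if response == "pass":
            continue
        state = "failed" if response == "fail" else "has no result yet"
        reasons.append(f"policy '{policy['name']}' (id {policy['id']}) {state}")
    return (not reasons, reasons)


def passing_host_json():
    """Constructed variant of the sample in which every policy passes."""
    doc = json.loads(SAMPLE_HOST_JSON)
    for policy in doc["host"]["policies"]:
        policy["response"] = "pass"
    return json.dumps(doc)
```

In a real deployment the JSON would come from the endpoint above with an `Authorization: Bearer <api-token>` header, and the returned reasons are what the gating system shows alongside the pointer to Fleet Desktop.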