Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.
It is a framework for securing infrastructure and data for today’s modern digital transformation. It uniquely addresses the modern challenges of today’s business, including securing remote workers, hybrid cloud environments, and ransomware threats. While many vendors have tried to create their own definitions of Zero Trust, there are a number of standards from recognized organizations that can help you align Zero Trust with your organization.
How Zero Trust works
Imagine the Zero Trust model like an extremely vigilant security guard — methodically and repeatedly checking your credentials before allowing you access to the office building where you work, even if they recognize you — then duplicating that process to verify your identity over and over.
The Zero Trust model relies on strong authentication and authorization for every device and person before any access or data transfer takes place on a private network, no matter if they are inside or outside that network perimeter. The process also combines analytics, filtering, and logging to verify behavior and to continually watch for signals of compromise. If a user or device shows signs of acting differently than before, it is taken note of and monitored as a possible threat.
For example, Marcus at Acme Co. typically logs in from Columbus, Ohio, in the United States, but today, he’s attempting to access Acme’s intranet from Berlin, Germany. Even though Marcus’ username and password were entered correctly, a Zero Trust approach would recognize the anomaly in Marcus’ behavior and take action, such as serving Marcus another authentication challenge to verify his identity.
This basic shift in approach defeats many common security threats. Attackers can no longer spend time taking advantage of weaknesses in the perimeter, and then exploiting sensitive data and applications because they made it inside the moat. Now there is no moat. There are just applications and users, each of which must mutually authenticate, and verify authorization before access can occur. Mutual authentication takes place when two parties authenticate each other at the same time, such as a user with a login and password, and an application they are connecting with through a digital certificate.
Core principles behind Zero Trust Network Access
The Zero Trust model is based on five basic principles:
- Every user on a network is always assumed to be hostile
- External and internal threats exist on the network at all times
- Network locality is not sufficient for deciding trust in a network
- Every device, user, and network flow is authenticated and authorized
- Policies must be dynamic and calculated from as many sources of data as possible
What are the components of Zero Trust?
The Zero Trust security model of today has expanded. There are many implementations of its principles, including Zero Trust architecture (ZTA), Zero Trust Network Access (ZTNA), and Zero Trust Edge (ZTE). Zero Trust security is also sometimes referred to as “perimeterless security.”
Don’t think of Zero Trust as one discrete technology. Rather, a Zero Trust architecture uses a variety of different technologies and principles to address common security challenges through preventive techniques. These components are designed to provide advanced threat protection as the boundaries between work and home disappear, and an increasingly distributed remote workforce becomes the norm.
Zero Trust Network Access capabilities:
- Control network flows between all assets
- Verify identity and grant access to the cloud
- Authentication and authorization, including multi-factor authentication (MFA)
- Application access vs. access to the entire network
- Least-privilege user access to all applications (IaaS, SaaS, and on-premises)
- VPN elimination
- Service insertion
- Security at the edge
- Improved application performance
- Improved security posture against advanced threats
Why a Zero Trust security model is needed
In summary, the modern workforce is becoming increasingly mobile, accessing applications from multiple devices outside of the business perimeter. In the past, many enterprises adopted a “verify, then trust” model — which meant if someone had the correct user credentials, they were admitted to whichever site, app, or device they were requesting. This resulted in an increased risk of exposure, dissolving what was once the trusted enterprise zone of control and leaving many organizations exposed to data breaches, malware, and ransomware attacks. Protection is now needed within specific digital infrastructures where applications and data, and users and devices, are located.
Compelling reasons to employ a Zero Trust model
- Users, devices, applications, and data are moving outside of the enterprise perimeter and zone of control, away from traditional data centers
- New business requirements driven by digital transformation increase risk exposure
- “Trust but verify” is no longer an option, as targeted advanced threats are moving inside the corporate perimeter
- Traditional perimeters are complex, increase risk, and are no longer compatible with today’s business models
- To be competitive, businesses need a Zero Trust network architecture able to protect enterprise data, wherever users and devices are, while ensuring that applications work quickly and seamlessly
“The Web as I envisaged it, we have not seen it yet. The future is still so much bigger than the past.”