Before 2020, companies worldwide predominantly adopted a trust-based, perimeter-focused IT security strategy. By deploying security solutions at the network perimeter, they aimed to ward off threats from outside the network, assuming that anyone inside the network was trustworthy and should have full access to a company’s resources.
Today’s workforces are more agile and distributed. As the network perimeter blurs and corporate networks grow more complex, legacy security models and controls become less effective. The modern enterprise network spans multiple environments, including on-premises, cloud-based, and remote resources. Protecting these environments against cyberattacks requires the deep visibility and granular protection that Zero Trust provides.
But what is Zero Trust? The term, coined by John Kindervag, is a way of describing an IT security approach where implicit trust is removed from all computing infrastructure. Instead, trust levels are explicitly and continuously calculated and adapted to allow access to a business’s IT resources.
“Zero Trust is a way of thinking, not a specific technology,” says Gartner Distinguished VP Analyst Neil MacDonald. “It’s really about zero implicit trust, as that’s what we want to get rid of.”
Why implement Zero Trust?
Zero Trust security is designed to address the shortcomings of legacy networks by transitioning to a model based on the principle of “trust none, verify all.” Instead of granting unlimited access to corporate resources, a Zero Trust security strategy provides access on a case-by-case basis. These access decisions are based on Role-Based Access Control (RBAC), where users are assigned only the access and permissions necessary to perform their job roles effectively.
Moving from concept to reality requires implementing a Zero Trust architecture strategy and selecting the right tools to enable adequate rules across a business.
Benefits of Zero Trust
There are a number of key benefits to moving to a Zero Trust approach that both technical and business leaders should be motivated by. As well as the more obvious cybersecurity benefits, such as enhanced security and mitigation of new and existing cyber security risks, a Zero Trust solution can also have a positive effect on a company by reducing the damage to a business’s credibility and commercial bottom line if a breach occurs.
Enhancing network security
Deploying a Zero Trust security approach strengthens visibility across a network. If you can see the users, devices, locations, and reputations behind access requests, you are able to prevent or repair issues as they present themselves. Tools like NordLayer grant you the visibility and control you need to set permissions for specific resources and to spot where pain points or malicious threats appear.
If a user, device, or behavior is not recognized, the user identity in question is denied access. Network segmentation therefore limits users’ ability to move laterally across a network, which is often associated with system breaches, by restricting them to only the resources they need to complete their job function.
A key part of a network’s value is ensuring that data stored on or moved across it is handled securely. Zero Trust regards the secure storage and transit of data as paramount, and this is typically achieved through traffic encryption, VPN, and data loss prevention capabilities.
Improved protection against new & existing threats
Zero Trust networks aim to reduce both the externally (internet) discoverable attack surface and the internal insider-threat attack surface. Components such as behavioral trust scores, location ID, and micro-segmentation strengthen the decision on whether to permit users onto the network. Even if an attacker has completed multi-factor authentication such as 2FA, it is hard for them to move laterally: once on the network, these capabilities prevent the user from roaming to other areas of the network where they could cause further damage.
Reduced impact from breaches
Network segmentation, combined with the fact that users are given access only to the resources they need under a Zero Trust model, means that if a breach does occur, it is likely to cause much less business disruption. Consequently, smaller impacts are less likely to have a domino effect on a company’s financials, reputation, and the trust of its customers and stakeholders.
Enhanced compliance & visibility
Applying the Zero Trust approach to your network and implementing micro-segmentation means that reaching full compliance can often be tackled in smaller, more relevant audits, allowing companies to speed up the process. Improved visibility with ZTNA (Zero Trust Network Access) also enables network administrators to log who is doing what, when, and from where, showing where potential threats are coming from.
Potential cost reductions
Zero Trust must simplify your security strategy if it is to save money. Lower costs can result from using more integrated tools that are compatible with and work in tandem with the rest of your network infrastructure. Avoiding stolen data, damage from an attack on the network, and a decline in customer confidence can also go some way to justifying a Zero Trust implementation and delivering ROI for the business’s future.
The 6 pillars of Zero Trust
It’s important to note that Zero Trust isn’t a product you can buy — it’s a framework built on a set of principles. Combined, these principles provide a model that enables decision-makers and security leaders to achieve a pragmatic and reliable security strategy. The framework itself comprises a combination of policies, practices, and technological tools working together to give businesses a more robust security model.
Pillar #1 — Users
Constant authentication of user identities, and monitoring and validating user trustworthiness, is critical to the success of Zero Trust. This incorporates tools such as Identity, Credential and Access Management (ICAM) and multi-factor authentication to govern access privileges. Securing and protecting users’ interaction with traditional web gateway solutions is also a key factor to consider.
Pillar #2 — Devices
Real-time device trustworthiness is fundamental to Zero Trust. Mobile device management solutions provide data that is useful for device trust assessments and should be in place to verify every access request. Determining whether a device is trusted hinges on examining its compromised status, software versions, protection status, and whether encryption is enabled.
Capabilities such as IP allowlisting (whitelisting) let admins put device IPs on an allowlist or deny list. This gives IT admins a simple starting point for permission controls and enhanced visibility of the devices permitted to access certain areas of a company network.
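The following is an added example, not code from the original article or from NordLayer: a small policy decision point that evaluates one access request against the user and device pillars above together with the RBAC principle from the opening section. The role table, IP ranges, minimum OS version, and the device posture fields are all constructed assumptions for the example. Every check runs on every request, so an internal IP address never lets a request skip MFA or the device-posture check, and the decision carries the full list of reasons for logging.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample data for this example.
# RBAC: each role is granted only the resources its job needs (least privilege).
ROLE_PERMISSIONS = {
    "finance": {"ledger", "payroll"},
    "engineer": {"source-repo", "ci"},
}

# Device IP allowlist and deny list, as in pillar #2 (assumed example ranges).
IP_ALLOWLIST = [ip_network("10.20.0.0/16"), ip_network("203.0.113.0/24")]
IP_DENYLIST = [ip_network("203.0.113.66/32")]

# Assumed minimum OS version accepted by the device-posture check.
MIN_OS_VERSION = (14, 0)


@dataclass
class Device:
    """Posture facts an MDM or endpoint agent would report (assumed fields)."""
    os_version: tuple
    disk_encrypted: bool
    endpoint_protection: bool
    compromised: bool


@dataclass
class Request:
    user: str
    role: str
    mfa_verified: bool
    device: Device
    source_ip: str
    resource: str


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


def device_problems(dev):
    """Pillar #2: compromised status, software version, protection, encryption."""
    problems = []
    if dev.compromised:
        problems.append("device flagged as compromised")
    if dev.os_version < MIN_OS_VERSION:
        problems.append("os version below baseline")
    if not dev.endpoint_protection:
        problems.append("endpoint protection disabled")
    if not dev.disk_encrypted:
        problems.append("disk encryption disabled")
    return problems


def ip_permitted(addr):
    """Deny list wins over allow list; anything unlisted is denied by default."""
    ip = ip_address(addr)
    if any(ip in net for net in IP_DENYLIST):
        return False
    return any(ip in net for net in IP_ALLOWLIST)


def evaluate(req):
    """Run every check and return an explicit decision with all reasons.

    Nothing is implicitly trusted: an internal IP does not skip MFA or the
    device-posture check, and an unknown role has no permissions at all.
    """
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa not completed")
    reasons.extend(device_problems(req.device))
    if not ip_permitted(req.source_ip):
        reasons.append(f"source ip {req.source_ip} not permitted")
    if req.resource not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append(f"role {req.role} has no permission for {req.resource}")
    return Decision(allow=not reasons, reasons=reasons)


if __name__ == "__main__":
    healthy = Device(os_version=(14, 2), disk_encrypted=True,
                     endpoint_protection=True, compromised=False)
    for req in (
        Request("alice", "finance", True, healthy, "10.20.5.7", "ledger"),
        Request("alice", "finance", True, healthy, "10.20.5.7", "source-repo"),
        Request("bob", "engineer", False, healthy, "203.0.113.66", "ci"),
    ):
        d = evaluate(req)
        print(req.user, req.resource, "ALLOW" if d.allow else "DENY", d.reasons)
```

In a real deployment the posture facts come from the MDM or endpoint agent and the role table from the identity provider; the point of the structure is that the decision is a pure function of those facts, so it can be re-evaluated on every request rather than once at login.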
Pillar #3 — Network
The ability to segment, isolate and control the network is essential for Zero Trust network security. The traditional ‘castle and moat’ or ‘wheel and spoke’ firewall perimeter approach is no longer sufficient: the perimeter needs to be less focused on the network boundary and instead sit closer to the critical data stored on the network. Using micro-segmentation and access permission controls, the network perimeter is still in effect in a Zero Trust model, but it is far more granular and closer to the end user.
Transitioning to ZTNA (Zero Trust Network Access) or Software Defined Perimeters (SDP) gives you the ability to control privileged network access, manage internal and external data flows, prevent lateral movement on the network, and have the visibility to make dynamic policy and trust decisions on network data and traffic.
Pillar #4 — Applications
Having the ability to control access permissions at the application level is also paramount when implementing Zero Trust. Multi-factor authentication options such as 2FA are increasingly vital when managing access to apps in such environments, providing an additional layer of security when verifying user trust.
Pillar #5 — Automation
Tools that automatically detect and report suspicious behavior or threats give IT admins real-time reporting, so they can act immediately to combat and prevent serious cyber attacks. Using tools that work in an integrated fashion reduces manual monitoring and overall costs and shortens reaction times.
Pillar #6 — Analysis
Mitigating cyberthreats is simpler when you have more visibility into and understanding of what is happening day to day across your network. For example, security analytics that monitor user behavior go some way toward distinguishing what a potential threat looks like. The intelligence this data provides can also help IT admins put preventative measures in place, making them proactive toward threats rather than reactive to a breach. That can make a huge difference to a business on a socio-economic level.
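As an added example for the automation and analysis pillars (not code from the article or from NordLayer), the script below streams constructed access-decision log lines of the kind a policy engine would emit and raises two alerts automatically: a burst of denied requests from one user, and the same user appearing from two countries within a short window. The log format, the thresholds, and the log lines themselves are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-decision log lines (not from any real system): one line per
# request, in the order the policy engine emitted them.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z user=alice device=lap-01 ip=10.20.5.7 country=GB resource=ledger decision=allow
2024-03-01T09:01:10Z user=alice device=lap-01 ip=10.20.5.7 country=GB resource=payroll decision=allow
2024-03-01T09:02:00Z user=mallory device=unk-9 ip=198.51.100.4 country=GB resource=ledger decision=deny
2024-03-01T09:02:20Z user=mallory device=unk-9 ip=198.51.100.4 country=GB resource=payroll decision=deny
2024-03-01T09:02:45Z user=mallory device=unk-9 ip=198.51.100.4 country=GB resource=source-repo decision=deny
2024-03-01T09:40:00Z user=alice device=lap-01 ip=203.0.113.9 country=US resource=ledger decision=allow
"""

# Assumed thresholds: tune them to the organisation's own baseline.
DENY_THRESHOLD = 3                  # denials per user within DENY_WINDOW
DENY_WINDOW = timedelta(minutes=5)
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is suspicious


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts'."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(log_text):
    """Stream the log once and return alert strings for two behaviours:
    a burst of denied requests from one user, and the same user appearing
    from two countries inside TRAVEL_WINDOW (impossible travel)."""
    alerts = []
    recent_denies = defaultdict(deque)  # user -> timestamps of recent denials
    last_seen = {}                      # user -> (timestamp, country)
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, ts, country = rec["user"], rec["ts"], rec["country"]

        if rec["decision"] == "deny":
            window = recent_denies[user]
            window.append(ts)
            while ts - window[0] > DENY_WINDOW:  # drop denials outside the window
                window.popleft()
            if len(window) == DENY_THRESHOLD:    # fire once as the threshold is reached
                alerts.append(f"{ts.isoformat()} burst-of-denials user={user} "
                              f"count={len(window)} last_resource={rec['resource']}")

        prev = last_seen.get(user)
        if prev and prev[1] != country and ts - prev[0] < TRAVEL_WINDOW:
            alerts.append(f"{ts.isoformat()} impossible-travel user={user} "
                          f"{prev[1]}->{country} ip={rec['ip']}")
        last_seen[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Both detections depend on the access decisions themselves being logged with user, device, location and outcome, which is the visibility the ZTNA section above describes; the same single pass can be extended with further rules without re-reading the log.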
Zero Trust summary
If you’re looking to implement Zero Trust at your organization, the following short summary provides the basis for a robust methodology from identifying users and devices through to responding to threats or attacks.
An effective approach requires in-depth knowledge of a business's IT environment and how it is used. This includes identifying devices within a company’s network and their interactions to build effective Zero Trust policies.
A Zero Trust strategy protects against cyber threats by managing access to corporate resources. Blocking suspicious or unauthorized actions from users or devices can help to stop attempted intrusions to sensitive resources. Implementing automated monitoring notifications with regular analysis of network behavior can set you up to be proactive, rather than reactive, in your approach.
Zero Trust solutions provide a holistic view of a company’s environment and activities. Drastically improved network visibility can help an organization detect potential intrusions based upon blocked requests or other anomalous activities and behaviors.
Once a threat has been detected within an organization’s environment, Zero Trust solutions can also help with incident response. For example, new access controls can be put into place to block malicious activities or potential abuse of privileges.
Challenges of Zero Trust
Many organizations have acknowledged the value of Zero Trust but implementation can be challenging for a number of reasons. That said, it’s estimated by Gartner that 60% of enterprises will phase out their VPN solutions for ZTNA by 2023.
Designing a Zero Trust Approach
An effective Zero Trust strategy is one that enforces its principles consistently across the entire IT environment. Without the right solutions, this can be difficult to achieve and results in a security architecture that is complex and challenging to manage.
Phasing Out Legacy Solutions
Many organizations have invested in an array of security products designed to support perimeter-focused security strategies. Although Zero Trust is designed to be phased into your existing security setup, it may eventually require phasing out particularly old solutions you have in place. Making the move to this new way of working can require transitioning away from your legacy products, which may be difficult due to investment in the technology, incumbent contracts, and the migration process itself.
Defining Access Controls
Zero Trust architecture is built on access controls and permissions. When designing a Zero Trust approach, organizations require solutions that give them the visibility needed to learn how their resources are being used and to define access controls accordingly.
These areas can be challenges for an organization looking to deploy Zero Trust security. However, with the right tools and strategy in place, they can all be overcome, bringing the significant benefits and peace of mind that come with Zero Trust capabilities.
Deploying Zero Trust with SASE
Implementing a Zero Trust approach provides an organization with several security benefits. However, effectively implementing and enforcing its principles within an organization requires access to the right security tools.
ZTNA is just one component of the SASE (Secure Access Service Edge) framework, which simplifies wide-area networking and security by delivering both as a cloud service directly to the source of a connection, rather than via the enterprise data center.
The other key components of SASE infrastructure include:
Secure Web Gateway (SWG)
Cloud Access Security Broker (CASB)
Firewall as a Service (FwaaS)
Possible Zero Trust deployment scenarios
When it comes to deploying Zero Trust onto your network, you have a few options available. These, primarily, are:
Enterprise with satellite facilities
Collaboration across enterprise boundaries
Multi-Cloud / Cloud-to-Cloud Enterprise
While these are the most commonly found deployment options, this definitely isn't an all-inclusive list. Zero Trust can be deployed on a plethora of network configurations.
Threats associated with Zero Trust architecture
While Zero Trust is certainly superior to traditional or legacy network security architectures, it isn't without issues.
A gradual approach may create gaps
A model based on Zero Trust will, in all likelihood, lead to far superior security – the issue is that along the way it may put companies at risk.
Since most companies customize or modify their strategies using a gradual approach, gaps or cracks in the strategy may develop.
In addition – simply transitioning from a legacy model in the first place may come with unexpected challenges.
Productivity can suffer
Introducing a model based on Zero Trust can, potentially, affect employee productivity. Some workers need access to business-critical/sensitive data to do their jobs, as well as communicate and collaborate with each other.
If somebody changes roles they may find themselves locked out of certain apps or files for a time – causing productivity to take a nose-dive.
Zero Trust requires a dedication to continuous administration
Access controls should be updated each time a role or responsibility changes, to ensure that the correct employees have the correct access to specific pieces of information. Keeping these permissions up to date and accurate requires active and ongoing input from network admins.
This can be problematic: if controls aren’t updated promptly, unapproved individuals could gain access to sensitive information.
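The continuous-administration point above is usually handled with a periodic access review. The script below is an added example, not code from the article or from NordLayer: it reconciles the grants an access system still holds against the roles the roster currently assigns, listing what should be revoked (a role change that left old permissions behind, a leaver whose grant was never removed) and what is missing. The role table, roster and grants are constructed sample data.

```python
# Constructed sample data for this example.
ROLE_PERMISSIONS = {
    "finance": {"ledger", "payroll"},
    "engineer": {"source-repo", "ci"},
}

# What the roster currently says each person's role is. Carol moved from
# finance to engineering; Dave has left and is no longer on the roster.
ROSTER = {"alice": "finance", "bob": "engineer", "carol": "engineer"}

# What the access system still grants. Carol kept her old finance grants,
# Bob was never given "ci", and Dave's grant was never removed.
GRANTS = {
    "alice": {"ledger", "payroll"},
    "bob": {"source-repo"},
    "carol": {"ledger", "payroll", "source-repo", "ci"},
    "dave": {"ci"},
}


def reconcile(roster, grants, role_permissions):
    """Compare grants with the permissions each current role justifies.

    Returns (revoke, add): grants held without a justifying role, and role
    permissions a person should have but lacks. Users absent from the roster
    justify nothing, so all of their grants land in `revoke`.
    """
    revoke, add = {}, {}
    for user, held in grants.items():
        expected = role_permissions.get(roster.get(user), set())
        extra = held - expected
        if extra:
            revoke[user] = extra
    for user, role in roster.items():
        missing = role_permissions.get(role, set()) - grants.get(user, set())
        if missing:
            add[user] = missing
    return revoke, add


def apply_changes(grants, revoke, add):
    """Return a new grants mapping with the review's changes applied."""
    updated = {u: set(p) for u, p in grants.items()}
    for user, perms in revoke.items():
        updated[user] -= perms
        if not updated[user]:
            del updated[user]
    for user, perms in add.items():
        updated.setdefault(user, set()).update(perms)
    return updated


if __name__ == "__main__":
    revoke, add = reconcile(ROSTER, GRANTS, ROLE_PERMISSIONS)
    print("revoke:", revoke)
    print("add:", add)
    print("after:", apply_changes(GRANTS, revoke, add))
```

Running `reconcile` on a schedule and feeding its output into an approval workflow turns the admin burden from remembering every role change into reviewing a short list, and the second `reconcile` after `apply_changes` returning nothing is the check that the review left no gap.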