How to Achieve Governance and Operational Agility
with a Zero Trust Architecture
Zero trust is an innovative security model that assures secure connectivity by eliminating transitive trust and continuously identifying and authenticating every device, user and identity before providing them with access to network apps. Based on the premise of “never trust, always verify”, trust and app access are granted according to the users’ IDs. These are validated each and every time they want to access a network component. In addition, the network is cloaked for users, preventing network visibility.
As opposed to the legacy castle-and-moat approach, the zero trust security model moves defenses from network-based parameters to identity-based parameters. Attributes like originating network and domain membership are no longer valid for granting access or gaining network visibility. As a result, zero trust reduces the attack surface and improves the security posture. The term was coined by John Kindervag, Forrester Research analyst and thought-leader.
The advancements of networks and technologies have created complex enterprise architectures with multiple security controls and policies to manage. These include NAC, network segmentation, CASB, application security, and more. This architecture is operationally heavy, making it difficult for security and IT teams to provide secure access to employees, whether in office or remote. Covid-19 has accelerated the business need for IT teams who can provide immediate secure connectivity to an entire workforce working remotely, from managed and unmanaged devices.
The perimeter-based security approach cannot answer today’s business needs. Insufficient maintenance, a lack of integrations between security controls and security flaws make the network’s entry points vulnerable, and VPNs can tunnel perpetrators in. As a result, hackers can enter the network with relatively little effort. Enterprises are subject to more data breaches, lateral movement, and leaks, than ever before.
Zero trust answers this gap. The zero trust model blocks attackers both inside and outside the network, enables easy monitoring and management of security policies in one place, provides service segmentation and enables visibility and audit capabilities.
In the MITRE Att&ck model, zero trust prevents most reconnaissance techniques, thus significantly reducing the attack surface of any organization implementing zero trust. In the case of a hacker who is already inside the network, zero trust can help prevent many of the attack techniques in all remaining 13 MITRE tactics. Learn more.
The idea of zero trust is based on seven main principles, or pillars. Many ZTNA providers have access to all of the network’s vulnerability points. In these cases, ZTNA is zero trust with an exception, because you do have to trust your ZTNA provider. This is quite the paradox.
Here are 7 questions to ask your provider, to ensure that you don’t have to trust anyone – even your ZTNA provider:
An enterprise network diagram consists of multiple types of external users and their devices (managed or unmanaged), applications running from SaaS platforms, applications and resources running from public and private Clouds, Data Centers or co-location sites.
A zero trust architecture with a true zero-trust deployment is shown below. All applications and resources are hidden from users, including attackers who are performing reconnaissance or moving internally. No inbound network traffic is allowed from the outside, and the zero trust component secures and validates access from within. Such a component can even be used for networks that aren’t connected to the internet and for remote access.
This implementation supports any application and protocol (including legacy applications). Security and verification measures include multi-factor authentication, single sign-on, privileged access management capabilities and more. Various session controls are enforced in real-time. Session recording, risk-based access and audits provide another layer of security.
VPNs are virtual secure tunnels between network points, creating private connections. In other words, the VPN is another perimeter, more managed and secure, but still another perimeter.
As a result, VPNs have multiple shortcomings:
On the other hand, zero trust provides enterprises with:
ZTNA (Zero Trust Network Access) is the most common implementation of the Zero Trust model and often used interchangeably with “Zero Trust”. ZTNA is also called SDP – Software Defined Perimeter. The ZTNA architecture enables users to access assets and systems in the network after authentication.
Additional architectural versions of Zero Trust include ZTAA (Zero Trust Application Access), which opens access to applications, not networks, and ZTA (Zero Trust Access), which provides access that isn’t bound to specific networks and provides zero trust even for unique networks like OT, SAP and ERP.
Zero trust can answer multiple business requirements no other security solution can:
Implementing Zero Trust is a simple 5-step process that can take less than an hour.
Choose a provider you can trust. Most providers will terminate TLS sessions but still have access to your sensitive data, such as keys, passwords, tokens, etc. Make sure your zero trust provider complies with the zero trust security principles.
The Zero Trust connector is the key component in your zero trust strategy and connects you to the cloud broker. You will manage access and segmentation from the connector, to ensure only authorized IDs have access to your network assets.
Configure your identity provider and users, import your servers and applications and configure the entities and connections. Create policies network assets.
Map the connections between identities and applications. These include systems, applications, protocols, identities, privileged users, mission critical assets, 3rd parties, OT networks, and more. Then, build policies to determine which devices and users can access which systems and applications.
You can run zero trust side by side with your VPN, or switch completely or gradually. Update policies easily from a single UI, audit user actions, monitor in real-time and view user actions.