What is Zero Trust?

How to Achieve Governance and Operational Agility
with a Zero Trust Architecture

What is Zero Trust?

Zero trust is an innovative security model that assures secure connectivity by eliminating transitive trust and continuously identifying and authenticating every device, user and identity before providing them with access to network apps. Based on the premise of “never trust, always verify”, trust and app access are granted according to the users’ IDs. These are validated each and every time they want to access a network component. In addition, the network is cloaked for users, preventing network visibility.

As opposed to the legacy castle-and-moat approach, the zero trust security model moves defenses from network-based parameters to identity-based parameters. Attributes like originating network and domain membership are no longer valid for granting access or gaining network visibility. As a result, zero trust reduces the attack surface and improves the security posture. The term was coined by John Kindervag, Forrester Research analyst and thought-leader.

Why do Enterprises Need Zero Trust?

The advancements of networks and technologies have created complex enterprise architectures with multiple security controls and policies to manage. These include NAC, network segmentation, CASB, application security, and more. This architecture is operationally heavy, making it difficult for security and IT teams to provide secure access to employees, whether in office or remote. Covid-19 has accelerated the business need for IT teams who can provide immediate secure connectivity to an entire workforce working remotely, from managed and unmanaged devices.

The perimeter-based security approach cannot answer today’s business needs. Insufficient maintenance, a lack of integrations between security controls and security flaws make the network’s entry points vulnerable, and VPNs can tunnel perpetrators in. As a result, hackers can enter the network with relatively little effort. Enterprises are subject to more data breaches, lateral movement, and leaks, than ever before.

Zero trust answers this gap. The zero trust model blocks attackers both inside and outside the network, enables easy monitoring and management of security policies in one place, provides service segmentation and enables visibility and audit capabilities.

In the MITRE Att&ck model, zero trust prevents most reconnaissance techniques, thus significantly reducing the attack surface of any organization implementing zero trust. In the case of a hacker who is already inside the network, zero trust can help prevent many of the attack techniques in all remaining 13 MITRE tactics. Learn more.

Zero Trust Principles

The idea of zero trust is based on seven main principles, or pillars. Many ZTNA providers have access to all of the network’s vulnerability points. In these cases, ZTNA is zero trust with an exception, because you do have to trust your ZTNA provider. This is quite the paradox. 

Here are 7 questions to ask your provider, to ensure that you don’t have to trust anyone  – even your ZTNA provider:

  • Never trust

    Zero trust is based on the premise of never trusting any user or device until they are authenticated. The originating network or source is not enough to establish trust and provide access. This prevents attackers who have infiltrated the system from gaining access to valuable data.
  • Always verify

    All users and devices are continuously verified and authenticated before they are granted access to apps and systems. This authorization process happens each and every time. Authentication takes place through measures like MFA or SSO. This ensures unauthorized devices don’t have access to sensitive data.
  • Identity is the new perimeter

    Legacy perimeter security leaves networks vulnerable, by providing unsolicited access to anyone in the network, including attackers. On the contrary, zero trust validates a user’s unique identity. MFA and additional identity verification measures ensure only approved devices can access the enterprise systems.
  • Asset protection

    Zero trust protects assets, not networks, because those are the crown jewels. While network entry points are secured, it’s assumed that at some point, attackers will be able to breach them. The question is, what happens next? Protecting apps and components by validating users and devices before entering them, organizations are still kept safe, even after a breach.
  • Simplicity

    Zero trust enables security management in a simple manner. Setting up is a matter of hours, and user policies can be updated in seconds through a centralized dashboard.
  • Monitoring and Auditing

    Zero trust enables security teams to monitor and control users from anywhere. They can see a clear view of logins, user locations, app usage, access logs, and more. Session recordings and full audit trails enable post-incident investigations.
  • Don't trust your ZTNA provider

    Many ZTNA providers have access to all of the network’s vulnerability points. In these cases, ZTNA is zero trust with an exception, because you do have to trust your ZTNA provider. This is quite the paradox. Here are 7 questions to ask your provider, to ensure that you don’t have to trust anyone, even your ZTNA provider:
    • Is the users’ data exposed?
    • Who has control of the access rules?
    • Where are our secrets (passwords, tokens, private keys) kept?
    • How is the risk of internal threats mitigated?
    • What is the scope of secure access? Does it include users, networks, apps, etc.?
    • What is the ZTNA provider’s infrastructure? Are the servers located in the cloud or in a data center? Who can access it?
    • The last but very important question - What happens if the ZTNA provider is compromised? Is the organization still secure?

Zero Trust Architecture

An enterprise network diagram consists of multiple types of external users and their devices (managed or unmanaged), applications running from SaaS platforms, applications and resources running from public and private Clouds, Data Centers or co-location sites.

A zero trust architecture with a true zero-trust deployment is shown below. All applications and resources are hidden from users, including attackers who are performing reconnaissance or moving internally. No inbound network traffic is allowed from the outside, and the zero trust component secures and validates access from within. Such a component can even be used for networks that aren’t connected to the internet and for remote access.

This implementation supports any application and protocol (including legacy applications). Security and verification measures include multi-factor authentication, single sign-on, privileged access management capabilities and more. Various session controls are enforced in real-time. Session recording, risk-based access and audits provide another layer of security.

Zero Trust vs. VPNs

VPNs are virtual secure tunnels between network points, creating private connections. In other words, the VPN is another perimeter, more managed and secure, but still another perimeter.

As a result, VPNs have multiple shortcomings:

  • VPNs lack agility – adding new devices to VPNs is a bulky process. This hampers business growth when the entire workforce is remote.
  • VPNs are resource intensive – VPNs create a heavy server load and utilize heavy encryptions. This creates latency that frustrates employees and makes it difficult to work. Lots of DevOps and IT resources are required.
  • VPNs aren’t fit for modern business needs and use cases – VPNs can’t handle the loads of remote employees, third parties, M&As, and more.
  • VPNs aren’t secure – VPNs tunnel users into the network, including perpetrators. In addition, VPNs are based on the insecure perimeter-based approach, which trusts any user in the network, including attackers.

On the other hand, zero trust provides enterprises with:

  • Agility

    ABAC (attribute based access control) and RBAC (role based) enable IT Managers and DevOps to easily provide user access based on immediate business needs.
  • Cost-effectiveness

    ZTNA (Zero Trust Network Architecture) can be implemented in less than an hour, and access policies can be set up in seconds.
  • Broad use-case fit

    The zero trust security model is ideal for remote work, PAMs, third party access, M&As and more.
  • Security

    The zero trust architecture provides real granular security that protects networks, externally and internally. Measures like MFA are implemented before providing access to each application. No trust is given, so no perpetrator is allowed access. Learn More

What is ZTNA?

ZTNA (Zero Trust Network Access) is the most common implementation of the Zero Trust model and often used interchangeably with “Zero Trust”. ZTNA is also called SDP – Software Defined Perimeter. The ZTNA architecture enables users to access assets and systems in the network after authentication.

Additional architectural versions of Zero Trust include ZTAA (Zero Trust Application Access), which opens access to applications, not networks, and ZTA (Zero Trust Access), which provides access that isn’t bound to specific networks and provides zero trust even for unique networks like OT, SAP and ERP.

Zero Trust Use Cases

Zero trust can answer multiple business requirements no other security solution can:

  • Remote Employees

    Zero trust securely connects the remote workforce to the business network to ensure business continuity and employee productivity.
  • Third Party Access

    Zero trust connects suppliers, partners and customers to business systems without compromising the network's security and while ensuring governance. Learn More
  • Privileged Users

    Zero trust monitors and manages PAM users and their unique access rights while enabling control and supervision.
  • M&As

    Zero trust provides access to all new users in seconds without operational overhead. This allows IT teams time to adjust while still providing resource access.
  • Developer Access

    Zero trust provides developers and DevOps with access to the company’s most important intellectual property: the source code and production environments, while ensuring a native experience and removing the risk of IP management access.
  • OT Operations

    Zero trust isolates OT networks and systems while enabling connectivity that complies with regulatory requirements. Learn more here

How to Get Started with Zero Trust

Implementing Zero Trust is a simple 5-step process that can take less than an hour.

  1. Choose your ZTNA provider

    Choose a provider you can trust. Most providers will terminate TLS sessions but still have access to your sensitive data, such as keys, passwords, tokens, etc. Make sure your zero trust provider complies with the zero trust security principles.

  2. Add a ZT connector

    The Zero Trust connector is the key component in your zero trust strategy and connects you to the cloud broker. You will manage access and segmentation from the connector, to ensure only authorized IDs have access to your network assets.

  3. Configure your identity provider

    Configure your identity provider and users, import your servers and applications and configure the entities and connections. Create policies network assets.

  4. Create Policies

    Map the connections between identities and applications. These include systems, applications, protocols, identities, privileged users, mission critical assets, 3rd parties, OT networks, and more. Then, build policies to determine which devices and users can access which systems and applications.

  5. Run

    You can run zero trust side by side with your VPN, or switch completely or gradually. Update policies easily from a single UI, audit user actions, monitor in real-time and view user actions.

Learn More About Zero Trust