A zero-trust model is a security framework that fortifies the enterprise by removing implicit trust and enforcing strict user and device authentication throughout the network. This guide goes in-depth into the origins of zero trust, its architecture, the technology and products that comprise a zero-trust model, as well as how to implement and manage zero trust. Links enable readers to dig even deeper and become experts in this critical security strategy.
What is zero trust?
The main tenet of zero-trust security is that vulnerabilities often appear when companies are too trusting of individuals or devices. The zero-trust model suggests that no user, even if allowed onto the network, should be trusted by default because they could be compromised. Identity and device authentication are required throughout the network instead of just at the perimeter.
By limiting which parties have privileged access to each segment of a network, or each machine in a secure organization, the number of opportunities for a hacker to gain access to secure content is greatly reduced.
The term zero trust was introduced by an analyst at Forrester Research in 2010, with vendors, such as Google and Cisco, adopting the model shortly after.
Why is a zero-trust model important?
Traditional IT security strategies, such as VPNs and firewalls, create a perimeter around the network that enables authenticated users and devices to traverse the network and access resources with ease. Unfortunately, with so many users working remotely and so many assets being placed in the cloud, relying solely on the perimeter approach is becoming less effective, less efficient and more dangerous.
A zero-trust model, conversely, provides strong protection against the types of attacks that plague businesses today, including the theft of corporate assets and identities. Adopting zero trust enables organizations to do the following:
- protect company data;
- boost the ability to do compliance auditing;
- lower breach risk and detection time;
- improve visibility into network traffic; and
- increase control in a cloud environment.
A zero-trust model supports microsegmentation -- a fundamental principle of cybersecurity. Microsegmentation enables IT to wall off network resources so potential threats can be easily contained and not spread throughout the enterprise. Organizations can apply granular policies enforced by role-based access to secure sensitive systems and data.
How does ZTNA work?
Zero-trust network access (ZTNA), part of a zero-trust model, uses identity-based authentication to establish trust and provide access while keeping the network location -- i.e., the IP address -- hidden. ZTNA adapts access to specific applications or data at a given time, location or device, and provides IT and security teams with centralized control and improved flexibility to secure highly distributed IT environments, according to Lee Doyle, principal at Doyle Research.
As organizations scale their remote user and IoT environments, ZTNA secures the environment, identifying anomalous behavior, such as attempted access to restricted data or downloads of unusual amounts of data at unusual times.
Planning for zero trust
In an interview with SearchSecurity Site Editor Sharon Shea, IEEE Senior Member Jack Burbank explained the reality of zero-trust adoption and planning. "Zero trust is not a single product, nor is it a single approach or technique. It is a mindset, a decision. It is an organization saying, 'Network security is a priority' and then putting resources behind that statement," he said.
Independent analyst John Fruehe said that zero trust makes sense for high-profile targets -- such as government agencies, critical infrastructure and financial institutions. Adopting it elsewhere could be overkill. Some experts contend that zero trust could be an excellent model to adopt for new companies, however, because they are unencumbered by legacy infrastructure.
Zero-trust can require more resources than a traditional perimeter-based approach, and if not monitored carefully, can cause productivity delays. For instance, if employees switch jobs but their access isn't updated promptly, then they might not be able to access the resources necessary for their new roles.
Whether on premises or in the cloud, adopting a zero-trust model requires strong authentication mechanisms; systems to define, enforce and adapt user access policies; and tools to create and adapt software-defined security perimeters.
The following five principles set the scope of a zero-trust model:
- Know the protect surface (users, devices, data, services and the network).
- Understand the cybersecurity controls already in place.
- Incorporate new tools and modern architecture.
- Apply detailed policy.
- Deploy monitoring and alerting tools.
To begin to plan for zero trust, organizations will need a dedicated, cross-functional team drawn from different groups -- such as applications and data security, network and infrastructure security, and user and device identity. Security operations personnel also will play an essential role in launching zero trust because they can help assess risk.
Companies will need to quickly figure out the dedicated team's knowledge gaps and fill them by making sure team members get specialized zero-trust training and certification.
Zero-trust use cases
As organizations begin planning for zero trust, they should look to existing use cases to determine what elements they want to incorporate into their own zero-trust architecture.
Andrew Froehlich, president of West Gate Networks, offered three clear examples of how zero trust can help protect the enterprise:
- Secure third parties working inside the corporate network.
- Protect remote workers accessing public cloud resources.
- Provide IoT security and visibility.
GitLab, a DevOps firm with a 100% remote employee base, is a case study for zero trust. Users were working in a SaaS environment and the security team wanted every host and every asset in the network to be protected. The company began by classifying data into four distinct categories and moved on to create a roadmap for implementation and cost evaluation.
Understanding zero trust's key capabilities can help in determining optimal use cases. A 2020 report on zero trust from Cybersecurity Insiders and Pulse Secure found the top three zero-trust capabilities that organizations found most compelling:
- continuous authentication or authorization;
- trust earned through user, device or infrastructure verification; and
- data protection.
Zero trust vs. SDP vs. VPNs
Zero trust, software-defined perimeter (SDP) and VPNs are all types of network security that protect corporate resources. Although these three approaches might seem to oppose one another, they can work in concert for a more comprehensive security strategy.
SDP is an overlay network that conceals network resources within a perimeter. SDP controllers authenticate and connect authorized users to corporate network resources or applications through a secure gateway. The technology helps reduce network-based dangers, such as denial-of-service or man-in-the-middle attacks.
For their part, VPNs encrypt tunnels between corporate networks and authorized end-user devices. Although VPNs are helpful for increased remote access, they don't easily handle more modern IoT devices, which also require network access.
Organizations can pair SDP, which can use zero-trust concepts -- such as no implicit trust -- and VPNs to delineate a clear network perimeter and then to create secure zones within the network with microsegmentation.
John Burke, CIO and principal research analyst, wrote that, with its granular management of access, SDP is an implementation of zero trust. The difference is that while zero trust calls for a dynamic trust map that responds to behavior, SDP does not consider that foundational.
How to "buy" zero trust
Zero trust is not available in a single product; rather, it is built through a collection of technologies. Forrester's Zero Trust eXtended Ecosystem lays out the categories of tools to consider when constructing a zero-trust model.
- workforce security;
- device security;
- workload security;
- network security;
- data security;
- visibility and analytics; and
- automation and orchestration.
Companies have a choice of two ZTNA architectures: endpoint-initiated or service-initiated. In an endpoint-initiated scenario, software agents dispatched to endpoints feed information to a software-based broker for authentication and authorization. A service-initiated architecture uses a connector appliance to initiate an outbound connection to the ZTNA provider's cloud where identity credentials and context requirements are assessed, eliminating the need for an endpoint software agent.
Learn what as-a-service and standalone products are available to help build out a ZTNA framework.
While some zero-trust vendors attempt to broaden the zero-trust umbrella to include capabilities such as data loss prevention, user behavior analytics, cloud access security brokers and security gateways, experts disagreed. The litmus test for products are whether organizations can say in advance, with these tools, who gets to talk to whom. If not, then experts warned they are not zero trust.
As organizations begin to assemble their zero-trust models, they should ask potential vendors if they have adopted zero trust for their own networks. The answer should be "yes," proving they can offer real-world guidance.
Implementing and managing zero trust
The most important aspect of implementing and managing zero trust is the assignment of duties among security and network teams.
Security teams will lead the development and maintenance of zero-trust architecture, while network teams will oversee the network aspects -- such as configuration and management of networking components, such as firewalls, VPNs and monitoring tools. The security team should be prepared to conduct regular audits to ensure network adherence to the policies and protocols they establish.
Organizations will have to identify the workloads that could benefit from zero-trust security -- for instance, any workloads that are critical to the business and the level of risk they can tolerate. Without this information, it will be impossible to know the granular level of control needed to protect those resources. Critical, sensitive workloads will require far more scrutiny of the users and devices that can access them compared to other less-important workloads.
Johna Till Johnson, CEO and founder at Nemertes Research, identified three on-ramps from which to start a zero-trust journey: applications and data; the network; or user and device identities. Where an organization starts will determine the technologies they will focus on. For example, entering zero trust at the network level will require attention to automation, deep network segmentation, network encryption and secure routing, among other technologies. Entering at the applications and data level will shift focus to data classification and container security. Biometrics, multifactor authentication and identity and access management are the centerpieces of the user and device identity on-ramp.
Eventually, organizations will have to tackle all three of the paths, but it is best to start with one to properly upgrade technology, deploy new technology and launch operational initiatives.
As this guide shows, zero trust might be a simple concept -- no users or devices can be implicitly trusted -- but creating an underlying architecture to support that is far more complicated.