Zero Trust & Zero Trust Network Architecture (ZTNA), Explained

Historically, when it comes to cybersecurity, organizations long relied on the castle-and-moat approach. Also known as the perimeter security model, it assumes that a network inherently trusts everyone - users and devices -inside the perimeter, thus giving gives them complete access while directing all suspicion to those outside.

However, this location-based model is seriously risky: it focuses only on who goes in and out of the network, not what occurs inside it. The result? Costly data breaches, as hackers or threat actors could penetrate and move freely undetected within the network and wreak havoc once they somehow managed to gain access through the perimeter.

The perimeter-based model originally served organizations whose data resided in on-premise data centers, with only a few users needing remote access.

Today, of course, that has all changed: users today rely on remote access.

Cybersecurity changes in the cloud

As organizations and businesses move their applications to the cloud, they now distribute data and other resources across multiple data centers in various regions. Users around the world can connect to these networks, which is great, but this also introduces new security vulnerabilities and attack surfaces specifically related to cloud infrastructure. Some of these include:

• Unauthorized access
• Malware and ransomware
• Denial of service (DoS) attacks and distributed denial of service (DDoS) attacks

These cloud threats are very dynamic. Unfortunately, traditional security measures, like perimeter security, cannot withstand such a hostile environment. Old ways of securing are no longer effective in protecting cloud-based assets. DevSecOps teams now have to safeguard apps against known vulnerabilities and also against zero-day attacks. They do it with an identity-based security model called zero trust.

So, what is zero trust?

The concept of zero trust was first introduced in the 1990s by a group of security professionals called the Jericho Forum, who proposed a new security approach that eliminated the need for a trusted internal network.

Only later, in 2010, was the term "zero trust" coined by a former Forrester Research analyst John Kindervag. Today, it's been adopted by the industry at large.

In 2020, attackers exploited SolarWinds software. This lets attackers access hundreds of the company's customers. Later that year, and likely in response, the U.S. National Institute of Standards and Technology (NIST) established a definition of Zero Trust approach in Special Publication 800-207, as part of a rejuvenated effort to mitigate malware, ransomware, and other types of global cybersecurity threats, defining:

[Zero trust as a] "term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources."

In May of 2021, President Joe Biden signed Executive Order 14028 known as "Improving the Nation's Cybersecurity," to improve supply chain security in the US and prevent similar incidents from occurring.

(See how Splunk supports CISA's zero trust strategy.)

Identity is the new perimeter

The zero trust model operates on the concept of "never trust, always verify." It's not a specific architecture, product, or software solution. Instead, it's a methodology for secure access and a critical part of enterprise security.

Zero trust requires that every user and device that attempts to access an organization's resource, including employees of the organization, must continuously undergo identity verification. This means that Security and DevSecOps teams should assume that an attacker might already be present inside the network.

Every time a user tries to access a new resource, the system reassesses trust, ensuring that no connection is trusted, even if it has previously accessed the network. Zero trust also places limits on all user's accounts in the network, such that if an attacker compromises an account, they won't be able to move laterally around the entire network.

How zero trust works

Any organization today - any size, any stripe - stores data in a variety of locations and apps, both on-premises and in cloud environments. This allows wide access to a variety of folks: employees, vendors, contractors, partners, and other authorized users (and all their personal devices).

For example, Tina is authorized to use her company's case management system from her personal laptop. Tina makes a request from that device and is granted access. Eventually, she downloads software from an unauthorized source. This could be something as simple as a printer driver or a photo.

In a zero trust environment, security teams continuously monitor the device, flagging any unauthorized downloads.

This newly added component has altered the configuration - and, therefore, the trust score - of the device in question. When the employee attempts to connect to the system, their access might be denied or downgraded depending on their new trust score and associated policy.

In this way, looking at the trust across multiple factors (the user, their device, and the downloaded resource) helps security teams understand dynamic risks in the enterprise. Layering this information together provides more context.

Principles of the zero trust model

To be successful, a Zero Trust framework entails several core underlying principles, including:

• Assume the network is always hostile. The traditional assumption that your network is relatively secure has disappeared. With Zero Trust, you assume it's not.
• Accept that external and internal threats are always on the network. Assuming that there are always threats changes your cybersecurity approach to proactive.
• Do not trust a network simply because of the location of a corporate network or cloud provider. Traditional security rules, based on IP addresses, are no longer reliable.
• Authenticate and authorize every device, user, and network flow. A zero trust model authorizes and authenticates user access by least-privilege access on a per-session basis.
• Implement dynamic, data-driven policies with multiple data sources. Establish end-to-end data analytics, providing monitoring and threat detection across the entire architecture.

For decades, individually authenticating every object requesting access to a network was basically impossible. Today, multiple technologies specialize in various models of access control - that is, a set of rules to determine who should be granted access to a restricted location and/or critical information. A Zero Trust architecture can stitch these systems together, reducing the complexity of managing multiple controls independently.

(Related reading: role-based vs. attribute-based access control: what's the difference?)

Some misconceptions about zero trust security

Zero trust has garnered a lot of attention in recent times, but there have also been a lot of misconceptions. Let's debunk some popular myths surrounding it:

Myth: Zero trust means no trust at all

Reality: Zero trust doesn't mean no trust - it means intelligent and smart trust. Contrary to popular belief, zero trust doesn't imply a total absence of trust but rather a more enlightened and very conditional trust.

Myth: Zero trust is only for large enterprises

Reality: Zero trust is relevant and beneficial for organizations of all sizes and industries. From small startups to large enterprises, everyone needs to ensure secure access to their resources.

Myth: Zero trust requires a complete overhaul of existing infrastructure

Reality: Zero trust is not necessarily a complete replacement for traditional measures and controls. Instead, regard it as a complementary solution that involves gradually adding security controls to the existing infrastructure.

Myth: Zero trust is a product

Reality: Zero trust is a security framework for protecting information and data. It's not a single product but a comprehensive approach that requires technologies, security policies, and procedures.

Myth: Zero trust is only for the cloud

Reality: Organizations can implement zero trust security in all environments, including on-premises, cloud-based, and hybrid cloud settings.

What is zero trust network architecture? The 6 pillars

Zero trust architecture (ZTA) or zero trust network architecture (ZTNA) is a cybersecurity architecture based on the principles of zero trust. The American Council for Technology and Industry Advisory Council (ACT-IAC) outlines the six pillars of a Zero Trust security model, each built upon a foundation of data. These pillars are:

• Users. Continuously authenticating trusted users and user identity, continuously monitoring and validating user trustworthiness to govern their access and privileges.
• Devices. Measuring the real-time cybersecurity posture and trustworthiness of devices.
• Network. Isolating and controlling the network, including software-defined networks, software-defined wide area networks, and internet-based technologies.
• Applications. Securing and properly managing the application layer, as well as cloud services, containers, and virtual machines.
• Automation. Automating tasks across products and workflows, such as you can with security automation, orchestration, and response (SOAR) solutions.
• Analytics. Observing what's happening to appropriately orient your defenses. Visibility and analytics tools like security information and event management (SIEM), advanced security analytics, and user and entity behavior analytics (UEBA) are significant here.

Zero trust network architecture vs. VPNs: what's the difference?

In virtual private networks (VPNs), an "implicit trust" model grants users access to resources once verified, even if they don't need them for a specific task. Because VPNs route all user traffic through a central gateway, latency issues for globally distributed teams are common, regardless of the resource's location.

In contrast, ZTNA continuously validates users' identities for every access request, whether internal or external.

Plus ZTNA enables direct-to-resource access, connecting users directly to the service they need, no matter where it is hosted. This approach improves performance, especially when working with resources across different regions.

Similarities between VPNs and ZTNA

While the two technologies differ in approach, they do share some key commonalities:

• Encryption. They both make use of encryption to secure sensitive data in transit. VPNs make use of encryption tunnels (e.g., IPSec or SSL/TLS) to protect communication between the user's device and the corporate network. While ZTNA uses HTTPS and some other modern protocols for application-level traffic.
• Access control. Both enforce access control with VPNs, typically using credentials (username/password, certificates, etc.) for authentication and ZTNA using a more granular and policy-based approach that goes beyond users' identity and considers factors like location, health, etc.
• Logging and monitoring. Both VPNs and ZTNA systems offer logging and monitoring capabilities to track access attempts, user activities, and potential security threats.

Getting started with zero trust

Implementing a Zero Trust architecture depends on many variables based on your current network setup. In a Zero Trust security model, access to a network is achieved based on a user's or device's identity, location, and permissions. A comprehensive guide to getting started is beyond the scope of this post, but below is a high-level overview of how it works.

Step 1: Identify the attack surfaces

First, identify and evaluate all your organization's most critical assets in order of priority, including endpoints, users, applications, servers, and data centers that hackers might target. Properly understanding the posture of protected assets - as well as the systems used to access these resources - helps with risk scoring and security incident prioritization. For example:

• User systems with missing or insufficient system patches can have their access to critical systems limited.
• Security incidents connected to known vulnerabilities can be prioritized.

Step 2: Verify identity

Authenticate users and devices using single sign-on (SSO) or multi-factor authentication (MFA) methods such as passwords or biometrics. This adds extra layers of security to protect all sensitive data from malicious actors, even if one authentication method is compromised.

Step 3: Access control

After authenticating users and devices, grant them access only to the specific data and resources they need to complete their tasks based on their assigned permissions and roles. In the cloud, use role-based access control (RBAC) or attribute-based access control (ABAC) to enforce least-privilege access to cloud and cloud-native applications, containers, and microservices.

You can also perform network segmentation: Divide the network into smaller segments or regions that are properly isolated from one another to reduce lateral movement and minimize the surface area of potential attacks.

Step 4: Monitoring, analytics, and logging

Monitor user and device activities in real time and analyze them carefully for potential threats. If a threat is detected, log it and alert the appropriate teams.

Implementation challenges with zero trust network architecture

With any implementation, there are some challenges to be aware of:

Compatibility issues. You might experience compatibility issues because legacy applications likely won't integrate with modern security measures like zero trust, creating security gaps in the system that may require you to implement strategic updates or replacements.

Culture shift. Implementing zero trust in the cloud brings about stricter access controls and requires a shift in the already existing security culture of an organization. This shift can put a strain on the overall work experience.

For example, in an organization, employees accustomed to seamless access to resources may encounter authentication hurdles like multiple verification steps, potentially impacting their productivity.

(Related reading: organizational change management.)

Cloud compliance and governance. Many organizations often operate in regulated industries like healthcare and finance, which have to comply with strict data protection regulations like HIPAA and PCI DSS. Implementing zero trust in the cloud can challenge compliance with these rules, as multiple users may access sensitive data scattered across multiple locations. Organizations should:

• Apply encryption techniques for data at rest or in transit.
• Set up access control measures.
• Implement effective logging of all access points to sensitive data.

Risk of vendor lock-in. Implementing zero trust in the cloud often means choosing what cloud vendor to work with. Vendor lock-in can be a real challenge: businesses may become overly dependent on a particular vendor, which can limit flexibility, become costly over time, or hold you back from emerging features you need. To tackle vendor lock-in, organizations should:

• Prioritize open standards and interoperability when selecting security solutions.
• Consider adopting a multi-cloud approach.

Cost of implementation. Setting up zero trust security in the cloud can be quite resource-intensive. From hiring skilled personnel and training internal staff to acquiring new technology and other cloud costs.

Overcoming the challenges

Fortunately, you can prepare overcome these challenges with some smart preparation.

Adequate planning

Create a strategic plan that includes an inventory of all sensitive and non-sensitive data and resources in the cloud infrastructure. The plan should:

• Provide a detailed roadmap for implementing zero trust.
• Specify the technology solution(s) to be used.
• Outline the strategy to educate employees about the changes and their importance.

Phased implementation

Gradually introduce zero trust into your security system and avoid overwhelming users in the process. Prioritize critical assets first and continue until you've secured the entire system.

Collaboration

Both IT/DevSecOps and security teams need to work together effectively. As a result, IT teams should provide comprehensive information about cloud design and infrastructure. Meanwhile, security teams must identify potential risks and, subsequently, develop solutions to mitigate them.

The key to a successful Zero Trust network, therefore, is understanding who is making access requests and from which devices. Consequently, this understanding enables organizations to map those requests to access policies specific to each application or asset. Ultimately, it requires CISOs, CTOs, and CIOs to consider and possibly update the security strategy and network architecture.

Public link

Please use the above public link if you want to share this noodl on another website.