Just as the development of cannons and other weapons made walls obsolete as a form of defense, sophisticated cyber attacks have made the firewall-perimeter model of cybersecurity equally obsolete.
No longer is traffic inside the network automatically presumed to be from authorized and authenticated sources. And many users now work outside the safety of the network. Many don’t even use corporate networks to reach cloud resources, which also exist outside the defenses of corporate networks.
Meanwhile, Viruses regularly bypass firewalls through malicious emails or when users click on infected websites. Security teams also face sophisticated attackers that invade systems using advanced persistent threat (APT) techniques and zero-day vulnerabilities.
Modern data practices have outgrown the old firewall-perimeter defense model. In its place, “zero trust” has been one attempt to redefine IT security and address the needs of the modern distributed and “edge” IT environment. However, while many products claim to deliver zero trust capabilities, they usually do so without defining zero trust or explaining how they fit into the concept. Here we’ll take an in-depth look at what zero trust is – and what it’s not.
See the Top Zero Trust Security Solutions
Featured Zero-Trust Software
What is Zero Trust?
Forrester Research developed the formal concept of zero trust more than a decade ago:
Zero Trust is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero trust advocates these three core principles: All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.
The National Institute of Standards and Technology (NIST) publication SP 800-207 provides a similar and consistent definition for zero trust. This publication includes seven basic tenets of zero trust:
- All data sources and computing services are considered resources
- All communication is secured regardless of network location
- Access to individual enterprise resources is granted on a per-session basis
- Access to resources is determined by a dynamic policy that considers the observable state of client identity, application/service, and the requesting asset and that may also consider other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
We can generally interpret these definitions as encouragement to treat all resources as if they are fully exposed to the internet and as if all users are attacking. Forrester also stresses that zero trust is a continuous process and will not be satisfied by adopting specific tools or products.
The Cybersecurity and Infrastructure Agency (CISA) and U.S. Office of Management and Budget (OMB) has since released additional guidance that complements Forrester’s zero trust eXtended (ZTX) concept, adding governance, workloads, and automation considerations. While the extended concept adds some additional concepts and considerations, it does not change any of the original ZTA fundamentals.
Why Does Zero Trust Matter?
Zero trust architecture (ZTA) addresses the modern reality that our assets and users no longer operate primarily within a controlled and secured enterprise network. Most organizations have data residing in uncontrolled environments such as: cloud resources, Software-as-a-Service (SaaS) applications, mobile devices, and remote users operating from within unprotected networks.
U.S. President Joe Biden issued an executive order last year that calls for the adoption of ZTA throughout the Federal Government, a stance reiterated a number of times since then. This order acknowledges the widespread adoption of cloud and -as-a-Service resources as well as the increasing risk to these assets using legacy IT security.
This order does not directly affect non-federal organizations. Yet we can expect for other regulations and compliance standards to begin requiring ZTA elements as they become more widely adopted.
Litigation will also play a part in pushing standards towards ZTA. No one wants to be in a data breach lawsuit and forced to sit on the witness stand to justify how their old technology should have been sufficient even though it failed.
Zero Trust Hype
As with all things IT, saying is much easier than doing.
For those wanting to adopt ZTA, they must navigate through aggressive vendor claims that often don’t make clear how products deliver ZTA capabilities. While ZTA definitions, principles, and guidelines have been published, there is no governing standard to verify or endorse ZTA claims for any vendors or products – a problem that exists for other security product categories too.
Until ZTA becomes more standardized, the burden of understanding zero trust and verifying ZTA claims falls to the IT teams implementing the technology. Also, IT managers must recognize that certain technologies might provide ZTA features in some circumstances but not deliver anticipated results for the organization’s specific use case.
Zero trust technology must be tested extensively in the anticipated use case. Additionally, security teams must verify that the products have been integrated into the existing security stack without creating gaps or vulnerabilities.
Also read: Most Security Product Buyers Aren’t Getting Promised Results: RSA Panel
Defense in Depth 2000 vs 2020
Zero trust hype endangers adoption, but behind the hype remains the real motivation for zero trust. The old castle-and-moat IT architecture no longer fits our reality.
We need new layers of defense that travel to where our users and our assets exist now. We must defend users at home or in a coffee shop while they access their cloud-based apps and our cloud-based data repositories.
To realize advantages in ZTA requires a shift in mentality. Of course, obtaining these advantages will come with real costs that must be weighed against resources.
Breaking the Walled City Mentality
A key difficulty for adoption will be adopting a ZTA mindset. Most seasoned IT professionals have decades of experience in picturing security and architecture as a castle with a secure network and a polluted exterior.
Zero trust architectures require new philosophies and mindsets. There are no more perimeters, or trusted networks – everything is assumed compromised by default.
Instead of firewalls, gateways, or intrusion detection and prevention solutions (IDPS) providing a single point of screening to protect the whole organization, ZTA pushes authorization, authentication, and malware detection to the endpoint, container, or even to within the application itself.
ZTA needs to create layers of protection that can be managed centrally and deployed locally to replace our traditional layers of defense. Each application, container, database, and system must become a fully functional castle of defense on their own.
Advantages of Zero Trust Architecture
MIT researchers note that the vast majority of attacks take advantage of misplaced trust such as stealing credentials and using them to attack an organization from within. Adopting ZTA increases the logging and verification requirements and adds opportunities to catch both malicious attackers and malicious insiders as they overstep their permissions.
Ideally, ZTA can also be set in a central location and then implemented throughout the organization. For those of us used to traditional security, the rough analogy would be that we set up the Active Directory (AD) user profiles and a firewall and we push it out to be implemented on each endpoint, application, container, etc.
Yet that analogy doesn’t capture that authentication can also be even more robust because ZTA can incorporate identity and access management (IAM), network access control (NAC), or multi-factor authentication (MFA) checks such as originating IP addresses or if the user’s device might be compromised.
If these features sound familiar, it is because they all exist for traditional IT security as well. Ultimately, ZTA attempts to implement existing concepts in more universal ways for easier implementation and in more detail.
Also read: A Few Clicks from Data Disaster: The State of Enterprise Security
Zero Trust Architecture Adoption
As with traditional IT security, no single tool or application provides universal security coverage. Organizations still need to obtain a full security stack, but now the security stack needs to default to the assumption of mistrust and continuous verification.
Network, Cloud, Identity, and App groups need to develop a mutual understanding of ZTA to develop and run test cases. To do so, these groups need to discuss specific technology and consider how changes might ripple through the existing processes and technology stack.
Current examples of popular ZTA solutions include zero trust Network Access (ZTNA), zero trust Authentication, and Application Firewalls.
Example: Zero Trust Network Access (ZTNA)
VPN access replacement makes a great place to start a transition to a zero trust architecture. ZTA naturally secures beyond the traditional network perimeter, and the existing remote access technology is under pressure.
VPNs and transit gateways do not scale easily and do not protect any specific assets. VPNs secure traffic between various endpoints and an internal network, but once the connection has been made, most VPN technology stops paying attention to the commands and data flowing through it.
For example, if organizations apply Zero Trust Network Access (ZTNA) universally, they gain two significant advantages.
The first advantage stems from a single process to follow that improves user experience and security. Users will no longer need to follow different processes inside and outside of the network (logging into VPNs, etc.).
With only one process, users will be less likely to forget or be confused about how to connect. Once trained properly, they only need to keep following that one method.
The second advantage comes from consistent policies that improve security and reduce risk. Many organizations establish one set of access rules for a firewall, a different set for a VPN server, a third set for cloud storage, and perhaps no rules at all may be implemented for an internal server.
Generally these rules are implemented separately and changes become difficult to manage even as some assets remain undefended. ZTNA can define universal least privileged access that is applied to all access points and assets efficiently and consistently.
While ZTA focuses on delivering enhanced security, Forrester Research notes that half of the organizations they examined adopted ZTNA for performance reasons. ZTNA no longer sends cloud traffic through the corporate network only to be rerouted back out to the cloud.
For example, if twelve remote employees need to be on a Zoom call, traditional architecture would have them connect into the local network through VPN and then connect to a cloud-based video conferencing service. All of the time-sensitive videoconference data flows through the corporate architecture twice for all 12 users and places an unnecessary traffic load on local IT resources.
ZTA can protect the users as they connect directly between their local machine and the cloud without any resource demand on the legacy IT network. In a counter-intuitive way, ZTA can extend the life of legacy IT architecture by decreasing operational demands on the components.
Practical Limitations to ZTA
Organizations face constant resource constraints. The promise of increased security or improved performance will be offset by the inevitable learning curve, budgets, time constraints, and the likely variance between expectations and actual performance.
This balance will challenge IT managers looking to strengthen security through ZTA adoption. This balance can be improved by a practical assessment of the existing architecture and IT resources.
ZTA and Existing Infrastructure
Zero trust architecture can be adopted for a sub-group of users or key assets; however, the maintenance of multiple technologies can add additional burden to the IT and security teams. Ideally, ZTA should replace an entire category of traditional security (network access, authentication, etc.) to minimize the juggling of overlapping tools, obsolete equipment, or adding complexity to support.
ZTA vendors note that adopting ZTA will reduce expenses because adopting their technology can replace several separate products, associated services, and the infrastructure needed to support them. However, in reality, this will be a significantly more nuanced calculation.
After all, many traditional IT security tools have years of life left in them and most organizations cannot afford to start over from scratch. IT and security managers need to analyze what ZTA tools integrate with the existing IT and security stack they did not intend to replace so they can create cost-effective transitions.
Adoption of ZTA may create a cascading requirement to upgrade legacy components or to create compensating controls. IT and Security managers should work with vendors in advance to identify and plan for this possibility.
Example: Legacy Switches and ZTA
When applying ZTA across the network, the network infrastructure should act as Policy Enforcement Points (PEP) for ZTA. However, legacy equipment may not have the PEP capabilities and may need modification or replacement.
Specifically, switches might have focused on traffic flow to optimize operational efficiency, but now a switch should inspect a packet’s originating node to verify the node has permissions to send packets through the switch. If the switch will not be capable of verification, it needs to send the packets exclusively to a node with those capabilities such as a gateway.
Also read: Best Network Monitoring Tools
No Easy Button
Keep in mind that obtaining ZTA tools does not automatically bestow zero trust to the organization. Flawed implementation will continue to undermine security.
For example, if an organization has never distinguished between types of users, then the additional controls of ZTA do not provide any additional benefits. Many smaller or security immature organizations do not make the time to differentiate between users and the warehouse worker has the same IT access as the VP of Operations.
Similarly, an organization must already understand their valued assets. An organization that doesn’t know where regulated or important data exists within their infrastructure may be protecting the wrong users and data with the wrong levels of security.
Before acquiring ZTA solutions, an organization must truly determine what capacity exists to implement additional granularity and if that granularity will be sufficient to require the investment in ZTA.
Showing ZTA Results
A Cloud Security Alliance (CSA) survey found that 77% of executives plan to increase their spending on zero trust. However, with ZTA labels applied without agreed-upon standards, many executives may believe the most outlandish vendor claims and expect a magic bullet.
IT will need to manage expectations and demonstrate effective improvement to validate additional investment. They also need to avoid disruptions because poor user experience or operational downtime during integration can cripple ZTA adoption before it can prove its security advantages.
When deciding to adopt ZTA, IT and security teams should define very specific and very clear goals. These goals should be measurable so that they can prove if the investment is paying dividends.
For example, stated goals could be:
- Ensure all traffic to cloud resources comes through ZTA for protection
- Reduce internal network traffic by 20%
- Reduce help desk calls for shared server access by 50%
Can Products Catch Up With Hype?
The history of IT is littered with technologies that failed to live up to their potential because the hype proceeded faster than the capabilities. Although some vendors may jeopardize the concept with reckless claims, the zero trust movement is fueled by legitimate needs.
Zero trust architecture eliminates trusted users and trusted networks to assume that all users may be compromised and resources exist in untrusted environments. These are good assumptions in a world with so many resources connected directly to the internet.
Hopefully this column will become obsolete within a year because ZTA becomes more robust and delivers on its potential. Perhaps standards will be developed or the technology will catch up to the marketing.
ZTA solutions are needed and some products are ready to provide true value – however, that value depends upon the context in which they are implemented. An organization must be ready and willing to do the work to verify that ZTA will integrate with their existing IT infrastructure and provide a true benefit.
Teams willing to take a hard look at themselves and the product will realize the advantages of zero trust architecture.
Read next: Microsegmentation Is Catching On as Key to Zero Trust