The essential zero trust (ZT) approach to networking is that no user, device, or asset connected to the network, by any means, is inherently trusted. Every connection is untrusted until it is proven trustworthy. ZT networking takes into account the way today’s enterprises work, incorporating BYOD devices, remote work, cloud elements, and as-a-service solutions into the security model, with continuous monitoring and authorization of every access attempt.
The traditional approach to cybersecurity builds a “fence” around the networks that give access to essential business assets, so bad actors cannot break in and introduce malware or ransomware. This is often called perimeter security. The approach has flaws, however. No matter how secure the gateway, once through it, an attacker has access to everything behind the firewall. In addition, the network perimeter has blurred in recent years, extending beyond the traditional enterprise boundary to accommodate remote work and SaaS applications.
Strategies such as multi-factor authentication (MFA) have strengthened the gateway, and that has been important, but those strategies have not resolved the danger in diverse networks. It may take more work to get through, but once inside, hackers can move laterally across the network and introduce ransomware or steal information.
Albert Einstein said, “Problems cannot be solved with the same mindset that created them.” ZT is a different mindset, one that starts from the opposite assumption about the network.
Perimeter security assumes a user or connection is trustworthy until security systems flag a breach. ZT in its purest form assumes an attacker may already be present on the network, and that no access request, whether it originates inside the enterprise perimeter or outside it, is trusted until it has been authenticated and authorized.
ZT is an approach to cybersecurity and not an event or a set of services or products. Migration to ZT network security is a process over time. As you convert, you will likely continue to use some of the same products and services you are using now, but will use them in a different way. Most networks will end up being hybrid for a time as the security operations center (SOC) implements modernization projects. The only “pure” ZT network is one built from the very beginning based on ZT principles.
Because of this, a plan for converting to ZT is an important beginning point. The plan begins with identifying all assets, subjects, business processes, traffic flows, and dependencies within the enterprise infrastructure. Building in incremental projects helps map your progress and track success.
The plan should include all enterprise assets:
It should also include all subjects:
Begin by cataloging all assets within your network, such as devices, applications, and data repositories. Classify these assets based on their sensitivity, criticality, and the potential impact of a breach. This gives you a clear understanding of what needs protection and lets you prioritize security measures accordingly.
Implement robust authentication mechanisms to verify the identity of both devices and users before allowing them to access network resources. Use multi-factor authentication (MFA) for users and certificates for devices, so that only authorized people on known devices can reach the network. This step is crucial for preventing unauthorized access and maintaining the integrity of your zero trust framework.
Map out and analyze the workflows within your organization to understand how data moves across the network. Identify key processes and their dependencies to look for potential security vulnerabilities. By understanding these workflows, you can better design security policies that minimize risk while ensuring operational efficiency.
Develop and enforce security policies that regulate network access, data processing, and user activity. Automate these policies using advanced security tools to ensure consistent application and to reduce the risk of human error. Automation also enables real-time monitoring and quick reaction to potential threats, which aligns with the zero trust principle of continuous verification.
Continuously evaluate and monitor your systems in order to quickly detect and respond to security incidents. Use advanced monitoring tools and techniques to monitor network activity and identify anomalies. Consistently update and manage your security infrastructure to tackle new threats and vulnerabilities, ensuring your zero trust network remains resilient and effective over time.
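To make the five steps above concrete, here is an added example written for this page (it is not code from the original article or from any product): a minimal policy decision point in Python that keeps an asset inventory with classifications, checks device certificates and user MFA, grants access only to roles whose workflows need the resource, tightens requirements as sensitivity rises, re-checks MFA freshness on every request, and logs every decision for monitoring. The asset names, roles, device fields, and MFA age thresholds are assumptions for illustration.

```python
"""Added example (not from the original article): a minimal zero trust policy
decision point covering the five migration steps. Asset names, roles, device
fields and MFA thresholds are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Step 1: asset inventory with a sensitivity classification (constructed data).
ASSETS = {
    "wiki":       {"classification": "internal"},
    "hr-portal":  {"classification": "confidential"},
    "payroll-db": {"classification": "restricted"},
}
LEVEL = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Step 3: workflow mapping, reduced to which roles need which resource.
ROLE_ACCESS = {
    "wiki":       {"staff", "hr", "finance"},
    "hr-portal":  {"hr"},
    "payroll-db": {"finance"},
}

# Step 4 policy knob (assumed): how fresh the MFA assertion must be per level.
MFA_MAX_AGE = {2: timedelta(hours=8), 3: timedelta(minutes=15)}

@dataclass
class Device:
    cert_valid: bool   # Step 2: the device certificate checked out
    managed: bool
    patched: bool

@dataclass
class Request:
    user: str
    roles: set
    device: Device
    resource: str
    mfa_at: Optional[datetime]   # when the user last completed MFA, if ever
    now: datetime

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)

AUDIT: list = []   # Step 5: every decision is recorded for monitoring

def evaluate(req: Request) -> Decision:
    """Deny by default; each failed check appends a reason."""
    d = Decision(allow=False)
    asset = ASSETS.get(req.resource)
    if asset is None:
        d.reasons.append("unknown resource")   # uninventoried assets are unreachable
        return _log(req, d)
    level = LEVEL[asset["classification"]]
    if not req.device.cert_valid:
        d.reasons.append("device certificate invalid")
    if level >= 2:
        if req.mfa_at is None:
            d.reasons.append("MFA required")
        elif req.now - req.mfa_at > MFA_MAX_AGE[level]:
            d.reasons.append("MFA too old; step-up required")   # continuous verification
    if level >= 3 and not (req.device.managed and req.device.patched):
        d.reasons.append("restricted data requires a managed, patched device")
    if not (req.roles & ROLE_ACCESS[req.resource]):
        d.reasons.append("role not authorized for resource")
    d.allow = not d.reasons
    return _log(req, d)

def _log(req: Request, d: Decision) -> Decision:
    AUDIT.append({"user": req.user, "resource": req.resource, "allow": d.allow,
                  "reasons": list(d.reasons), "at": req.now.isoformat()})
    return d

def denied_for(user: str) -> int:
    """Simplest monitoring signal: denials per user (the alert threshold is yours to pick)."""
    return sum(1 for e in AUDIT if e["user"] == user and not e["allow"])

def run_scenarios() -> dict:
    """Constructed requests exercising each rule; returns decisions by name."""
    AUDIT.clear()
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    laptop = Device(cert_valid=True, managed=True, patched=True)
    byod = Device(cert_valid=True, managed=False, patched=False)
    return {
        "fresh_mfa":    evaluate(Request("alice", {"finance"}, laptop, "payroll-db", now - timedelta(minutes=5), now)),
        "stale_mfa":    evaluate(Request("alice", {"finance"}, laptop, "payroll-db", now - timedelta(hours=1), now)),
        "wiki_byod":    evaluate(Request("bob", {"staff"}, byod, "wiki", None, now)),
        "payroll_byod": evaluate(Request("bob", {"staff"}, byod, "payroll-db", now, now)),
        "unknown":      evaluate(Request("mallory", {"staff"}, laptop, "crm", now, now)),
    }

if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:13} allow={decision.allow} {decision.reasons}")
```

Denial is the default: a request is allowed only when no check adds a reason, and a resource missing from the inventory is simply unreachable, which is why the inventory step comes first. The same user with the same device is allowed one minute and refused the next once the MFA assertion ages past the threshold for restricted data; that is what continuous verification means in practice. The audit list is what the monitoring step consumes, and denied_for shows the simplest anomaly signal, a run of denials for one user.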
Adopting the Zero Trust approach has a number of considerations as you migrate your network. The following sections discuss a few steps you can take to bring your infrastructure closer to a ZT framework.
One of the basic tenets of ZT networking is microsegmentation. It is the practice of isolating workloads and securing them individually to limit access. In perimeter security, a breach gives hackers access to the entire network. Microsegmentation reduces the attack surface and limits the damage from a single breach.
Some information and communications technology (ICT) devices, such as older phones, personal computers, and televisions, run fixed operating systems (OSs) that cannot be patched for vulnerabilities. Operational technology (OT) devices such as industrial robots or medical equipment present the same problem, yet they are increasingly integrated into enterprise workflows. Devices like these must be isolated in their own segments, with tight policies that allow only the traffic their function requires, so that a compromise of one cannot spread.
Subnets are a discrete part of a larger network. They can improve network security, performance, and resiliency, and they need to be part of your ZT strategy: the filtering between subnets is where you stop malware and other malicious tools from spreading. Make sure alerts and logs for every subnet report into your consolidated console for investigation and resolution.
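As an added example for the two paragraphs above (written for this page, not code from the original article), the following Python evaluates a label-based microsegmentation policy against constructed flow records, including an unpatchable OT device that is allowed exactly one outbound path, and then compares how far an attacker can move from one compromised host on a flat network versus the segmented one. Hostnames, tier labels, and ports are assumptions.

```python
"""Added example (not from the original article): label-based microsegmentation
evaluated over constructed flows, plus a blast-radius comparison. Hostnames,
tier labels and ports are assumptions for illustration."""
from collections import deque

# Workloads carry labels; rules refer to labels, never to IP addresses.
WORKLOADS = {
    "web-1": {"tier": "web"},
    "web-2": {"tier": "web"},
    "app-1": {"tier": "app"},
    "db-1":  {"tier": "db"},
    "mri-1": {"tier": "ot"},   # unpatchable OT device: gets one outbound path only
}

# Allow rules as (src tier, dst tier, dst port). Anything not listed is denied,
# including traffic between hosts of the same tier and all other egress.
ALLOW = {
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("ot", "app", 443),
}

def allowed(src: str, dst: str, port: int) -> bool:
    """Policy decision for one connection attempt; unknown workloads are denied."""
    s, d = WORKLOADS.get(src), WORKLOADS.get(dst)
    if s is None or d is None:
        return False
    return (s["tier"], d["tier"], port) in ALLOW

# Constructed flow records (src, dst, dst port) as a flow collector might emit them.
SAMPLE_FLOWS = [
    ("web-1", "app-1", 8080),    # normal request path
    ("web-1", "db-1", 5432),     # lateral move from a compromised web host
    ("web-1", "web-2", 22),      # SSH to a peer in the same tier
    ("app-1", "db-1", 5432),     # normal
    ("mri-1", "db-1", 5432),     # OT device probing the database
    ("db-1", "web-1", 443),      # database opening an outbound connection (exfil path)
    ("rogue-1", "app-1", 8080),  # host not in the inventory
]

def evaluate_flows(flows):
    """Tag each flow ALLOW or DENY; the DENY lines are what the SOC should review."""
    return [(s, d, p, "ALLOW" if allowed(s, d, p) else "DENY") for s, d, p in flows]

def reachable(start: str, segmented: bool) -> set:
    """Hosts an attacker holding `start` can eventually connect to, assuming each
    host reached can be compromised in turn. On a flat network that is every host;
    under the segment rules it is only what the allow graph permits."""
    if not segmented:
        return set(WORKLOADS) - {start}
    ports = {p for _, _, p in ALLOW}
    seen, queue = set(), deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in WORKLOADS:
            if nxt != cur and nxt not in seen and any(allowed(cur, nxt, p) for p in ports):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

if __name__ == "__main__":
    for rec in evaluate_flows(SAMPLE_FLOWS):
        print("%-8s -> %-8s :%-5d %s" % rec)
    for host in ("web-1", "mri-1"):
        print(host, "flat:", sorted(reachable(host, False)),
              "segmented:", sorted(reachable(host, True)))
```

Two things are worth noticing in the output. The web host's direct attempt on the database is denied even though web-to-app and app-to-db are both allowed; an attacker has to compromise the app tier first, and that extra hop is where detection gets its chance. And the OT device, which cannot be patched, is confined to a single destination and port, so an exploited MRI console cannot scan or reach the database at all.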
Before ZT, a remote connection, once established, was treated as trustworthy until something flagged it. But security flaws in the most common techniques became increasingly apparent. Networks became more software-defined and mobility increased, especially during COVID-19. The result was unmanaged endpoints, unsanctioned SaaS, and unsecured SD-WANs.
Virtual private network (VPN) safeguards stopped at the network edge and yet granted the user access to the entire network, creating an illusion of trust for anything that had passed the gateway. VPN security also didn’t integrate well with increasingly-used software-defined networks.
The main issue with cloud access security brokers (CASBs) was the fixed nature of their security precautions. While software-defined networks were increasingly fluid and employees more mobile, those precautions couldn’t flex as needed.
Secure web gateways (SWGs) were designed to inspect web traffic at a fixed egress point, which presented issues once employees worked from anywhere.
Solutions for remote connections continue to evolve, but options are now available that offer cybersecurity solutions consistent with mobile work habits and the ZT approach.
Secure access service edge (SASE) falls under the ZT umbrella and spells out ZT principles for particular parts of the enterprise. Analyst firm Gartner uses this term. SASE components can vary but typically consist of CASB, SWG, ZTNA, and SD-WAN technologies, providing access to both private applications (in a corporate datacenter or IaaS) and public SaaS applications.
Zero trust edge (ZTE) is a different label for SASE. Analyst firm Forrester uses this term.
Zero trust network access (ZTNA) falls within the definition of SASE or ZTE. It is a typically cloud-delivered ZT solution that brokers access per application, giving users only the applications for which they are specifically authorized rather than a path onto the network. Consistent with the ZT approach, this limits damage if there is a breach. Like a VPN, ZTNA encrypts traffic, but it offers a significantly improved user experience and is much more flexible.