What is Zero Trust Security?
Zero Trust is an IT security model that requires strict identity verification for every device and person wanting to access resources on a private network, regardless of whether they are sitting within or outside the network perimeter. Zero Trust Network Access (ZTNA) is the primary technology associated with Zero Trust architecture, but Zero Trust is a holistic approach to network security that incorporates several different principles and technologies.
More simply put: traditional IT network security trusts anyone and anything inside the network. A Zero Trust architecture trusts no one and nothing.
Why do we need Zero Trust?
Traditional IT network security depends on the castle-and-moat concept. It is hard to obtain access from outside in castle-and-moat security, but network insiders are automatically trusted. The limitation is that once an attacker is inside the network, they have access to everything inside.
This vulnerability in castle-and-moat security systems worsens because companies no longer have their data in a single location. Today, information is spread across cloud vendors, making it more challenging to have a single security control for an entire network.
Zero Trust security trusts no one by default, either inside or outside the network, and verification is required from everyone trying to gain access to resources on the network. This added layer of security has prevented data breaches. Studies have shown that the average cost of a single data breach is over $3 million. Considering that figure, it should be no surprise that many organizations are now eager to adopt a Zero Trust security policy.
How Zero Trust Works
Execution of this framework combines advanced technologies such as risk-based multi-factor authentication, identity protection, next-generation endpoint security, and robust cloud workload technology. It verifies a user's or system's identity, considers the access being requested at that moment in time, and maintains the security of the system. Zero Trust also requires attention to data encryption, securing email, and verifying the hygiene of assets and endpoints before they connect to applications.
Zero Trust is very different from traditional network security, which followed the “trust but verify” method. The conventional approach automatically trusted endpoints and users within the organization’s perimeter, putting the organization at risk from legitimate credentials taken over by malicious actors and malicious internal actors, allowing compromised or unauthorized accounts wide-reaching access once inside. This model became obsolete with the acceleration of a distributed work environment and the cloud migration of business transformation initiatives due to the pandemic in 2020.
Therefore, Zero Trust architecture requires organizations to continuously monitor and validate that a user and their device have the proper privileges and attributes. It also requires enforcement of a policy that incorporates the risk of the device and user, along with compliance, before permitting the transaction. It requires that the organization knows all of its services and privileged accounts and can establish controls over what they connect to and from where. One-time validation won't suffice because threats and user attributes are all subject to change.
Organizations should therefore ensure that all access requests are continuously vetted before access to enterprise or cloud assets is allowed. That's why enforcement of Zero Trust policies relies on real-time visibility into user and application identity attributes such as:
Credential privileges on each device
User identity and type of credential (programmatic, human)
Standard connections for the credential and device (behavior patterns)
Endpoint hardware type and function
Geolocation
Firmware versions
Authentication protocol and risk
Operating system versions and patch levels
Security or incident detections, including attack recognition and suspicious activity
Applications installed on an endpoint
Analytics are tied to broad enterprise telemetry (trillions of events) and threat intelligence so that ML/AI models are trained on enough data to produce an accurate policy response. Organizations should thoroughly assess potential attack paths and their IT infrastructure to contain attacks and minimize the impact of a breach. This can include segmentation by device identity, device type, or group function. For example, sensitive protocols such as RPC or RDP to the domain controller should always be challenged or restricted to specific credentials.
More than 80% of all attacks involve misuse of the network or of credentials. With constant attacks against identity and credential stores, additional protections for data and credentials extend to secure web gateway, cloud access security broker (CASB), and email security providers. This helps ensure greater password security, the integrity of accounts, adherence to organizational rules, and avoidance of high-risk shadow IT services.
Zero Trust Use Cases
Zero Trust has increasingly been formalized as a response to a range of complex, devastating threats and securing digital.
An organization can benefit from Zero Trust directly if:
It is required to protect an infrastructure deployment model containing:
Unmanaged devices
Multi-cloud, hybrid, multi-identity
Legacy systems
SaaS apps
Critical threat use cases:
Supply chain attacks – typically involve unmanaged devices and privileged users working remotely
Ransomware – a two-part problem involving identity compromise and code execution
Insider threats – especially challenging to detect with behavioral analytics when users work remotely
The organization has these considerations:
User experience (especially when using MFA)
SOC/analyst expertise challenges
Industry or compliance requirements (e.g., financial sector or US government Zero Trust Mandate)
Concern about retaining cyber insurance (due to the rapidly changing insurance market as a result of ransomware)
Every organization has unique challenges due to its business, digital transformation maturity, and current security strategy. Zero Trust, if appropriately implemented, can adjust to meet specific needs and still ensure a return on investment in the organization's security strategy.
Principles of the Zero Trust Model
1. Continuous Verification
Continuous verification means there are no inherently trusted credentials, zones, or devices. Continuous verification across a broad range of assets includes:
Risk-based conditional access. This ensures the workflow is interrupted only when risk levels change, allowing continual verification without sacrificing user experience.
Scalable and rapid dynamic policy model deployment. Since data, workloads, and users can move often, the policy must account for risk and include compliance and IT requirements. Zero Trust does not relieve organizations of their organization-specific requirements and compliance obligations.
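The attribute list under "How Zero Trust Works" and the risk-based conditional access principle above both describe the same mechanism: every request is scored from live identity and device attributes, and the user is interrupted (re-prompted for MFA) only when the risk changes. The following is an added illustration, not code from the original page or from any vendor named on it; the attribute names, risk weights, thresholds, and the sample session are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class AccessContext:
    """Attributes observed for one access request (constructed field set)."""
    user: str
    credential_type: str                    # "human" or "programmatic" (service account)
    mfa_verified: bool                      # MFA completed for this session
    device_managed: bool                    # endpoint enrolled in device management
    os_patch_age_days: int                  # days since the endpoint was last patched
    geolocation: str
    usual_geolocations: Tuple[str, ...]     # behaviour baseline for this credential
    active_detections: Tuple[str, ...] = ()  # open EDR/SIEM detections on the endpoint
    resource_sensitivity: str = "standard"   # "standard" or "high"


# Constructed weights and thresholds; a real deployment tunes these from its own telemetry.
UNMANAGED_DEVICE = 30
STALE_PATCHES = 20
UNUSUAL_LOCATION = 25
ACTIVE_DETECTION = 60
MAX_PATCH_AGE_DAYS = 30
STEP_UP_AT = 20   # at or above this score a human must (re)prove MFA
DENY_AT = 60      # at or above this score the request is refused


def risk_score(ctx: AccessContext) -> int:
    """Additive risk from the device, location and detection attributes."""
    score = 0
    if not ctx.device_managed:
        score += UNMANAGED_DEVICE
    if ctx.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        score += STALE_PATCHES
    if ctx.geolocation not in ctx.usual_geolocations:
        score += UNUSUAL_LOCATION
    if ctx.active_detections:
        score += ACTIVE_DETECTION
    return score


def decide(ctx: AccessContext) -> str:
    """Return 'allow', 'step_up' (re-prompt for MFA) or 'deny' for one request."""
    score = risk_score(ctx)
    if ctx.credential_type == "programmatic":
        # A service account cannot answer an MFA prompt, so it has no step-up
        # path: any accumulated risk denies the request outright.
        return "allow" if score == 0 else "deny"
    if score >= DENY_AT:
        return "deny"
    needs_mfa = score >= STEP_UP_AT or ctx.resource_sensitivity == "high"
    if needs_mfa and not ctx.mfa_verified:
        return "step_up"
    return "allow"


def evaluate_session(contexts: Iterable[AccessContext]) -> List[str]:
    """Apply the policy to every request in a session, not only at login; stop at the first deny."""
    decisions: List[str] = []
    for ctx in contexts:
        decision = decide(ctx)
        decisions.append(decision)
        if decision == "deny":
            break
    return decisions


if __name__ == "__main__":
    # Constructed session: same user and device; the location changes mid-session,
    # MFA is then satisfied, and finally an EDR detection opens on the endpoint.
    base = dict(user="jdoe", credential_type="human", mfa_verified=False, device_managed=True,
                os_patch_age_days=3, geolocation="Berlin", usual_geolocations=("Berlin",))
    session = [
        AccessContext(**base),
        AccessContext(**{**base, "geolocation": "Lagos"}),
        AccessContext(**{**base, "geolocation": "Lagos", "mfa_verified": True}),
        AccessContext(**{**base, "geolocation": "Lagos", "mfa_verified": True,
                         "active_detections": ("malware-detected",)}),
    ]
    for ctx, decision in zip(session, evaluate_session(session)):
        print(f"{ctx.geolocation:8} mfa={ctx.mfa_verified!s:5} "
              f"detections={len(ctx.active_detections)} -> {decision}")
```

Two design points matter more than the particular weights. First, the score is recomputed for every request, so a user who travels mid-session is challenged once and then proceeds, while a detection that opens later ends the session even though MFA was satisfied. Second, programmatic credentials are handled on a separate path: there is no interactive step-up to fall back on, so the only safe response to risk on a service account is refusal.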
2. Limit the Blast Radius
If a breach does occur, minimizing the breach’s impact is critical. Zero Trust limits the access paths or scope of credentials for an attacker, giving time for people and systems to respond and mitigate the attack.
Ways to limit the blast radius:
Least privilege principle. Credentials must be given access to the minimum capacity required whenever they are used, including for non-human accounts (such as service accounts). As tasks change, so should the scope. Many attacks leverage over-privileged service accounts, as they are typically not monitored.
Using identity-based segmentation. Traditional network-based segmentation can be challenging to maintain operationally as workloads, users, data, and credentials often change.
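The two points above, least privilege for every credential (service accounts included) and segmentation keyed on identity rather than on network position, can be expressed as one policy. The following is an added illustration and not code from the original page or any vendor it names; the rule format, the identities, resources and protocols, and the usage log are all constructed. It applies the page's own example, RDP and RPC to the domain controller restricted to specific credentials, and adds a review that lists grants a credential never uses, which is how the scope is shrunk as tasks change.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One grant: an identity (or 'group:<name>') may reach a resource over given protocols."""
    identity: str
    resource: str
    protocols: FrozenSet[str]


@dataclass(frozen=True)
class Request:
    identity: str
    groups: FrozenSet[str]
    resource: str
    protocol: str
    src_network: str   # logged for forensics only; the policy deliberately ignores it


# Constructed policy. Every line is an explicit grant; anything not listed is denied,
# so a request is judged by who is asking, not by which network segment it comes from.
POLICY: List[Rule] = [
    Rule("group:domain-admins", "dc01", frozenset({"rdp", "rpc"})),   # only tier-0 admins reach the DC
    Rule("svc-backup", "fileserver01", frozenset({"smb"})),
    Rule("svc-backup", "db01", frozenset({"sql"})),
    Rule("group:employees", "intranet-web", frozenset({"https"})),
    Rule("group:employees", "fileserver01", frozenset({"smb"})),
]


def rule_matches(rule: Rule, req: Request) -> bool:
    if rule.identity.startswith("group:"):
        identity_ok = rule.identity[len("group:"):] in req.groups
    else:
        identity_ok = rule.identity == req.identity
    return identity_ok and rule.resource == req.resource and req.protocol in rule.protocols


def is_allowed(req: Request, policy: Iterable[Rule] = POLICY) -> bool:
    """Default deny: the request succeeds only if some grant matches it."""
    return any(rule_matches(rule, req) for rule in policy)


def unused_grants(policy: Iterable[Rule],
                  usage_log: Iterable[Tuple[str, str, str]]) -> Dict[str, Set[Tuple[str, str]]]:
    """Per named (non-group) identity, the (resource, protocol) grants never seen in the usage log.

    The log is a sequence of (identity, resource, protocol) tuples from access logging;
    grants that appear here are candidates for removal, which matters most for service
    accounts because, as the text notes, they are rarely watched otherwise.
    """
    used = set(usage_log)
    result: Dict[str, Set[Tuple[str, str]]] = {}
    for rule in policy:
        if rule.identity.startswith("group:"):
            continue
        for proto in rule.protocols:
            if (rule.identity, rule.resource, proto) not in used:
                result.setdefault(rule.identity, set()).add((rule.resource, proto))
    return result


if __name__ == "__main__":
    # Constructed requests: the service account and an ordinary employee both try RDP
    # to the domain controller, the employee even from the corporate LAN.
    for req in [
        Request("svc-backup", frozenset(), "dc01", "rdp", "datacenter"),
        Request("jdoe", frozenset({"employees"}), "dc01", "rdp", "corp-lan"),
        Request("alice", frozenset({"domain-admins"}), "dc01", "rdp", "vpn"),
        Request("jdoe", frozenset({"employees"}), "intranet-web", "https", "home"),
    ]:
        print(f"{req.identity:11} {req.protocol:5} -> {req.resource:12} "
              f"from {req.src_network:10}: {'allow' if is_allowed(req) else 'deny'}")

    # Constructed 30-day usage log: svc-backup only ever used SMB to the file server.
    log = [("svc-backup", "fileserver01", "smb")] * 3
    print("unused grants:", unused_grants(POLICY, log))
```

Note that `src_network` plays no part in `is_allowed`: the employee's RDP attempt from the corporate LAN is refused exactly as it would be from home, which is the property the text contrasts with network-based segmentation. The `unused_grants` review would flag `svc-backup`'s SQL grant to `db01`, turning the "as tasks change, so should the scope" advice into a recurring check rather than a one-time setup decision.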
3. Automate Context Collection And Response
To make the most accurate and effective decisions, more data helps, so long as it can be processed and acted on in real time. NIST's Zero Trust guidance recommends using information from the following sources:
Workloads – including containers, VMs, and workloads deployed in hybrid environments
User credentials – non-human (service accounts, non-privileged accounts, privileged accounts, including SSO credentials) and human
Network
Endpoint – any device used to access data
Data
Other sources (via APIs):
Identity providers (such as Active Directory)
SIEM
SSO
Threat Intelligence
Zero Trust Implementation Stages
Stage 1: Visualize – understand the access points and resources, and visualize the risks
Stage 2: Mitigate – detect and mitigate the impact of a breach when the threat cannot be immediately eliminated
Stage 3: Optimize – extend protection to all resources of the IT infrastructure regardless of location while optimizing the user experience for security teams, end-users, and IT teams
Key Features of Zero Trust Solutions (questions to ask when evaluating a vendor)
Is each request verified on a case-by-case basis? If so, how does this work?
Does the solution use artificial intelligence and machine learning to predict potential bad actors or behavioral actions?
Does the vendor’s solution work with Multi-Factor Authentication (MFA) solutions and existing identity providers?
Is it integrable with Security Information and Event Management (SIEM) providers?
Can the solution be managed from a single portal? Is it hosted in-cloud, on-premises, or both?
Can defensive actions be automated? Is the vendor’s solution preventative or for visibility only?
Does the vendor’s solution support Single Sign On (SSO) across all departments, devices, geographic locations, and users using an open standard like Security Assertion Markup Language (SAML)?
Does it have logging APIs or syslog integration? What visibility is provided by the vendor’s context and logs?
Is it simple to operate and implement for administrators and users of all backgrounds? What is the user experience like?
How does it integrate into the broader cybersecurity ecosystem?
Top Zero Trust Security Solution providers
Cisco – Access management, micro-segmentation technology, SD-Access policy, and network access solution
Illumio – Vulnerability management, micro-segmentation, network visibility, and encryption
Palo Alto Networks – Containers, cloud, and SD-WAN
Akamai – Single sign-on with multi-factor authentication, identity and application access, and threat and DDoS protection
Okta – Simple interface with authentication, access management, and single sign-on (SSO)
Other noteworthy zero-trust vendors
Google (BeyondCorp, Cloud IAP, Context-Aware Access)
Microsoft (Azure AD and Web Application Proxy)
Forcepoint
Netskope
Zscaler
Cato Networks
Cloudflare