Zero Trust Security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. Zero Trust network access (ZTNA) is the technology most often associated with Zero Trust architecture, but Zero Trust is a holistic approach to network security that combines several different principles and technologies.
Traditional IT network security is based on the castle-and-moat concept. In castle-and-moat security, it is hard to obtain access from outside the network, but everyone inside the network is trusted by default. The problem with this approach is that once an attacker gains access to the network, they have free rein over everything inside.
This vulnerability in castle-and-moat security systems is exacerbated by the fact that companies no longer have their data in just one place. Today, information is often spread across cloud vendors, which makes it more difficult to have a single security control for an entire network.
Zero Trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network. This verification step limits what a single compromised account or device can reach, which reduces both the likelihood and the scope of a data breach. Studies have put the average cost of a single data breach at over $3 million. Considering that figure, it should come as no surprise that many organizations are now eager to adopt a Zero Trust security policy.
Core Principles of the Zero Trust Model
- Terminate every connection: Firewalls and other "passthrough" technologies inspect files as they are delivered, so by the time a malicious file is detected it may already have reached the endpoint and any alert comes too late. An effective zero trust solution instead terminates every connection at an inline proxy, which decrypts and inspects all traffic, including encrypted traffic, in real time before it is forwarded to its destination, so ransomware, malware and similar threats are blocked rather than merely reported. (Inspecting encrypted traffic requires the proxy's certificate authority to be trusted on managed endpoints.)
- Protect data using granular context-based policies: Zero trust policies verify access requests and grant rights based on context, including user identity, device posture, location, the type of content being transferred and the application being requested. Policies are adaptive: user access privileges are continually reassessed as context changes, so a session granted on a healthy device can be revoked when that device falls out of compliance.
- Reduce risk by eliminating the attack surface: With a zero trust approach, users connect directly to the apps and resources they need, never to networks (see ZTNA). Direct user-to-app and app-to-app connections remove the flat network paths an attacker relies on for lateral movement and keep a compromised device from reaching resources it was never granted. Because applications are published through the broker rather than exposed on public IP addresses, they cannot be discovered by internet scanning or attacked directly.
How Does Zero Trust Security Work?
As a core concept, zero trust assumes every component or connection is hostile by default, departing from earlier models based on secure network perimeters. This lack of trust is technologically defined by:
- The underlying architecture: Traditional models granted access by approved IP addresses, ports and protocols, and relied on a remote-access VPN to establish trust. A zero trust architecture replaces these network-level controls with a per-request decision based on identity and context.
- An inline approach: All traffic is treated as potentially hostile, even traffic within the network perimeter. A flow is blocked until it has been validated by specific attributes such as a device fingerprint or a verified identity.
- Context-aware policies: Policy is attached to the workload and travels with it wherever it communicates, whether a public cloud, a hybrid environment, a container or an on-premises network.
- Multifactor authentication: A user is validated on more than one factor, combining proof of identity with signals such as the device being used and its location.
- Environment-agnostic security: Protection applies regardless of communication environment, promoting secure cross-network communications without need for architectural changes or policy updates.
- Business-oriented connectivity: A zero trust model uses business policies, rather than network topology, to connect users, devices and applications securely across any network.
Use cases for zero trust
Multicloud security
Because zero trust architecture enforces access control based on identity, it can offer strong protection for hybrid and multicloud environments. Verified cloud workloads are granted access to critical resources, while unauthorized cloud services and applications are denied.
Regardless of source, location or changes to the IT infrastructure, zero trust can consistently safeguard busy cloud environments.
Supply chain security
Organizations often need to grant network access to vendors, contractors, service providers and other third parties. Hackers take advantage of this situation to carry out supply chain attacks, in which they use compromised vendor accounts and workloads to break into a company's network.
Zero trust applies continuous, contextual authentication and least-privilege access to every entity, including those outside the network. Even if attackers take over a trusted vendor's account, they gain only the narrow set of resources that account was explicitly granted, not the company's most sensitive systems.
Remote access for employees
Organizations traditionally rely on virtual private networks (VPNs) to connect remote employees with network resources. But VPNs do not scale easily, and because they place the remote device on the internal network they do nothing to prevent lateral movement once that device is compromised.
In a zero trust model, businesses can use zero trust network access (ZTNA) solutions instead. ZTNA verifies the employee's identity and device, then grants access only to the applications, data and services they need to do their jobs, without placing them on the network.
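The context-based, continually reassessed policy described under the core principles and the "How Does Zero Trust Security Work?" list, together with the per-application grants that ZTNA and third-party least privilege rely on, can be made concrete with a small policy decision point. The following is an added example written for this page, not code from any vendor's product: the assurance tiers, the posture fields, the 300-second posture freshness limit and the sample applications, users and devices are all assumptions chosen for illustration.

```python
"""Toy zero trust policy decision point (PDP).

Added example, not vendor code: each access request is judged on identity,
device posture, network location and the sensitivity of the requested
application, and a granted session is re-judged when its context changes.
The tiers, fields and thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass, replace

LOW, MEDIUM, HIGH = 1, 2, 3  # assurance tiers (assumed scheme)


@dataclass(frozen=True)
class Identity:
    subject: str
    groups: frozenset
    mfa: bool          # True once a second factor was completed this session


@dataclass(frozen=True)
class Device:
    managed: bool              # enrolled in MDM / runs a posture agent
    disk_encrypted: bool
    patched: bool              # OS within the patch SLA
    posture_age_s: int         # seconds since the last posture report


@dataclass(frozen=True)
class Request:
    identity: Identity
    device: Device
    country: str
    app: str


# Grants are per application, never per network segment; anything not
# listed here is unreachable (default deny). Constructed sample policy.
APP_POLICY = {
    "wiki":        {"groups": {"staff", "vendor-acme"},       "tier": LOW,    "countries": None},
    "build-infra": {"groups": {"engineering", "vendor-acme"}, "tier": MEDIUM, "countries": None},
    "payroll":     {"groups": {"finance"},                    "tier": HIGH,   "countries": {"DE", "US"}},
}
POSTURE_MAX_AGE_S = 300  # a posture report older than this is not trusted


def device_tier(d: Device) -> int:
    """Highest assurance tier this device's current posture supports."""
    if not d.managed or d.posture_age_s > POSTURE_MAX_AGE_S:
        return LOW
    return HIGH if (d.disk_encrypted and d.patched) else MEDIUM


def identity_tier(i: Identity) -> int:
    """Identity assurance: only an MFA-backed session reaches HIGH."""
    return HIGH if i.mfa else LOW


def decide(req: Request) -> tuple:
    """Return (allowed, reason). Every check must pass; the first failure wins."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "no such application grant"
    if not policy["groups"] & req.identity.groups:
        return False, "identity not granted this application"
    if policy["countries"] is not None and req.country not in policy["countries"]:
        return False, "location not permitted for this application"
    if identity_tier(req.identity) < policy["tier"]:
        return False, "MFA required for this application"
    if device_tier(req.device) < policy["tier"]:
        return False, "device posture below required tier"
    return True, "allowed"


class Session:
    """A granted session that is re-decided whenever its context changes."""

    def __init__(self, req: Request):
        self.req = req
        self.active, self.reason = decide(req)

    def update(self, **changes) -> bool:
        """Apply a context change (e.g. device=..., country=...) and re-decide."""
        self.req = replace(self.req, **changes)
        self.active, self.reason = decide(self.req)
        return self.active


# Constructed sample principals and devices.
ALICE = Identity("alice", frozenset({"staff", "finance"}), mfa=True)
BOB_VENDOR = Identity("bob@acme", frozenset({"vendor-acme"}), mfa=True)
GOOD_DEVICE = Device(managed=True, disk_encrypted=True, patched=True, posture_age_s=30)
STALE_DEVICE = replace(GOOD_DEVICE, posture_age_s=3600)


def run_demo() -> dict:
    """Exercise the policy on representative requests; returns the decisions."""
    out = {
        "alice_payroll": decide(Request(ALICE, GOOD_DEVICE, "DE", "payroll")),
        "alice_payroll_stale": decide(Request(ALICE, STALE_DEVICE, "DE", "payroll")),
        "alice_payroll_abroad": decide(Request(ALICE, GOOD_DEVICE, "RU", "payroll")),
        "vendor_build": decide(Request(BOB_VENDOR, GOOD_DEVICE, "US", "build-infra")),
        "vendor_payroll": decide(Request(BOB_VENDOR, GOOD_DEVICE, "US", "payroll")),
        "vendor_unknown_app": decide(Request(BOB_VENDOR, GOOD_DEVICE, "US", "db-admin")),
    }
    # Continuous reassessment: alice's laptop falls out of patch SLA mid-session.
    s = Session(Request(ALICE, GOOD_DEVICE, "DE", "payroll"))
    s.update(device=replace(GOOD_DEVICE, patched=False))
    out["alice_session_after_posture_change"] = (s.active, s.reason)
    return out


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:36} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The two points worth noticing are that the compromised vendor account (bob@acme) cannot reach payroll no matter how healthy its device is, because it was never granted that application, and that alice's payroll session is revoked the moment her device's posture report changes, without anything being re-authenticated from scratch. A real enforcement point would also bind the decision to the forwarded connection (as the inline proxy under "Terminate every connection" does), which this example omits.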
IoT visibility
IoT devices pose a risk to enterprise security: they often run outdated firmware, ship with weak or default credentials and cannot run endpoint security agents, yet they sit on the same networks as business systems. Attackers target them as a foothold from which to introduce malware into vulnerable network systems.
Zero trust architectures continuously track the location, status and health of every IoT device across an organization. Each device is treated as a potentially malicious entity. As with other elements of a zero trust environment, IoT devices are subject to access controls, authentication and encrypted communications with other network resources.