What Is Zero Trust: Security, Principles & Architecture


Zero Trust is a security framework that assumes your network is already compromised, so no user or device is trusted by default. By following the “never trust, always verify” philosophy and enforcing strict access controls, organizations can reduce their attack surface and the risk of data breaches. Zero Trust replaces the old perimeter model, in which a firewall separates a trusted inside from an untrusted outside, with verification of every request regardless of where it originates.

Implementing a Zero Trust Architecture (ZTA), especially in a remote work environment, helps companies limit the damage from a successful breach and gain visibility into network activity, because every access decision is tied to user authentication and device status.


How Zero Trust Works

Zero Trust focuses on protecting resources and continuously evaluating the trust between users and assets. It provides an end-to-end approach to enterprise resource and data security that encompasses authentication, authorization, access management, operations, and the interconnecting infrastructure or network.

Companies that adopt Zero Trust follow three pillars: they operate on the assumption that their network is already compromised, they grant users only the access their job requires, and they validate every request for a resource:

  • Assume a breach: Zero Trust assumes the network has already been breached, so no user or device is trusted or implicitly granted access to network assets and resources.
  • Follow the principle of least privilege: Users receive only the privileges required to complete their tasks. Zero Trust treats threats and network compromise as possible from both inside and outside the organization.
  • Allow no implicit access: No resource or network traffic is inherently trusted. Every connection request must be verified and validated before it is granted access, whether it comes from an internal or an external device. This is done through authentication and continuous monitoring.

This may seem like a culture change within organizations with traditional cybersecurity practices in place. However, companies can benefit from the advantages of combining the mindset and the right tools to effectively protect themselves from modern threats.

What Are the Core Principles of Zero Trust?

The National Institute of Standards and Technology (NIST) publication SP 800-207 defines seven core tenets that guide the implementation of a ZTA. These include treating all data sources and services as resources, securing all network traffic regardless of location, granting access per session, deciding access by a defined policy, monitoring the posture of assets at all times, enforcing authentication and authorization before every access, and collecting and reviewing data continuously.

Consider All Data Sources & Services to Be Resources

This tenet states that regardless of the size or class of a device on the network, and regardless of where its data is going, any device that transmits data on the network and can reach enterprise resources is itself a resource. An enterprise may also classify personally owned devices as resources if they can access resources belonging to the enterprise.

Secure Communication Regardless of Network Location

The location of the device requesting access should not imply trust. Access requests from devices located on an enterprise network must meet the same security requirements as access requests and communications from any other network.

In other words, all communication should be done in the most secure manner available regardless of whether the request is from an internal or external device. This protects the confidentiality and integrity of the data, and provides source authentication.

Grant Access to Resources on a Per-Session Basis

This tenet follows the rule of least privilege: users receive only the privileges needed to complete their task. NIST builds on this by requiring that each request be evaluated before access is granted to any resource. Authentication and authorization to one resource therefore does not automatically grant access to a different resource, and a grant does not outlive the session it was issued for.

Establish a Policy That Defines the Access Given to Resources

By properly defining its resources, the users who need to access them, and the level of access each user should be assigned, an organization can better protect those resources. Access is decided by a dynamic policy evaluated against several kinds of attributes. A client’s identity includes the user account or service identity plus any attributes the enterprise has assigned to it, and the policy decision also takes into account:

  • Device characteristics: Information such as installed software versions, network location, time and date of the request, previously observed behavior, and installed credentials.
  • Behavioral attributes: Automated subject and device analytics and measured deviations from observed usage patterns.
  • Environmental attributes: Factors such as the requestor’s network location, time, and reported active attacks.
  • Policy: The set of access rules, expressed over these attributes, that the organization assigns to a subject, data asset, or application.

These rules and attributes are determined by the needs of the business and their acceptable level of risk. As a result, resource access and action permission policies can vary based on the sensitivity of the resource/data. Additionally, least privilege principles are applied to restrict both visibility and accessibility.

Monitor & Measure Integrity & Security Posture of Assets

NIST states that no asset should be inherently trusted and that the enterprise should evaluate the security posture of the asset during every resource request. Furthermore, an enterprise implementing a ZTA should establish a continuous diagnostics and mitigation (CDM) or similar system to monitor the state of devices and applications and should apply patches/fixes as needed.

Any asset or device that fails these checks, for example one with known vulnerabilities or missing patches, or one not managed by the enterprise, should receive more limited access than devices deemed healthy, or be blocked from enterprise resources entirely.

Enforce Authentication & Authorization

Zero Trust is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually reevaluating trust. Therefore, it is expected that enterprises implementing a ZTA would have identity, credential, and access management (ICAM) and asset management systems in place. These may include:

  • Multi-factor authentication (MFA): Require users to present two or more forms of authentication to access some or all enterprise resources with possible reauthentication and reauthorization depending on user transactions.
  • Continuous monitoring: Systems must provide real-time monitoring of user activity across IT systems, devices, and networks, and alerting administrators of abnormal behaviors that deviate from a defined baseline.
  • Enforced policies: Actions taken automatically when anomalous activity is detected. For example, a user requesting a resource outside of their normal business hours can trigger a step-up authentication challenge or a denial, and the security team should be alerted.

Organizations should strive to use these systems to achieve a balance of security, availability, usability, and cost-efficiency.
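To make the per-session, policy-driven, posture-aware tenets above concrete, here is a small policy decision point in Python. It is an added example for this article, not code from NIST SP 800-207 or from any vendor, and its resource tiers, role mappings, patch-age threshold, grant lifetime, signing key and sample requests are all assumptions. It denies by default, ties each decision to the subject’s role, the device’s posture and environmental signals, and issues a short-lived grant bound to one resource so that a grant for one resource cannot be replayed against another.

```python
"""Toy Zero Trust policy decision point (PDP) with per-session, per-resource grants.

Added illustration for this article; not code from NIST SP 800-207 or any vendor.
Resource tiers, role mappings, thresholds, the signing key and all sample
requests are assumptions made for the example.
"""
from dataclasses import dataclass
import hashlib
import hmac

# Assumed: resource sensitivity tiers and which roles are entitled to which resources.
RESOURCES = {"wiki": "low", "payroll": "high", "prod-db": "high"}
ROLE_RESOURCES = {"engineer": {"wiki", "prod-db"}, "hr": {"wiki", "payroll"}}
MAX_PATCH_AGE_DAYS = 30        # assumed posture threshold
GRANT_TTL_SECONDS = 600        # assumed: grants are short-lived and re-evaluated on expiry
GRANT_KEY = b"demo-grant-key"  # assumed; a real PDP would keep this in a KMS or HSM


@dataclass
class Request:
    user: str
    role: str
    resource: str
    mfa_verified: bool           # did this session already pass MFA?
    device_managed: bool         # is the device enrolled in enterprise management?
    days_since_patch: int        # device posture: age of the last patch
    known_vulns: int             # device posture: open findings from CDM scans
    hour: int                    # local hour of the request (environmental attribute)
    usual_hours: tuple           # (start, end) baseline for this subject (behavioral attribute)
    active_attack: bool = False  # environmental attribute: incident in progress


def decide(req: Request) -> tuple:
    """Evaluate one request. Returns (decision, reason); decision is allow, step_up or deny."""
    # No implicit access: an unknown resource is denied, never passed through.
    if req.resource not in RESOURCES:
        return ("deny", "unknown resource")
    # Least privilege: the role must be entitled to this specific resource.
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return ("deny", "role not entitled to resource")
    sensitivity = RESOURCES[req.resource]
    # Posture: unmanaged, stale or vulnerable devices get limited access, not high-tier access.
    bad_posture = (not req.device_managed
                   or req.days_since_patch > MAX_PATCH_AGE_DAYS
                   or req.known_vulns > 0)
    if bad_posture and sensitivity == "high":
        return ("deny", "device posture fails for high-sensitivity resource")
    # Environmental: a reported active attack forces re-authentication for everything.
    if req.active_attack and not req.mfa_verified:
        return ("step_up", "active attack reported; MFA required")
    # Behavioral: outside the subject's usual hours, or no MFA, means step-up for high tier.
    start, end = req.usual_hours
    off_hours = not (start <= req.hour < end)
    if sensitivity == "high" and (off_hours or not req.mfa_verified):
        return ("step_up", "high-sensitivity resource requires MFA during usual hours")
    return ("allow", "policy satisfied")


def issue_grant(req: Request, now: int) -> dict:
    """Bind a grant to (user, resource, expiry) so it cannot be reused for another resource."""
    exp = int(now) + GRANT_TTL_SECONDS
    msg = f"{req.user}|{req.resource}|{exp}".encode()
    tag = hmac.new(GRANT_KEY, msg, hashlib.sha256).hexdigest()
    return {"user": req.user, "resource": req.resource, "exp": exp, "tag": tag}


def grant_valid(grant: dict, user: str, resource: str, now: int) -> bool:
    """Policy enforcement point check: right subject, right resource, unexpired, untampered."""
    if grant["user"] != user or grant["resource"] != resource or now >= grant["exp"]:
        return False
    msg = f"{grant['user']}|{grant['resource']}|{grant['exp']}".encode()
    expected = hmac.new(GRANT_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, grant["tag"])


if __name__ == "__main__":
    # Constructed sample requests.
    healthy = Request("alice", "engineer", "prod-db", True, True, 5, 0, 10, (9, 18))
    stale = Request("alice", "engineer", "prod-db", True, True, 60, 0, 10, (9, 18))
    byod = Request("bob", "hr", "wiki", False, False, 90, 2, 3, (9, 18))
    for r in (healthy, stale, byod):
        print(r.user, r.resource, decide(r))
    g = issue_grant(healthy, now=1000)
    print("grant ok for prod-db:", grant_valid(g, "alice", "prod-db", now=1500))
    print("grant reused for wiki:", grant_valid(g, "alice", "wiki", now=1500))
```

The `step_up` outcome is where the reauthentication NIST describes fits: the enforcement point challenges for MFA and resubmits the request instead of failing it outright. Note that the unmanaged, unpatched device in the last sample still reaches the low-tier wiki; that is the limited access the posture tenet calls for, not a blanket block, while the same device is denied the production database.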

Collect & Review Data

Enterprises should collect data about asset security posture, including network traffic and access requests, process that data, and use any insight gained to improve policy creation and enforcement. In order to improve the protection of your assets, collect as much information about your infrastructure as possible, and test your controls to identify any weaknesses.

Zero Trust is a continuous process and will not be satisfied by adopting specific tools or products. However, it can help protect organizations from several common cybersecurity challenges.

How Zero Trust Addresses Modern Cybersecurity Threats

By assuming that a breach is already happening and following the seven core principles, Zero Trust can address modern threats in the ways below:

  • Limits phishing and ransomware damage: A phished password alone does not grant access when MFA and device posture checks are required, and least privilege limits how far ransomware can spread from a single compromised account.
  • Minimizes insider threats: By implementing least privilege and actively monitoring user activity, Zero Trust can detect and prevent potential threats from internal users.
  • Reduces attacker’s foothold: Verifying user access for every resource, implementing MFA, and continuous monitoring can restrict or even block an attacker or advanced persistent threat actor’s access to a compromised network.

Zero Trust limits user access to only what is necessary and constantly monitors all resources on your network, reducing points of entry for attackers and lessening the impact of a successful attack.

Misconceptions About Zero Trust

While companies have adopted Zero Trust, there are two major misconceptions about it that can cause organizations to struggle with its adoption:

  • Small organizations don’t need Zero Trust: Some believe that Zero Trust is too complex or unnecessary for small organizations. But the reality is that Zero Trust is important for organizations of all sizes and while Zero Trust security does require planning to set up, it simplifies security management in the long run.
  • Zero Trust is product-focused: The biggest misconception about Zero Trust is that it’s a tool. However, Zero Trust is a framework, and frameworks require a change in thinking and infrastructure. This mindset is equally as important as implementing the tools.

To adopt a Zero Trust mindset, IT staff must buy into the concept that there are no more perimeters or trusted networks — everything is assumed compromised by default. They should create a comprehensive approach and a detailed protection plan that includes users, devices, technologies, policies, and procedures.

For example, rather than relying on firewalls, gateways, or intrusion detection and prevention solutions (IDPS) as a single point of screening at the perimeter, push authorization, authentication, malware detection, and monitoring down to endpoints, containers, and applications.

The goal of ZTA is to strategically create layers of protection that can be managed centrally and deployed locally, replacing the traditional layers of perimeter defense. Each application, container, database, and system must become a fully functional castle of defense on its own.

4 Steps to Practical Zero Trust Strategy Implementation

Now that you’ve developed the proper mindset, it’s time to implement your Zero Trust strategy. To do this, identify critical assets and attack surfaces, implement controls to protect them, define a Zero Trust policy, and continuously monitor network activity.

1. Identify Your Resources & Attack Surface

Regardless of your network infrastructure, defining your attack surface should be the first item you address. Focus on all the areas you need to protect, including critical services and applications, assets, and data.

  • Protect sensitive data: Implement controls and security measures to protect the data of customers and employees and other sensitive information you don’t want accessed by an unauthorized user or attacker.
  • Identify critical applications: Any applications or services that play an integral role in your day-to-day operations and business processes should be identified and secured.
  • Monitor physical assets: Physical assets like medical devices, point-of-sale (PoS) terminals, industrial control systems and components, and other critical infrastructure must be located, protected, and monitored.

2. Build Your Architecture

Once you’ve identified your critical assets, design your architecture to minimize your attack surface. There’s no one-size-fits-all solution, but every solution must adhere to the concept of “never trust, always verify.”

Zero Trust architecture should involve the familiar mechanisms below:

  • Implement least privilege: Limit access to only the resources required to perform the job function and restrict services or applications that may provide broad access to networks and assets that are not needed.
  • Use multifactor authentication (MFA): MFA adds a second factor to the login, so a malicious actor who steals a user’s password alone still cannot authenticate to the network.
  • Create policies for users and devices: Require users and devices to run a “health check.” All devices, operating systems, and applications must meet a required minimum health state before being granted access to the network or resource.
  • Perform routine checks: Conduct regular audits and assessments to validate changes made to the network, confirm devices and applications are working properly, identify any gaps in coverage, discover any vulnerabilities or misconfigurations or confirm they have been remediated, and get a clear picture of your network’s overall security posture.

3. Create a Zero Trust Policy

After you have identified the critical assets and developed the architecture, document your Zero Trust policy. Clearly define the principles of the Zero Trust strategy and details surrounding the different elements like identity verification, network infrastructure, access controls, data security, and the expectations for personnel.

  • Identity and access management (IAM): In this section of the policy, detail the user authentication and authorization methods, user verification processes, or role-based access controls in the organization.
  • Network segmentation: Include any network zones, IP ranges, segmentation details, and access permissions for users and devices on each network segment.
  • Device management: Document device information, including operating systems, application versions, patches, etc.
  • Data protection: Include encryption methods, user permissions, and access controls.
  • Compliance requirements: List any standards and regulations that the policy must comply with, like HIPAA or PCI-DSS. Also include any employee training or assessments that are required to adhere to these standards.

To create an effective policy, ask who, what, when, where, why, and how for every user, device, application, service, and other resources looking for access.

4. Continuously Monitor Your Network

Continuously monitoring activity on your network using network monitoring tools means IT and security teams will observe network activity, be notified of any potential issues, and gather information on the overall health of your network.

  • Analyze traffic: Collect detailed logs of network and user actions in real-time to recognize baselines, patterns, or anomalies.
  • Alert security teams: Network monitoring tools can alert personnel of any suspicious activity or abnormal user behaviors on the network.
  • Gain insight: Organizations can use reporting tools to assess the effectiveness of their Zero Trust strategy and find opportunities for improvement.

Test your Zero Trust implementation extensively to verify that all infrastructure has been identified and addressed, policies have been created, and any tools, services, and applications have been integrated into the organization’s network without creating any gaps or vulnerabilities.
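The baseline-then-alert loop this step describes, as an added Python example that is not from the article or from any monitoring product. The log format, the two constructed log windows, and the thresholds are assumptions. It learns each subject’s usual hours, devices and resources from a training window, then flags later events that fall outside that baseline, along with bursts of denied requests, which is the kind of signal a security team should be paged on.

```python
"""Baseline-and-alert over access logs.

Added example for this article; not code from any monitoring product. The log
format, both sample windows and the thresholds are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample logs. Format: "<timestamp> <user> <device> <resource> <allow|deny>"
BASELINE_LOG = """\
2024-03-04T09:12:03Z alice dev-a1 wiki allow
2024-03-04T10:40:11Z alice dev-a1 prod-db allow
2024-03-05T09:30:45Z alice dev-a1 prod-db allow
2024-03-05T14:02:19Z alice dev-a1 wiki allow
2024-03-04T08:55:00Z bob dev-b7 payroll allow
2024-03-05T16:20:37Z bob dev-b7 payroll allow
"""

NEW_LOG = """\
2024-03-11T10:05:00Z alice dev-a1 prod-db allow
2024-03-11T02:17:44Z alice dev-zz prod-db allow
2024-03-11T11:00:00Z bob dev-b7 wiki allow
2024-03-11T11:05:00Z bob dev-b7 payroll deny
2024-03-11T11:06:00Z bob dev-b7 payroll deny
2024-03-11T11:07:00Z bob dev-b7 payroll deny
"""

HOUR_SLACK = 1    # assumed: hours beyond the observed window before an access is "off hours"
DENY_BURST = 3    # assumed: consecutive denials from one subject that raise an alert


def parse(log: str) -> list:
    """Split the constructed log format into event dicts; the hour comes from the ISO timestamp."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, device, resource, result = line.split()
        events.append({"ts": ts, "user": user, "device": device,
                       "resource": resource, "result": result, "hour": int(ts[11:13])})
    return events


def build_baseline(events: list) -> dict:
    """Per-subject baseline: hours seen, devices seen, resources touched."""
    base = defaultdict(lambda: {"hours": set(), "devices": set(), "resources": set()})
    for e in events:
        b = base[e["user"]]
        b["hours"].add(e["hour"])
        b["devices"].add(e["device"])
        b["resources"].add(e["resource"])
    return dict(base)


def detect(baseline: dict, events: list) -> list:
    """Return (timestamp, user, reason) alerts for events that deviate from the baseline."""
    alerts = []
    consecutive_denies = defaultdict(int)
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            alerts.append((e["ts"], e["user"], "no baseline for subject"))
            continue
        lo = min(b["hours"]) - HOUR_SLACK
        hi = max(b["hours"]) + HOUR_SLACK
        if not lo <= e["hour"] <= hi:
            alerts.append((e["ts"], e["user"], f"access at hour {e['hour']} outside baseline {lo}-{hi}"))
        if e["device"] not in b["devices"]:
            alerts.append((e["ts"], e["user"], f"unknown device {e['device']}"))
        if e["resource"] not in b["resources"]:
            alerts.append((e["ts"], e["user"], f"first access to {e['resource']}"))
        # Repeated denials from one subject look like probing or a stolen session being tried.
        if e["result"] == "deny":
            consecutive_denies[e["user"]] += 1
            if consecutive_denies[e["user"]] == DENY_BURST:
                alerts.append((e["ts"], e["user"], f"{DENY_BURST} consecutive denied requests"))
        else:
            consecutive_denies[e["user"]] = 0
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for ts, user, reason in detect(baseline, parse(NEW_LOG)):
        print(f"ALERT {ts} {user}: {reason}")
```

Run against the sample windows, this produces four alerts: alice’s 02:17 access from a device never seen before (two alerts, one for the hour and one for the device), bob’s first touch of the wiki, and bob’s three consecutive denials on payroll. A subject with no baseline at all is alerted on rather than silently allowed, which is the same deny-by-default stance the policy engine takes.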

Get more information on some of the best network monitoring tools available, including their features and how they compare to others on the market.

Advantages of Zero Trust Architecture

Adopting a ZTA significantly reduces potential attack vectors, raises the bar for logging and verification, and increases the chances of catching internal and external malicious activity.

  • Reduce your attack surface: Following the “least privilege” principle and implementing strict access controls on devices and resources reduce the attack surface as well as the damage from a successful breach.
  • Improve your security: The continuous monitoring and logging of user and device access on the network increases the visibility and positively impacts the organization’s security posture.

ZTA is a vast improvement on traditional security methods because of the robust tools and features that can be built into it. For example, organizations can incorporate IAM, network access control (NAC), and MFA into their architecture, and check a request’s originating IP address and the posture of the user’s device for signs of compromise before granting access.

Zero Trust Challenges & Considerations

Organizations face constant resource challenges, which can contribute to the primary Zero Trust challenges below:

  • Replacing existing infrastructure: ZTA can be adopted for a sub-group of users or key assets. However, maintenance of multiple technologies can add additional cost and burden on IT and security staff. Ideally, ZTA should replace entire elements of traditional security (network access, authentication, etc.) to minimize the complexity of supporting overlapping tools and obsolete equipment.
  • Finding sufficient budget: ZTA vendors note that adopting ZTA will reduce expenses over time because their solution can replace several separate products and services, and the supporting infrastructure. However, in reality, this will be a significantly more nuanced calculation.
  • Planning ahead: Many traditional IT security tools have years of life left in them and most organizations cannot afford to start over from scratch. IT and security managers must analyze which ZTA tools integrate with the current infrastructure they don’t intend on replacing to create cost-effective transitions.

Adoption of ZTA has many benefits, but it also may create a cascading requirement to upgrade legacy components or to create compensating controls, which can be challenging and costly. IT and security managers should thoroughly explore different Zero Trust solutions and work with vendors in advance to identify and plan for this possibility.

3 Best Zero Trust Solutions

When looking for a Zero Trust solution, some products provide true value while others can be all hype. The true value of a solution depends upon the organization’s understanding of their infrastructure and the capabilities of the solution they are implementing. While there are many to choose from, three stand out: NordLayer, Twingate, and ManageEngine AD360.

NordLayer

NordLayer offers a turnkey SASE and Zero Trust solution that embodies Zero Trust principles, prioritizing user, device, and connection authentication. It follows a “trust none, verify all” approach and integrates IAM and network segmentation to establish robust security.

NordLayer offers several plans with the Lite version starting at $8 a month per user. However, their other plans offer more features and start at $11 and $14 a month per user. There is also an Enterprise option that costs $7 a month per user for organizations that have a minimum of 50 users (all price offers are when they are paid annually).

NordLayer dashboard (Source: NordLayer)

Twingate

Twingate delivers a multi-step authentication process that helps fast-growing companies easily implement a secure Zero Trust Network Access solution without compromising on usability or performance. Twingate’s Identity-First Networking solution combines enterprise-grade security with a consumer-grade user experience.

Twingate offers a free plan; however, its functionality is very limited compared to their other plans that start at $5 a month per user for the team license and increase to $10 a month per user for the business license (when paid annually).

Twingate access graph (Source: Twingate)

ManageEngine AD360

ManageEngine AD360 is an integrated IAM solution that assists organizations to manage and secure user identities, facilitate identity governance, and ensure compliance. Core features include secure single sign-on, automated identity lifecycle management, historical audit reports, and more.

Pricing is not available on the ManageEngine website. However, customers can contact them for a quote.

ManageEngine AD360 dashboard (Source: ManageEngine AD360)

For our comprehensive list of 80 Zero Trust solutions spanning six categories, check out our best Zero Trust solutions article.

Bottom Line: Zero Trust Is a Culture Change, But Delivers Results

A Cloud Security Alliance (CSA) survey found that 77% of executives plan to increase their spending on Zero Trust. However, IT and security teams should have a full understanding of their current infrastructure and the critical assets they need to protect, define specific and clear goals before making a large investment, and never trust, always verify. Proper implementation and embracing the principles of Zero Trust can have a significant impact on your organization’s security posture and create a more efficient and resilient network environment.

Next, learn how to use Zero Trust to enhance your network’s IAM.

Davin Jackson
