Demystifying Zero Trust

While many vendors use terms that include "zero trust," they often use it to mean different things

The pandemic increased the need to secure remote and hybrid workers, and a side-effect has been a surge in interest, hype, and confusion surrounding zero trust concepts. Vendors have been quick to put out a wide range of messaging on zero trust, which has led to a lot of misunderstanding as to what zero trust actually is.

A neutral place to start is the NIST Special Publication 800-207, which says zero trust "is not a single architecture but a set of guiding principles for workflow, system design, and operations." NIST refers to these principles as the "tenets" of zero trust.

In other words, zero trust is not simply a product. If someone says it is, they probably either don't know what they're talking about or have watered down their marketing to the point of making it misleading. 

The Zero Trust Security Model and Principles

Zero trust is a cybersecurity model based on a simple premise: by default, nothing can be trusted until proven otherwise. The name is based on the "default deny" posture for everyone and everything (zero trust).

The zero-trust model turns the concept of "implied trust" based on network location or IP address on its head. Instead, trust is evaluated on a per-transaction basis and explicitly derived from a mix of identity and context-based aspects.

The concept of zero trust came about because the idea that “inside the network means trusted” and “outside means untrusted” no longer works because it grants excessive implicit trust. Once someone or something is connected, whether directly or using a VPN, it is trusted. It doesn't take much imagination to consider what a cybercriminal can do with unfettered access to the entire network.

With zero trust, when a user or device requests access to a resource, they must be verified before access is given. The verification is based on the identity of the users and devices in conjunction with other attributes and context, such as time and date, geolocation, and the device security posture.

After verification, access is given based on the principle of least privilege, which means access is given to that resource and nothing more. For example, if a user requests access to a payroll application and is verified, access to that application is the only access the user is granted; they can't see anything else anywhere on the network. Trust also is continually reevaluated. If the attributes of the user or device change, the verification may be revoked and access removed.
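The three ideas in the preceding paragraphs (default deny, verification on identity plus context, and a grant scoped to one resource that is re-evaluated when attributes change) can be made concrete in a small policy decision point. The code below is an added example written for this page, not code from the article or from any vendor product; the users, devices, resource names, permitted countries, hours and patch-age threshold are all constructed for illustration.

```python
"""Added example, not from the article: a minimal zero trust policy
decision point. Every request is denied by default, then evaluated on
identity plus context (time, geolocation, device posture); a grant is
scoped to one resource (least privilege) and re-evaluated whenever the
attributes change. All users, devices, resources and thresholds below
are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in endpoint management
    disk_encrypted: bool
    patch_age_days: int    # days since the last patch set was applied


@dataclass(frozen=True)
class Context:
    when: datetime
    country: str

    @classmethod
    def at_hour(cls, hour, country):
        # Helper so callers can build a context from an hour of day only.
        return cls(datetime(2024, 3, 4, hour, 0), country)


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


# Constructed policy table: each resource lists who may reach it and under
# which conditions. A resource absent from the table is denied outright.
POLICY = {
    "payroll-app": {
        "roles": {"hr", "finance"},
        "countries": {"US", "GB"},
        "hours": (7, 19),            # start inclusive, end exclusive
        "max_patch_age_days": 30,
        "require_mfa": True,
    },
}


def evaluate(subject, device, ctx, resource):
    """Evaluate one access request. Each failed check records a reason;
    access is allowed only when no reason was recorded (default deny)."""
    rule = POLICY.get(resource)
    if rule is None:
        return Decision(False, ["no policy for resource: default deny"])
    reasons = []
    if subject.role not in rule["roles"]:
        reasons.append(f"role {subject.role} not permitted")
    if rule["require_mfa"] and not subject.mfa_verified:
        reasons.append("MFA not verified")
    if not (device.managed and device.disk_encrypted):
        reasons.append("device posture: unmanaged or unencrypted")
    if device.patch_age_days > rule["max_patch_age_days"]:
        reasons.append(f"device posture: patches {device.patch_age_days} days old")
    if ctx.country not in rule["countries"]:
        reasons.append(f"geolocation {ctx.country} not permitted")
    start, end = rule["hours"]
    if not start <= ctx.when.hour < end:
        reasons.append(f"outside permitted hours ({ctx.when.hour:02d}:00)")
    return Decision(not reasons, reasons)


@dataclass
class Session:
    """A grant for exactly one resource. Trust is not permanent: when the
    device or context attributes change, the policy runs again and the
    session is revoked if it no longer passes."""
    subject: Subject
    device: Device
    ctx: Context
    resource: str
    active: bool = False

    def open(self):
        decision = evaluate(self.subject, self.device, self.ctx, self.resource)
        self.active = decision.allowed
        return decision

    def reevaluate(self, device=None, ctx=None):
        self.device = device or self.device
        self.ctx = ctx or self.ctx
        decision = evaluate(self.subject, self.device, self.ctx, self.resource)
        self.active = self.active and decision.allowed
        return decision


if __name__ == "__main__":
    alice = Subject("alice", "hr", mfa_verified=True)
    laptop = Device("lt-0042", managed=True, disk_encrypted=True, patch_age_days=5)
    session = Session(alice, laptop, Context.at_hour(10, "US"), "payroll-app")
    print("open:", session.open())
    # Same verified user, different resource: no implicit trust carries over.
    print("other resource:", evaluate(alice, laptop, Context.at_hour(10, "US"), "hr-database"))
    # Device posture degrades mid-session: the grant is revoked.
    stale = Device("lt-0042", managed=True, disk_encrypted=True, patch_age_days=45)
    print("after posture change:", session.reevaluate(device=stale), "active:", session.active)
```

Two design points worth noting: the policy is keyed by resource, so a user verified for the payroll application gets nothing for a resource that is not in the table, and the same `evaluate` function serves both the initial request and every later re-check, which is what keeps the "continually re-evaluated" promise honest rather than a separate, weaker path.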

Deciphering Zero Trust Acronyms

Part of the mystery surrounding zero trust relates to the many terms that include those two words. Even though many vendors use terms that include "zero trust," they often use it to mean different things. It doesn't help that the terms zero trust access (ZTA) and zero-trust network access (ZTNA) are often used interchangeably. 

None of these terms apply to a single product. They describe what a collection of products working together do in terms of security. Here are a few names and acronyms you're likely to see and what they mean from a practical standpoint.

• Zero trust access (ZTA) is about knowing and controlling who and what is on your network. Role-based access control is a critical component of access management. ZTA covers user endpoints with a least access policy that grants users the minimum level of network access required for their role.

• Zero trust network access (ZTNA) is a way of controlling access to applications regardless of where the user or the application resides. And unlike a VPN, ZTNA extends the zero-trust model beyond the network and reduces the attack surface by hiding applications from the internet.

• Zero trust edge (ZTE) is an architecture described by Forrester that converges networking and security but isn't limited to the cloud like Secure Access Service Edge (SASE). Based on zero-trust principles, it starts on-premises with a software-defined wide area network (SD-WAN), firewalls, and ZTNA. It ends in the cloud with routing, secure web gateways, and cloud security gateways. 

Once you have a better understanding of what the terms mean, you can start investigating the types of products you need to develop an architectural strategy and implement specific projects. 

Developing a Zero Trust Strategy

Because the network edge is more dynamic and dispersed than ever before, organizations are exposed to more new, advanced threats. Edge environments may include WAN, multi-cloud, data center, Internet of Things (IoT), and home and other remote workspaces. Secure Access Service Edge (SASE) has been touted as the best way to extend security beyond the traditional data center. This cloud-delivered service combines network and security functions with wide area network (WAN) capabilities and often includes ZTNA functions. The problem with SASE is that security is only delivered using the cloud, which doesn't make sense for organizations with hybrid IT architectures where access is needed to both cloud and on-premises resources.

Organizations need to take a systematic approach to replace implicit trust for network edges and remote users with consistent convergence of networking and security across the organization. Unlike SASE, the Forrester Zero Trust Edge approach includes both on-premises and cloud with:

• Software-defined wide area network (SD-WAN) to securely connect to every environment.

• A next-generation firewall (NGFW).

• Cloud-delivered security to securely connect remote users.

• ZTNA for secure application access.

Zero Trust Edge helps ensure that everyone and everything everywhere on the network remains protected in hybrid IT environments and is a sound zero trust strategy for organizations that work on-premises and in the cloud. 

Implementing Zero Trust Initiatives

Because zero trust is more of a mindset, not a specific product, you can enhance security through zero-trust security approaches and frameworks in multiple ways. For example, you may want to allocate budget for specific projects such as:

• Network microsegmentation, so each device is assigned to an appropriate network zone. The assignment may be based on several factors such as device type, function, and purpose within the network. Cloud-based SASE solutions have difficulty delivering this level of control on-prem.

• User identity with a "least access policy" using authentication, authorization, and accounting (AAA) services, access management, and single sign-on (SSO) to identify users and apply appropriate access policies based on their role within the organization.

• ZTNA using a firewall-based client-initiated ZTNA solution, which works whether users are accessing cloud-based or on-premises resources. It is important that ZTNA policies are universal and not only for remote workers. Migration from a VPN can be simplified if you have the same agent for both VPN and ZTNA.
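The first project in the list above, microsegmentation, comes down to two decisions: which zone a device belongs in, derived from attributes such as device type and function, and which zone-to-zone flows are explicitly permitted, with everything else denied. The following is an added example written for this page, not code from the article or from any product; the device records, zone names and flow table are constructed, and the `audit_flows` function shows how the same policy can be run over flows observed on a flat network to find traffic the segmentation would stop.

```python
"""Added example, not from the article: assigning devices to network
zones from their attributes and enforcing default-deny flows between
zones. Device records, zone names and the flow table are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    kind: str        # e.g. "workstation", "camera", "server"
    function: str    # e.g. "payroll", "video", "hr", "general"
    managed: bool    # enrolled in endpoint management


# Ordered classification rules: the first matching rule wins. Unmanaged or
# unrecognised devices land in "quarantine", which appears in no flow rule
# and therefore may reach nothing and be reached by nothing.
ZONE_RULES = [
    (lambda d: not d.managed, "quarantine"),
    (lambda d: d.kind == "camera", "iot-cameras"),
    (lambda d: d.kind == "server" and d.function == "payroll", "payroll-app"),
    (lambda d: d.kind == "server" and d.function == "video", "video-recorders"),
    (lambda d: d.kind == "workstation" and d.function == "hr", "hr-workstations"),
    (lambda d: d.kind == "workstation", "general-workstations"),
]

# Explicitly permitted (source zone, destination zone) -> destination ports.
# Any pair or port not listed here is denied, including traffic within a
# zone unless it is listed.
ALLOWED_FLOWS = {
    ("hr-workstations", "payroll-app"): {443},
    ("iot-cameras", "video-recorders"): {554},
}


def assign_zone(device):
    """Return the zone for a device, falling back to quarantine."""
    for predicate, zone in ZONE_RULES:
        if predicate(device):
            return zone
    return "quarantine"


def flow_allowed(src, dst, port):
    """Default deny: a flow passes only if its zone pair lists the port."""
    pair = (assign_zone(src), assign_zone(dst))
    return port in ALLOWED_FLOWS.get(pair, set())


def audit_flows(observed):
    """Run the zone policy over (src_device, dst_device, port) tuples seen on
    a flat network and return the flows the policy would deny."""
    return [(s.name, d.name, p) for s, d, p in observed if not flow_allowed(s, d, p)]


if __name__ == "__main__":
    # Constructed inventory and a constructed set of observed flows.
    hr_ws = Device("hr-pc-01", "workstation", "hr", managed=True)
    cam = Device("cam-07", "camera", "video", managed=True)
    payroll = Device("pay-01", "server", "payroll", managed=True)
    nvr = Device("nvr-01", "server", "video", managed=True)
    rogue = Device("unknown-3c", "workstation", "general", managed=False)
    for dev in (hr_ws, cam, payroll, nvr, rogue):
        print(f"{dev.name:12s} -> {assign_zone(dev)}")
    seen = [(hr_ws, payroll, 443), (cam, payroll, 443),
            (rogue, payroll, 443), (cam, nvr, 554)]
    print("flows the segmentation would deny:", audit_flows(seen))
```

Because the flow table is keyed on zones rather than on IP addresses, a device that is re-classified (for example, one that drops out of management) changes zone and loses its permitted flows without any firewall rule being rewritten, which is the practical payoff of deriving trust from attributes instead of network location.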

Contrary to what some vendors may imply, zero trust is not a "one and done" type project. It's a journey to improve your overall security posture using zero-trust principles.

Zero Trust Everywhere

At the most basic level, the zero-trust security model is simple. Don't assume anyone or anything that has gained access to the network can be trusted. The hard part is figuring out the technology to make it happen. It requires multiple products, so it's important to step back and look at the big picture rather than attempting to throw a bunch of potentially incompatible point products at the problem. 

You may already have some elements of zero trust in place, such as multi-factor authentication, that are working well. If you're researching options and it gets confusing, refer to the principles outlined in neutral sources like the NIST report. And remember that if something sounds too easy or too good to be true, it probably is.

John Maddison is EVP of Products and CMO at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.