The foundational principle of zero trust architecture (ZTA) is this: assuming trust anywhere in a network is a flawed approach that is no longer sufficient against today’s advanced cyberthreats, so implicit trust should never be granted to a user, device, or application based only on its location on a supposedly secure network.
Zero trust is not a product, service, or technology; rather it’s a strategy and standard, and one that more enterprises are adopting in place of outdated security approaches.
In this article, we’ll discuss what ZTA is, why it’s augmenting traditional perimeter network security, and how to implement it.
Why Is Zero Trust Architecture Important for Cyber Resilience?
Modern threats have proven that traditional approaches are no longer sufficient in cybersecurity. In today’s landscape, trust should never be assumed. When it is, it opens enterprises up to attacks that exploit exactly that assumption, such as social engineering and the use of stolen credentials, where the attacker presents as someone already trusted. Trust is an inherently human concept, and a network cannot verify intentions; it can only verify identity, device state, and authorization, so those are what a digital control should check.
Networks are no longer fortresses in which anyone who gains access is automatically trustworthy, is who they say they are, or is acting with good intentions. Once inside a network that assumes trust, an attacker with a stolen credential or a compromised host looks like any other legitimate user and can reach systems within the network with ease.
But that’s not all: network perimeters are getting harder to define and protect with remote work and hybrid cloud environments. The notion of a traditional network perimeter has given way to a blurrier, more complex attack surface, and security measures must evolve along with it.
Zero Trust Architecture: Never Trust, Grant Least Privilege, Assume the Worst
A zero trust architecture (ZTA) is not a catchall in cybersecurity, but it is a vast improvement on traditional network security techniques. ZTA assumes that threats may exist both inside and outside the network, then applies that logic to the access controls of everything within the network. Every user and system, regardless of location, must authenticate, have its identity validated, and be explicitly authorized for each resource before accessing it.
Put together, these essential components help enterprises address security gaps and risks from the inside out:
- Data-centric security: Zero trust focuses on data protection rather than solely relying on network perimeter security. This approach ensures that sensitive data remains secure, regardless of where it resides or who accesses it. Encryption and tokenization techniques also ensure that sensitive data is protected both in transit and at rest.
- Identity verification: Strong authentication is a fundamental aspect of zero trust. Before access is granted, identity is verified with multi-factor authentication (MFA), biometrics, or other secure methods, and that verification is tied to the user and session rather than to a network location.
- Micro-segmentation: The network is divided into smaller, isolated zones to limit the potential impact of a security breach. This means that even if one part of the network is compromised, the attacker’s access is limited to that zone.
- Least privilege access: Users and systems are given the minimum level of access or permissions necessary to perform their tasks. This principle restricts unnecessary access, reducing the potential attack surface.
- Continuous monitoring: Zero trust continuously monitors network activity and user behavior in real time. Any suspicious activity or deviation from normal behavior can trigger alerts or automated security responses.
- Security automation: Automation is used to enforce security policies and respond to threats promptly. Automated systems can detect anomalies, assess risks, and take predefined actions without human intervention.
How Are Traditional Perimeter-Based Security Models Different From Zero Trust?
Perimeter security is still an important component to any security posture, but it’s no longer enough on its own. Why? Let’s look at a few ways traditional perimeter security falls short.
Perimeter security assumes trust inside the network. Traditional perimeter-based security models concentrate controls at the perimeter, then assume a user, device, or application is trustworthy once it is within that perimeter. From there, broad access is granted with little regard to identity, device state, or other factors. Zero trust focuses on what’s inside the perimeter, requiring devices and users to authenticate, validate, and be authorized for each access.
Access control inside the network can still be broad, not narrow. Once inside the network, traditional perimeter security gives users broad access to resources. The zero-trust approach is more fine-grained. It does not grant access across the board; instead it grants the minimum level of access on a per-user and per-resource basis, based on identity, device posture (managed, patched, compliant), and other factors, rather than on whether the device happens to be on the corporate network.
Network perimeter security measures don’t address security once inside. Firewalls, gateways, and other policies are the prevailing defense mechanisms in traditional perimeter-based security, but once inside, access is broad. Zero trust focuses on what is allowed once inside the network, assuming its defenses can be penetrated at any time.
Network segmentation isn’t always well isolated. Dividing networks into segments is good practice for containing breaches and preventing the spread of an attack, but traditional segments are often still too broad (an entire office or data-center VLAN, for example). Zero-trust networks take a micro-segmentation approach, isolating individual workloads or small groups of them, which limits an attacker’s movement if they breach the perimeter.
Monitoring is limited to the perimeter, not internal activities. Modern cybersecurity relies heavily on real-time monitoring, automation, and log data to catch suspicious activity faster, but monitoring the perimeter alone is not enough. Zero trust continuously monitors internal activity and triggers alerts on anomalous behavior.
It’s difficult to retrofit old security postures to modern IT environments. The introduction of cloud services, remote work, BYOD policies, and more have created a landscape that’s often too diverse for old methods to capture. Zero trust is more dynamic and adaptable at the outset, and more easily applied to today’s IT environments.
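The contrast above, and the components listed earlier (identity verification, device posture, micro-segmentation, least privilege), can be made concrete with a small policy decision point. The following is an added example written for this article, not Pure Storage code; the users, roles, segments, resources and IP ranges are constructed for illustration. The perimeter-style check trusts anything from the internal 10.0.0.0/8 range; the zero-trust check ignores source location and evaluates each request on identity, device posture, segment reachability and least privilege, returning the reasons for a denial.

```python
"""Perimeter-style vs zero-trust access decisions, side by side (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy data. A role gets only the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "finance-analyst": {("ledger-db", "read")},
    "db-admin": {("ledger-db", "read"), ("ledger-db", "write"), ("ledger-db", "admin")},
}
# Constructed micro-segmentation map: which segment a resource lives in and which
# roles may reach that segment at all, independent of per-resource permissions.
RESOURCE_SEGMENT = {"ledger-db": "finance-data", "hr-db": "hr-data"}
SEGMENT_ALLOWLIST = {"finance-data": {"finance-analyst", "db-admin"}, "hr-data": {"hr-admin"}}
CORPORATE_NETWORK = ip_network("10.0.0.0/8")  # constructed "inside the perimeter" range


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    source_ip: str
    device_managed: bool
    device_patched: bool
    mfa_verified: bool
    resource: str
    action: str


def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything originating inside the corporate network is trusted,
    and nothing about the user, device or requested privilege is examined."""
    return ip_address(req.source_ip) in CORPORATE_NETWORK


def zero_trust_decision(req: Request) -> tuple[bool, list[str]]:
    """Per-request decision that never consults source location.
    Returns (allowed, reasons); reasons is empty when access is granted."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not verified with MFA")
    if not (req.device_managed and req.device_patched):
        reasons.append("device posture non-compliant")
    segment = RESOURCE_SEGMENT.get(req.resource)
    if segment is None or req.role not in SEGMENT_ALLOWLIST.get(segment, set()):
        reasons.append(f"role {req.role!r} may not reach segment {segment!r}")
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append(f"least privilege: {req.role!r} lacks {req.action!r} on {req.resource!r}")
    return (not reasons, reasons)


# Constructed sample requests covering the cases the text describes.
SAMPLE_REQUESTS = {
    # Attacker on a foothold host inside the network, no MFA, unmanaged device,
    # asking for a privilege the stolen role was never granted.
    "internal-foothold": Request("mallory", "finance-analyst", "10.20.30.40",
                                 False, False, False, "ledger-db", "admin"),
    # Legitimate analyst working remotely from a managed, patched laptop with MFA.
    "remote-analyst": Request("alice", "finance-analyst", "198.51.100.7",
                              True, True, True, "ledger-db", "read"),
    # Same analyst over-reaching: write is not part of the role.
    "analyst-write": Request("alice", "finance-analyst", "198.51.100.7",
                             True, True, True, "ledger-db", "write"),
    # Same analyst, on the corporate network, trying to cross into the HR segment.
    "wrong-segment": Request("alice", "finance-analyst", "10.1.1.1",
                             True, True, True, "hr-db", "read"),
}


def compare(req: Request) -> dict:
    """Evaluate one request under both models for side-by-side display."""
    allowed, reasons = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": allowed, "reasons": reasons}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, compare(req))
```

The foothold case is the one the article warns about: the perimeter model allows it outright because the source address is internal, while the zero-trust policy denies it three times over. The remote analyst is the inverse: blocked by the perimeter model for being off-network, permitted by zero trust because identity, device and privilege all check out.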
How a Zero Trust Architecture Can Mitigate Threats
We covered the shortcomings of traditional network security approaches vs. a zero trust architecture. What are some other advantages of implementing zero trust architecture in today’s threat landscape?
- Improved threat detection and rapid incident response: Continuous monitoring and automated responses can quarantine compromised systems or restrict user access, minimizing the time attackers have to reach sensitive data.
- Addressing insider threats: By restricting even authorized users to the minimum necessary privileges, enterprises can head off accidental or intentional data breaches by employees or other trusted entities.
- Reduced attack surface and lateral movement: Micro-segmentation limits lateral movement. Even if an attacker gains access to part of the network, containment limits the damage they can do by moving laterally.
- Vendor risk management: Enterprises can extend zero trust principles to third-party vendor access, ensuring that even external entities are subject to the same stringent controls as internal users.
- Regulatory and compliance standards: For industries with stringent regulatory requirements regarding sensitive data, zero trust helps with compliance by enforcing controls many regulations already call for, such as strict access controls, audit trails, and continuous monitoring. Many regulations also mandate multifactor authentication and encryption, both of which ZTA frameworks help to implement.
How to Begin Implementing A Zero Trust Architecture
Zero trust is a journey rather than a single project: each step brings the environment closer to zero trust, and on that journey you’ll likely visit and revisit the following steps numerous times:
Step 1: Assess Current Security Measures
This step often includes creating an inventory of all IT assets; identifying and classifying sensitive data; assessing access controls to find access that is overly permissive and should be restricted; evaluating network segmentation; and reviewing authentication measures.
Step 2: Define Zero Trust Principles
To execute on the core principles, ensure users and systems have the minimum access necessary to perform their tasks, isolate network access with micro-segmentation, run continuous monitoring, require MFA, and apply encryption and tokenization to protect data in transit and at rest.
Step 3: Design and Plan Implementation
To design a custom ZTA, start with a roadmap, segment the network and apply access controls to each segment, and isolate critical assets into their own segments. Deploy IAM solutions to centralize user authentication and authorization, and integrate security tools for continuous monitoring, threat detection, and incident response. Implement automation to respond swiftly to security incidents.
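The assessment in Step 1 (inventory, data classification, finding overly permissive access, reviewing authentication) is the part most teams end up scripting, because it feeds the least-privilege and MFA work in Steps 2 and 3. The following is an added example written for this article, not Pure Storage tooling; the entitlement inventory, data classifications, MFA roster and access-log lines are all constructed. It compares what each principal is granted against what it actually exercised in the log window and ranks the findings by the classification of the data involved.

```python
"""Step 1 assessment helper: flag over-permissioned principals from an entitlement
inventory and an access log (added example; all data below is constructed)."""
from collections import defaultdict

# Constructed entitlement inventory: principal -> granted (resource, action) pairs.
# "*" as an action is a wildcard grant.
ENTITLEMENTS = {
    "alice": {("ledger-db", "read")},
    "bob": {("ledger-db", "read"), ("ledger-db", "write"), ("hr-db", "*")},
    "svc-backup": {("ledger-db", "read"), ("hr-db", "read"), ("wiki", "read")},
}
# Constructed data classification from the inventory step.
CLASSIFICATION = {"ledger-db": "restricted", "hr-db": "restricted", "wiki": "internal"}
# Constructed set of principals for which MFA is enforced.
MFA_ENFORCED = {"alice", "bob"}

# Constructed access log for the review window: "<timestamp> <principal> <resource> <action>"
ACCESS_LOG = """\
2024-03-01T08:02:11Z alice ledger-db read
2024-03-01T09:15:42Z bob ledger-db read
2024-03-02T10:00:05Z svc-backup ledger-db read
2024-03-02T10:00:09Z svc-backup hr-db read
2024-03-03T11:20:00Z alice ledger-db read
"""


def parse_log(text: str) -> dict:
    """Return principal -> set of (resource, action) pairs actually exercised."""
    used = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, principal, resource, action = line.split()
        used[principal].add((resource, action))
    return used


def assess(entitlements: dict, used: dict, classification: dict, mfa_enforced: set) -> list:
    """Produce (severity, principal, resource, action, note) findings, highest severity first.

    Three checks: wildcard grants, grants never exercised in the window, and
    principals that can reach restricted data without MFA enforcement."""
    findings = []
    for principal, grants in entitlements.items():
        for resource, action in sorted(grants):
            severity = "high" if classification.get(resource) == "restricted" else "low"
            if action == "*":
                findings.append((severity, principal, resource, action,
                                 "wildcard grant; scope to the specific actions needed"))
                continue
            if (resource, action) not in used.get(principal, set()):
                findings.append((severity, principal, resource, action,
                                 "granted but unused in window; candidate for removal"))
        touches_restricted = any(classification.get(r) == "restricted" for r, _ in grants)
        if touches_restricted and principal not in mfa_enforced:
            findings.append(("high", principal, "*", "*",
                             "reaches restricted data without MFA enforcement"))
    order = {"high": 0, "low": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2], f[3]))


def run_assessment() -> list:
    """Run the review over the constructed inventory and log."""
    return assess(ENTITLEMENTS, parse_log(ACCESS_LOG), CLASSIFICATION, MFA_ENFORCED)


if __name__ == "__main__":
    for severity, principal, resource, action, note in run_assessment():
        print(f"[{severity}] {principal}: {resource}/{action}: {note}")
```

On the constructed data this yields four findings: bob’s wildcard on hr-db and his never-used write on ledger-db, the backup service account reaching restricted databases without MFA, and a low-severity unused read on the internal wiki. A real run would use a longer window and the organization’s own classification scheme, but the shape of the review is the same: grant minus usage, weighted by data sensitivity.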
Is Zero Trust Architecture the Answer to Modern Threats?
Yes and no. Enterprises absolutely must evolve constantly to stay ahead of threats. Zero trust is an important shift in cybersecurity strategy and an essential component for safeguarding sensitive data in today’s digital landscape.
Most importantly, it’s a data-centric strategy, something every policy should be in an era where data is so valuable and at such high risk. At Pure Storage, data protection is built into the platform via ActiveDR™, ActiveCluster™, and SafeMode™ Snapshot capabilities. By adopting zero trust principles and a resiliency architecture with Pure Storage, your organization can significantly enhance its security posture and protect sensitive data from the effects of cyberthreats.
Learn more: What is a data resiliency architecture and how do you build one?