What Is Zero Trust Security?



Whether “zero trust security”, “zero trust framework”, “zero trust network” or “zero trust security model”, the fundamentals are the same:

  • The network is assumed to be hostile
  • Threats, both internal and external, are assumed to exist on the network
  • The location of the user or resource, whether “inside” or “outside” the network, is not considered when assuming trust
  • Every device, user, and session is authenticated and authorized
  • Policies govern access to any application or resource

Traditional network architectures place layers of security, such as a DMZ, between the internet and resources, and in today's computing landscape of digital transformation that can be dangerous. A zero trust architecture seeks to minimize access to applications while continuously authenticating and authorizing users and devices. This raises the security profile of an organization by significantly reducing the possibility of data breaches and by restricting lateral movement should an unauthorized user gain access.

 

What Is Zero Trust Architecture?

Similarly, the term “zero trust architecture” refers to a framework or model that regards the network itself as intrinsically hostile and seeks to authenticate and authorize all users prior to establishing sessions.  Whether “zero trust architecture” or “zero trust framework”, the end result is the same – a much more secure network than the traditional perimeter-based network of today.

 

What Is The History Of Zero Trust Security? 

Zero Trust is a term popularized by John Kindervag, then of the analyst firm Forrester Research, but coined earlier by Stephen Marsh in a doctoral thesis at the University of Stirling, Scotland, in 1994. In 2007, the Jericho Forum, an international security group concerned with increasingly complex network security, published its "commandments", which advocated many zero trust topics.

 

Then, Google advocated and subsequently implemented BeyondCorp, publishing several papers outlining zero trust principles in 2014.  The term got additional boosts in 2017 with the publication of “Zero Trust Networks”, a book by Evan Gilman and Doug Barth, and in 2019 when Gartner published its Market Guide for Zero Trust Network Access.  

 

Zero Trust and NIST 800-207

In August 2020, the US-based National Institute of Standards and Technology (NIST) published SP 800-207, "Zero Trust Architecture", which offers recommendations and deployment guidelines for planning enterprise and IoT networks. Typically, NIST restricts its advocacy for technologies to federal departments, but 800-207 applies to organizations of all types.

 

Zentry Trusted Access has all of the key zero trust tenets that NIST recommends built-in, including MFA, SSO, end-to-end encryption, policy-based governance, and many more. 

 

How Zero Trust Works

It’s important to note that virtually every organization has some level of zero trust already deployed, likely MFA, identity platforms or integrations, SSO, or encryption at some level.  And it is entirely possible to deploy zero trust systems, like Zentry Trusted Access, alongside existing infrastructure.  The important part is identifying users, their patterns and workflows, and the resources they need access to.

 

Naturally, deploying a zero trust solution in a greenfield environment is easiest. Identifying users, the resources they need access to, and the policies that will govern access can be quickly determined and implemented. However, in virtually all organizations that have an existing traditional infrastructure, this may only be a viable approach for specific workgroups.

 

Most deployments must be integrated into existing environments which will include perimeter-based security technologies.  However, the implementation process is similar – identify workflows, assets, and users and then identify policies to govern access to the resources you’ve identified.  Often, a good first step is to identify cloud resources and enable access for a group of specific users.  Gradually, as both the IT department and users become accustomed to this new workflow, you can expand usage more widely.

 

The Foundations Of Zero Trust 

Zero trust consists of several concepts and tenets: 

  • Every user and the devices they use to access the network are authenticated and authorized to access resources before session establishment
  • All sessions are established to specific applications and resources, unlike traditional VPNs which allow access to entire networks
  • All sessions are encrypted end-to-end keeping data-in-motion secure
  • All sessions are governed by centrally applied policies, and all policies follow users regardless of their location
  • Should certain parameters of a session change, such as location or device type, that session will require re-authentication and re-authorization before being reestablished

Zentry Trusted Access is built from the ground up with these tenets in mind to ensure that your organization has secure remote access capabilities from Day 1.

 

Is Zero Trust Widely Accepted? 

Zero trust concepts and frameworks have gained significant interest among organizations of all types because perimeter-based networks can no longer defend against modern threats or prevent data loss and leakage.  Traditional VPNs were designed many years ago for a simpler threat landscape.  They offer broad, network-level access to users with implicit trust.

 

Zero trust solutions like Zentry Trusted Access are simple to deploy and use. IT departments use Zentry's natural language policies to govern access, and users simply point their browser to a curated list of resources that have been identified. That's it. ZTA is far simpler to manage and use than traditional IT infrastructure, and it's far more secure.

 

Why Adopt A Zero Trust Security Model? 

Zero trust offers significant benefits over traditional architectures including simplicity and ease of use.  Zero trust solutions like ZTA are simpler for users – there are no complex clients to manage or maintain, and they simply point their browser at the resource and go.

 

ZTA solutions are also far more secure than traditional perimeter-based solutions like VPNs.  All users are authenticated and authorized before a connection is established, preventing unauthorized users from penetrating your network.  Moreover, since access is granted only for specific applications – and those are hidden from discovery – lateral movement is virtually impossible should an unauthorized user gain access.  And since data-in-motion is encrypted end-to-end, data loss and leakage is significantly reduced.

 

Zero Trust Security Benefits 

Over and above the benefits listed above, zero trust solutions like Zentry Trusted Access offer businesses the following: 

  • Better security over traditional perimeter-based architectures:

    • Full authentication and authorization of users and their devices before a session is established

    • All sessions are fully encrypted end-to-end keeping data in motion secure

    • All sessions are governed by centrally deployed policies that follow users regardless of their location

  • Better visibility than traditional layered security architectures:

    • All activity is logged and can be imported into SIEM systems to gain insights into user and application behavior

    • User location is logged to enable anomaly detection should a user’s device be misplaced or stolen and used by threat actors

  • Better performance than traditional architectures

    • VPNs can “hairpin” traffic through a corporate data center when users are accessing cloud resources, adding delay and latency to the connection

  • Better ease of use than VPNs

    • No complex clients to manage, maintain, or support by the IT department

    • User experiences are streamlined – they just point their browser at a curated list of applications and resources and go!

  • Better cost optimization than traditional perimeter-based architectures

    • Because zero trust systems are cloud deployed, costs can be optimized through OpEx rather than CapEx budgets

    • Organizations can “pay as you grow” instead of having to manage complex licensing arrays typical of traditional infrastructure
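The visibility benefit above (session activity and user location logged for SIEM review and anomaly detection) can be made concrete with a small detector. The following is an added example, not Zentry code: it parses constructed session log lines in an assumed key=value format, raises an alert the first time a user appears on a device other than their baseline one, and flags "impossible travel" when two sessions by the same user are too far apart for the elapsed time, which is one signal that a device has been misplaced or stolen and is being used by someone else.

```python
"""Anomaly detection over zero trust session logs (example code, not a product's).
Flags (1) a user appearing on a device not seen before for that user and
(2) "impossible travel": consecutive sessions whose implied speed exceeds
what a commercial flight could manage. The log format is constructed."""
import math
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample log lines; the key=value layout is an assumption.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z user=alice device=laptop-01 app=payroll lat=51.50 lon=-0.12 result=allow
2024-03-01T08:30:00Z user=alice device=laptop-01 app=wiki lat=51.51 lon=-0.13 result=allow
2024-03-01T09:05:00Z user=alice device=phone-77 app=payroll lat=40.71 lon=-74.01 result=allow
2024-03-01T09:10:00Z user=bob device=laptop-02 app=wiki lat=48.85 lon=2.35 result=allow
2024-03-01T10:00:00Z user=bob device=laptop-02 app=payroll lat=48.86 lon=2.34 result=deny
"""

MAX_SPEED_KMH = 900.0  # anything faster than an airliner is treated as impossible


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a datetime and float coordinates."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for f in fields:
        key, value = f.split("=", 1)
        rec[key] = value
    rec["lat"] = float(rec["lat"])
    rec["lon"] = float(rec["lon"])
    return rec


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def detect_anomalies(log_text: str) -> List[str]:
    """Scan log lines in order and return a list of human-readable alerts."""
    alerts: List[str] = []
    last_seen: Dict[str, dict] = {}          # user -> most recent record
    known_devices: Dict[str, Set[str]] = {}  # user -> devices seen so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec["user"]
        devices = known_devices.setdefault(user, set())
        if rec["device"] not in devices:
            # The first device a user logs in from is the baseline, not an alert.
            if devices:
                alerts.append(
                    f"new-device user={user} device={rec['device']} at {rec['ts'].isoformat()}"
                )
            devices.add(rec["device"])
        prev = last_seen.get(user)
        if prev is not None:
            hours = (rec["ts"] - prev["ts"]).total_seconds() / 3600.0
            km = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append(f"impossible-travel user={user} {km:.0f}km in {hours:.2f}h")
        last_seen[user] = rec
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

In the constructed sample, alice moves from London to New York in 35 minutes on a device she has never used before, so both alerts fire; bob's two Paris sessions are a few kilometres apart and stay quiet. In a SIEM the same two rules would typically be expressed as correlation searches over the exported session events rather than as Python.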

 

What Technology Does Zero Trust Technology Replace? 

Zero trust can both enhance and replace existing perimeter-based architectures given its use of user authentication and authorization, end-to-end encryption, and policy-based governance.  Traditional security architectures have numerous weaknesses:

 

  • VPNs allow network-level access to resources.  Even trusted users are allowed to traverse networks laterally, enabling them to “nose around” and discover applications and resources they are not necessarily allowed to use.
  • Contractors, third parties, and partners can be difficult to set up using VPNs.  Zero trust solutions like Zentry enable rapid, secure collaboration and enhanced productivity for users and stakeholders “outside” your network.
  • Generic VPNs do little device checking for security.  Zero trust solutions query devices for browser versions and other OS parameters to ensure that they’re up to date before establishing a session.
  • VPNs can suffer in performance, especially when coupled with firewalls.  VPNs were designed for a limited number of trusted workers to access resources located in a corporate-owned data center.  Enabling widespread collaboration and productivity is much simpler with zero trust solutions like Zentry Trusted Access.
  • VPN connections can be slow and suffer scalability issues when numerous users are loading the system.
  • Configuring virtual machines that host VPNs adds to the overall burden that IT departments suffer.  Zentry Trusted Access simplifies the approach and only requires lightweight resource connectors for rapid application and resource access. 

 

Zero Trust Use Cases 

Typical use cases for zero trust network access include the following scenarios:

  • Enterprises with remote or branch offices where workers need access to resources located in a corporate data center or cloud

  • Organizations leveraging multiple public cloud providers

  • Enabling contractors, 3rd parties, and partners to access enterprise resources

  • Collaborating across organizations where data and information must be accessed across mutual networks

  • Mergers and acquisitions where organizations need to quickly share information without the delays associated with tying traditional network architectures together

  • “Comply to connect” networks where personal and non-corporate devices may be connecting to sensitive resources

  • Rapid cloud migration – zero trust systems like Zentry Trusted Access are far easier to rapidly deploy and enable user connectivity and productivity than traditional architectures like VPNs

 

What Is Zero Trust Network Access (ZTNA)? 

Zero Trust Network Access (ZTNA) is a software-based zero trust architecture focused on enabling trusted access to individual applications, not entire networks.  This makes it much more granular than a VPN.  Zentry Trusted Access can enable secure connectivity to applications in the cloud and data center.  It's a perfect solution for enabling productivity and collaboration for modern workforces comprised of employees, contractors, and third parties.

 

ZTNA solutions are more secure than traditional perimeter-based architectures through their use of MFA, SSO, encryption, and policy-based governance.  All application and resource requests are authenticated and authorized before a session is established.  Access is granted on a “least-privileged” basis only to specific applications, not entire networks like traditional systems such as VPNs enable.  All activity is logged for increased visibility and management, and most importantly, user experiences are streamlined and simplified – users just grab their browser and quickly access the applications they’re entitled to, nothing more.

 

Stages of Implementing Zero Trust

Implementing zero trust can be viewed in terms of stages:

 

  1. First, identify workflows.

    1. What applications and resources need to be accessed?

  2. Next, identify and inventory users who will need access to those applications.

    1. The great thing about zero trust solutions like Zentry Trusted Access is that these users can be a mixture of employees, contractors, and third parties.  Trust is never granted outright and all users are authenticated and authorized prior to establishing any session.

  3. Then, identify and define policies that will govern access.

    1. Do you want to limit access to specific times of day or based on locations?

    2. Do you want to restrict access to specific types of devices, such as corporate-owned devices?

    3. You can also enable access to both individuals and groups of users, such as enabling the entire engineering team to one or more applications.

  4. And last, roll it out!

    1. You can deploy it for small workgroups initially, but Zentry Trusted Access will show benefits within a few hours.  Unlike traditional systems that may take days or weeks, you can be up and running with small or even large teams within a single day.

    2. Zentry Trusted Access does not require a complex client for users.  They simply point their browser to applications that have been curated by IT.
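The tenets listed under "The Foundations Of Zero Trust" and the policy questions in stage 3 above (time of day, location, device type, individual or group entitlements) describe a per-application policy decision point with a default of deny and a re-authentication requirement when a session's device or location changes. The following is an added example of such a decision engine, not Zentry's implementation: the policy fields, the `Request` shape, and the sample policies are all constructed for illustration.

```python
"""Policy-based access decisions for a zero trust broker (example code, not Zentry's).
Every request names one application; there is no network-level grant. A request
must pass authentication (mfa_ok), group membership, device type, location and
time-window checks, otherwise the answer is deny. An established session is
re-evaluated when its device or location changes and then requires re-auth."""
from dataclasses import dataclass, field
from datetime import time
from typing import Dict, Optional, Set


@dataclass
class Policy:
    app: str
    groups: Set[str]                                   # who may reach the app
    device_types: Set[str] = field(default_factory=lambda: {"corporate"})
    countries: Optional[Set[str]] = None               # None means any location
    start: time = time(0, 0)                           # allowed window, inclusive
    end: time = time(23, 59)


@dataclass
class Request:
    user: str
    groups: Set[str]
    device_type: str      # "corporate" or "byod" (assumed vocabulary)
    country: str          # ISO country code of the client, as seen by the broker
    at: time              # local time of the request
    app: str
    mfa_ok: bool = True   # authentication result already supplied by the IdP


def evaluate(policies: Dict[str, Policy], req: Request) -> str:
    """Return 'allow' or 'deny' for one application request; unknown app => deny."""
    pol = policies.get(req.app)
    if pol is None or not req.mfa_ok:
        return "deny"
    if not (req.groups & pol.groups):              # entitlement by group or user
        return "deny"
    if req.device_type not in pol.device_types:    # e.g. corporate-owned only
        return "deny"
    if pol.countries is not None and req.country not in pol.countries:
        return "deny"
    if not (pol.start <= req.at <= pol.end):       # time-of-day window
        return "deny"
    return "allow"


@dataclass
class Session:
    req: Request
    state: str = "active"


def revalidate(policies: Dict[str, Policy], session: Session,
               new_device_type: str, new_country: str) -> str:
    """Re-check an established session. A changed device or location means the
    session must be re-authenticated and re-authorized before it is reestablished;
    otherwise the original policy is simply re-evaluated (it may have changed)."""
    if new_device_type != session.req.device_type or new_country != session.req.country:
        session.state = "reauth-required"
    else:
        session.state = "active" if evaluate(policies, session.req) == "allow" else "terminated"
    return session.state


# Constructed sample policies: payroll is tightly scoped, the wiki is broadly shared.
POLICIES: Dict[str, Policy] = {
    "payroll": Policy(app="payroll", groups={"finance"}, countries={"GB"},
                      start=time(8, 0), end=time(18, 0)),
    "wiki": Policy(app="wiki", groups={"engineering", "finance", "contractors"},
                   device_types={"corporate", "byod"}),
}


if __name__ == "__main__":
    alice = Request("alice", {"finance"}, "corporate", "GB", time(9, 0), "payroll")
    print("alice payroll:", evaluate(POLICIES, alice))                         # allow
    sess = Session(alice)
    print("after location change:", revalidate(POLICIES, sess, "corporate", "US"))
```

Two design points are worth noting. The engine never answers for "the network"; a request for an application that has no policy is denied, which is what removes the lateral movement a VPN's network-level grant allows. And `revalidate` does not silently re-authorize on a device or location change; it only records that re-authentication is required, leaving the actual re-auth to the identity provider.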

 

What are the common challenges to adopting a zero trust network security Model?

  • The most common challenges to adopting a zero trust model include:

    • Zero trust is not an overnight strategy; there are many parts to it

    • Lack of clarity or knowledge on how to implement it

    • Knowing where to start

    • IT teams getting buy-in from management

    • Cost and anticipated cost

Common challenges in adopting a zero trust solution like Zentry are typically rooted in education (“how is this different from our existing VPN?” and “how does zero trust work?”) and understanding of implementation.  You’ve already learned a great deal about how zero trust systems work by reading this far.  And the good news is that zero trust solutions like Zentry can be deployed alongside existing infrastructure for increased security and productivity.  At Zentry, we even have a free trial that you can test drive in a matter of a few hours to see how quickly it can deliver value for your organization.

 

Is Zero Trust a long term security solution? 

Zero trust solutions like Zentry will be around for many years, ensuring your investment protection.  They promise to be a replacement for older-generation secure access technologies like VPNs.  In fact, Gartner predicts that solutions like Zentry will be used for more than 60% of deployments in support of contractors and third parties in modern workforces beginning in 2022.  

 

The security landscape has drastically changed since VPNs were designed – the time has come for a new architecture that can significantly increase your security profile while streamlining and simplifying secure access.

 

What are the key questions to ask when considering a Zero Trust provider?

When considering zero trust solutions, it’s important to ask a few questions to get a sense of how the solution will fit with your organization.  Here are some potential questions to ask:
 

  • Does the solution require a client?

    • Many solutions, like Zentry, do not.  They only require an HTML5 browser.  That makes it easier for workers to be productive.

  • What clouds does your system support?

    • Supporting public clouds like AWS, Azure, and Google is key.

  • What end devices are supported?

    • Some vendors only support laptops and desktop systems.  Vendors who support smart phones, like Zentry, add flexibility so remote workers and “road warriors” can work using their device of choice.

  • How are applications connected and enabled?

    • Lightweight "resource connectors" that are quickly deployed are far easier and often more scalable than complex architectures that may require deeper configuration.

  • How fast can I get up and running?

    • Cloud-deployed systems like Zentry only take an hour or two to demonstrate value.  If a vendor responds with longer duration cycles, that may be a red flag.

  • How does your system integrate with my existing infrastructure?

    • Logging is critical in today’s environment.  Make sure that the system can integrate with your SIEM tool.

 

How To Get Started With Zero Trust With Zentry 

Zentry Security makes it easy to get started.  We have a free trial for 5 users where you can test drive Zentry Trusted Access and see how quickly it can deliver value.  We also have Professional and Enterprise editions with added features like SSO, MFA, and anomaly detection available.  Check out our pricing today for more information.

 

We also have numerous materials to get you further up to speed on zero trust.  Take two minutes and check out our “Why Zentry Trusted Access?” blog here.  Or read our Buyer’s Guide on how Zentry offers key zero trust features like MFA here.
