Zero trust changes the way users, devices, and services are treated. Rather than inheriting trust from the network, device, or user they sit behind, every element has its identity and integrity verified continuously.
This rests on three pillars, each covered in turn below: identity, segmentation, and continuous monitoring.
This article summarizes which pieces of network architecture need to change to achieve zero trust, and briefly outlines a few tools in each area.
Zero trust requires flexible access to applications, systems, and data without sacrificing security, for users and for the resources they need to do their jobs. To meet that bar, each user and device needs to prove who or what it is, show that it is in a trustworthy state, and receive only the access it actually needs, and it needs to do so on every request rather than once at login.
Measured against that, the username and password combination a typical VPN relies on falls well short.
One option is to raise the bar at authentication time. Tools in this category are easy to adopt because they sit on top of your current approach. Take multi-factor authentication (MFA). By demanding two or more factors (something the user knows, has, or is), an organization gains far more confidence that a remote user is who they claim to be, and a stolen password alone no longer opens the door. Most MFA tools slot straight into the authentication flow you already have.
Note, however, that MFA alone does not cover the other two components of zero trust identity management: you still need visibility into what each user does once they are in, and you still need to keep their access limited to the minimum they require.
Much of the foundation for this comes from identity and access management (IAM) systems. With so many business applications SaaS-based and remotely accessed, it is impractical for IT teams to manage individual access rights application by application. An IAM system instead gives IT a single platform through which to manage access rights across a large user population.
It is within these identity platforms, Okta and ManageEngine's among them, that role-based access control (RBAC) has become the prevailing model: users are assigned roles, and permissions attach to the role rather than to the individual (more on that in a moment).
For now, understand that by bringing all access and trust policies into one system, IAM gives IT a centralized and, perhaps most importantly, scalable way to onboard, manage, and offboard identities. It is also where you first get to see who is accessing what, another step toward zero trust IAM.
Segmentation is the IT version of not keeping all your eggs in one basket. Traditionally it was achieved with perimeter firewalls, and the emphasis was placed on the resource rather than on who was asking for it.
For each group of resources, a hardware firewall checked the user against an RBAC allowlist before granting access. Many VPNs still work this way. It works well, until it doesn't: stolen credentials give an attacker a direct, no-fuss route in, because the check is on the credential rather than on the person or device behind it, and placing every individual resource in its own safe zone quickly became unscalable.
This gave attackers a playbook that persists today: get in through an unrelated, less-protected app or resource, then move laterally to the real target.
That inherent weakness has since snowballed into full-blown supply chain attacks.
Instead of static access policies, the zero trust movement shifted its focus to the data itself. Identity-only tools began to show their limits: to see the data that needed protecting, security teams needed a view of the whole network, not just of user login groups.
And so the zero trust network access (ZTNA) tool took shape.
Rather than assuming that authenticated users, devices, and workloads are inherently safe, ZTNA takes a different view of privilege: it is granted only if the device, user, or workload is assessed to be in a trustworthy state, and only for as long as that remains true. This is the basis of just-in-time (JIT) access, a term you may have seen bandied about: access is issued on demand, scoped to the task, and time-bounded, rather than standing open. It also leads to the final pillar of zero trust tooling: continuous monitoring.
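To make the conditional, time-bounded model concrete, here is an added example (not code from the article or from any vendor's product) of a minimal ZTNA policy broker in Python. The resource names, the policy table, the posture fields and the TTLs are assumptions chosen for illustration. It also shows the point made above about stolen credentials and static allowlists: a correct password without MFA and a healthy, managed device gets nothing, and a grant that was valid at issue is revoked the moment the device's posture slips or the TTL runs out.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class DevicePosture:
    """Signals an endpoint agent or MDM would report; fields are assumptions."""
    managed: bool
    disk_encrypted: bool
    os_patched: bool
    edr_healthy: bool


@dataclass
class AccessRequest:
    user: str
    roles: Set[str]
    mfa_verified: bool
    posture: DevicePosture
    resource: str


@dataclass
class Policy:
    allowed_roles: Set[str]
    require_mfa: bool
    require_managed_device: bool
    ttl_seconds: int


# Constructed policy table for two hypothetical internal resources.
POLICIES: Dict[str, Policy] = {
    "payroll-db": Policy({"finance"}, True, True, 900),
    "wiki": Policy({"staff", "contractor"}, True, False, 3600),
}


@dataclass
class Grant:
    user: str
    resource: str
    issued_at: float
    expires_at: float
    posture_at_issue: DevicePosture


def posture_acceptable(policy: Policy, posture: DevicePosture) -> bool:
    """Baseline health for everything; managed-only resources add more conditions."""
    baseline = posture.os_patched and posture.edr_healthy
    if policy.require_managed_device:
        return baseline and posture.managed and posture.disk_encrypted
    return baseline


def evaluate(req: AccessRequest) -> Optional[str]:
    """Return a denial reason, or None when every condition holds. Unknown resources deny."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return "unknown resource: default deny"
    if not req.roles & policy.allowed_roles:
        return "role not permitted"
    if policy.require_mfa and not req.mfa_verified:
        return "mfa required"
    if not posture_acceptable(policy, req.posture):
        return "device posture below policy"
    return None


class ZtnaBroker:
    def __init__(self) -> None:
        self.grants: Dict[Tuple[str, str], Grant] = {}

    def request_access(self, req: AccessRequest, now: float) -> Optional[Grant]:
        """Just-in-time grant: issued only on a passing evaluation, bounded by the policy TTL."""
        if evaluate(req) is not None:
            return None
        ttl = POLICIES[req.resource].ttl_seconds
        grant = Grant(req.user, req.resource, now, now + ttl, req.posture)
        self.grants[(req.user, req.resource)] = grant
        return grant

    def check(self, req: AccessRequest, now: float) -> bool:
        """Re-run on every use: the grant survives only while the original conditions still hold."""
        key = (req.user, req.resource)
        grant = self.grants.get(key)
        if grant is None:
            return False
        if now >= grant.expires_at or evaluate(req) is not None:
            del self.grants[key]  # revoke outright rather than merely deny this one call
            return False
        return True


if __name__ == "__main__":
    healthy = DevicePosture(managed=True, disk_encrypted=True, os_patched=True, edr_healthy=True)
    broker = ZtnaBroker()
    alice = AccessRequest("alice", {"finance", "staff"}, True, healthy, "payroll-db")
    print(broker.request_access(alice, now=1000.0) is not None)  # True
    # Same credentials, but the device's disk encryption is reported off mid-session.
    slipped = AccessRequest("alice", {"finance", "staff"}, True,
                            DevicePosture(True, False, True, True), "payroll-db")
    print(broker.check(slipped, now=1500.0))  # False, and the grant is gone
```

The important design choice is in `check`: the broker does not trust that a session which was good ten minutes ago is still good. Every use re-evaluates the full request, and a failed re-evaluation removes the grant rather than just returning a denial, which is what "issued only for as long as this stays true" means in practice.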
Because zero trust strips almost all inherited trust out of your network, every access request, transaction, and interaction has to be assessed continuously. Whether a user is merging PDF files or adding rows to a database, every action needs verification and validation.
Any decent ZTNA solution should offer a degree of this natively. Alongside assessing the security posture of a device or workload, it should let that assessment change how traffic flows between users and apps, for example by narrowing or dropping a session when a device falls out of compliance.
How much data goes into each access decision is largely a function of your organization's size and budget.
The higher the resolution of each picture of an access request, though, the better, and that takes more data points. This is why integration with other security tooling is a must: a SIEM (security information and event management) platform, for instance, correlates application and network events that the ZTNA broker does not see on its own, such as a login from an unexpected location or a burst of failed MFA attempts, and that risk can be fed back into access decisions.
It is for this reason that the best ZTNA tools are part of a secure access service edge (SASE) architecture.
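As an added example (not code from the article or from any SIEM or ZTNA product), here is detection logic run over a few constructed SIEM-style log lines that derives per-user risk signals a ZTNA broker could consume at its next evaluation. The event format, the field names, the thresholds and the two signals (impossible travel between successful logins, and a burst of MFA failures) are assumptions chosen for illustration; the IP addresses are from the RFC 5737 documentation ranges.

```python
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed SIEM-style events (JSON lines); not taken from any real system.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T09:00:00+00:00", "user": "alice", "event": "login", "result": "success", "country": "GB", "ip": "203.0.113.10"}
{"ts": "2024-05-01T09:20:00+00:00", "user": "alice", "event": "login", "result": "success", "country": "BR", "ip": "198.51.100.7"}
{"ts": "2024-05-01T09:21:00+00:00", "user": "bob", "event": "mfa", "result": "fail", "ip": "192.0.2.5"}
{"ts": "2024-05-01T09:21:20+00:00", "user": "bob", "event": "mfa", "result": "fail", "ip": "192.0.2.5"}
{"ts": "2024-05-01T09:21:40+00:00", "user": "bob", "event": "mfa", "result": "fail", "ip": "192.0.2.5"}
{"ts": "2024-05-01T09:22:00+00:00", "user": "bob", "event": "mfa", "result": "fail", "ip": "192.0.2.5"}
{"ts": "2024-05-01T09:22:20+00:00", "user": "bob", "event": "mfa", "result": "fail", "ip": "192.0.2.5"}
{"ts": "2024-05-01T09:30:00+00:00", "user": "carol", "event": "login", "result": "success", "country": "GB", "ip": "203.0.113.11"}
{"ts": "2024-05-01T15:30:00+00:00", "user": "carol", "event": "login", "result": "success", "country": "DE", "ip": "203.0.113.12"}
"""


def parse_events(text: str) -> List[dict]:
    """One JSON object per line; timestamps become timezone-aware datetimes, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def risk_signals(events: List[dict], travel_window_s: int = 3600,
                 mfa_fail_threshold: int = 5, mfa_fail_window_s: int = 300) -> Dict[str, List[str]]:
    """Per-user list of triggered signals; users with no signals are omitted."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    signals: Dict[str, List[str]] = {}
    for user, evs in by_user.items():
        found = []
        # Signal 1: two successful logins from different countries too close together.
        logins = [e for e in evs if e["event"] == "login" and e["result"] == "success"]
        for prev, cur in zip(logins, logins[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if prev.get("country") != cur.get("country") and gap <= travel_window_s:
                found.append("impossible_travel")
                break
        # Signal 2: N or more MFA failures inside a short window (push fatigue or code guessing).
        fails = [e["ts"] for e in evs if e["event"] == "mfa" and e["result"] == "fail"]
        for i in range(len(fails) - mfa_fail_threshold + 1):
            span = (fails[i + mfa_fail_threshold - 1] - fails[i]).total_seconds()
            if span <= mfa_fail_window_s:
                found.append("mfa_failure_burst")
                break
        if found:
            signals[user] = found
    return signals


def risk_level(user: str, signals: Dict[str, List[str]]) -> str:
    """Collapse the signals to the coarse level an access policy would key on."""
    s = signals.get(user, [])
    if "impossible_travel" in s:
        return "high"
    if "mfa_failure_burst" in s:
        return "medium"
    return "low"


if __name__ == "__main__":
    sig = risk_signals(parse_events(SAMPLE_EVENTS))
    for u in ("alice", "bob", "carol"):
        print(u, risk_level(u, sig), sig.get(u, []))
```

Neither signal is visible to a broker that only looks at the single request in front of it: impossible travel needs the previous login, and an MFA burst needs the failures that preceded the eventual success. That is the extra resolution the SIEM integration buys, and the resulting level is exactly the kind of input a posture-aware access decision should take alongside device health.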
By integrating with both your identity provider of choice and the security tooling that already drives your analytics, Perimeter 81 grants fast, secure access wherever your users are.
Do you have contractors who need their own, piecemeal access to internal resources?
Agentless access allows browser-based logins without exposing the corporate network, while still providing access analytics. Get in touch with Perimeter 81 and overhaul your approach to access without throwing your current architecture out with the bathwater.