Successful Zero Trust Architecture (ZTA) deployment requires a heterogenous approach including both security control and visibility components, argues this expert.
Zero Trust Architecture (ZTA) is a trendy term touted by cybersecurity vendors, but actually, there is no single ZTA solution.
The architecture is composed of numerous components that, when taken together, form a new paradigm for dealing with cybersecurity in an era where corporate enterprises are no longer confined to a well-defined and trustworthy perimeter. Refer here for a primer by the National Institute of Standards and Technology (NIST).
In earlier times, traditional enterprise IT defended a network perimeter in a limited number of places using technologies such as firewalls. This is now sometimes referred to as the ‘North-South’ perimeter. Recently, due to the global need for remote-working—and previously emerging trends in remote and cloud access—that well-defined security perimeter is evaporating.
While traditional perimeter firewalls are still important, they alone are not sufficient in distributed, dynamic and increasingly software defined infrastructure. Assets can no longer be trusted simply because of their location on the network.
A policy of No Implicit Trust
The concept of Zero Trust began in a response to trends such as Bring Your Own Device and where cloud assets are not located within an enterprise-owned boundary. ZTA moves defenses from static network-based perimeters to focus on users, assets and resources.
No implicit trust is granted to assets or user accounts based solely on their physical location or asset ownership. Rather, ZTA authentication and authorization are performed before a session for any enterprise resource, with the primary focus to protect resources (assets, services, workflow, accounts etc.), not network segments.
With ZTA, components are added to secure inside the perimeter (sometimes referred to as ‘East-West’ or Internal perimeter), or wherever application resources that need to be accessed, such as Cloud.
These components control access to resources and include:
- management of identity authentication authorization and privileges
- policy enforcement points (PEP)
- micro-segmentation and implicit trust zones
- software defined perimeters, and compliance
Control components such as micro-segmentation may be accomplished by placing purpose-built policy enforcement points, or specially configured hardware or software such as Next Generation Firewalls, to protect communication between Internal resources. To simplify, ZTA control components are responsible to control who get access to which resources, regardless of where the latter are located.
The visibility aspect in ZTA
In addition to controlling access, there are additional ZTA components related to validating security such as asset discovery, network traffic monitoring, threat feeds, and continuous diagnostics and mitigation.
The job of these visibility components is to validate that the ZTA controls secure access as expected. I refer to these aspects of ZTA collectively as Zero Trust Visibility. These visibility components tend to get less attention than their control component counterparts, but they are equally important.
For example, policy enforcement depends on knowing what resources to control. There will always be new and unknown assets that appear, whether malicious or not. Asset discovery mechanisms are needed to find out what needs to be secured in the first place. Detection and response of threats on all known and previously unknown assets is critical: techniques such as network traffic monitoring, threat feeds, logging and metadata analysis are key. Related capabilities such as decryption are also important. Another example is the need to continuously validate security controls between endpoints, to ensure that potential breaches are discovered.
Emerging techniques such as breach and attack simulation help safely enact virtual attacks between endpoints and report on which of these simulated attacks succeed and which fail. Based on these reports, ZTA control components (e.g., rules on software defined micro-segmentation, policy enforcement configuration, and identify and privilege authorization) can be adjusted.
We therefore see that ZTA is a broad paradigm with no “one size fits all” solution. To be successfully deployed requires a heterogenous approach including both security control and visibility components. Additional components such as breach and attack simulation and continuous validation help minimize risk and prepare an organization for security breaches.