George Wilkes, October 16, 2021
What is Zero Trust Security?
The Zero Trust security model has become increasingly popular for good reason. But what makes up Zero Trust security and how does it relate to Zero Trust architecture and Zero Trust Network Access (ZTNA)? Understanding not just the underpinning Zero Trust paradigm, but how to apply it in different ways across your IT and security strategies, will improve your organization’s overall security posture, operational efficiencies and user experience.
The status quo for cybersecurity isn’t working, because granting something or someone access to your systems without first knowing whether they can be trusted is antithetical to being secure. Organizations with global, hybrid workforces need a strategy that can scale with the range of serious threats they face, from nation-state intrusions to VPN hacks on major players such as Fortinet to ransomware attacks on healthcare systems. Enter Zero Trust security, a philosophy that’s sweeping the industry. In fact, the U.S. federal government has endorsed Zero Trust and issued an executive order mandating that federal agencies implement Zero Trust architecture.
But what exactly does it mean? The terminology gets used often and not always in the right way. The words “Zero Trust” could describe a methodology, a strategy to implement the principles of that methodology or a security tool, depending on the context. Gartner summarizes it nicely: “Zero trust is a misnomer; it does not mean ‘no trust’ but zero implicit trust and use of risk-appropriate, explicit trust.”
Let’s clear things up with a deeper look at Zero Trust security, how to apply it and the technology that enables it.
What is Zero Trust security?
At its core, Zero Trust is a paradigm that creates a new way of thinking about cybersecurity. It challenges the conventional idea of “trust but verify” and changes the rules for how an organization grants access: each user is surgically granted access to only the resources they need to do their job, not to the entire network. The National Institute of Standards and Technology (NIST) defines Zero Trust as “a set of guiding principles for workflow, system design and operations.”
Back in 2010, when the concept of Zero Trust was introduced by John Kindervag (a former principal analyst at Forrester), it was about eliminating the idea of a “trusted or untrusted network.” He argued that all packets should be treated as untrusted. It was visionary and truly ahead of its time.
Zero Trust focuses on five attack surfaces to protect an organization: people, workloads, networks, devices and data. To keep those attack surfaces safe, according to Zero Trust Security: An Enterprise Guide, co-authored by Jason Garbis, our Chief Product Officer, Zero Trust abides by three core principles:
- Ensure all resources are accessed securely, regardless of location
No exceptions are made for resources that may have been previously regarded as inherently secure. It requires a holistic approach for organizations that eliminates the silos and barriers that have historically existed between security tools and teams. Another requirement is to disregard whether a resource is on-premises. Every asset is subject to an enforced policy model that sees no geographic perimeters.
- Adopt a least privilege strategy and strictly enforce access control
If users are not authorized to access a given service, they must not even have the ability to connect to that service. There are far too many known, critical vulnerabilities that can be exploited remotely without authentication, bypassing something like a login page entirely. The ability to send network packets to a system is a privilege and must be managed as such. Least privilege in its simplest form means you can only see and connect to resources you’re entitled to and nothing else.
- Inspect and log all traffic
Networks are how distributed components connect and communicate with one another, and the final core principle requires the inspection and logging of network traffic. Zero Trust systems should broadly examine and log network traffic metadata but be more judicious in the inspection of network traffic content, due to its processing and storage costs. That logged traffic data should be enriched by the Zero Trust system with identity and device context to improve an organization’s ability to detect, alert, respond and support incident response.
What is Zero Trust architecture?
NIST defines Zero Trust architecture (ZTA) in Special Publication (SP) 800-207 as “an enterprise cybersecurity architecture that is based on Zero Trust principles and designed to prevent data breaches and limit internal lateral movement.”
Zero Trust architecture can be approached in multiple ways, including enhanced identity governance, logical microsegmentation and network-based segmentation. But at its core, ZTA applies Zero Trust principles across identity, credentials, access management, operations, endpoints, hosting environments and interconnecting infrastructure.
In fact, Appgate is participating in the Implementing a Zero Trust Architecture Project with the National Cybersecurity Center of Excellence (NCCoE) at NIST. The project’s goal is to develop practical, interoperable approaches to designing and building Zero Trust architectures that align with the tenets and principles of NIST SP 800-207. Example solutions will integrate commercial and open-source products that leverage cybersecurity standards and recommended practices to showcase Zero Trust architecture security features applied to enterprise IT use cases.
What is Zero Trust Network Access?
Zero Trust Network Access (ZTNA), also known as software-defined perimeter (SDP), applies Zero Trust principles to network security. ZTNA is rapidly becoming the enterprise standard of choice for secure access control as the cloud, hybrid IT and hybrid workforces turn the security perimeter inside out and solutions like VPNs create more risk with their flawed “connect first, authenticate second” approach.
With Zero Trust Network Access, a user is denied access to networks and digital assets by default. Identity is subject to an extensive authentication process that considers the user, device and context. Dynamic policies and entitlements are then granted to the identity, provisioning limited access to authorized resources. These surgical entitlements are conditional and based on context and risk tolerance defined by your organization.
This Zero Trust approach starts from a default deny posture and then extends limited, earned trust, which is continuously reevaluated. From this basis, ZTNA enables operational efficiencies with fewer tradeoffs between security, convenience and agility.
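As an added illustration (not Appgate’s or NIST’s code), the following toy policy decision point models the ZTNA flow described above: every resource is denied by default, entitlements are conditioned on user role, device posture and context, a context change triggers a fresh decision rather than reusing cached trust, and each decision is logged as metadata enriched with identity and device context, as the “inspect and log” principle calls for. Resource names, roles, addresses and the `Request` fields are all constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    """One access attempt with the identity, device and context it carries."""
    user: str
    roles: frozenset
    mfa: bool
    device_managed: bool
    device_patched: bool
    resource: str
    src_ip: str

# Constructed per-resource entitlement conditions. A resource absent from this
# table is never reachable: the starting posture is deny.
ENTITLEMENTS = {
    "wiki":    {"role": "staff", "mfa": False, "managed": False, "patched": False},
    "hr-app":  {"role": "hr",    "mfa": True,  "managed": True,  "patched": False},
    "prod-db": {"role": "dba",   "mfa": True,  "managed": True,  "patched": True},
}

AUDIT_LOG = []  # decision metadata only, enriched with identity and device context

def evaluate(req):
    """Default deny: allow only when every condition for the resource holds."""
    policy = ENTITLEMENTS.get(req.resource)
    if policy is None:
        failed = ["no-entitlement"]
    else:
        checks = {
            "role":    policy["role"] in req.roles,
            "mfa":     req.mfa or not policy["mfa"],
            "managed": req.device_managed or not policy["managed"],
            "patched": req.device_patched or not policy["patched"],
        }
        failed = [name for name, ok in checks.items() if not ok]
    decision = "deny" if failed else "allow"
    AUDIT_LOG.append({"user": req.user, "resource": req.resource, "src_ip": req.src_ip,
                      "mfa": req.mfa, "managed": req.device_managed,
                      "decision": decision, "failed": failed})
    return decision == "allow"

def reevaluate(req, **context_change):
    """Trust is earned per request: a context change triggers a fresh decision."""
    return evaluate(replace(req, **context_change))

def visible_resources(req):
    """Least privilege: the identity sees only the resources it can reach right now."""
    return sorted(r for r in ENTITLEMENTS if evaluate(replace(req, resource=r)))
```

A real ZTNA enforcement point would also withhold network reachability to anything outside `visible_resources`, so an unentitled service never receives a packet from the identity at all.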
Start your Zero Trust journey with Appgate SDP
Appgate SDP is an industry-leading, enterprise-grade Zero Trust Network Access solution that can be delivered as a service and brings Zero Trust to the cloud. Benefits include:
- Strengthened security
- Reduced complexity
- Improved end-user experience
- Streamlined automation
Appgate SDP has been named a Leader in The Forrester New Wave™: Zero Trust Network Access, Q3 2021, receiving a differentiated rating, the highest possible, in six criteria: deployment flexibility, non-web and legacy app support, ecosystem integration, client support, connector capabilities and product vision. Additionally, in the Nemertes Real Economic Value study, Appgate SDP customers reported a 119% average increase in accelerated digital transformation initiatives, a 9.5 out of 10 rating for “most strategic to Zero Trust” and an average 66% reduction in help desk tickets.