
Zero Trust: what it is and what it is not


1. How does Zero Trust technology work?

To answer this question, we first need to understand what Zero Trust is and what it is not. The easy part first: Zero Trust is not a technology. Some call it a paradigm, others a model. I prefer to call it a concept.

Zero Trust was born in response to a borderless digital world. Innovations such as the Internet of Things (IoT), Bring Your Own Device (BYOD) and cloud computing have shaped the modern digital landscape of organizations worldwide. Users work from any device and collaborate online via cloud-based SaaS tools. Information is stored in the cloud and can be accessed from anywhere, while personal devices have flooded companies’ once-trusted internal networks. The world has become more interconnected, and the network border has effectively disappeared. The trust perimeter has shifted from the network to end devices and user accounts.

The premise of Zero Trust is that no device or subject is granted implicit trust. Trust must be verified before access to a resource is granted, and it must be re-evaluated regularly rather than assumed for the lifetime of a session. In practice, Zero Trust is implemented with a set of technologies that continuously evaluate and control the trust placed in devices, services and identities.

For example, a decade ago you might have said that a system inside your trusted network boundary could be trusted by default. Under the Zero Trust concept no device is trusted by virtue of where it is hosted: trustworthiness must be measured and continuously re-evaluated. The same applies to digital accounts and applications.

2. What does Zero Trust include? 

The building blocks of Zero Trust are a component that measures trustworthiness and makes the access decision (NIST SP 800-207 calls it the policy decision point) and a component that enforces that decision (the policy enforcement point). The policies use the trust measurements to decide what level of access to grant to a given device or subject.

For example, if a user tries to access data in the corporate cloud from a corporate device with a compliance-measuring agent installed, and the agent reports that the device is trusted and secure, the user can access any files without limitation. If the compliance agent detects deficiencies, the user receives read-only access to the files. If a non-corporate device without a compliance agent is used, access to the data is denied.

In the example above, trustworthiness was measured by the compliance agent, and policy enforcement applied the configured access restrictions according to the trust level the agent reported.

In real-world scenarios, policies can be more complex and based on dozens or even hundreds of trust signals. Examples include: an EDR agent that has detected suspicious or malicious behaviour; a user logging in from an IP address with a poor reputation or from a sanctioned geo-location; a user account known to be compromised; a device lacking a company-issued digital certificate; anomalous user behaviour; and many more.
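The following is an added example, not code from the article or from any product it mentions. It sketches the policy decision described in the two passages above: a small policy engine that combines the trust signals listed here into one of the three access levels of the earlier example (full, read-only, deny), and that is re-run on every request so a signal that changes mid-session changes the decision. The signal names, the ordering of the rules and the three access levels are assumptions chosen to match the article's example, not a standard.

```python
"""Illustrative Zero Trust policy engine (added example, not from the article).

A policy decision point combines trust signals about the subject, the device
and the connection into an access level; the policy enforcement point would
apply that level to each request.  Signal names, rule order and the three
access levels are assumptions modelled on the article's example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    FULL = "full"
    READ_ONLY = "read-only"
    DENY = "deny"


@dataclass(frozen=True)
class Signals:
    """Trust signals available at the moment a request is evaluated (constructed)."""
    corporate_device: bool       # managed device vs. BYOD or unknown
    compliance_agent: bool       # agent installed and reporting
    compliant: bool              # agent reports no deficiencies (patched, services running)
    corporate_cert: bool         # device presents a company-issued certificate
    edr_alert: bool              # EDR flagged suspicious or malicious behaviour
    account_compromised: bool    # account known to be breached
    bad_ip_reputation: bool      # source IP has a poor reputation
    sanctioned_geo: bool         # source geo-location is sanctioned
    anomalous_behaviour: bool    # user behaviour deviates from baseline


def decide(s: Signals) -> Access:
    """Map signals to an access level.  Order matters: hard denials first,
    then degradations, and FULL only when every signal is clean.  Network
    location is deliberately not an input: being "inside" grants nothing."""
    # Signals that end the conversation regardless of anything else.
    if s.account_compromised or s.edr_alert or s.sanctioned_geo:
        return Access.DENY
    # An unmanaged device, or one we cannot measure, is treated as untrusted.
    if not (s.corporate_device and s.compliance_agent and s.corporate_cert):
        return Access.DENY
    # Measurable but degraded trust: allow, with reduced privilege.
    if (not s.compliant) or s.bad_ip_reputation or s.anomalous_behaviour:
        return Access.READ_ONLY
    return Access.FULL


def reevaluate(session: list[Signals]) -> list[Access]:
    """Trust is re-evaluated on every request, not once at login.  Each entry
    is the signal snapshot taken when one request in the session arrived."""
    return [decide(s) for s in session]


def baseline(**overrides) -> Signals:
    """A fully trusted device and user; override single signals to build cases."""
    base = dict(corporate_device=True, compliance_agent=True, compliant=True,
                corporate_cert=True, edr_alert=False, account_compromised=False,
                bad_ip_reputation=False, sanctioned_geo=False,
                anomalous_behaviour=False)
    base.update(overrides)
    return Signals(**base)


if __name__ == "__main__":
    # The article's three cases: healthy corporate device, deficient device, BYOD.
    print(decide(baseline()))
    print(decide(baseline(compliant=False)))
    print(decide(baseline(corporate_device=False, compliance_agent=False,
                          corporate_cert=False)))
    # Same session: trusted at login, then an EDR alert arrives -> next request denied.
    print(reevaluate([baseline(), baseline(), baseline(edr_alert=True)]))
```

The point of `reevaluate` is the one the article keeps returning to: the decision is a function of the current signals, so the third request in the sample session is denied even though the first two were granted full access. A real deployment would feed the same function from the EDR, identity provider and device-management APIs instead of constructed dataclasses.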

3. What are the technology’s benefits over VPNs? 

Zero Trust is not a replacement for a VPN, and the two do not necessarily complement each other either: a VPN is a transport mechanism, while Zero Trust is about how trust is established and kept under review.

VPN technologies provide encrypted network access to remote locations. A traditional VPN service can check user authentication data and authenticate the device itself (e.g., using a digital certificate); beyond that, no other trust signals are used, and trust is not re-evaluated once the tunnel is up. Some technologies allow Zero Trust concepts to be applied to a VPN service [example]. Some VPN agents also have built-in security and compliance measurement capabilities (e.g., checking whether required services are running on the endpoint, whether the endpoint is up to date, running anti-malware and vulnerability scans, and so on). These can be used to bring remote users closer to Zero Trust.

Secure Access Service Edge (SASE) solutions can also be used to apply Zero Trust to access to remote resources. Think of it as a cloud-based Unified Threat Management (UTM) service. The Zero Trust concept applies here through continual evaluation of the security and compliance of remote devices, network traffic and users, with restrictions applied immediately when the corresponding policy is triggered. Still, a VPN can be much cheaper and easier to configure, and it remains the preferable solution when a remote employee genuinely needs full network access.

Another way to secure access to remote web services while applying Zero Trust is to use a proxy solution. Such a proxy allows access to web services no matter where they are hosted, including services hosted on local corporate networks. This approach hides internal web apps instead of exposing them to the Internet and provides secure access through the proxy. For web apps this removes the need for a VPN, since they can be accessed from anywhere through the proxy with Zero Trust controls applied. But the approach works only for web services, so it does not replace a VPN in general.

4. What are the technology’s drawbacks? 

Even though many publications and technologies are available, achieving a full Zero Trust state is not easy. In many cases it is hard or even impossible to find one technology or solution that resolves every issue on the way to Zero Trust. It is a journey, not a one-and-done effort.

For example, micro-segmentation, one of the foundational concepts of Zero Trust, is very difficult to achieve, especially in on-premises networks managed with legacy firewall technologies. Moreover, many businesses today run mixed environments, with infrastructure hosted on-premises and in private and public clouds, and with remote employee devices located virtually anywhere. Companies need to adopt newer solutions that solve the micro-segmentation problem across such mixed environments.
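As an added example (not from the article), here is the micro-segmentation idea reduced to its essentials: workloads are identified by role rather than by the subnet they sit in, the policy is an explicit allow-list of role-to-role flows on specific ports, and everything else is denied, including traffic from the office LAN that a perimeter firewall would have waved through. The inventory, the allow rules and the flow records are all constructed for this example; a real deployment would enforce the same allow-list on host firewalls, cloud security groups or an overlay rather than in a Python check.

```python
"""Illustrative micro-segmentation policy check (added example, not from the article).

Workloads are identified by the role they play, not by the subnet they sit in,
and the policy is an explicit allow-list of (source role, destination role,
destination port).  Every other flow is denied, including flows that originate
on the "trusted" office LAN.  Inventory, rules and flow records are constructed.
"""
from __future__ import annotations

from ipaddress import ip_address, ip_network

# Inventory: address range -> role.  More specific entries are listed first.
INVENTORY = [
    (ip_network("10.3.0.10/32"), "db"),
    (ip_network("10.9.0.5/32"), "jump"),
    (ip_network("10.1.0.0/24"), "web"),
    (ip_network("10.2.0.0/24"), "app"),
    (ip_network("10.50.0.0/16"), "workstation"),   # office LAN, formerly "trusted"
]

# Allow-list of (source role, destination role, destination TCP port).
ALLOW = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("jump", "app", 22),
    ("jump", "db", 22),
}


def role_of(ip: str) -> str:
    """Resolve an address to its role; unlabelled endpoints get no implicit trust."""
    addr = ip_address(ip)
    for net, role in INVENTORY:
        if addr in net:
            return role
    return "unknown"


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> tuple[bool, str]:
    """Default deny: a flow is permitted only if its role triple is listed."""
    src, dst = role_of(src_ip), role_of(dst_ip)
    if (src, dst, dst_port) in ALLOW:
        return True, f"allow {src}->{dst}:{dst_port}"
    return False, f"deny {src}->{dst}:{dst_port} (not in allow-list)"


def audit(flow_log: str) -> list[str]:
    """Run the policy over 'src dst port' flow records and return a line for
    every flow the segmentation policy would block.  Useful before enforcing
    the policy: it shows which existing traffic the allow-list would break."""
    violations = []
    for line in flow_log.strip().splitlines():
        src, dst, port = line.split()
        ok, reason = is_allowed(src, dst, int(port))
        if not ok:
            violations.append(f"{src} -> {dst}:{port}: {reason}")
    return violations


# Constructed flow records: source, destination, destination port.
SAMPLE_FLOWS = """
10.1.0.3 10.2.0.4 8443
10.2.0.4 10.3.0.10 5432
10.1.0.3 10.3.0.10 5432
10.50.0.7 10.3.0.10 5432
10.9.0.5 10.3.0.10 22
10.50.0.7 10.2.0.4 22
"""

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print(violation)
```

Three of the six sample flows are denied: the web tier talking straight to the database (it must go through the app tier), and two connections from an office workstation that a flat "trusted LAN" would have allowed. Running `audit` over real flow logs in monitor mode first is the practical way to discover the dependencies a legacy network has accumulated before turning on enforcement.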

Legacy access paths to web services need to be upgraded to ones that provide continuous security and compliance evaluation of devices, users and connections. The same access controls must cover every cloud application used for corporate purposes. At times this means that parts of existing applications have to be rewritten, especially apps that lack SAML SSO integration and cannot be configured to authenticate users through a proxy.

Remote users must keep easy and flexible access to corporate resources from wherever they work. At the same time, the company needs a solution that lets it apply flexible policies, with permit, block, audit, control or other actions, depending on the security signals gathered about the user, the device and the network connection. Traditional VPN solutions may need to be integrated with a service that provides Zero Trust, or a SASE solution may be required.

IoT devices are a challenge because many of the technologies used to provide Zero Trust require some form of agent on the endpoint, which in most cases cannot be installed on an IoT device.

Solutions are also needed to control access and data security in the cloud. This can be achieved with a Cloud Access Security Broker (CASB), but whatever solution is chosen must integrate with your existing Zero Trust architecture.

Given the diversity of technologies and solutions a company can apply, it is necessary to plan their integration so as to avoid overlapping functionality, minimize cost, and reduce support and maintenance complexity.

5. Is Zero Trust a good technology for securely connecting with remote workers? 

Zero Trust is a necessity in the modern technological world, especially now during the coronavirus pandemic with so many people working remotely from home offices. Zero Trust makes significantly more granular, signal-based risk management possible. Such an approach offers many advantages:

  1. More granular access policies for corporate information, systems and services.
  2. More opportunities to automate remediation steps.
  3. Simpler security and risk management for BYOD systems.
  4. A unified and straightforward way for end users to access remote services no matter where they are hosted.
  5. Simpler security orchestration.

6. What’s the best way to get started with Zero Trust? 

The best way to start with the Zero Trust approach is to follow the path proposed by the industry. In 2020, NIST published SP 800-207, “Zero Trust Architecture”. The document describes the overall Zero Trust concept, its building blocks, the technologies that can be used to achieve it, and how to deploy it in an existing digital environment.

Gartner’s “Zero Trust Architecture and Solutions” is also a great starting point. It describes Zero Trust principles, models, benefits, risks, solutions, and much more.

7. What are the pitfalls? 

Zero Trust is not a panacea, but applying Zero Trust practices makes it possible to significantly increase security, simplify technology risk management, and even improve the user experience.

Keep in mind that achieving Zero Trust is a journey rather than a one-and-done effort, and there are many other security areas that you still need to manage alongside it.

Lastly, certain issues may arise when explaining the Zero Trust concept to management to get their buy-in, especially in organizations with a people-first culture. The phrase “zero trust” can sound off-putting, so some rephrasing may be needed at first. It can also be challenging to get management to change how they see the modern threat and security landscape. In any case these conversations must take place, because without management support this journey will end before it has even started.

Vadim Chakryan, Information Security Officer, DataArt