What is Zero Trust Architecture?

September 7, 2020

Zero trust has become one of the hottest buzzwords in network security. However, with all the hype, it can become difficult to separate the marketing fluff from the real value. Fortunately, unlike many buzzwords, there is plenty of substance around zero trust.

Earlier this year the National Cybersecurity Center of Excellence (a part of the United States Government’s National Institute of Standards and Technology) published their Implementing a Zero Trust Architecture project, a standards-based approach to implementing Zero Trust Architecture.

So, what exactly is the substance behind zero trust and how can you identify solutions that meet your enterprise’s needs? Let’s take a look.

What is Zero Trust Architecture? A crash course

In simple terms, zero trust is based on these principles: apply granular access controls and do not trust any endpoints unless they are explicitly granted access to a given resource. Zero Trust Architecture is simply a network design that implements zero trust principles.

Zero Trust Architecture represents a fundamental shift from traditional castle-and-moat solutions such as Internet-based VPN appliances for remote network access. With those traditional solutions, once an endpoint authenticates, they have access to everything on the same network segment and are only potentially blocked by application-level security.

In other words, traditional solutions trusted everything on the internal network by default. Unfortunately, that model doesn’t hold up well for the modern digital business. The reason zero trust has become necessary is enterprise networks have changed drastically over the last decade, and even more so over the last six months.

Remote work is now the norm, critical data flows to and from multiple public clouds, Bring Your Own Device (BYOD) is common practice, and WAN perimeters are more dynamic than ever. This means enterprise networks that have a broader attack surface are strongly incentivized to both prevent breaches and limit dwell time and lateral movement in the event a breach occurs. Zero Trust Architecture enables micro-segmentation and the creation of micro-perimeters around devices to achieve these goals.

How Zero Trust Architecture works

While the specific tools used to implement Zero Trust Architecture may vary, the National Cybersecurity Center of Excellence’s ‘Implementing a Zero Trust Architecture’ project calls out four key functions:

  • Identify. Involves inventory and categorization of systems, software, and other resources. Enables baselines to be set for anomaly detection.
  • Protect. Involves the handling of authentication and authorization. The protect function covers the verification and configuration of the resource identities zero trust is based upon as well as integrity checking for software, firmware, and hardware.
  • Detect. The detect function deals with identifying anomalies and other network events. The key here is continuous real-time monitoring to proactively detect potential threats.
  • Respond. This function handles the containment and mitigation of threats once they are detected.

Zero Trust Architecture couples these functions with granular application-level access policies set to default-deny.

The result is a workflow that looks something like this in practice:

  1. Users authenticate using MFA (multi-factor authentication) over a secure channel
  2. Access is granted to specific applications and network resources based upon the user’s identity
  3. The session is continuously monitored for anomalies or malicious activity
  4. Threat response occurs in real-time when potentially malicious activity is detected

The same general model is applied to all users and resources within the enterprise, creating an environment where true micro-segmentation is possible.

How SDP and SASE enable Zero Trust Architecture

SDP (software-defined perimeter) which is also referred to as ZTNA (Zero Trust Network Access) is a software-defined approach to secure remote access. SDP is based on strong user authentication, application-level access rights, and continuous risk assessment throughout user sessions. With that description alone, it becomes easy to see how SDP makes it possible to implement Zero Trust Architecture.

When SDP is part of a larger SASE (Secure Access Service Edge) platform, enterprises gain additional security and performance benefits as well. SDP with SASE eliminates the complexity of deploying appliances at each location and the unpredictability that comes from depending on the public Internet as a network backbone. Additionally, with SASE, advanced security features are baked-in to the underlying network infrastructure. In short, SDP as a part of SASE enables Zero Trust Architecture to reach its full potential.

For example, the Cato SASE platform implements zero trust and delivers:

  • Integrated client-based or clientless browser-based remote access
  • Authentication via secure MFA
  • Authorization based upon application-level access policies based on user identities
  • DPI (deep packet inspection) and an intelligent anti-malware engine for continuous protection against threats
  • Advanced security features such as NGFW (next-generation firewall), IPS (intrusion prevention system), and SWG (secure web gateway)
  • Optimized end-to-end performance for on-premises and cloud resources
  • A globally distributed cloud-scale platform accessible from all network edges
  • A network backbone supported by 50+ PoPs (points of presence) and a 99.999% uptime SLA

Interested in learning more about SDP, SASE, and Zero Trust Architecture?

If you’d like to learn more about SDP, SASE, or Zero Trust Architecture, please contact us today or sign up to demo the Cato SASE platform. If you’d like to learn more about how to take a secure and modern approach to remote work for the enterprise, download our eBook Work from Anywhere for Everyone.

Dave Greenfield

Dave Greenfield

Dave Greenfield is a veteran of IT industry. He’s spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.