ZTNA: Zero Trust Network Access

Zero Trust Security: Principles and Framework Explained

What is Zero Trust Security?

The starting point of zero trust security is that all systems should control access, and deny access by default. Zero trust means designing security controls without implicit trust under the assumption that all accounts and devices are potentially compromised.

In the past, most organizations had a trusted corporate network, with employees connecting via on-premises workstations or remotely via VPN. Connections from outside were considered untrusted, while accounts authorized to access the network were considered trusted. This is no longer effective in today’s distributed IT environment. The zero trust mentality says that organizations can no longer afford to implicitly trust any entity within the network perimeter.

Recent changes to the security landscape, such as the transition to remote work and the growth in supply chain attacks, emphasize the need for zero trust. Components that were previously trusted, like an organization’s own employees and IT management components, can now be an instrument of attack. This makes it critical for organizations to adopt zero trust security models and supporting technology solutions, primarily Zero Trust Network Access (ZTNA).

This is part of a guide series about data security.

Zero Trust Model Key Principles

Forrester coined the term “zero trust” to describe a new way of implementing a cybersecurity strategy. Some of the core functions of a zero trust architecture include:

  • Identify: An effective zero trust architecture requires in-depth knowledge of an enterprise’s environment and how it is used. This includes identifying devices within a company’s network and their interactions to build effective zero trust policies.
  • Protect: A zero trust strategy protects against cyber threats by managing access to corporate resources. By blocking illegitimate actions, it can help to block attempted intrusions or unauthorized access to sensitive resources.
  • Detect: Zero trust solutions have deep visibility into an organization’s environment and activities. This visibility can help an organization detect potential intrusions based upon blocked requests or other anomalous activities.
  • Respond: Once a threat has been detected within an organization’s environment, zero trust solutions can also help with incident response. For example, new access controls can be put into place to block malicious activities or potential abuse of privileges.

Why has Zero Trust Security Emerged?

Traditional security techniques used location as an indicator of trust. An employee in an office was automatically trusted, given that this employee went through ID checks to enter the office and provided the right credentials to connect to the network. Everything within the perimeter of the organization and its network was trusted, and everything else was considered hostile.

However, threats can infiltrate the network and move laterally. Attackers can compromise a user account or otherwise gain access to a system within the perimeter. They can then gradually gain access to additional accounts and systems. Social engineering, malware, and malicious insiders are all common ways by which attackers can breach the network perimeter—violating the implicit trust model.

While it was always true that attackers could lurk inside the corporate environment, it is a much more serious concern in modern IT environments. The introduction of cloud services, mobile applications, and remote workers further undermines traditional border-based security models.

Zero Trust Security Drivers

Here are a few trends in the modern IT environment that are driving adoption of the zero trust security model.

Cloud Adoption

In the early days of the cloud, cloud migration raised serious security concerns. Organizations were hesitant to outsource IT infrastructure to a third party, concerned that they would lose control.

However, today the cloud has become ubiquitous, even for sensitive and mission critical workloads. Cloud adoption continues to grow, especially in the wake of COVID-19. Research shows most organizations increased their use of the cloud with the transition to remote work.

Cloud computing is changing the dynamics of enterprise access and security. A decentralized infrastructure means that any security technology based on the network perimeter or on endpoints alone is no longer effective. A firewall cannot protect a SaaS application because the application is not hosted on the corporate network, and the server is outside the organization’s control. Security and access control must be implemented where data, users, and devices reside.

Bring Your Own Device

BYOD is a strategy that allows an organization’s employees to use their personal devices for work-related activities. These activities include tasks such as accessing email, connecting to a corporate network, and accessing corporate applications and data.

BYOD devices may be laptops, smartphones, other mobile devices, and storage equipment like USB drives and external hard drives. BYOD has strong benefits for both employees (who enjoy improved productivity with devices of their choice) and companies (who eliminate the cost of purchasing and maintaining hardware). But it also poses serious security risks.

Organizations implementing BYOD must have a robust method for authenticating users on personal devices and performing contextual assessment of access requests. For example, a user connecting from a personal device at 3 am should be treated differently than the same user connecting from an office workstation at 2 pm.

Zero trust is highly suited to BYOD use cases, and provides a solution for granular, secure remote access to applications while reducing management overhead. Zero Trust Network Access (ZTNA) is a security solution that can address security, manageability, and user experience challenges for BYOD devices.

Modern Mobility

In today’s work environment, employees can work from anywhere and commonly perform work tasks outside business hours. This improves productivity but complicates security and access.

It is extremely common for employees to cross network boundaries, including networks that are considered hostile, on their route to accessing corporate systems. How can organizations allow secure, remote access to company resources?

Remote access services such as virtual private network (VPN), remote desktop service (RDS), virtual desktop infrastructure (VDI), and desktop as a service (DaaS) are commonly used. But these solutions are not designed for a mobile-first environment and are not sufficiently secure.

Zero trust solutions like ZTNA help organizations regulate and standardize remote access. On the one hand, they give employees the freedom to access the network from different locations at different times without being restricted to specific interfaces such as clunky virtual desktops. On the other hand, they smartly authenticate employees and limit access to sensitive resources in risky scenarios.


5 Key Components of the Zero Trust Security Architecture

The proponents of zero trust emphasize that it is a paradigm, not a technology. Each organization may implement zero trust in different ways. However, there are five technology components emerging as essential components of zero trust.

1. Zero Trust Network Access (ZTNA)

A ZTNA solution is designed to implement and enforce a zero trust strategy across the corporate network. Users attempting to connect to an organization’s systems and applications are only allowed to connect if they specifically need access to perform their roles.

ZTNA can take several forms:

  • Gateway integration—ZTNA functionality can be implemented as part of a network gateway. Traffic crossing network boundaries is filtered by the gateway according to the defined access control policies.
  • SD-WAN—SD-WAN optimizes networking across an enterprise WAN. Secure SD-WAN solutions integrate a full security stack into the network infrastructure, and this can include ZTNA functionality. SD-WAN with built-in ZTNA can provide sophisticated, centralized access control.
  • Secure Access Service Edge (SASE)—SASE is a broad solution that includes a secure web gateway (SWG), firewall as a service (FWaaS), cloud access security broker (CASB), and ZTNA. SASE provides a holistic solution to enterprise networking, which strongly supports the zero trust model.

2. Multi-Factor Authentication

MFA is the use of multiple methods to verify user identity before granting access. These checks may include security questions, email verification, text messages, security tokens, biometric ID checks, and more. Implementing MFA at every access point—both for ingress traffic flowing into the network and for connections within the network—is a foundation of zero trust.
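The second factor most often added at an access point is a one-time code from an authenticator app. The following is an added example, not code from this page or from any vendor it mentions, showing how a server verifies such a code: an HOTP/TOTP implementation per RFC 4226 and RFC 6238, with a small drift window and a per-user record of the last accepted time step so that a code captured in transit cannot be replayed. The secret and timestamps are the published RFC test values; the `TotpVerifier` class and the `alice`/`bob` user names are assumptions made for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted TOTP code (hypothetical helper for this example).

    Accepts the code for the current time step and +/- `window` neighbouring
    steps to tolerate clock drift, but never accepts a step at or below the
    last one already used by that user, so a captured code cannot be replayed
    while it is still inside the drift window.
    """

    def __init__(self, step: int = 30, window: int = 1, digits: int = 6):
        self.step, self.window, self.digits = step, window, digits
        self._last_counter = {}  # user -> highest counter already accepted

    def verify(self, user: str, secret: bytes, submitted: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self._last_counter.get(user, -1):
                continue  # step already consumed: treat as a replay
            # compare_digest keeps the comparison time independent of how many digits match
            if hmac.compare_digest(hotp(secret, c, self.digits), submitted):
                self._last_counter[user] = c
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 reference seed; the timestamp 59 is one of the RFC's test vectors.
    seed = b"12345678901234567890"
    verifier = TotpVerifier()
    print("code at t=59:", totp(seed, 59))
    print("first use:", verifier.verify("alice", seed, totp(seed, 59), 59))
    print("replay:", verifier.verify("alice", seed, totp(seed, 59), 59))
```

The replay record is kept in memory here; a real deployment stores it with the user record so that the check holds across server instances, and pairs the code check with the other factors (password, device certificate) rather than using it alone.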

3. Real-Time Monitoring

Real-time monitoring continuously evaluates the network to detect intruders and limit damage if internal systems are compromised. Effective monitoring can reduce “breakthrough time”—the amount of time a hacker needs to move laterally or escalate privileges, after initially penetrating an application or device.

Zero trust monitoring strategies must include automated components, typically based on behavioral profiling and anomaly detection, and rapid triage and response of incidents by security analysts.

4. Microsegmentation

Another important aspect of zero trust is network microsegmentation. Microsegmentation is the ability to create isolated perimeters within the network, allowing connections within each perimeter, but blocking access between them. This means that once a user or entity is authorized to access the network, they are limited to a specific, isolated space, with limited ability to move laterally and access other systems.

A crucial aspect of microsegmentation is that it is automated and centrally controlled by the zero trust solution. Zero trust technology must be able to adjust microsegmentation dynamically in response to changing security policies and current security conditions.
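To make the two properties above concrete (traffic allowed inside a segment, denied between segments unless a central rule says otherwise, and segmentation that can be changed at runtime), here is an added example of a central flow-authorization policy. It is illustration code written for this page, not the mechanism of any product mentioned here; the workload names, segment names and ports are constructed, and the `quarantine` operation stands in for the dynamic re-segmentation the text describes when a workload is suspected to be compromised.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str   # source workload name
    dst: str   # destination workload name
    port: int  # destination TCP port


class SegmentationPolicy:
    """Central, default-deny flow authorization between microsegments.

    Workloads in the same segment may talk to each other. Traffic between
    segments is dropped unless an explicit (src_segment, dst_segment, port)
    rule exists. A quarantined workload is moved into an isolated segment
    that no rule references, so every flow to or from it is denied.
    """

    QUARANTINE = "quarantine"

    def __init__(self, membership):
        self.membership = dict(membership)  # workload -> segment
        self.rules = set()                  # (src_segment, dst_segment, port)

    def allow(self, src_segment, dst_segment, port):
        self.rules.add((src_segment, dst_segment, port))

    def revoke(self, src_segment, dst_segment, port):
        self.rules.discard((src_segment, dst_segment, port))

    def quarantine(self, workload):
        self.membership[workload] = self.QUARANTINE

    def evaluate(self, flow: Flow):
        """Return (decision, reason); decision is 'allow' or 'deny'."""
        src_seg = self.membership.get(flow.src)
        dst_seg = self.membership.get(flow.dst)
        if src_seg is None or dst_seg is None:
            return "deny", "unknown workload"          # unenrolled endpoints get nothing
        if self.QUARANTINE in (src_seg, dst_seg):
            return "deny", "quarantined"
        if src_seg == dst_seg:
            return "allow", f"intra-segment ({src_seg})"
        if (src_seg, dst_seg, flow.port) in self.rules:
            return "allow", f"rule {src_seg}->{dst_seg}:{flow.port}"
        return "deny", "default deny between segments"


def build_demo_policy() -> SegmentationPolicy:
    """Constructed three-tier example: web tier may reach app on 8080, app may reach db on 5432."""
    policy = SegmentationPolicy({
        "web1": "web", "web2": "web",
        "app1": "app", "app2": "app",
        "db1": "db",
    })
    policy.allow("web", "app", 8080)
    policy.allow("app", "db", 5432)
    return policy


if __name__ == "__main__":
    p = build_demo_policy()
    for f in (Flow("web1", "app1", 8080), Flow("web1", "db1", 5432), Flow("app1", "app2", 22)):
        print(f, "->", p.evaluate(f))
    p.quarantine("app1")
    print("after quarantine:", p.evaluate(Flow("app1", "db1", 5432)))
```

The point to notice is that the web tier never gets a path to the database even though both tiers are "inside" the network: the only way to reach it is through the app segment on the one port the rule names, and quarantining a workload removes even that.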

5. Trust Zones and Default Access Controls

Trusted Internet Connection (TIC) 3.0 is the latest version of an initiative by the US federal government aimed at standardizing management of external network connections. TIC lets an organization divide the network into trust zones, allowing users to share data within a zone under centrally defined default access controls, while prohibiting access between zones.

Trust zones can only be used if all network traffic is encrypted and access to all systems is centrally controlled using a zero trust solution.

Zero Trust Model: Practical Considerations

The 3 W’s – Workforce, Workplace and Workloads

Traditional security models implement security according to the location by setting up a perimeter and then protecting it by restricting who is allowed to enter. Modern networks are complex architectures without a clear perimeter and require a different security approach.

The zero trust model offers security mechanisms that do not rely on a perimeter. Instead, zero trust implementations aim to protect the network from the 3Ws—workforce, workplace, and workloads. None of the Ws should be trusted because they can threaten the network.

1. Workforce

The workforce is composed of employees, and threats that originate from their accounts and devices are typically classified as insider threats. For example, threat actors can steal employees’ credentials to commit fraud or breach a system. Zero trust security can help minimize the risks posed by insider threats, mainly by protecting users and devices against identity-based attacks like phishing scams.

Here are several security best practices and technologies that can help protect the network against workforce threats:

  • Multi-factor authentication—helps verify the identity of users, offers visibility into all devices, and enforces policies that secure access to all applications. These capabilities help ensure only legitimate users and devices are granted access to the network.
  • Single sign on (SSO)—enables access to all enterprise systems through one authentication mechanism, accessible from any device or location. Modern SSO solutions can provide unified access to systems across hybrid infrastructure.
  • Device posture check—ensures that devices connecting to enterprise systems meet minimal security requirements. For example, verifying that a device is not running a vulnerable software version, has relevant security patches, and is running antivirus.

2. Workload

Workloads are susceptible to vulnerabilities caused by misconfigurations, malicious attacks, and other threats. A workload can introduce threats into the network, allowing malicious software (malware) to cause damage in specific locations or move laterally across the network. Zero trust security can help minimize the attack surface.

Implementing zero trust for workload protection usually involves protecting and controlling the flow of information moving across the network. However, application workload protection can be complex when implemented for modern architectures, like multi-clouds and hybrid clouds that transmit data between on-premises data centers, endpoints, and cloud environments.

Here are several practices to consider when implementing zero trust for workload protection:

  • Microsegmentation—helps contain threats within one segment of the network to prevent lateral movement.
  • Machine learning—provides automation and intelligence to identify abnormal workload behavior and reduce the attack surface proactively.

3. Workplace

Workplaces of the past were restricted to brick-and-mortar buildings. Today’s remote work paradigms have created a distributed workplace that is no longer restricted to a specific location. This type of workplace relies on connectivity to enable the workforce to access network resources, and each connected device can potentially introduce threats into the network.

The zero trust model protects the network against endpoint threats while allowing users to access network resources, typically by implementing software-defined access. It helps ensure that IT and security teams can still gain visibility into users and devices despite the lack of perimeter. This visibility enables teams and tools to identify threats and control all connections established within the network.

Leverage Modern Tools and Architecture

In many cases, traditional network security tools do not meet the requirements of an end-to-end zero trust model. This means traditional tools must be replaced, or complemented, by more advanced tools that provide additional layers of security.

Here are a few examples of tools commonly used to meet the requirements of a zero trust framework:

  • Network micro-segmentation
  • Next generation firewall (NGFW)
  • Single sign on (SSO)
  • Multi-factor authentication (MFA)
  • Advanced threat protection solutions such as eXtended Detection and Response (XDR)

Apply Detailed Policies

Once an organization establishes the skills and technologies needed to build a zero-trust framework, actual implementation comes down to defining and implementing policies that can be applied to a variety of security tools.

A zero trust policy is a set of rules that allows access to specific resources according to strict standards. The policy should describe precisely which users, devices and applications can access which data and services, from where, via which devices or networks, and when. Once policies are set, administrators can configure security tools to accept connections meeting the authorization rules in the policy and deny all others.
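The policy definition above (who, from which device and network, to which application, when) is easiest to reason about as a deny-by-default rule set evaluated against a request with full context. The following added example, written for this page and not taken from any product it mentions, implements that evaluation and also covers the two earlier points: the device posture check (patches, antivirus, supported OS version) and the contextual difference between a finance user on a managed office workstation at 2 pm and the same user on a personal device at 3 am. The `payroll` application, the `finance` group, the hour windows and the user names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Device:
    managed: bool       # corporate-enrolled device, or a personal (BYOD) one
    patched: bool       # required security patches installed
    av_running: bool    # endpoint protection active
    os_supported: bool  # not running a known-vulnerable / end-of-life OS version


@dataclass
class Request:
    user: str
    groups: set
    app: str
    device: Device
    network: str        # "corporate", "vpn" or "public"
    at: datetime
    mfa_verified: bool


@dataclass
class Rule:
    app: str
    groups: set
    networks: set
    hours: tuple        # (start, end): start inclusive, end exclusive, local hour
    require_managed: bool
    require_mfa: bool


def posture_ok(device: Device) -> bool:
    """Device posture check: minimum hygiene required before any rule is consulted."""
    return device.patched and device.av_running and device.os_supported


class PolicyEngine:
    """Deny by default: a request is allowed only if some rule explicitly covers
    this user's group, the application, the network, the time of day and the
    device class. Rules are checked in order; the first rule that matches the
    context decides, and it may demand a step-up (MFA) before allowing."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, req: Request):
        if not posture_ok(req.device):
            return "deny", "device fails posture check"
        for rule in self.rules:
            if rule.app != req.app or not (req.groups & rule.groups):
                continue
            if req.network not in rule.networks:
                continue
            start, end = rule.hours
            if not (start <= req.at.hour < end):
                continue
            if rule.require_managed and not req.device.managed:
                continue
            if rule.require_mfa and not req.mfa_verified:
                return "step_up", "matching rule requires MFA"
            return "allow", f"{rule.app}: {sorted(rule.groups)} via {sorted(rule.networks)} {rule.hours}"
        return "deny", "no rule matches (default)"


# Constructed sample policy (an assumption for this example): payroll is for
# finance staff only. Managed devices on corporate or VPN networks get a wide
# window; personal devices are limited to business hours; MFA always required.
PAYROLL_RULES = [
    Rule("payroll", {"finance"}, {"corporate", "vpn"}, (6, 22), require_managed=True, require_mfa=True),
    Rule("payroll", {"finance"}, {"corporate", "vpn", "public"}, (8, 18), require_managed=False, require_mfa=True),
]


if __name__ == "__main__":
    engine = PolicyEngine(PAYROLL_RULES)
    workstation = Device(managed=True, patched=True, av_running=True, os_supported=True)
    personal = Device(managed=False, patched=True, av_running=True, os_supported=True)
    office_2pm = Request("dana", {"finance"}, "payroll", workstation, "corporate", datetime(2024, 1, 15, 14, 0), True)
    personal_3am = Request("dana", {"finance"}, "payroll", personal, "public", datetime(2024, 1, 16, 3, 0), True)
    print("office 2pm:", engine.decide(office_2pm))
    print("personal 3am:", engine.decide(personal_3am))
```

Because the engine returns a reason with every decision, the same output feeds the monitoring side: a stream of denials with "no rule matches" or "device fails posture check" for one account is itself a useful detection signal.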

Monitor and Alert on Anomalies

The goal of zero trust is not only to minimize unauthorized access, but also to identify and stop anomalous access in real time. This requires putting robust monitoring and alerting in place, which enable security personnel to react to security incidents, understand whether current policies are effective, and identify exploited vulnerabilities.

It’s important to remember that even with a zero trust framework, nothing is completely secure. The organization must be able to capture malicious activity when it occurs. Leverage automated incident response capabilities, such as security automation and orchestration (SOAR), to run automated playbooks when zero trust systems detect an anomaly.
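The real-time monitoring component described earlier (behavioral profiling, anomaly detection, and reducing the time an intruder has to move laterally) and the alerting described here can be illustrated with a small detector. The following is an added example written for this page, not a product's detection logic: it builds a per-user profile of normally used hosts and active hours from a training window of access-log lines, then flags new hosts, off-hours activity, an unknown account, and a burst of first-time host accesses that looks like lateral movement. All log lines, user names, host names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example: "<ISO timestamp>Z user=<name> host=<name> result=<success|failure>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$")


def parse(log_text: str):
    """Parse log lines into event dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Behavioral profile per user: hosts normally reached and hours normally active (successes only)."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue
        baseline[e["user"]]["hosts"].add(e["host"])
        baseline[e["user"]]["hours"].add(e["ts"].hour)
    return dict(baseline)


def detect(events, baseline, burst_hosts=3, burst_window=timedelta(minutes=10)):
    """Return alerts as (timestamp, user, kind, host) tuples for deviations from the baseline."""
    alerts = []
    new_host_hits = defaultdict(list)  # user -> recent (ts, host) pairs for never-before-seen hosts
    for e in events:
        ts, user, host = e["ts"], e["user"], e["host"]
        profile = baseline.get(user)
        if profile is None:
            alerts.append((ts, user, "unknown-user", host))
            continue
        if ts.hour not in profile["hours"]:
            alerts.append((ts, user, "off-hours", host))
        if host not in profile["hosts"]:
            alerts.append((ts, user, "new-host", host))
            hits = new_host_hits[user]
            hits.append((ts, host))
            hits[:] = [(t, h) for t, h in hits if ts - t <= burst_window]
            # several distinct new hosts inside one short window: lateral-movement pattern
            if len({h for _, h in hits}) >= burst_hosts:
                alerts.append((ts, user, "lateral-burst", host))
                hits.clear()  # one alert per burst
    return alerts


# Constructed training window: what "normal" looks like for alice and bob.
BASELINE_LOG = """
2024-01-08T09:02:00Z user=alice host=fileserver01 result=success
2024-01-08T14:20:00Z user=alice host=mail01 result=success
2024-01-09T10:15:00Z user=alice host=fileserver01 result=success
2024-01-09T09:40:00Z user=bob host=build01 result=success
2024-01-10T16:05:00Z user=bob host=build01 result=success
2024-01-10T11:00:00Z user=alice host=mail01 result=failure
"""

# Constructed detection window: alice's account reaches three unfamiliar hosts at 2 am,
# an account with no profile appears, and one line is malformed.
ACTIVITY_LOG = """
2024-01-16T10:05:00Z user=alice host=fileserver01 result=success
2024-01-16T09:30:00Z user=bob host=build01 result=success
2024-01-17T02:11:00Z user=alice host=hr-db01 result=success
2024-01-17T02:14:00Z user=alice host=finance-db01 result=success
this line is not an access record
2024-01-17T02:18:00Z user=alice host=backup01 result=success
2024-01-17T12:00:00Z user=svc-unknown host=fileserver01 result=success
"""


def run_demo():
    return detect(parse(ACTIVITY_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for ts, user, kind, host in run_demo():
        print(f"{ts.isoformat()} {kind:14} user={user} host={host}")
```

The `lateral-burst` alert is the one that would go to an automated playbook: a single account touching several never-before-seen hosts within minutes is exactly the pattern that shortens an attacker's window, and tightening access for that account is a reversible first response while an analyst triages.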


Zero Trust Security with Cato SASE Cloud

Cato’s zero trust solution – Cato SDP – provides a zero trust network for securely accessing on-premises and cloud applications via any device. With a Cato Client or Clientless browser access, users securely connect to the nearest Cato PoP using strong Multi-Factor Authentication.

Built into Cato’s SASE platform, Cato SDP delivers the following key capabilities:

  • Scalability: Cato SDP instantly scales to support optimized and secure access to an unlimited number of users, devices, and locations, without requiring additional infrastructure.
  • Access and Authentication: Cato SDP enforces multi-factor authentication and granular application access policies, which restrict access to approved applications, both on-premises and cloud. Users don’t get access to the network layer, reducing risk significantly.
  • Threat Prevention: Cato SDP provides continuous protection against threats, applying deep packet inspection (DPI) for threat prevention to all traffic. Threat protection is seamlessly extended to Internet and application access, whether on-premises or in the cloud.
  • Performance: Cato SDP enables remote users to access business resources via a global private backbone, and not the unpredictable public Internet. This delivers a consistent and optimized experience to everyone, everywhere.