The Evolution of Zero Trust Security and 5 Key Components
What is Zero Trust Security?
The starting point of zero trust security is that all systems should control access, and deny access by default. Zero trust means designing security controls without implicit trust under the assumption that all accounts and devices are potentially compromised.
In the past, most organizations had a trusted corporate network, with employees connecting via on-premises workstations or remotely via VPN. Connections from outside were considered untrusted, while accounts authorized to access the network were considered trusted. This is no longer effective in today’s distributed IT environment. The zero trust mentality says that organizations can no longer afford to implicitly trust any entity within the network perimeter.
Recent changes to the security landscape, such as the transition to remote work and the growth in supply chain attacks, emphasize the need for zero trust. Components that were previously trusted, like an organization’s own employees and IT management components, can now be an instrument of attack. This makes it critical for organizations to adopt zero trust security models and supporting technology solutions, primarily Zero Trust Network Access (ZTNA).
Why has Zero Trust Security Emerged?
Traditional security techniques used location as an indicator of trust. An employee in an office was automatically trusted, given that this employee went through ID checks to enter the office and provided the right credentials to connect to the network. Everything within the perimeter of the organization and its network was trusted, and everything else was considered hostile.
However, threats can infiltrate the network and move laterally. Attackers can compromise a user account or otherwise gain access to a system within the perimeter. They can then gradually gain access to additional accounts and systems. Social engineering, malware, and malicious insiders are all common ways by which attackers can breach the network perimeter—violating the implicit trust model.
While it was always true that attackers could lurk inside the corporate environment, it is a much more serious concern in modern IT environments. The introduction of cloud services, mobile applications, and remote workers further undermines traditional border-based security models.
Zero Trust Security Drivers
Here are a few trends in the modern IT environment that are driving adoption of the zero trust security model.
Cloud Adoption
In the early days of the cloud, cloud migration raised serious security concerns. Organizations were hesitant to outsource IT infrastructure to a third party, concerned that they would lose control.
However, today the cloud has become ubiquitous, even for sensitive and mission critical workloads. Cloud adoption continues to grow, especially in the wake of COVID-19. Research shows most organizations increased their use of the cloud with the transition to remote work.
Cloud computing is changing the dynamics of enterprise access and security. With infrastructure decentralized, any security technology that relies on a network perimeter or on corporate endpoints is no longer effective. A firewall cannot protect a SaaS application because the application is not hosted on the corporate network and the server is outside the organization’s control. Security and access control must therefore be enforced where the data, users, and devices actually reside.
Bring Your Own Device
BYOD is a strategy that allows an organization’s employees to use their personal devices for work-related activities. These activities include tasks such as accessing email, connecting to a corporate network, and accessing corporate applications and data.
BYOD devices may be laptops, smartphones, other mobile devices, and storage equipment like USB drives and external hard drives. BYOD has strong benefits for both employees (who enjoy improved productivity with devices of their choice) and companies (who eliminate the cost of purchasing and maintaining hardware). But it also poses serious security risks.
Organizations implementing BYOD must have a robust method for authenticating users on personal devices and for performing contextual assessment of each access request. For example, a user connecting from a personal device at 3 am should be treated differently from the same user connecting from an office workstation at 2 pm.
Zero trust is highly suited to BYOD use cases, and provides a solution for granular, secure remote access to applications while reducing management overhead. Zero Trust Network Access (ZTNA) is a security solution that can address security, manageability, and user experience challenges for BYOD devices.
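The contextual assessment described above, as an added example (not Cato’s or any product’s code): a small policy decision function that denies by default, grants access per application rather than to the network, and uses device posture, location and time of day to choose between allow, step-up MFA and deny. The roles, applications, risk weights, business hours and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class AccessRequest:
    role: str
    app: str                # access is granted per application, never to the network layer
    device_managed: bool    # corporate-managed device; False means a personal BYOD device
    device_compliant: bool  # posture check passed (disk encryption, patch level, ...)
    from_office: bool
    mfa_verified: bool      # a second factor was presented for this session
    when: datetime

# Constructed policy table: app -> (roles explicitly granted, handles sensitive data).
# Anything not listed is denied: there is no implicit "already inside the network" grant.
APP_POLICY = {
    "payroll": ({"finance"}, True),
    "crm": ({"sales", "finance"}, True),
    "wiki": ({"sales", "finance", "engineering"}, False),
}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed working day

def risk_score(req):
    """Contextual risk: unmanaged device, off-site connection, out-of-hours access."""
    score = 0 if req.device_managed else 2
    score += 0 if req.from_office else 1
    if not BUSINESS_HOURS[0] <= req.when.time() <= BUSINESS_HOURS[1]:
        score += 2
    return score

def decide(req):
    """Policy decision point: deny by default, then check grant, posture and context.
    Returns (decision, reason); the reason is what a monitoring pipeline should log."""
    policy = APP_POLICY.get(req.app)
    if policy is None or req.role not in policy[0]:
        return "deny", f"no grant for role {req.role} on {req.app}"
    if not req.device_compliant:
        return "deny", "device failed posture check"
    score = risk_score(req)
    if policy[1] and score >= 5:
        return "deny", f"risk {score} too high for a sensitive app"
    if score >= 2 and not req.mfa_verified:
        return "step_up_mfa", f"risk {score} requires a second factor"
    return "allow", f"risk {score} within policy"

# Constructed requests mirroring the article's example: one finance user, two contexts.
BYOD_3AM = AccessRequest("finance", "payroll", False, True, False, True, datetime(2024, 1, 15, 3, 0))
OFFICE_2PM = AccessRequest("finance", "payroll", True, True, True, False, datetime(2024, 1, 15, 14, 0))
BYOD_WIKI = AccessRequest("engineering", "wiki", False, True, False, False, datetime(2024, 1, 15, 14, 0))
```

The same identity gets three different outcomes depending on context; the returned reason strings are the audit trail the monitoring component needs.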
Modern Mobility
In today’s work environment, employees can work from anywhere and commonly perform work tasks outside business hours. This improves productivity but complicates security and access.
It is extremely common for employees to cross network boundaries, including networks that are considered hostile, on their route to accessing corporate systems. How can organizations allow secure, remote access to company resources?
Remote access services such as virtual private network (VPN), remote desktop service (RDS), virtual desktop infrastructure (VDI), and desktop as a service (DaaS) are commonly used. But these solutions are not designed for a mobile-first environment and are not sufficiently secure.
Zero trust solutions like ZTNA help organizations regulate and standardize remote access. On the one hand, they give employees the freedom to access the network from different locations at different times without being restricted to specific interfaces such as clunky virtual desktops. On the other hand, they smartly authenticate employees and limit access to sensitive resources in risky scenarios.
5 Key Components of the Zero Trust Security Architecture
The proponents of zero trust emphasize that it is a paradigm, not a technology, and each organization may implement it differently. However, five technology components are emerging as essential to any zero trust implementation.
1. Zero Trust Network Access (ZTNA)
A ZTNA solution is designed to implement and enforce a zero trust strategy across the corporate network. Users attempting to connect to an organization’s systems and applications are only allowed to connect if they specifically need access to perform their roles.
ZTNA can take several forms:
- Gateway integration—ZTNA functionality can be implemented as part of a network gateway. Traffic crossing network boundaries is filtered by the gateway according to the defined access control policies.
- SD-WAN—SD-WAN optimizes networking across an enterprise WAN. Secure SD-WAN solutions integrate a full security stack into the network infrastructure, and this can include ZTNA functionality. SD-WAN with built-in ZTNA can provide sophisticated, centralized access control.
- Secure Access Service Edge (SASE)—SASE is a broad solution that includes a secure web gateway (SWG), firewall as a service (FWaaS), cloud access security broker (CASB), and ZTNA. SASE provides a holistic solution to enterprise networking, which strongly supports the zero trust model.
2. Multi-Factor Authentication
MFA is the use of multiple methods to verify user identity before granting access. These checks may include security questions, email verification, text messages, security tokens, biometric ID checks, and more. Implementing MFA at every access point—both for ingress traffic flowing into the network and for connections within the network—is a foundation of zero trust.
3. Real-Time Monitoring
Real-time monitoring continuously evaluates the network to detect intruders and limit damage if internal systems are compromised. Effective monitoring can reduce “breakthrough time”—the amount of time an attacker needs to move laterally or escalate privileges after initially penetrating an application or device.
Zero trust monitoring strategies must include automated components, typically based on behavioral profiling and anomaly detection, together with rapid triage of and response to incidents by security analysts.
4. Microsegmentation
Another important aspect of zero trust is network microsegmentation. Microsegmentation is the ability to create isolated perimeters within the network, allowing connections within each perimeter, but blocking access between them. This means that once a user or entity is authorized to access the network, they are limited to a specific, isolated space, with limited ability to move laterally and access other systems.
A crucial aspect of microsegmentation is that it is automated and centrally controlled by the zero trust solution. Zero trust technology must be able to adjust microsegmentation dynamically in response to changing security policies and current security conditions.
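An added illustration of the segmentation model described above (not Cato’s or any product’s code): hosts are mapped to segments, flows inside a segment are allowed, flows between segments are denied unless an explicit rule exists, and the central controller can quarantine a host on the fly in response to a monitoring alert. The segment addresses, ports and rules are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Set, Tuple

@dataclass
class Microsegmentation:
    segments: Dict[str, IPv4Network]     # segment name -> address range
    allowed: Set[Tuple[str, str, int]]   # (src_segment, dst_segment, dst_port) explicitly permitted
    quarantined: Set[str] = field(default_factory=set)  # hosts isolated by the controller

    def segment_of(self, ip):
        """Map an address to its segment; unknown addresses belong to no segment."""
        addr = ip_address(ip)
        for name, net in self.segments.items():
            if addr in net:
                return name
        return None

    def permits(self, src_ip, dst_ip, dst_port):
        """Default deny between segments; intra-segment traffic is allowed unless a host is quarantined."""
        if src_ip in self.quarantined or dst_ip in self.quarantined:
            return False, "host quarantined"
        src, dst = self.segment_of(src_ip), self.segment_of(dst_ip)
        if src is None or dst is None:
            return False, "address outside any segment"
        if src == dst:
            return True, f"intra-segment {src}"
        if (src, dst, dst_port) in self.allowed:
            return True, f"explicit rule {src}->{dst}:{dst_port}"
        return False, f"no rule {src}->{dst}:{dst_port}"

    def quarantine(self, ip):
        """Dynamic adjustment: monitoring flagged a host, so the controller isolates it at once."""
        self.quarantined.add(ip)

# Constructed example: three tiers on RFC 1918 ranges; only two east-west flows are permitted.
POLICY = Microsegmentation(
    segments={"web": ip_network("10.1.0.0/24"), "app": ip_network("10.2.0.0/24"), "db": ip_network("10.3.0.0/24")},
    allowed={("web", "app", 8443), ("app", "db", 5432)},
)
```

A compromised web host cannot reach the database tier directly, and once quarantined it loses even its intra-segment connectivity.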
5. Trust Zones and Default Access Controls
Trusted Internet Connection (TIC) 3.0 is the latest version of a US federal government initiative aimed at standardizing the management of external network connections. TIC lets an organization divide its network into trust zones: users can share data within a zone under centrally defined default access controls, while access between zones is prohibited.
Trust zones can only be used if all network traffic is encrypted and access to all systems is centrally controlled using a zero trust solution.
Zero Trust Security with Cato SASE Cloud
Cato’s zero trust solution – Cato SDP – provides a zero trust network for securely accessing on-premises and cloud applications via any device. With a Cato Client or Clientless browser access, users securely connect to the nearest Cato PoP using strong Multi-Factor Authentication.
Built into Cato’s SASE platform, Cato SDP delivers the following key capabilities:
- Scalability: Cato SDP instantly scales to support optimized and secure access to an unlimited number of users, devices, and locations, without requiring additional infrastructure.
- Access and Authentication: Cato SDP enforces multi-factor authentication and granular application access policies, which restrict access to approved applications, both on-premises and cloud. Users don’t get access to the network layer, reducing risk significantly.
- Threat Prevention: Cato SDP provides continuous protection against threats, applying deep packet inspection (DPI) for threat prevention to all traffic. Threat protection is seamlessly extended to Internet and application access, whether on-premises or in the cloud.
- Performance: Cato SDP enables remote users to access business resources via a global private backbone, and not the unpredictable public Internet. This delivers a consistent and optimized experience to everyone, everywhere.