ZTNA: Zero Trust Network Access

Zero Trust Solutions: 5 Solution Categories and How to Choose

What Are Zero Trust Solutions?

Zero trust solutions are security toolkits that incorporate network access controls and security measures to implement the principle of zero trust, which regards all users and entities as potentially malicious until proven safe. Implementing zero trust networks often requires organizations to combine multiple tools and processes.

Zero trust security solutions offer a range of security and monitoring features that protect a network from security breaches. For instance, a zero trust security solution combines multiple processes to authenticate a user, offering additional security measures such as multi-network management, segmentation, and monitoring.

5 Zero Trust Solution Categories

Zero trust is not a technology—it is a security paradigm. This means that many existing technologies can be used to implement a zero trust architecture. In addition, new solution categories are emerging that are built from the ground up for a zero trust security model.

1. Multi-Factor Authentication (MFA) and Single Sign On (SSO)

An important part of a zero trust implementation is to ensure that trust is not based on the network segment the user operates in, but on explicit identity verification. In addition, usernames and passwords can be easily compromised by attackers and are no longer suitable as a single form of authentication. To enable zero trust, you can leverage:

  • MFA—combines multiple forms of authentication to ensure robust authentication of user identities, and reduce the impact of credential theft.
  • SSO—allows users to sign in with one set of credentials and access all enterprise applications, according to their account’s authorization. This removes the need for multiple passwords, enables central control over user accounts, and is also more convenient for users.

2. IAM

A key requirement of zero trust is identity-driven security. This is powered by identity and access management (IAM) systems, which are typically cloud-based. An IAM system provides capabilities such as:

  • Lifecycle management for internal and external users
  • Central identity governance
  • Privileged access management (PAM)
  • Role-based and attribute-based access controls (RBAC and ABAC)
  • Just-in-time (JIT) access enabling personnel to access systems on an as-needed basis, allowing for emergency or exception-based access

Using these capabilities, modern IAM systems can help you enforce least privilege access across the organization. You can also enforce permissions based on time and location of the user to reduce the attack surface. This ensures every user—whether an in-house employee, third-party contractor, or customer—has access only to the systems and operations they actually need for their role.

3. Zero Trust Network Access (ZTNA)

ZTNA, previously known as software-defined perimeter (SDP), is an advanced access solution that only allows users to connect to an application if they need it to perform their roles. User permissions are defined using roles that directly map to the employee’s organizational role.

A ZTNA solution first authenticates a user, verifies their identity, and links it to roles defined in the organization. All access to systems on the internal network passes through the ZTNA system. ZTNA allows traffic to pass to a specific system, or blocks access, depending on the result of authentication and the user’s predetermined roles.

ZTNA solutions are a replacement for virtual private networks (VPN). VPNs offer a secure way to connect to a network, but give users access to the entire network and all its resources, which is not compatible with zero trust. ZTNA creates a software-based perimeter that granularly defines which data centers, environments, and specific applications a user should have access to.

4. Secure Access Service Edge (SASE)

Secure Access Service Edge (SASE) is a cloud-based service that provides wide area networking (WAN), remote access, and security functionality. SASE extends networking capabilities to wherever the organization operates—in the local data center and in one or more public clouds.

SASE is a service that packages several technology solutions within it:

  • ZTNA—described above.
  • SD-WAN—a virtual WAN architecture that improves agility and reduces costs for wide area networks, leveraging any available data service including MPLS, broadband, and wireless.
  • Firewall as a service (FWaaS)—provides a managed firewall wherever the organization runs software services.
  • Secure web gateway (SWG)—manages remote access for users.
  • Cloud access security broker (CASB)—performs security policy enforcement for on-premises resources or users accessing the cloud.

Zero Trust Networks vs. Virtual Private Network (VPN)

Virtual Private Networks (VPNs) allow users to remotely access a corporate network. Client software deployed on the user’s device communicates with a VPN server or appliance in the corporate network via an encrypted channel.

While VPN enables communication over a secure channel, its weakness is that it assumes the user’s device is trusted. If the user provides correct credentials, they are allowed complete access to the network. Therefore, if the device or the user’s account is compromised, or attackers exploit a VPN vulnerability, they can move laterally across the corporate network.

VPNs are not compatible with a zero trust security model. To achieve zero trust, ZTNA replaces VPN, allowing granular access to resources on the network. Each user is allowed access based on their role and the current security context – for example, the device they are using and the time of day. ZTNA authorizes each access request, continually verifying that users are authorized to access network resources.
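
The per-request decision described in the ZTNA section and in the VPN comparison above, sketched as an added example (not from the original article or any vendor's product). The role names, application names and context rules are constructed for illustration; `vpn_style` shows the contrasting model where valid credentials open everything.

```python
from dataclasses import dataclass
from datetime import time

# Constructed policy: role -> applications that role may reach (default deny).
ROLE_APPS = {
    "finance-analyst": {"erp", "payroll"},
    "developer": {"git", "ci"},
}
# Constructed context rules per application: device posture and permitted hours.
APP_RULES = {
    "payroll": {"managed_device": True, "hours": (time(8, 0), time(18, 0))},
    "erp": {"managed_device": True, "hours": None},
    "git": {"managed_device": False, "hours": None},
    "ci": {"managed_device": True, "hours": None},
}

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    authenticated: bool   # outcome of MFA/SSO at the identity provider
    managed_device: bool  # device posture signal
    at: time              # local time of the request
    app: str              # application the user is trying to reach

def authorize(req):
    """Return (allowed, reason). Evaluated for every request, not once per session."""
    if not req.authenticated:
        return False, "not authenticated"
    rule = APP_RULES.get(req.app)
    if rule is None:
        return False, "unknown application"
    if not any(req.app in ROLE_APPS.get(r, set()) for r in req.roles):
        return False, "no role grants this application"
    if rule["managed_device"] and not req.managed_device:
        return False, "unmanaged device"
    if rule["hours"] is not None:
        start, end = rule["hours"]
        if not (start <= req.at <= end):
            return False, "outside permitted hours"
    return True, "allowed"

def vpn_style(req):
    """Contrast: VPN-like model, where valid credentials reach every application."""
    return req.authenticated
```

Logging the returned reason for each denial gives monitoring a record of which control blocked a request.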

How to Choose Zero Trust Solutions?

To determine which zero trust solution works best for you, consider these key points:

  • Vendor support—does the solution require an endpoint agent, and does the vendor support all of your operating systems and mobile devices? Monitor the agent’s behavior in the presence of other agents and verify which devices and operating systems the vendor supports.
  • The type of zero trust technology—for instance, a ZTNA broker that you need to install and manage or zero trust network access as a service (ZTNAaaS).
  • Security posture assessments—does the vendor allow you to assess the security posture of managed and unmanaged devices or do you need to use a unified endpoint management (UEM) tool?
  • User and entity behavior analytics (UEBA)—does the solution include UEBA functionality to identify suspicious activity within the protected network?
  • Global distribution—the geographical diversity of entry and exit points (i.e., edge locations and POPs). Determine what edge/physical infrastructure providers or colocation facilities the vendor uses.
  • Legacy application support—determine if there is security support for legacy applications in addition to web applications.
  • Compliance with industry standards—prefer a vendor that meets stringent security standards. A zero trust provider should at least have ISO 27001 certification, and preferably should meet SOC 2 security requirements.
  • The licensing model—check the license type (i.e., by bandwidth or per user) and verify the protocol for exceeding usage during the term of the contract (i.e., whether there is a grace period, requirement to provide a true-up payment, or loss of access).