As mobile users begin to connect uncontrolled devices and business applications to the Internet, there is a growing need for trust-free security. Security models designed to protect the perimeter leave network-penetrating threats uncontrolled, invisible, and can change and move at will, extracting valuable and sensitive business data.
Zero-Trust (ZT) is a term for an evolving set of cybersecurity paradigms that move defense away from static network-based environments and focus instead on users, assets, and resources.
Zero Trust believes that assets and user accounts receive implicit trust due to their physical network location (e.g. Local networks, Internet-based assets) and ownership (corporate assets). The original Department of Defense (DoD) Zero Trust reference architecture was designed to reduce the DoD's attack area and ensure that devices, networks, and users can be compromised, but the damage can be limited. It describes seven pillars of Zero Trust (user devices, network environment, application use, data visibility, analytics, automation, and orchestration) and outlines how Zero Trust capabilities are aligned.
On 20 February 2015, the Swiss Federal Institute of Intellectual Property published a new architecture based on networks of trust and trust. In 2019 the National Technical Authority and the National Cyber Security Centre of the UK recommended that network architects consider a zero-trust approach to new IT deployments with significant cloud services and plans.
Zero Trust, Zero Trust Network, or Zero Trust Architecture refers to a security concept in which the threat model no longer assumes that actors, systems, or services operate within a security area that can be trusted to ensure that anyone who tries to connect to their systems has access to it. On the contrary, your starting point is to consider all potential threats to be subject to verification. Zero trust is a security framework that requires all users on an enterprise network to authenticate, authorize, and validate security configurations and attitudes before granting or retaining access to applications and data.
In this philosophy, any device, user, or application that tries to interact with your architecture is considered not safe. Only untrusted devices and users can gain privileged access.
Zero Trust requires a traditional network, an edge network, a local cloud, or a combination of hybrid resources and work sites. The zero-trust architecture focuses on the business needs and functions of an organization and implements a network-centric data security strategy that provides specific access to those who need it.
A network without trust uses a positive model of security enforcement with specific rules for access to resources. Zero Trust prevents attacks on access with the least privileges, which means that the organization gives users and devices the least access possible. In old networks, organizations have little visibility and control over the use of network data, but in a zero-trust architecture, all network traffic is seen via segmentation gateways that contain granular policies on data, applications, and asset access that are strictly enforced.
In the event of an infringement, these subsidies help to limit lateral movement in the network and minimize the target area. Protection is environment agnostic, so applications and services can be backed up while communicating with the network environment without requiring architectural changes or political updates. The zero-trust model uses micro-segmentation, a security technology that involves dividing the perimeter into smaller zones and maintaining separate access to parts of the network to contain attacks. This can be achieved through next-generation firewalls with decryption features.
Zero Trust is a strategic initiative to prevent successful data breaches by removing the concept of trust in an organization's network architecture. It is based on the "never trust, always check" principle to protect the modern digital environment by leveraging network segmentation to prevent lateral movement, prevent Level 7 threats and simplify granular user access control.
A broken trust model assumes that the identity of a user cannot be compromised unless he or she acts in a manner of trust. The value of using zero trust in the cloud is not only to enhance an organization's cloud security but also to enable them to use enterprise applications without compromising performance or user experience. Gartner estimates that by 2022, 75% of global organizations will be operating container applications that benefit from faster release cycles and increased scalability, reliability, and resilience. This is all the more important as more and more employees work with data that has migrated to the cloud.
On the other hand, The Zero Trust Architecture (ZTA) is an enterprise cybersecurity plan that leverages the Zero Trust concept and encapsulates all components of relations, workflow planning, and access policies. Zero trust in the infrastructure of corporate networks (physical, virtual, and operational) exists in all enterprise products and in plans for a zero-trust architecture. ZTA is designed in response to corporate networks used by remote users, user-owned devices (BYOD), and cloud-based assets that are not within the company's original network boundaries. ZTA focuses on protecting resources within a protected network segment. This means that by default, only one person of trust and network verification is required to gain access to resources within the network.
In a nutshell, Zero Trust assumes that there is no implicit internal trust that assets and user accounts are privileged due to the physical location of the network, that property, authentication, and authorization of assets is between a person or device on the network, and that discreet functions performed during sessions within the company's network-wide resources.
According to Microsoft Zero Trust components;
- Identities: Verify and secure each identity with strong authentication across your entire digital estate.
- Endpoints: Gain visibility into devices accessing the network. Ensure compliance and health status before granting access.
- Apps: Discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, and monitor and control user actions.
- Data: Move from perimeter-based data protection to data-driven protection. Use intelligence to classify and label data. Encrypt and restrict access based on organizational policies.
- Infrastructure: Use telemetry to detect attacks and anomalies, automatically block and flag risky behavior, and employ least privilege access principles.
- Network: Ensure devices and users aren’t trusted just because they’re on an internal network. Encrypt all internal communications, limit access by policy, and employ micro-segmentation and real-time threat detection.
Cited Sources
https://www.infradata.com/resources/what-is-a-zero-trust-architecture/ https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/ https://edge.siriuscom.com/security/4-major-myths-of-zero-trust-architecture https://gcn.com/articles/2021/05/17/disa-zero-trust-architecture.aspx https://www.forcepoint.com/cyber-edu/zero-trust
https://www.mcafee.com/enterprise/en-us/security-awareness/cloud/what-is-zero-trust.html https://www.fedscoop.com/nist-zero-trust-architecture-definition/ https://www.jdsupra.com/legalnews/zero-trust-architecture-is-officially-2104792/ https://csrc.nist.gov/publications/detail/sp/800-207/final https://www.zscaler.com/resources/security-terms-glossary/what-is-zero-trust https://www.nccoe.nist.gov/projects/building-blocks/zero-trust-architecture https://www.crowdstrike.com/cybersecurity-101/zero-trust-security/ https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture https://doubleoctopus.com/security-wiki/network-architecture/zero-trust/ https://en.wikipedia.org/wiki/Zero_trust_security_model