Zero trust is a concept, a model which states that you should not trust any user or any device simply because they reside on your network or within your perimeter.
All networks should be considered untrusted and hostile, regardless of whether we’re talking about a local network in a secure building or an unsecured public wifi network.
Applications in the zero trust model remain within your private, corporate environment, whether on-premises or in the cloud, and authorised users are granted access directly to those applications, never to the network. You provide users with access to the resources they need to do their work, and you mediate that access using device context and robust identity verification, fulfilling the principles of least privilege, need-to-know and need-to-use.
The zero trust model is a holistic approach to network security and is not reliant on any single, specific technology or vendor. Instead, zero trust micro-segments the network and enforces a granular perimeter to determine whether to allow a user access to company information or applications.
What are the drivers for implementing a zero-trust network?
The always-on, always-connected employee, wanting to work from anywhere, has given rise to a need for collaborative and dynamic infrastructures that will better support their ways of working.
The security and network communications stack has become complex to support and maintain, and expensive to implement and run. The network perimeter now extends far beyond our control.
Organisations are increasingly opening up their networks to give users access to the applications that they need to do their jobs. Although applications are steadily moving into the cloud and employees are increasingly mobile, access to these resources generally remains routed via the corporate office through a VPN, a technology that entered the mainstream at the turn of the millennium. With the increased reliance on working from home, businesses face having an almost entirely remote workforce, which is leading to increased pressure on companies’ internal infrastructure, especially where internet traffic is backhauled for the sake of security.
Where businesses are geographically distributed, traditional wisdom suggests implementing a hub-and-spoke network, with all resources at its core. These networks are costly to implement and maintain at scale, requiring leased lines, site-to-site VPNs or MPLS, and the expertise to keep these links working.
Networks are no longer confined to corporate offices and have expanded to encompass the needs of satellite and branch offices, remote workers and offshored services, such as developers and call centres. Users require flexible and secure access to applications and resources, wherever they are.
Why is it necessary?
Users want on-demand access to their applications and the approaches that we use today are not providing them with the secure, seamless access they expect. Security, unfortunately, often comes at the expense of usability.
The networks and infrastructure supporting today’s applications, systems and security weren’t designed to support these new ways of working, and a mish-mash of point solutions has had to be developed to support our increasingly mobile workforce.
The outdated castle-and-moat or hub-and-spoke security model, where your perimeter is well guarded, assumes that those within the network do not pose a threat and can, therefore, be trusted, which is not necessarily the case. Organisations’ IT infrastructures often include third-party hardware and appliances, which can introduce, and have introduced, vulnerabilities into networks. This was the case in the highly publicised Target breach of 2013, which originated in compromised HVAC equipment.
Traditional VPNs, although they are the established means of providing access to employees who are located outside the corporate network, present their own security challenges. Your VPN, no matter how securely it is configured, is a target for those who want to get inside your network and, as the number of remote users increases, so does the surface area of attack.
VPNs often give access to the entire corporate network and the devices on it, which may or may not be secure, with third parties often having the same access as employees. If a remote employee’s device becomes infected with malware, that malware can quickly spread through the network, even if the organisation implements access controls and network separation.
VPNs also have a reputation for being slow, and for good reason: backhauling network traffic increases latency, adding to users’ frustration.
Smaller organisations, who are actively embracing a cloud-first strategy, don’t necessarily have a network. These organisations may be working in a distributed manner or be clustered in smaller hubs and co-working spaces, where they do not control their own network and may not even control the devices their employees are working from. Therefore, the security perimeter must exist at the application, as no network can be trusted and, in immature organisations, there may potentially be no corporate control over the devices accessing company data.
What are the benefits of a zero-trust network?
Zero trust networks don’t just bring usability improvements for employees and third-party users, they also bring significant security benefits for the business.
Users gain access to applications and information where and when they need it, which facilitates the modern working practices that employees are increasingly demanding. By eliminating the VPN, access to resources is faster and less frustrating. Increased employee satisfaction increases productivity; their applications just work.
Organisations benefit by reducing the number of point solutions they rely on, which reduces complexity, maintenance time and the organisation’s attack surface.
Organisations begin to look differently at how applications and information are presented and consumed; this means solutions that may not have been considered before become the right solution, accelerating digital and cloud transformation and improving employee experiences.
Organisations go from a default position of making applications available on the VPN to asking “how do we best deliver this information, application or functionality to our users in a zero-trust environment?” Applications can then be hosted in the most appropriate environment, rather than organisations defaulting to specific or existing infrastructure, taking the path of least resistance, simply because that infrastructure is accessible to users via their VPN.
Solutions can often be delivered more quickly because, when networks and routes are defined in software, there is no requirement for dedicated connections, which in turn makes organisations more agile.
Conditional access based on device and user context, as well as moving security to the application layer, enables IT organisations to respond and recover more efficiently in the event of a security incident, quickly isolating and blocking traffic, devices and users.
You are effectively maintaining the security posture of your environment by managing compliance, regardless of where a user is working from.
How can businesses start to embrace zero trust?
It’s unlikely that businesses are going to replace their existing networking stacks with a completely new zero trust architecture. This means that for most organisations, the move to a zero trust model will be a gradual one; it may come from a desire to replace an ageing VPN or a desire to embrace the security benefits that zero trust offers.
Organisations should start by understanding their existing architecture, understanding the services that are offered to users and micro-segmenting their networks, moving the security perimeter to the application. A user or application with access to one network segment must not be able to access any other segment without performing separate authentication.
A single user identity, backed by an identity management system that can authenticate users to, and manage their identities within, the services you will be offering, is foundational to success. Inventory your devices: efficient asset management is required to assess the health and trustworthiness of both the devices you own and those that your employees and service providers own and use.
Once you understand your architecture, users and devices, authenticate everywhere. No network is trusted, so the user must assert their identity in order to gain access to applications and information. Apply the principle of least privilege, giving access on a need-to-know and need-to-use basis.
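The steps above (micro-segment per application, a single identity, a device inventory, authenticate everywhere, least privilege) and the conditional-access and rapid-isolation points made earlier can be pulled together in a small policy decision point. The following is an added illustration, not code from the article or from any vendor product; the users, devices, applications, posture checks and the quarantine list are all constructed for the example, and a real deployment would source them from the identity provider and asset inventory.

```python
"""Minimal zero-trust policy decision point (PDP), written as an illustration.

Every access request names a user, a device and one application. The decision
depends on identity (including MFA), device posture from the inventory and the
application's own entitlement list. The source network is deliberately ignored.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fixed clock so the example is reproducible offline.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    mfa_verified: bool   # the identity provider saw a fresh second factor


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    managed: bool        # enrolled in the asset inventory / MDM
    disk_encrypted: bool
    patch_age_days: int  # days since the last OS patch was applied
    last_seen: datetime  # last inventory check-in


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_groups: frozenset       # least privilege: only these groups are entitled
    require_mfa: bool = True
    require_managed_device: bool = True
    max_patch_age_days: int = 30


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


# Constructed sample data (assumption): a staff member, a third-party vendor and their devices.
USERS = {
    "alice": User("alice", frozenset({"staff", "finance"}), mfa_verified=True),
    "vendor-hvac": User("vendor-hvac", frozenset({"hvac-vendor"}), mfa_verified=True),
    "carol": User("carol", frozenset({"staff"}), mfa_verified=False),
}
DEVICES = {
    "lap-001": Device("lap-001", "alice", True, True, 7, NOW),
    "byod-042": Device("byod-042", "alice", False, False, 90, NOW),
    "vendor-gw": Device("vendor-gw", "vendor-hvac", True, True, 10, NOW),
    "lap-002": Device("lap-002", "carol", True, True, 20, NOW),
}
# Each application is its own segment with its own policy; nothing is granted by network position.
POLICIES = {
    "payroll": AppPolicy("payroll", frozenset({"finance"})),
    "hvac-portal": AppPolicy("hvac-portal", frozenset({"hvac-vendor", "facilities"}), max_patch_age_days=14),
    "wiki": AppPolicy("wiki", frozenset({"staff"}), require_mfa=False),
}
# Devices or users isolated during an incident; checked before anything else.
QUARANTINE = {"devices": set(), "users": set()}


def device_posture_failures(device: Device, policy: AppPolicy) -> list:
    """Return the posture requirements this device fails for the given application."""
    failures = []
    if policy.require_managed_device and not device.managed:
        failures.append("device not in managed inventory")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if device.patch_age_days > policy.max_patch_age_days:
        failures.append(f"patches older than {policy.max_patch_age_days} days")
    if (NOW - device.last_seen).days > 7:
        failures.append("device has not checked in for over 7 days")
    return failures


def decide(user_name: str, device_id: str, app: str, source_network: str = "unknown") -> Decision:
    """Evaluate one request for one application; every application is authenticated separately.

    `source_network` is accepted only to make the point explicit: it is never consulted,
    because in the zero trust model no network, corporate LAN included, is a trust signal.
    """
    user, device, policy = USERS.get(user_name), DEVICES.get(device_id), POLICIES.get(app)
    if user is None or device is None or policy is None:
        return Decision(False, ["unknown user, device or application"])
    if user_name in QUARANTINE["users"] or device_id in QUARANTINE["devices"]:
        return Decision(False, ["subject is quarantined"])
    reasons = []
    if device.owner != user_name:
        reasons.append("device is not registered to this user")
    if policy.require_mfa and not user.mfa_verified:
        reasons.append("MFA required")
    if not (user.groups & policy.allowed_groups):
        reasons.append(f"user has no group entitled to {app}")
    reasons.extend(device_posture_failures(device, policy))
    return Decision(allow=not reasons, reasons=reasons)


def isolate_device(device_id: str) -> None:
    """Incident response: one change blocks a device from every application."""
    QUARANTINE["devices"].add(device_id)


if __name__ == "__main__":
    for req in [("alice", "lap-001", "payroll", "coffee-shop-wifi"),
                ("alice", "byod-042", "payroll", "corporate-lan"),
                ("vendor-hvac", "vendor-gw", "hvac-portal"),
                ("vendor-hvac", "vendor-gw", "payroll"),
                ("carol", "lap-002", "payroll")]:
        d = decide(*req)
        print(req, "ALLOW" if d.allow else "DENY", d.reasons)
```

Two design points worth noting. The decision carries every failing reason rather than stopping at the first, which is what an operations team needs when a legitimate user is denied. And because the policy is per application rather than per network, the vendor account reaches only the HVAC portal even though its device is healthy and its MFA is satisfied; being "inside" buys nothing, which is the segmentation property the article describes.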
No vendor can provide a one-size-fits-all solution and implementing zero trust into your organisation will be a process of change and continuous improvement, bringing in new technologies, new ways of thinking and new ways of working.
This article was written in collaboration with my colleague Jacques du Toit. For a personalised view of how your organisation can benefit from zero trust, please reach out to either of us via LinkedIn.