Zero Trust Network Architecture Explained
A well-planned network architecture is the foundation of an effective security posture. However, the traditional flat network architecture of the late 90s and early 2000s, still in widespread use in the present-day business landscape, is increasingly a security liability.
Meanwhile hackers and other malicious actors grow in sophistication every year.
They devise new ways to exploit human psychology with clever social engineering attacks over email and social media. To gain access to corporate networks they leverage a wide range of tools and techniques including polymorphic malware, advanced persistent threat strategies, zero-day exploits, and cutting-edge obfuscation or encryption tactics to evade detection.
Stakeholders must update outdated infrastructure to defend against these numerous and sophisticated threats. But, critically, they must also adapt in terms of mindset.
The days of a “set it and forget it” approach to network security are over. Survival in the modern threat landscape requires networks that are both resistant to attack and engineered to withstand and respond to the inevitability of an intrusion.
Perhaps the most successful strategy to realize these goals is Zero Trust Network Architecture (ZTNA). In this article we’ll cover how the principles of Zero Trust, when correctly applied to network architecture, actually reduce security complexity while improving the overall level of security.
What is Zero Trust?
The Zero Trust methodology is decidedly different from the traditional cybersecurity approach, and so implementing Zero Trust requires a realignment of priorities. We’ll explore these differences throughout the course of this article.
First, let’s set the stage by contrasting basic concepts of the traditional approach to the Zero Trust way.
The traditional model is simple enough: it assumes a stance of trusting everything inside the organization’s network. The core tenet of Zero Trust, however, is to abandon implicit trust of users, devices, applications and networks. We summarize the concept in a sort of motto:
“Never trust, always verify.”
Hence the phrase, “zero trust.”
This security philosophy has important implications, and from it spring a number of core concepts that we can practically apply to meet real-world security challenges.
How does Zero Trust apply to network architecture?
Applying Zero Trust to your network results in the following principles:
- Identity verification: Users and devices must authenticate and prove their identity before they may access resources. This may include continuous authentication of the user identity and device trust throughout a session. Multi-factor authentication (MFA) is also strongly recommended.
- Least privilege: Grant authenticated users and systems only the minimum level of access necessary to perform their tasks. This reduces the extent of possible damage if an account security breach occurs.
- Micro-segmentation: Divide networks into smaller segments, and restrict access to each segment based on the least privilege principle. In the event of a breach, these contained threats now have limited capability for lateral movement within the network.
- Continuous monitoring: Monitoring device, system and user behavior helps detect anomalies or deviations from normal patterns, so that potential threats are detected and responded to faster.
- Strict access control: Access to network resources is strictly controlled, and permissions are adjusted dynamically to reflect changing conditions such as user role, device health, user location, or network location. This dramatically reduces the potential for unauthorized access to resources.
- Encryption: Prioritize encryption of data in transit and at rest. Even in the event of a network breach, data is protected from unauthorized access. Such encryption procedures will enhance overall data security within the network.
- Assume breach mindset: While preventive measures are in place, do not rely exclusively on prevention of an intrusion; instead, assume a posture of rapid detection and response to an always-possible breach. This way both automated mitigation systems and blue-team interventions are always primed to respond to an incident.
The above points show how the architecture implied by a Zero Trust model is a substantial departure from the traditional flat network approach, which consists of hundreds of implicitly trusted devices connected to a single huge network. The Zero Trust model emphasizes continual verification of users and devices to ensure they hold the proper authorizations to connect to applications, move across segments of the network, and access data.
Let’s explore these differences in more detail.
How is a ZTNA an advantage over traditional network security models?
Let’s begin with a clear definition of a “traditional network.” By this I mean a flat network, an architecture in which all devices may connect to one another, unimpeded by strict boundaries and generally able to access resources at will. This typically results in hundreds or thousands of users and systems all connected in a monolithic network.
The advantages of this approach are in its simplicity, speed, ease of use for users and devices, along with uncomplicated network management. Traditional security measures strongly emphasize prevention of external intrusion through isolation of the internal networks from the outside world.
Perimeter security is necessary but not sufficient. What happens once a breach occurs and an intruder is present inside the network?
In a traditional network, when a user logs in, they often have broad access privileges in the network. As a result, leaked or otherwise compromised credentials are immediately used to move laterally in a network in search of high-value data. The intruder is able to gain wide access to sensitive resources since the credentials are implicitly trusted.
In a Zero Trust architecture the network is segmented into many smaller networks, meaning a restricted scope of exposure and potential for damage. User roles are sharply defined to constrain access to only the specific resources required to complete certain tasks (i.e., least privilege), so compromised credentials can reach just a small subset of resources. Continuous monitoring systems and response automation then detect unusual behavior, trigger alerts, and facilitate coordination within the security team to enable a rapid response.
In total, the Zero Trust Network Architecture describes a coherent security approach which limits the potential for broad network access to critical systems in the event of a breach, constricts the value and abuse potential of leaked credentials, reduces time to response, and elevates the likelihood of effective mitigation of the attack.
What are some Zero Trust use cases?
The primary benefit of implementing Zero Trust architecture is that the security controls can prevent attackers from gaining access to sensitive resources or data even if they have breached the network perimeter.
So let’s examine how this applies to a few key use cases.
Use case: Data
First we’ll consider how Zero Trust principles apply to sensitive data such as financial information, customer data and intellectual property. In this use case, ZTNA ensures strict control of access to data, reducing the risk of unauthorized access or data breaches.
The smaller attack surface of a micro-segmented network helps to contain potential threats, safeguarding against broad exposure of sensitive information. In the event of a breach, real-time monitoring helps identify and respond to intruders before they can compromise high-value data targets. And even with access to data, the at-rest encryption policy ensures that it remains unreadable without access to the appropriate encryption keys (which are themselves under strict security controls).
Use case: Applications
In this case we consider web apps, databases, cloud applications, line-of-business applications, and so on.
A web application such as a customer portal or collaboration platform can implement Zero Trust principles by restricting access and employing security controls based on user identity, device health, and other contextual information like location. Continuous authentication would ensure that only authorized users have access.
Apply fine-grained access controls to the database, and restrict access based on user roles and responsibilities, alongside implementation of protocols to encrypt data at rest and in transit. Additionally, database monitoring tools can actively detect and respond to suspicious activity.
More generally, use Identity and Access Management (IAM) systems which adhere to Zero Trust principles to govern access to web applications or cloud systems. These IAM systems can implement a variety of monitoring and access restrictions to ensure only authorized users can access sensitive systems. Additionally, a Cloud Access Security Broker (CASB) can monitor and control data flowing between the organization and the cloud.
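The contextual access decision described in this use case (identity with MFA, device health, least privilege, and permissions that change as monitoring raises a session’s risk) is easier to see as a small policy decision point. The following is an added example written for this article, not code from any of the products mentioned; the roles, resources, thresholds and risk score are constructed, with the risk score standing in for a UEBA or monitoring feed.

```python
"""Minimal Zero Trust policy decision point (PDP), a constructed illustration: every request
is judged on identity (MFA), device posture, a least-privilege role table and a risk score."""
from dataclasses import dataclass

# Least-privilege role table (constructed): role -> allowed (resource, action) pairs.
ROLE_PERMISSIONS = {
    "support": {("customer-portal", "read")},
    "finance": {("customer-portal", "read"), ("ledger-db", "read"), ("ledger-db", "write")},
}
# Resources sensitive enough to require a healthy managed device (constructed).
HIGH_VALUE = {"ledger-db"}

@dataclass
class Context:
    user: str
    role: str
    mfa_passed: bool
    device_managed: bool
    device_healthy: bool   # e.g. EDR agent running, disk encrypted
    risk_score: int = 0    # supplied by UEBA/monitoring; 0 means normal behaviour

@dataclass
class Request:
    resource: str
    action: str

def decide(ctx, req):
    """Return (allowed, reason). Checks run identity -> device -> least privilege -> risk."""
    if not ctx.mfa_passed:
        return False, "identity not verified: MFA required"
    if not ctx.device_managed:
        return False, "unmanaged device"
    if req.resource in HIGH_VALUE and not ctx.device_healthy:
        return False, "device posture insufficient for a high-value resource"
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(ctx.role, set()):
        return False, f"role {ctx.role!r} has no {req.action!r} on {req.resource!r}"
    # Dynamic adjustment: rising risk from monitoring steps privileges down mid-session.
    if ctx.risk_score >= 70:
        return False, "session risk elevated: access revoked pending review"
    if ctx.risk_score >= 40 and req.action != "read":
        return False, "session risk elevated: write access suspended"
    return True, "allowed"

def replay(ctx, events):
    """Re-evaluate a whole session: ints are risk-score updates from monitoring, Requests are access attempts."""
    verdicts = []
    for ev in events:
        if isinstance(ev, int):
            ctx.risk_score = ev          # monitoring feed changes the context between requests
        else:
            verdicts.append(decide(ctx, ev)[0])
    return verdicts
```

Note that a valid login with stolen support credentials still cannot reach the ledger: least privilege, not the network perimeter, is what stops the lateral move.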
Use case: Insider threats
Disgruntled current or former employees acting as intentional saboteurs, corporate spies carrying out espionage, and inexperienced or careless users accidentally causing damage are all examples of insider threats. A Zero Trust network architecture can help here too.
Continuous monitoring of network, user and device behavior can rapidly identify unusual or suspicious activity, providing an early warning for potential insider threats. Zero Trust tools often incorporate User and Entity Behavior Analytics (UEBA) which can flag anomalies or deviations from normal usage patterns. This can result in dynamic, real-time adjustment of access permissions and device trust, reducing the risk of an insider exploiting their privileges.
How is a ZTNA implemented?
Companies must navigate a complex and distributed way of working which includes cloud applications, a remote workforce, and mobile devices. This greatly expands the potential attack surface.
Let’s examine the tools we can use to structure the network to better support the requirements of the modern workforce in the context of a Zero Trust network architecture. (Note that this is not an exhaustive list of vendors, but rather just examples of common choices.)
- Network micro-segmentation — implemented using some combination of network firewalls, software-defined networks, VLANs, routers and switches.
  - Hardware vendors: Cisco, Juniper Networks, Palo Alto Networks
  - Software vendors: VMware NSX, Cisco TrustSec, Tufin, Illumio, vArmour
- Identity and Access Management provides strong security controls for authentication, including single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, and identity governance. Relevant vendors include Okta, Microsoft Azure AD, Amazon AWS, Ping Identity, and ForgeRock.
- Access Control vendors enforce secure access to resources through policy-based controls. Products offering network or application access control solutions include Palo Alto Networks Prisma Access, Zscaler Private Access, Akamai Enterprise Application Access, Netskope Private Access, and Aruba ClearPass.
- Endpoint Security solutions focus on protecting individual devices, and may combine endpoint detection and response (EDR), antivirus, threat intelligence and intrusion prevention capabilities to protect endpoints. EDR vendors include CrowdStrike, VMware Carbon Black, Broadcom, Microsoft, and SentinelOne.
- Continuous Monitoring and analytics tools:
  - SIEM systems, including Splunk, LogRhythm, IBM QRadar and ArcSight, collect, analyze and correlate log data from various systems across an organization’s IT infrastructure. They can provide real-time insights into events and activities generated by applications within the IT perimeter.
  - Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS): Snort, Suricata, Cisco Firepower. An IDS monitors network and system activities for malicious behavior and policy violations. An IPS additionally blocks the malicious traffic it detects, so that an attack cannot progress. Together these systems alert on and block suspicious activities.
  - Network Traffic Analysis (NTA) tools: Darktrace, Vectra AI, ExtraHop. These tools detect abnormal patterns and potential security threats in the environment.
  - Vulnerability Scanners like Tenable Nessus, Qualys and OpenVAS assess and identify security vulnerabilities in systems and applications.
  - User and Entity Behavior Analytics (UEBA) such as Exabeam, Securonix and Splunk UBA analyze user behavior and activities to detect anomalous behavior or deviations in usage patterns, identifying potential threats or compromised accounts.
- Security Orchestration, Automation and Response (SOAR) tools play a crucial role in supporting ZTNA by automating and orchestrating security processes. They integrate with other security tools and enable automated workflows for incident response. Relevant products here are IBM QRadar SOAR, Splunk Phantom, Palo Alto Networks Cortex XSOAR and Devo SOAR.
Considerations ahead of Zero Trust architecture adoption
In the introduction of this article I suggested that implementing Zero Trust in a network reduces security complexity — and then I proceeded to elaborate on how ZTNA requires a vast array of changes to the network architecture. These changes amount to a complete overhaul of the network and its approach to security. I get that.
So let’s be clear: nobody said it would be easy! Implementing Zero Trust in your network architecture necessitates a considerable investment of time, money, resources and buy-in from leadership to see the journey through to the end.
Everything in your infrastructure, including routers, switches, clouds, IoT devices, and the supply chain, should adhere to the Zero Trust methodology where possible. It will require a substantial effort to see it through to the end.
However this investment does enhance security while reducing complexity.
I’ll elaborate. Let’s consider how an attack might play out in a traditional network.
If an attacker successfully intrudes into the network, they have broad capacity to move laterally through systems, access resources unimpeded, and potentially wreak havoc. Under these conditions determining precisely when, where and how an intrusion happened and the specific data or systems compromised by the intruder becomes significantly more difficult.
In contrast, a Zero Trust architecture drastically limits the “range of motion” within the network. The intruder’s permissions and access levels are dynamically modified based on suspicious behavior detected. Layers of protection prevent data from breach or exfiltration.
Soon enough access control systems clamp down on the intruder’s permissions based on unusual deviations from expected behavior patterns, while automated systems alert the internal security team to contain the attack.
In the aftermath of the breach, security teams can examine the logs from systems which tracked every step the intruder took. This makes assessing scope of the intrusion, remediating incurred damages, and writing an incident post-mortem report very straightforward.
A Zero Trust architecture plan of action
Let’s envision a plan of action to deploy a Zero Trust architecture in an organization.
Begin with a careful assessment of your existing network architecture, your security policies, and access controls. Gather a list of critical assets and potential vulnerabilities.
Consider obtaining a thorough risk assessment from a third-party vendor — it helps to view your organization’s current security strengths and weaknesses from the perspective of a security expert.
Identify the highest value applications, data and user groups to cover under the policy first, giving priority to the most likely targets of a breach. Less critical applications, users and data can be brought into the ZTNA roll-out at a later date.
Embrace the principle of least privilege, defining access policies that grant users, automated systems and devices only the minimum level of access required to complete their tasks.
Consider whether there are any compliance requirements to meet in your ZTNA architecture and align your organization with those regulations. This may include GDPR, HIPAA or industry-specific regulations.
Design with scalability, growth and user experience in mind. Ensure the network design and products selected to implement the ZTNA can accommodate both growth and evolving threats.
At the same time, you must balance the deployment of Zero Trust in the organization with the continued performance and productivity of your users. Strongly emphasize usability for your most impactful teams — for instance, how might this affect your development lifecycle? A positive UX should be a key end result.
Wrapping Up
We’ve covered a lot of ground. We’ve explored the fundamental principles and key components of Zero Trust Network Architecture, and I’ve offered advice about Zero Trust adoption. As organizations navigate a landscape fraught with security perils, movement towards Zero Trust is a crucial step toward a robust defense of critical assets and sensitive data.
In this article I’ve conveyed just how important it is to adapt both technology and mindset to meet present and future security threats. A holistic and modern approach to security challenges the traditional paradigms and paves the way for a more proactive defense against ever-more-sophisticated adversaries.
The core principles of Zero Trust, such as prioritizing continuous monitoring, least privilege access, and dynamic access controls, enable businesses to establish a strong security posture that can adapt to the volatile cybersecurity environment.
And organizations that embrace these Zero Trust principles are better positioned to secure their networks, protect valuable data and face emerging security challenges with confidence.