Zero Trust Fundamentals
As the saying goes, “Everyone loves a good story.” Want to convey something important to your audience? Then, put it into a story. The trouble with a subject like Zero Trust is that it doesn’t lend itself well to a story. Or, does it?
The hardest part of telling a story is determining where to begin. For Zero Trust, the most logical place to start is with the basics.
ZERO TRUST OVERVIEW
The National Institute of Standards and Technology (NIST) defines Zero Trust as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”2 The premise behind this—and one supported by current cybersecurity statistics—is that the distributed nature of computing today means the traditional perimeter no longer exists, and whatever perimeter security you have, regardless of how strong it is, will be breached eventually.
A Zero Trust Architecture (ZTA), according to NIST, is one that “uses Zero Trust principles to plan industrial and enterprise workflows” where no implicit trust is granted, regardless of who the user is, where they are located, or what device they are using. The objective is to prevent data breaches and limit lateral movement within your network.
Zero Trust Network Access (ZTNA), a term often used when discussing Zero Trust, is the logical boundary created around an application or set of applications by a product or service that screens identities and context-sensitive requests based on security policy. A more appropriate name would have been Zero Trust Application Access. ZTNA is also typically considered an alternative to (or evolution of) traditional network-based VPN solutions.
What's Driving Zero Trust
There are many trends behind the need for Zero Trust. The most prominent are:
- The distributed nature of applications: on-premises, cloud, and SaaS
- Geographically distributed hybrid workforces
- The increasing number of non-user devices on networks
- Increasing regulatory requirements
- Growing threat of cyberattacks from sophisticated adversaries
- Increasing risk of loss from data exfiltration
HOW IT WORKS
There are many different ways to implement Zero Trust, because it is not tied to specific hardware or software. Contrary to some marketing claims, you cannot simply purchase a product from a vendor and achieve Zero Trust. But there are common functions that must be in place.
One of the fundamental principles of a Zero Trust Network is that no session is automatically trusted for any reason. This means your network is separated into zones: untrusted zones and trusted zones. And any access request is governed by a policy decision point and policy enforcement point (PDP/PEP) as illustrated in Figure 1.
The policy decision point (PDP) consists of a policy engine and a policy administrator. This is where your enterprise policy resides—the function that ultimately governs access to systems, data, and applications. The policy is set by you and may be informed by outside threat intelligence feeds (if you subscribe to such services), industry compliance systems, activity logs, and other security systems.
The policy enforcement point (PEP) watches over sessions and takes action based on your policy. This function communicates with the policy administrator, forwarding requests and receiving policy updates, and is responsible for terminating connections. One of the goals in a ZTA is to place the PEP as close to the resource as possible.
Situated behind the PEP are your enterprise resources. If a request is passed beyond the PEP, it now can access resources—but only those resources the user, device, or application is authorized to use.
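The PDP/PEP split described above can be made concrete with a small simulation. The following is an added example, not code from the article or from NIST: it models a policy engine that evaluates every request against entitlements and external signals (MFA state, device compliance, a risk score), a policy administrator that relays decisions and pushes revocations to the enforcement point, and a PEP that opens a session only on an allow and terminates sessions when the administrator revokes a user. All user names, device ids, resource names, and the risk threshold are constructed sample values.

```python
"""Toy model of a Zero Trust policy decision point (PDP) and policy
enforcement point (PEP). Added illustration only; all identities,
device ids, resource names and policy thresholds are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    resource: str
    mfa_verified: bool
    device_compliant: bool   # e.g. a signal from endpoint management
    risk_score: int          # 0 (low) .. 100 (high), e.g. from a threat feed


@dataclass
class Decision:
    allow: bool
    reason: str


class PolicyEngine:
    """Policy engine inside the PDP: evaluates each request against
    enterprise policy plus external signals. Nothing is implicitly trusted,
    so every check must pass for every request."""

    def __init__(self, entitlements, max_risk=50):
        self.entitlements = entitlements   # user -> set of allowed resources
        self.max_risk = max_risk           # constructed threshold
        self.revoked_users = set()

    def evaluate(self, req):
        if req.user in self.revoked_users:
            return Decision(False, "user revoked")
        if not req.mfa_verified:
            return Decision(False, "MFA required")
        if not req.device_compliant:
            return Decision(False, "device not compliant")
        if req.risk_score > self.max_risk:
            return Decision(False, f"risk score {req.risk_score} exceeds {self.max_risk}")
        if req.resource not in self.entitlements.get(req.user, set()):
            return Decision(False, "not entitled to resource")
        return Decision(True, "policy satisfied")


class PolicyAdministrator:
    """Second half of the PDP: answers PEP requests and pushes revocations
    so that already-established sessions are torn down, not just new ones."""

    def __init__(self, engine):
        self.engine = engine
        self.peps = []

    def register(self, pep):
        self.peps.append(pep)

    def decide(self, req):
        return self.engine.evaluate(req)

    def revoke_user(self, user):
        self.engine.revoked_users.add(user)
        for pep in self.peps:
            pep.terminate_sessions_for(user)


class PolicyEnforcementPoint:
    """Sits directly in front of the resources: forwards each request to the
    PDP, opens a session only on an allow, and terminates sessions on demand."""

    def __init__(self, admin):
        self.admin = admin
        self.sessions = {}   # session id -> AccessRequest
        self.log = []        # (user, resource, allowed, reason) audit trail
        admin.register(self)

    def handle(self, req):
        d = self.admin.decide(req)
        self.log.append((req.user, req.resource, d.allow, d.reason))
        if not d.allow:
            return None
        sid = f"s{len(self.sessions) + 1}"
        self.sessions[sid] = req
        return sid

    def terminate_sessions_for(self, user):
        for sid in [s for s, r in self.sessions.items() if r.user == user]:
            del self.sessions[sid]


def demo():
    """Run a constructed scenario: an entitled user, an attempt at lateral
    movement to a resource the user is not entitled to, a high-risk request,
    and a revocation that drops the existing session."""
    engine = PolicyEngine({"alice": {"hr-app", "wiki"}, "bob": {"wiki"}})
    admin = PolicyAdministrator(engine)
    pep = PolicyEnforcementPoint(admin)
    alice_hr = pep.handle(AccessRequest("alice", "lap-01", "hr-app", True, True, 10))
    bob_hr = pep.handle(AccessRequest("bob", "lap-02", "hr-app", True, True, 10))
    alice_risky = pep.handle(AccessRequest("alice", "lap-01", "wiki", True, True, 80))
    admin.revoke_user("alice")
    return {"alice_hr": alice_hr, "bob_hr": bob_hr, "alice_risky": alice_risky,
            "open_sessions": len(pep.sessions), "log": pep.log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The PEP never evaluates policy itself; it only relays requests and enforces the answer, which is what lets the PDP change its mind (a revocation, a raised risk score) and have the enforcement point act on it mid-session.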