To understand zero trust architecture, you must rethink your mindset about cyber security. For years, security teams were guided by a simple code: “Trust, but verify.” Zero trust is far less relaxed: it is guided by the more skeptical philosophy of “Never trust. Always verify.”
In this article, we’ll walk you through the basics of a zero trust architecture, the benefits (and why zero trust is critical for today’s remote workforce), plus, how to build your own zero trust security defense.
What is Zero Trust Architecture?
Zero Trust Architecture treats every user, device, and application as a potential threat to the company, assuming that a breach is imminent or has likely already occurred. A zero trust setup limits user access to only what is needed, and continuously looks for anomalous or malicious activity.
Also known as the Zero Trust Security Model or Zero Trust Network Architecture (ZTNA), this approach to security means that no user can be trusted at any point in their interactions with a corporate network. It is an architectural approach based on “Deny first, and only allow what you must.” With zero trust there is NO assumption that what was trusted to get into the network should be trusted to access everything that’s inside.
What is an example of zero trust architecture?
Simply put, zero trust operates on the philosophy that, because attackers can live both inside and outside the network, no identity should be automatically trusted, even one that has already authenticated at the front door with a username and password.
Let me paint you a scenario to illustrate why this concept is so important.
Let’s say an attacker steals a user’s credentials and authenticates with that username and password. They get through the “front door,” discover a folder of highly sensitive corporate data (source code, HR data, or internal emails), download its contents, and threaten to expose it in a ransomware attack.
To avoid this scenario, traditionally you have two moves:
- Either make the user re-authenticate every few minutes to ensure that only legitimate users are on the network. But this costs you money in lost productivity and increased Help Desk calls, not to mention some pretty frustrated employees.
- Or allow them to authenticate seldom, say once a week or once a month, which certainly makes for happier users but leaves your company vulnerable to incoming threats.
But with a zero trust architecture, you would take a “never trust, always verify” approach — continuously checking the user’s access, searching for signs of anomalous activity — even once they’ve authenticated at the front door.
Why Zero Trust Is Critical for Remote Work
Rooted in the principle of “never trust, always verify,” Zero Trust is well suited to protecting the modern workforce, like the millions of employees now working remotely due to the COVID-19 pandemic. The beauty of zero trust is that this security approach does not care whether an employee is logging in from the office, from home, or from a Starbucks. It treats every person, inside and outside the network, as a suspect. This is a drastic change from the old model of “perimeter thinking,” where users were typically authenticated only once to access the network, on the assumption that once they’re in they can be implicitly trusted.
Think of it this way: in the past, if you were inside the physical building, you were already keyed in with your keycard and protected with the perimeter firewall. This created implicit trust that you were authorized to perform the actions you were doing inside the network. But with the zero trust approach, even if you’re in the building, you still have to pass continuous verification throughout your workday.
Surprisingly, this actually leads to a much simpler infrastructure, because you no longer need to buy different equipment or technologies to secure users in different situations. With zero trust you have one architecture, one system, to secure all users all the time, wherever they are and whatever they’re trying to do, because each user is run through the same stringent security checks.
Key Components of Zero Trust Architecture
It’s important to remember that Zero Trust is not a single solution but rather a strategic set of guiding principles for how organizations should create their cybersecurity strategy.
According to the National Security Agency (NSA), a Zero Trust solution requires operational capabilities that:
- Assume breach: Consciously operate and defend resources with the assumption that an adversary already has presence within the environment. Deny by default and heavily scrutinize all users, devices, data flows, and requests for access. Log, inspect, and continuously monitor all configuration changes, resource accesses, and network traffic for suspicious activity.
- Never trust, always verify: Treat every user, device, application/workload, and data flow as untrusted. Authenticate and explicitly authorize each to the least privilege required using dynamic security policies.
- Verify explicitly: Access to all resources should be conducted in a consistent and secure manner using multiple attributes (dynamic and static) to derive confidence levels for contextual access decisions to resources.
- No action or user is inherently trusted within a zero trust security model.
- Assume that a breach is imminent or has likely already occurred. Treat every user, device, and application as a potential threat to the company.
- Give access to exactly what is needed to complete a legitimate task, and nothing more.
Zero Trust and NIST SP 800-207
In response to the increasing number of high-profile security breaches, in May 2021 the Biden administration issued an executive order mandating that U.S. federal agencies adhere to NIST 800-207 as a required step for Zero Trust implementation.
NIST (National Institute of Standards and Technology) Special Publication 800-207 is a series of cybersecurity measures and guidelines highlighting the core components of Zero Trust principles. The standard has gone through extensive validation and input from a range of commercial customers, vendors, and government agency stakeholders, which is why many private organizations view it as the de facto standard for private enterprises as well.
A brief history of Zero Trust Architecture
“Zero Trust” was coined by an analyst at Forrester Research Inc. in 2010 when the model for the concept was first presented. It was a change from the old model of “perimeter thinking” where users were typically only authenticated once to access the network, to a zero trust model where users are authenticated much more frequently. Before the zero trust security model, there were simply trusted insiders and untrusted outsiders.
How To Set Up Zero Trust Architecture
Identify the user before they enter the system, with Multi Factor Authentication (MFA).
In 2020, Microsoft’s Cybersecurity Solutions Group corporate vice president Ann Johnson said, “The entire principle of zero trust is that you trust nothing. That’s the first thing that we tell organizations: they must use multi-factor authentication for 100% of employees 100% of the time. That is the first control to put in place as part of that Zero Trust architecture”.
Multi Factor Authentication (MFA) is a key component of achieving Zero Trust. It adds a layer of security to access to a network, application, or database by requiring additional factors to prove the identity of users. This is a critical step in zero trust architecture.
Require real-time monitoring and continuous authentication while the user is inside the corporate network.
One way to achieve this is with facial recognition technology, but that is quickly becoming unpopular due to the intrusive nature of a camera always watching you as you work. You can rely on fingerprint scanning, but fingerprint scanning on a computer requires expensive external hardware, not to mention frustrating your employees with requests to scan their fingerprint multiple times a day.
But there is another solution: typing biometrics technology, which passively monitors how users type throughout the workday to ensure that only authorized users retain access to company computers. TypingDNA offers this as continuous authentication in its ActiveLock product.
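As an added illustration (not code from the article or from TypingDNA), the following Python sketch ties the stolen-credential scenario, the NSA principles, and the two set-up steps above together: a deny-by-default policy engine, evaluated on every request rather than once at login, that combines static attributes (role, enrolled device) with dynamic ones (MFA recency and a continuous-authentication confidence score, which a typing-biometrics agent would supply) into a per-resource confidence level. All users, devices, weights and thresholds are constructed, and the behaviour score is assumed to arrive from some continuous-authentication source.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    device_id: str
    resource: str
    mfa_age_sec: int          # seconds since the user's last MFA challenge
    behaviour_score: float    # 0.0..1.0 from continuous auth (assumed input)


# Static attributes (all constructed): role assignments, enrolled devices,
# and the minimum confidence each resource demands.
ROLES = {"alice": {"engineering"}, "bob": {"hr"}}
MANAGED_DEVICES = {"alice": {"laptop-a1"}, "bob": {"laptop-b7"}}
RESOURCES = {
    "source-code": {"roles": {"engineering"}, "min_confidence": 0.8},
    "hr-records": {"roles": {"hr"}, "min_confidence": 0.9},
    "wiki": {"roles": {"engineering", "hr"}, "min_confidence": 0.5},
}
MFA_FRESH_SEC = 8 * 3600  # an MFA challenge older than a working day earns nothing


def confidence(req: AccessRequest) -> float:
    """Derive one 0..1 confidence level from static and dynamic attributes."""
    managed = req.device_id in MANAGED_DEVICES.get(req.user, set())
    mfa_fresh = req.mfa_age_sec <= MFA_FRESH_SEC
    # Weights are illustrative; a real policy engine would tune them.
    return 0.3 * managed + 0.3 * mfa_fresh + 0.4 * req.behaviour_score


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Deny by default: every branch must positively establish entitlement."""
    policy = RESOURCES.get(req.resource)
    if policy is None:
        return False, "unknown resource"
    if not ROLES.get(req.user, set()) & policy["roles"]:
        return False, "least privilege: role not entitled to resource"
    score = confidence(req)
    if score < policy["min_confidence"]:
        return False, f"confidence {score:.2f} below required {policy['min_confidence']}"
    return True, f"allowed at confidence {score:.2f}"


if __name__ == "__main__":
    # Stolen credentials plus a fresh MFA from an unenrolled device still fail:
    print(decide(AccessRequest("alice", "unknown-pc", "source-code", 600, 0.2)))
    # Same user on the enrolled laptop, but the behaviour signal has collapsed mid-session:
    print(decide(AccessRequest("alice", "laptop-a1", "source-code", 600, 0.3)))
```

Because the decision is recomputed per request, a session that was legitimate at login is re-denied the moment the MFA goes stale or the typing signal no longer matches, without forcing the user to re-enter a password on a timer.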