Zero Trust Access

What Is Zero Trust Access?

Zero Trust Access is a catch-all term for any security framework requiring all IT entities to authenticate, authorize, and continuously verify their identity. It is applied evenly across all users and groups, regardless of position, privileges, or permissions. This represents a departure from traditional IT security models, which implicitly trust an entity after a single authentication. 

In a world of distributed work, connected endpoints and cloud software, such legacy models are increasingly infeasible. This is primarily because they are predicated on a security perimeter that no longer exists. They assume that everyone and everything within a particular environment can be trusted. They also make no distinction between remote users and those that are physically connected to a network or server. 

Zero Trust Access vs. Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) is essentially an offshoot of Zero Trust Access, and both are built on the Zero Trust Security model defined in NIST 800-207. The primary difference between the two is their scope. While Zero Trust Access encompasses all resources and environments, including applications and services, ZTNA focuses on networks and network resources. 

As a result, Zero Trust Access is more holistic than ZTNA, defined by role-based access control. It aims to identify and monitor users, devices, and other entities within an operating environment. Zero Trust Access also seeks to maintain visibility into all devices within an environment, particularly IoT endpoints.  

ZTNA, on the other hand, is more akin to a network security model—one which may be leveraged within the scope of Zero Trust Access to provide a dynamic, software-defined network perimeter. Its core objective is to provide applications and users with remote access to an organization’s network resources. ZTNA is also frequently proposed as a replacement for legacy VPNs

Why Zero Trust Access?

Under a perimeter-centric security model, a threat actor need only compromise a single user account to potentially gain full access to an organization’s most sensitive assets. Provided they can successfully authenticate, security software may be unable to differentiate them from a legitimate user. This means that by the time anyone realizes an ecosystem has been compromised, it’s usually too late—the adversary has already achieved what they set out to do. 

Access control aside, older security models suffer from several additional weaknesses when measured against Zero Trust Access: 

  • Less granular control over users, groups, and permissions
  • Limited visibility into user behavior and activity
  • A lack of flexibility, particularly with regard to cloud software and remote access

Benefits of Zero Trust Access

The benefits of Zero Trust Access are similar to those of any Zero Trust security model and include:

  • Greater oversight of business resource usage
  • Reduced risk of malicious access or abuse
  • Unified access control
  • Easier compliance with industry standards and regulations
  • Improved vulnerability management, visibility, and breach detection
  • A strong foundation for digital transformation
  • Reduced scope and cost for compliance, operational, and security initiatives
  • Simpler user, device, and policy management
  • Improved visibility into an organization’s attack surface
  • Improved visibility into the users and entities present within an organization’s ecosystem

How Zero Trust Access Works

Zero Trust Access operates on the fundamental principles established by the Zero Trust Security model—namely, no single entity within an organization’s ecosystem should be granted implicit trust. Every user, device, and application may be malicious and must be authenticated, monitored, and continuously validated. Although it may leverage some legacy security controls such as firewalls and encryption, Zero Trust Access takes a far more dynamic, holistic approach. 

The core goal of Zero Trust Access is to reduce and control an organization’s attack surface, reducing access opportunities for adversaries while dynamically and proactively mitigating potential threats. Complimentary technologies to Zero Trust Access include Extended Detection and Response (XDR)Endpoint Protection Platforms (EPPs)User and Entity Behavior Analytics (UEBA), and Identity and Access Management (IAM)

Elements of Zero Trust Access

Unsurprisingly, Zero Trust Access is closely related to Zero Trust Architecture and encompasses the following components: 

  • Multi-factor authentication
  • Continuous, non-intrusive validation
  • Endpoint security
  • Real-time visibility and threat intelligence
  • Application management
  • Security analytics
  • Artificial intelligence
  • Automation
  • Real-time monitoring
  • Micro-segmentation of organizational and network resources
  • Trust zones
  • Centralized management of entities, endpoints, and security controls
  • Dynamic access policies
  • Security auditing and reporting

It can be incredibly challenging to implement Zero Trust Security. The most important thing to understand at the outset is that Zero Trust Access is not an out-of-the-box solution but a holistic approach to managing access to organizational resources. In broad strokes, this requires the following steps:  

  1. Establish a thorough inventory of all assets, applications, data stores, and services.
  2. Determine how data and transactions flow between these resources. 
  3. Define policies for controlling and managing access and authentication. 
  4. Take an incremental approach to testing and implementation. 
  5. Ensure you have the mechanisms to adjust controls and policies dynamically. 

If your organization needs more in-house security expertise, following through on this process is easier said than done. BlackBerry can help. In addition to decades of cybersecurity expertise, we provide Cylance® AI to help you better protect your people, data, and systems.