What Is a Zero Trust Network?
How a Zero Trust Network Differs from Traditional Networking
Traditional networking revolves around the concept of perimeter security. Once a device or user is authenticated within the local corporate network, it is considered trusted, and resources will be made available without further checks.
But now, businesses are facing considerable scaling of their ecosystems. Employees work from home or via a hybrid blend of remote and in-office activities. Company resources reside both within the network and in the cloud. Those cloud resources can be both public and private. Service supply chains are increasingly distributed, and endpoint types proliferate.
The Zero Trust Network combats this increasingly varied landscape by using a security model with the same fundamental principle no matter where a device is located or what kind of resource a user tries to access: never trust, always verify. Authentication is never assumed and must constantly be renewed. This minimizes cyber breaches because compromised devices and user credentials will never automatically access network resources.
How a Zero Trust Network Works
A Zero Trust Network is more of a network model and methodology than any specific technology. NIST Special Publication 800-207 (Zero Trust Architecture) defines its core principles. The elements that make up a Zero Trust Network implementation include:
- Access privileges for all resources are continuously validated
- Access policies can be adjusted based on user behavior, for example when a device is being used from an unusual location
- Multi-Factor Authentication (MFA) is implemented to strengthen verification
- Security controls are centrally managed
- Cybersecurity AI can enhance threat detection and response for a faster reaction to potential attacks
- Identity and Access Management systems are implemented
- The entire business ecosystem is visible in real time to administrators
- Security is audited and reports provided for the continuous improvement of protections
How to Create a Zero Trust Network
Implementing a Zero Trust Network requires a systematic approach divided into clear stages leading towards an effective but evolving system.
- Identify the assets on your network, their value and vulnerability, such as core business data and intellectual property.
- Ensure that devices and users are verified robustly, including multi-factor authentication for users and embedded security chips in devices to attest to their identity.
- Map user workflows, defining which users access which assets and when, generating a plan of how they will be granted the required access.
- Create policies for authentication that can then be automated, including metadata such as device, location, time of access, recent user and device activity, and multi-factor authentication. Automate processes to screen for these metadata attributes to streamline policy enforcement.
- Test the verification, workflows, and policies to ensure they improve security as expected but don’t impact user productivity. Monitor device and user behavior to detect new intrusions while proactively adapting security measures to evolve the Zero Trust Network.
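The five stages above come together in a policy decision point: the component that receives every access request, checks the identity, device and context metadata against the automated policy, and records why it decided as it did. The following Python is an added example written for this page, not code from the article or from NIST SP 800-207; the asset inventory, the AccessRequest fields, the 15-minute re-verification window and the thresholds are constructed assumptions chosen to illustrate the stages.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Stage 1: inventory of protect surfaces with their sensitivity (constructed sample data).
ASSETS = {
    "crm-db": {"sensitivity": "high", "allowed_roles": {"sales", "dba"}},
    "wiki":   {"sensitivity": "low",  "allowed_roles": {"sales", "dba", "intern"}},
}

# Stage 3: hours (UTC) during which high-sensitivity assets may be reached (assumed policy).
BUSINESS_HOURS = range(7, 20)

# Continuous validation: a verification older than this is not trusted (assumed window).
SESSION_TTL = timedelta(minutes=15)


@dataclass
class AccessRequest:
    user: str
    role: str
    asset: str
    mfa_verified: bool            # stage 2: MFA completed for this session
    device_attested: bool         # stage 2: hardware-backed device identity checked
    location: str                 # country code reported by the access gateway
    usual_locations: Set[str]     # locations previously seen for this user
    when: datetime
    last_verified: Optional[datetime] = None
    failed_logins_last_hour: int = 0


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def decide(req: AccessRequest) -> Decision:
    """Stage 4: evaluate one request against the automated policy.

    Every request is checked; being on the corporate network grants nothing,
    and each failed check is recorded so the decision can be audited (stage 5).
    """
    asset = ASSETS.get(req.asset)
    if asset is None:
        return Decision(False, ["unknown asset"])

    d = Decision(allow=True)

    def deny(reason: str) -> None:
        d.allow = False
        d.reasons.append(reason)

    # Never trust, always verify: a stale verification forces re-authentication.
    if req.last_verified is None or req.when - req.last_verified > SESSION_TTL:
        deny("verification expired; re-authenticate")
    if not req.device_attested:
        deny("device identity not attested")
    if not req.mfa_verified:
        deny("multi-factor authentication not completed")

    # Least privilege: the role must be explicitly granted this asset.
    if req.role not in asset["allowed_roles"]:
        deny(f"role {req.role!r} is not granted {req.asset!r}")

    # Behaviour-based adjustment: unusual context tightens access to sensitive assets.
    high = asset["sensitivity"] == "high"
    if high and req.location not in req.usual_locations:
        deny(f"unusual location {req.location!r} for a high-sensitivity asset")
    if high and req.when.hour not in BUSINESS_HOURS:
        deny("high-sensitivity asset requested outside business hours")
    if req.failed_logins_last_hour >= 5:
        deny("recent failed logins exceed threshold")
    return d


if __name__ == "__main__":
    now = datetime(2024, 3, 4, 10, 0)
    req = AccessRequest("alice", "sales", "crm-db", True, True, "DE", {"DE"},
                        now, last_verified=now - timedelta(minutes=5))
    print(decide(req))
```

Two design points carry the Zero Trust idea: the decision collects every failed check instead of stopping at the first, which gives the audit trail stage 5 needs, and the low-sensitivity wiki tolerates an unusual location while the CRM database does not, which is how policies adjust to behaviour without blocking everyday work.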
Zero Trust Network Components
Protect surface: any network asset that must be protected
Segmentation gateway: a network of assets can be divided into segments of individual protect surfaces, each of which is secured by a gateway that restricts access to that segment
Micro-segment: this is a smaller segment within a network, with specific security to apply granular access enforcement
Layer 7 firewall: an advanced firewall able to examine network packet contents to provide data that can be used to augment authentication policies
Multi-factor authentication: an authentication method requiring more than one piece of information from the user before access is granted. It is a core principle of Zero Trust
SMS authentication: the most popular form of multi-factor authentication, where users receive a PIN or alphanumeric code via SMS text message, which is then used to provide a further level of identity verification
Least privilege access: limiting users’ access to only the services, data, or applications they need immediately, even when trust has been established
Software-defined network: instead of being defined by a physical perimeter, a Zero Trust Network is defined by the software-based rules and policies that control user segmentation and access
Granular enforcement: a core feature of a Zero Trust Network, which enables authentication for specific resources
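The protect surface, segmentation gateway, micro-segment, least privilege and granular enforcement entries above describe one mechanism seen from different angles: every flow between segments is decided at a gateway that grants nothing by default. The Python below is an added example written for this page, not the article's or any vendor's code; the segment names, hosts, the GATEWAY_RULES layout and the allow_flow and reachable functions are constructed assumptions.

```python
from typing import Dict, Set, Tuple

# Constructed sample inventory: every protect surface sits in exactly one micro-segment.
SEGMENTS: Dict[str, Set[str]] = {
    "user-laptops": {"laptop-1", "laptop-2"},
    "web-tier":     {"web-1"},
    "db-tier":      {"crm-db"},
}

# Segmentation gateway rules, keyed by destination segment:
# (source segment, authenticated identity, destination port) is granted.
# Everything not listed is denied, so a laptop cannot reach the database
# directly even though both are "inside" the corporate network, and peers
# in the same segment get no implicit trust either (no rule lists them).
GATEWAY_RULES: Dict[str, Set[Tuple[str, str, int]]] = {
    "web-tier": {("user-laptops", "sales", 443)},
    "db-tier":  {("web-tier", "crm-app", 5432)},
}


def segment_of(host: str) -> str:
    """Return the micro-segment a host belongs to; unknown hosts get no segment."""
    for segment, hosts in SEGMENTS.items():
        if host in hosts:
            return segment
    return "unknown"


def allow_flow(src_host: str, identity: str, dst_host: str, port: int,
               authenticated: bool = True) -> Tuple[bool, str]:
    """Decide one flow at the destination segment's gateway.

    Returns (allowed, reason). The gateway never relies on the source address
    alone: the identity must be authenticated, and the (segment, identity, port)
    triple must be explicitly granted for that destination segment.
    """
    if not authenticated:
        return False, "unauthenticated identity"
    src_seg, dst_seg = segment_of(src_host), segment_of(dst_host)
    if "unknown" in (src_seg, dst_seg):
        return False, f"unknown host in flow {src_host} -> {dst_host}"
    if (src_seg, identity, port) in GATEWAY_RULES.get(dst_seg, set()):
        return True, f"{src_seg} -> {dst_seg} granted for {identity!r} on port {port}"
    return False, f"{src_seg} -> {dst_seg} is not granted for {identity!r} on port {port}"


def reachable(src_host: str, identity: str) -> Set[Tuple[str, int]]:
    """Least-privilege view: the (host, port) pairs an identity may reach from src_host."""
    src_seg = segment_of(src_host)
    out: Set[Tuple[str, int]] = set()
    for dst_seg, rules in GATEWAY_RULES.items():
        for rule_src, rule_identity, port in rules:
            if (rule_src, rule_identity) == (src_seg, identity):
                out.update((host, port) for host in SEGMENTS[dst_seg])
    return out


if __name__ == "__main__":
    for flow in [("laptop-1", "sales", "web-1", 443),
                 ("laptop-1", "sales", "crm-db", 5432),
                 ("web-1", "crm-app", "crm-db", 5432)]:
        print(flow, allow_flow(*flow))
    print("sales from laptop-1 may reach:", reachable("laptop-1", "sales"))
```

The reachable function is the granular-enforcement view of the same rules: for a given identity and starting host it lists exactly the protect surfaces and ports that have been granted, which is the list an administrator reviews when auditing whether least privilege still holds.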