One year ago, President Biden issued an Executive Order to improve cybersecurity for federal agencies.
In particular, the order centered around Zero Trust Architecture (ZTA), a strategy (and term) first devised by Forrester Research analyst John Kindervag in 2010.
Yet, even with the order in place, the Zero Trust security framework developed by the research group remained behind a paywall until January 2022.
In the meantime, only Forrester clients and security vendors had access to the research.
Many of these vendors quickly co-opted the term and applied it to their own security offerings. With many solutions branded as “Zero Trust security”, it can be difficult to separate the marketing hype from a practical understanding of ZTA and its purpose.
The key, then, is to go back to the basic definitions and understand the motivation behind the creation of the Zero Trust security model.
From there, you’ll better appreciate what advantages Zero Trust Architecture delivers, and when a switch from existing solutions is worth the effort.
What is Zero Trust Security?
Officially, Forrester Research defines Zero Trust security in the same language as the National Institute of Standards and Technology (NIST) does in SP 800-207:
“Zero Trust security is an information security model that denies access to applications and data by default. Threat prevention is achieved by only granting access to networks and workloads utilizing policy informed by continuous, contextual, risk-based verification across users and their associated devices. Zero Trust security advocates these three core principles: All entities are untrusted by default; least privilege access is enforced; and comprehensive security monitoring is implemented.”
So, what does all that mean?
Well, simply put, Forrester hopes to change IT strategy to always assume a breach until proven otherwise.
Zero Trust doesn’t accept credentials once and then depend on those credentials for multiple sessions. Instead, Zero Trust security requires continuous authentication and authorization.
This assumption requires all resources to continuously verify – and never trust – users, processes, and applications.
Adopting Zero Trust Architecture
Just as no single security product delivers a full range of traditional IT security (firewall, endpoint defense, email security, etc.), there is no singular product that delivers a complete Zero Trust security solution.
ZTA adoption requires embracing the Zero Trust strategy throughout your entire IT security stack, and across all users, applications, and assets.
Transitioning to Zero Trust Architecture requires consideration of each resource and security tool, as well as what needs to be changed to implement Zero Trust verification.
Typically, Zero Trust Architecture requires cloud deployment for universal access, so you’ll need to be comfortable with continuing migration to the cloud.
Similar to the adoption of cloud apps and storage, ZTA will be conceptually similar to traditional architecture. However, there are enough specific differences to lead to critical failures if improperly implemented.
Fortunately, once defined, ZTA deploys as a set of rules that are applied incrementally to new users, apps, and devices, and that can be changed universally as needed.
And as a bonus, in many cases Zero Trust Architecture transitions also reduce risk, complexity, and congestion on a corporate architecture, while removing the constraints of local networks.
Traditional Virtual Private Network (VPN) connections provide secure network access between a remote user and a local network.
From a security standpoint, once a device successfully authenticates through a VPN, it may have full access to the network. Additionally, no further authorization is required to access various resources within the network.
In a Zero Trust Architecture, network connections push the authorization to the resource itself, such as a file server or application server. ZTA requires the resource to verify:
- Users – Do they have permission to access the resource? If so, is it full or partial permission?
- Device – Is it an authorized device? Is it compliant, infected, or missing authentication certificates?
- Connections – Are they encrypted? Is the connection from an authorized location?
- Applications – Are the connecting applications approved and appropriate for this resource?
- Data – Is the connecting user or application authorized for the specific data requested from this resource?
In addition to improving security, bypassing VPNs can improve connection speeds, reduce network congestion, and simplify technology management.
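The five checks listed above, sketched as a deny-by-default decision that the resource repeats on every request. This is an added example, not code from Forrester, NIST, or any product; the policy tables, field names, and sample values are all hypothetical.

```python
from dataclasses import dataclass, replace

# Constructed policy data; every name and value here is hypothetical.
GRANTS = {  # user -> resource -> data labels the user may read
    "alice": {"fileserver": {"public", "finance"}},  # full permission
    "bob": {"fileserver": {"public"}},               # partial permission
}
APPROVED_APPS = {"fileserver": {"sync-client"}}
ALLOWED_LOCATIONS = {"US", "CA"}

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    data_label: str
    app: str
    device_authorized: bool
    device_compliant: bool
    has_device_cert: bool
    encrypted: bool
    location: str

def evaluate(req):
    """Return (allowed, failed_checks); access is granted only if every check passes."""
    labels = GRANTS.get(req.user, {}).get(req.resource)
    checks = {
        "user": labels is not None,
        "device": req.device_authorized and req.device_compliant and req.has_device_cert,
        "connection": req.encrypted and req.location in ALLOWED_LOCATIONS,
        "application": req.app in APPROVED_APPS.get(req.resource, set()),
        "data": labels is not None and req.data_label in labels,
    }
    failed = [name for name, ok in checks.items() if not ok]
    return not failed, failed

def demo():
    """Evaluate four constructed requests against the same resource."""
    base = Request("alice", "fileserver", "finance", "sync-client", True, True, True, True, "US")
    return [
        evaluate(base),                                          # all checks pass
        evaluate(replace(base, device_compliant=False)),         # device drifts out of compliance
        evaluate(replace(base, user="bob")),                     # partial permission, wrong data
        evaluate(replace(base, user="mallory", encrypted=False)),  # unknown user, cleartext link
    ]

if __name__ == "__main__":
    for allowed, failed in demo():
        print("ALLOW" if allowed else "DENY", failed)
```

The second request is the contrast with the VPN model: the same user who was allowed a moment earlier is denied as soon as the device stops being compliant, because nothing carries over from the previous decision.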
Should You Consider Making the Move?
Executive orders require federal agencies to adopt ZTA, so if that applies to your organization, there’s not much of a choice.
But, looking to the future, it could someday be required by either insurers or newer regulations.
In the meantime, ZTA currently remains optional for most municipalities, non-profits, educational institutions, healthcare facilities, and corporations.
For maximum security protection, it’s one of the best ways to minimize both risk and damage if an attack were to occur. So, if you’re dealing with highly sensitive data, it might be the right choice for you.
Although ZTA delivers true benefits for security and risk management, a return on investment isn’t guaranteed.
Your organization must weigh the advantages of the additional security against the costs of adoption.
You’ll need to consider budget, implementation time, and your IT team’s capabilities. Though you can start by deploying ZTA to key assets or users, piecemeal adoption increases complexity and requirements for security management and patching.
So, is Zero Trust Architecture the right solution for you? And if so, how do you begin implementing it?
For any questions or help deploying ZTA or any other security solution, contact Ideal Integrations and Blue Bastion at 412-349-6680, or fill out the form below. Our experts will provide a simple-to-understand, no-obligation explanation of the technology, and which options are right for your current needs.