Zero trust is an approach to cybersecurity that assumes no user or system is trusted and requires continuous verification of all users and systems for each request before allowing access to an organization’s sensitive data. It is based on the principle of “never trust, always verify.”
The zero trust reference architecture, designed around the zero trust principles, establishes a security model from the ground up that does not rely on traditional perimeter-based security. It covers concepts, best practices, workflows, and access policies.
The US General Services Administration (GSA) defines the original zero-trust model with five pillars; while its sister organization, the US Cybersecurity and Infrastructure Security Agency (CISA) builds on those concepts by adding analytics and automation.
In this article, we include these two additional pillars, which we title “observability” and “analytics and automation,” to present a more comprehensive explanation.
- Identity
- Device
- Network
- Application
- Data
- Observability
- Analytics and Automation
This article will review the processes and technologies used in zero trust. As CISA points out, the approach presented by this framework is not the only way to implement the zero trust principles, but one of many paths to transition to it.
Zero Trust Pillars Summary
Before we delve into the details, the table below summarizes the seven pillars of the zero trust reference architecture, including the tools and techniques that support it.
The Zero Trust Pillars
You can think of the zero trust framework as a set of best practices within each pillar or subsection defined by prescribed strategies, processes, and techniques. An enterprise advances its security posture maturity by wholesale or incremental implementation of the recommended tools and best practices introduced in each pillar.
Policy Enforcement
Most techniques used to implement the various zero trust principles reside within a single pillar; however, some concepts must span across multiple pillars. The most notable concept that spans more than one pillar is access control policy enforcement. For example, access control may involve user identity, device identity, and the application – with access controlled by a centralized policy engine.
This article covers the concepts of access control under the identity section, but it’s important to know that it can not function in isolation without the information shared from the device, network, application, and data pillars.
The sections below explain each zero trust pillar in more detail.
Zero Trust Pillars: Identity
The “Identity” pillar of the zero trust framework is a set of policies, processes, and technologies to ensure users are accurately identified and authenticated before they gain access to a network or system. The policies and systems covered by this pillar include
- Authentication policies, such as multi-factor authentication (MFA), biometrics, and certificates.
- Access control policies, such as role-based access control (RBAC), which grants access to specific resources based on a user's role within an organization, or context-based access control, which grants access based on a user's current context (e.g., location, device, job title).
- Password policies, such as the requirements for password strength, expiration, and reset procedures.
- Identity provisioning policies, such as how new users are on-boarded and how existing users are removed from the system.
- Identity governance policies, such as managing user identity data, including how it is collected, stored, and protected.
- User onboarding and provisioning define how new users are added to the system and granted access to the necessary resources and training.
- User authentication, which may be multi-factor authentication, such as prompting users to enter their username and password (something they know), providing them with a one-time code or a token (something they have), or scanning their fingerprints or other biometric data (who they are). It’s worth noting that the original approach to MFA authentication, where a code is sent to a user to enter alongside a password, is being gradually replaced with time-based one-time passwords (TOTP) (used by vendors such as OneLogin) and passkeys (used by vendors such as Apple). Passkeys use local biometric authentication enabling the device to encrypt a challenge from the server with a locally-stored private key.
- Identity and access management (IAM) systems for managing user accounts and granting access to resources based on user identity and authorization. This includes Federated Identity Management based on the Single Sign-On (SSO) concept used by vendors such as Microsoft’s Azure Active Directory and Okta.
- Certificate-based systems where a certificate authority issues a digital certificate to verify the identity of an entity such as a server and make a public key available which is then publicly used to authenticate to that entity by having it prove that it holds the corresponding private key. Even though not typically used to verify an individual's identity, we have included it under this section.
Zero Trust Pillars: Devices
The key processes and techniques included in the "Devices" pillar of the zero trust framework are:
- Device registration and inventory management to maintain a comprehensive inventory of all devices that have access to the network, and the implementation of policies and processes to ensure that only authorized devices are allowed access.
- Device identity to ensure that applications connect to the correct systems in compliance with access control policies. This relies on authentication protocols that may use digital certificates or other mechanisms for securely distributing public keys.
- Device configuration management to implement policies and processes for ensuring that devices are configured securely and consistently and kept up to date with the latest security patches and software updates. Minimum OS requirements must be defined and applied equally to all devices, whether organization-owned or user-owned BYODs (bring your own device). Many device compliance monitoring tools, such as Microsoft Intune, are available in the market today for this purpose.
- Antivirus and anti-malware software attempt to detect and remove malicious software from connected devices. This software helps protect devices from external threats.
- Device security measures to protect devices from physical and cyber threats, such as strong passwords, secure bootloaders, trusted drivers, signed software, secure key stores, and local disk encryption.
- Mobile device management to centrally manage and secure mobile devices, such as smartphones, tablets, and laptops, that have access to the network.
Zero Trust Pillars: Networks
Network security encompasses the protections and controls put in place to protect the integrity and confidentiality of data on a network and protect it from unauthorized access. These include:
- Encryption is a fundamental security measure that helps to protect data transmitted over the network from unauthorized access. Encryption ensures that only the intended recipient can view the data, enforcing confidentiality, integrity, and authenticity.
- Micro-segmentation separates a corporate network into multiple isolated subnetworks with well-defined policies on traffic flows between the segments.
- Firewalls restrict incoming and outgoing network traffic. They allow or block specific types of traffic or traffic from predetermined sources or destinations. They filter external traffic and flows between network segments in a micro-segmented network. In an ideal zero trust environment, neither micro-segmentation nor firewalls are necessary since traffic is encrypted and authorized directly at the endpoints. However, this relies on every network service implementing these zero trust security measures. Firewalls and micro segmentation are a good part of a defense in depth strategy to ensure that any damage from rogue devices and services is contained (for example, a misconfigured server).
- Network access control lists (ACLs) are used to determine which devices can access specific network resources and how they can access them. These could be subsumed by, or derived from, an overall access control policy.
- Network security monitoring involves watching the network for any malicious activity, such as strange traffic patterns or odd user/device behavior. It's an essential part of keeping networks secure.
- Network intrusion detection and prevention systems (IDS/IPS) monitor network traffic for malicious activity and block any suspicious activities.
Zero Trust Pillars: Applications
This pillar ensures secure access to applications and data. Some of the processes and technologies used in this pillar include:
- Application security involves implementing measures to protect applications from cyber threats, such as secure coding, input validation, and vulnerability testing. It may include code signing to ensure that the application has not been modified.
- Application access control involves implementing processes and technologies to ensure that only authorized users and devices can access specific applications and that access is carefully monitored.
- User authorization is defined by CISA as a centralized authorization service that controls how users are granted access to specific resources or applications based on an end-to-end process that includes users, devices, applications, and networks.
- Application security testing involves testing applications for vulnerabilities and weaknesses that attackers could exploit. It includes penetration testing, code review, fuzzing (injecting unexpected inputs to reveal flaws) and vulnerability scanning.
- Application isolation covers mechanisms for ensuring that one application cannot interfere with another beyond the isolation provided by the operating system. This includes running applications in containers, virtual machines, or dedicated systems.
- Application firewalls control traffic to and from applications based on security rules, allowing or blocking specific types of traffic from specific sources or destinations.
Zero Trust Pillars: Data
Data security is a critical component of the zero trust architecture. It is essential to ensure data is kept secure against unauthorized access. The following methodologies and technologies are leveraged in this pillar:
- Data classification is the process of identifying and labeling data according to its sensitivity and the level of protection it requires. Classifications and access policies will align with those of the organization. For example, data may be labeled as "confidential," "restricted," or "public." Organizations such as governments may have multiple levels of security and access policies that are a function of the user’s security clearance. Other organizations may rely on a Chinese wall model that separates groups that may have a conflict of interest. All models rely on tagging data with some form of security classifier.
- Data encryption involves converting data into a form that can only be read by someone with the right decryption key, used to protect data when stored or transmitted.
- Data masking involves replacing sensitive data with fake data that looks similar but is not sensitive for testing and development purposes.
- Data backup and recovery involves creating copies of data and storing them securely in case the original data is lost or damaged to recover from disasters and maintain business continuity.
- Data governance involves establishing policies and procedures for managing data, such as how it is collected, stored, and accessed, to ensure it is handled securely and consistently.
- Data loss prevention (DLP) involves implementing technologies and processes that detect and prevent the accidental or unauthorized transmission of sensitive data.
Zero Trust Pillars: Observability and Analytics
Logging, observability, and analytics are vital parts of zero trust implementation. Some of the processes and technologies used by this pillar include:
- Log analysis involves collecting and analyzing log data from systems and devices on an organization's network to identify patterns of activity that might indicate a security breach.
- Security information and event management (SIEM) is a software used to collect, analyze, and report security-related data from various sources within an organization to help identify and respond to potential security threats.
- Application performance monitoring (APM) involves monitoring the performance and behavior of applications within an organization's network to detect abnormal application behavior.
- Threat intelligence involves collecting and analyzing data from various sources to identify potential security threats and vulnerabilities, enabling organizations to take appropriate action to mitigate them.
- Vulnerability management involves identifying, prioritizing, and mitigating vulnerabilities in an organization's systems and devices. It involves using tools such as vulnerability scanners and implementing patches or other remediation measures to fix them.
- Security incident response involves establishing procedures to identify, contain, and restore systems affected by a security incident. It also covers disaster recovery plans to ensure that an organization can continue operating during a breach.
Zero Trust Pillars: Automation
The “Automation” pillar of zero trust involves using technology to enforce security policies and controls, improve security operations and reduce the risk of human error. The following items are examples of technologies and processes that can be used in this pillar.
- Security policy automation reflects the adjustment of access control policies when users are added, deleted, or their roles change. Similarly, the policies must be updated when new servers and services are added or removed or the specific services running on servers change.
- Automated threat detection and response uses technologies such as intrusion detection and prevention systems (IDPS) and security information and event management (SIEM) systems to alert on a security breach and trigger an automated response. For example, monitoring network traffic and system logs may identify an unusual attempt to access the network, resulting in an automated action to block a TCP port.
- Patch management involves using automated tools and processes to quickly identify and apply security patches to systems and software to prevent vulnerabilities from being exploited.
- Compliance and governance can help organizations maintain compliance with various regulatory frameworks and internal governance policies, such as data loss prevention (DLP) systems, which can automatically monitor and control the flow of sensitive data within an organization.
What’s Next?
Implementing zero trust can be daunting, but is easier to manage when divided into smaller parts. The recommendations presented in this section aren’t intended to guide readers through an implementation project; they are meant to mentally prepare readers for the journey ahead and spark internal planning discussions between colleagues.
- Plan. The first step is to document a plan that outlines the policies, processes, and technologies required for the pillar. This plan should consider the organization's security needs and relevant regulatory or compliance requirements.
- Prioritize. Organizations should prioritize and focus on one pillar at a time. For example, protecting the network and implementing a user identity management system is more urgent than implementing automation. Assign the highest priority pillar to a cross-departmental team to ensure collaboration.
- Get help. The execution of the plan may require help from companies specializing in a particular domain (such as penetration testing or data encryption) or training existing employees on the latest best practices and technologies before implementation begins.
- Identify gaps. Missing a single pillar could leave a gap in security that may be exploited by cyber attackers and result in data breaches, security incidents, or compromise regulatory compliance.
- Iterate. Zero trust architecture is an ongoing process of continually improving an organization’s security posture and should be regularly reviewed and updated.