Zero trust is an approach to network security that considers all network devices untrustworthy by default. Each transaction enacted by a user from an end device is individually authenticated and authorized while the system provides no more than the minimum necessary access to systems and services for that transaction; a methodology called zero trust network access (ZTNA).
Traditional corporate data networks are typically a collection of local area networks that connect to the Internet via routers. These connection points define the edge of the network and form the perimeter of the organization’s network. At this edge, security appliances such as firewalls are installed and security policies are enforced, creating a security perimeter. The zero trust approach to security moves away from this traditional model of protecting the perimeter, which is why it is sometimes referred to as “perimeter-less security.”
Zero trust is a relatively new approach to network security and is quite different from conventional security practices, so most network administrators require some level of help with it. Implementing zero trust requires adherence to a series of zero trust pillars that aid in guiding the network administrator in its application. Here’s a summary list of these pillars with a brief description of each:
- Identity: Authentication and access control policies
- Device: Management of all devices (security, patching, and access control)
- Network: Network isolation, encryption, and monitoring
- Application: Application firewalling, testing, and code review
- Data: Data protection, integrity, and recovery
- Observability: Monitoring and analysis of logs, events, and metrics
- Automation: Vulnerability scanning and intrusion prevention
Additionally, the zero trust maturity model aids in zero trust network design and implementation. This is a process where zero trust maturity is achieved by optimizing and integrating pillars through various maturity levels. Success in attaining this maturity relies upon the creation of a robust, long-term strategy fully supported by stakeholders at all stages.
In this article, we’ll use these principles to describe some best practices for implementing zero trust network access.
Summary of Key Concepts
The following table lists the seven pillars of the zero trust security approach with a description of the best practices that should be followed for each in order to successfully implement zero trust network access within an organization.
Fundamental Principles of Zero Trust Implementation
Implementing zero trust network access is an ongoing process that begins by executing on the principles described in the zero trust pillars. However, once those are initially applied, the implementation is continually modified and improved, moving toward a more mature and optimal implementation.
Zero trust security uses a set of security parameters that are much more granular than traditional security schemes, that can include specific users, roles, services, or devices as well as other factors. What will be applied in any particular network and how it will be implemented over time will depend upon both organizational requirements and the capabilities of each individual deployment.
In the following sections, we’ll explore the concepts and best practices that should be considered for each of the pillars and how they should be approached when implementing zero trust network access.
The Identity pillar is a critical component of zero trust that is primarily responsible for identifying and authenticating users before granting access to resources. It includes managing and authenticating user identities to provide a context for the application of access control policies.
Primary actions that should be taken within the framework of the Identity pillar for the successful implementation of ZTNA include the following:
- Establish a robust identity management system that can securely store and manage user identities and credentials.
- Make multi-factor authentication (MFA) mandatory for all users.
- Implement conditional access by using policies to control access to resources based on several factors, including the identity of the user, the device being used, and the context of the request.
- Consider the use of adaptive authentication, which is a type of authentication that adapts to the user's behavior and context. It uses various elements such as device type, location, time of day, and user behavior to assess the threat level of a particular authentication request. Based on this assessment, the system may require additional credentials such as a one-time password, biometric authentication, or security questions.
- Enable single sign-on (SSO) from identity providers (IDPs) to deliver a seamless user experience by eliminating the need for users to remember and enter different credentials for different services or have to authenticate repeatedly.
- Implement identity and access management (IAM) as well as identity governance (IG), two key services that deliver the necessary controls to granularly manage and monitor user access to resources.
Ideally, in a mature implementation, zero trust network access should authenticate identities using MFA for initial access and then continually validate them throughout the user’s session. This does not mean asking the user to reauthenticate. Rather, it means that a secure session is established but terminated if the policy that allowed user access no longer permits such access.
The Device pillar is responsible for identifying and verifying the security posture of connecting devices before granting them access to resources. Where the Identity pillar is responsible for authenticating and authorizing a user, the Device pillar deals with evaluating the risk that a particular device may present if it connects to a resource.
Zero trust network access is approached differently depending on whether the device in question is managed or unmanaged.
A managed device is one that has agent software installed, limits the user’s administrative control, and enables remote configuration and administration. Such a device is typically owned by the organization and is an authorized device that is managed by the organization. The agent software sends information about the device’s security posture to a controller. This information includes the device’s geographic location, date and time of connection, as well as more detailed parameters of the device, such as whether the device has valid antivirus and antimalware software, what software and OS patch levels have been applied, etc.
An unmanaged device does not have any agent software installed. This would be the case if an employee or a guest brought their own device to connect to the network, such as in a BYOD arrangement. In such cases, more stringent security and application access levels should be implemented, simply because the enterprise has no control over what security measures (if any) the owner has implemented on their device, and how much of a security threat that potentially unprotected device may be to the network.
Each enterprise will choose a different level of security for managed and unmanaged devices, and some may even deny any access to unmanaged devices completely. In each case, the following actions should be considered:
- Require all devices to be registered with the organization, have agent software installed, and meet specific security requirements before being granted access to resources. This includes devices associated with specific users—such as laptops, smartphones, and tablets—as well as those not associated with a particular person, such as IoT devices or IP cameras.
- Decide whether or not to allow unmanaged devices to connect and to which resources they should connect, if any.
- Continuously evaluate the security posture of devices that connect to the organization’s network, even during the course of a communication session, to ensure that they meet the set security standards.
- Enable device-based conditional access by implementing security policies that allow or disallow a user based on the security posture of the device, regardless of the identity and privileges that may be associated with the user in question.
Ultimately, the goal here is to reach a point where the security posture of any device attempting to access network resources is continually monitored and validated during the initial connection as well as during the session.
The Network pillar is responsible for the protections and controls put in place to protect the confidentiality and integrity of data on a network and to defend against unauthorized access.
Traditional network architectures are designed with large perimeters and macro segmentation. External traffic is explicitly encrypted, while internal traffic is not because it is implicitly trusted. The Network pillar of zero trust network access seeks to change this arrangement: we no longer implicitly trust communication that takes place within internal corporate networks.
For this reason, the following principles must be applied to ensure zero trust network access:
- Support end-to-end mutual authentication, where entities at both ends of the session authenticate each other and establish an end-to-end encrypted communication session.
- Define access control policies that determine which users using which devices can access which services on which systems. In the case of machine-to-machine communication, these policies determine which devices can access which services on which systems.
- Deploy an access control mechanism that implements the access control policies. Such a control mechanism is essentially delivered by the policy engine.
A network where ZTNA is delivered successfully has a policy engine that authenticates connection requests from endpoints based completely on predefined, dynamically updated policies and where all network traffic is encrypted from end to end. ZTMesh is an example of such a platform.
The monitoring and control of access to applications and data within a zero trust network is the responsibility of the Application pillar. The monitoring and control of access is applied to those users and devices that have been authenticated.
The key to implementing zero trust within the framework of the Application pillar is to enforce policies on the device where the application resides and deploy a combination of security controls – such as application segmentation, firewalls, and access controls – to control and monitor access to applications and data as well as to ensure that only authorized users and devices are granted access to resources. Additionally, implementing microservices, API, and cloud-based security solutions can provide an additional layer of assurance.
The following list provides some additional details on these principles and best practices:
- Application segmentation: Applications must be divided into smaller isolated segments. Isolation can be achieved via application firewalls, security and access controls, and sandboxing.
- Microservices security: Deploy small, independent services that communicate with each other and with the network securely.
- API security: API security solutions are used to protect and monitor access to APIs and to ensure that only authorized users and devices are granted access to resources.
- Cloud-based security solutions: Define security parameters that can be integrated with on-premises security solutions that control access to applications and cloud environments based on business requirements.
In a mature network where zero trust network access is optimally deployed, all applications of an organization are accessible on the cloud with no traditional VPNs in use. In addition, web application firewalls should inspect application layer traffic using dynamic policies.
The Data pillar is responsible for the protection of data at rest. This is data stored in various locations that is used for applications or for direct access by users.
Traditionally, such data is stored on-premises in unencrypted form and typically with inconsistent manual data categorization. Zero trust network access seeks to change this to ensure that data at rest is stored in an encrypted form, either on the cloud or in remote environments. In a mature, optimally deployed zero trust network, such data should also be categorized, possibly by advanced machine learning (ML) and artificial intelligence (AI), ensuring consistency of data formats and categorization across the whole organization.
The Observability pillar is involved in providing visibility and insights into the security posture of the organization as a whole. It represents the systems used to observe real-time events in the enterprise’s network concerning data, traffic, users, and devices. It also covers analytics and dashboarding to identify potential threats.
The key to implementing zero trust network access within the framework of the Observability pillar is to use a combination of a series of security tools and solutions. These include techniques such as security information and event management (SIEM), network traffic analysis (NTA), endpoint detection and response (EDR), and cloud-based security solutions. Also included in this category are security automation and orchestration to provide visibility into the security posture of the organization and to identify and respond to security threats in real-time. Additionally, using AI and ML tools such as user and entity behavior analytics (UEBA), as well as network visualization tools and compliance and auditing tools, can provide additional visibility and insights into the security posture of the organization.
A mature ZTNA implementation will ideally be able to analyze all access events for suspicious activity using these specialized tools and solutions. It will also provide sufficient data for forensic analysis, should that be necessary.
The Automation pillar seeks to minimize the manual work required to achieve zero trust network access. This involves the application of workflow-based automation tooling that automates repetitive and often complex tasks, which is achieved by creating a series of interconnected steps, or workflows, that are executed automatically and in a specific order, reducing the need for manual intervention.
Zero trust network access should be deployed with advanced analytics and automation tools to monitor and secure network, application, and user activity. The goal is to identify and respond to potential threats in real time while also automating security-related tasks to reduce the risk of human error and improve efficiency.
Some of the most important aspects of such an approach include:
- Advanced threat detection: Detect and quickly respond to potential threats in real time by using advanced analytics and machine learning techniques that can identify unusual behavior or patterns on the network.
- Automated incident response: Using workflow-based automation tooling, incident response processes can be automated to help improve the speed and efficiency of incident response and reduce the risk of human error.
- Compliance automation: Use automation tools to monitor, report on, and enforce compliance based on set standards and regulations. These include how updates and fixes to systems are applied as well as reporting on compliance with data privacy regulations.
- Continuous integration / continuous deployment (CI/CD) models: These software development practices aim to improve the speed and quality of software development and deployment.
A fully mature zero trust network seeks to enforce automated security policies and administration. Device and network configurations should also be automated using infrastructure as code and a well defined CI/CD approach for the quick development and deployment of automation and analysis systems.
Deploying a network architecture where zero trust network access is employed is a process. Zero trust is a comprehensive philosophy rather than a specific implementation. This process initially involves the implementation of the principles and best practices described in the zero trust architecture pillars. However, each of the principles involved will go through a maturing process to reach optimal operation.
The goal when implementing zero trust is to ensure that this maturing process is being followed. That is why it is important to take each pillar individually and ensure that the best practices for each are being applied and developed throughout the process.
Designing, developing, and implementing a zero trust network is a journey and a challenge that requires a robust strategy. Basing this strategy on these best practices will ensure implementation success.