Interviews

Zero trust architecture

by Mark Rowe

Nathan Howe, VP of Emerging Technology and 5G at zero trust product company Zscaler, pictured, discusses the difference between traditional and zero trust architecture.

Many think of zero trust as just another technology buzzword or a catch-all phrase for online security, but it’s much more than that: it’s an approach that can provide real business benefits to today’s modern organisations.

Anyone interested in zero trust who wants to understand the full range of benefits it can provide must first learn how it works and how it differs from traditional security architectures, which, of course, requires an understanding of those traditional architectures.

Here’s an analogy I like to give based on a personal experience. In 2018, I went to watch the Golden State Warriors play at Oracle Arena, one of the oldest stadiums in the US. I managed to get really good seats, ten to 15 rows back from courtside, and all I had to do to access them was show my ticket at the stadium entrance.

I bought myself a beer and, realising there was little to no visible security beyond the entrance, wandered right to courtside and sat down in an empty seat to watch the game. I was there for about 30 minutes before the true owner of that seat arrived and I had to stand up and leave, but in summary, there was nothing standing between me and the best seats in the house, not even security.

This is a real-world interpretation of a traditional security architecture. Once someone is inside the network perimeter, there’s very little to stop them moving around the entire ecosystem. This poses a real problem for enterprises. As they continue to add more points of connectivity in more locations, the risk of network exploitation increases, and threats, once they’ve breached the perimeter, can move laterally at will.

The concept of zero trust is a direct antithesis of a traditional, perimeter-based architecture. Namely, it doesn’t grant access to an entire ecosystem of resources in one go. Instead, it builds solid controls based on business policy and context to grant only the level of access that’s required for an employee to accomplish their task. To go back to my analogy from before, zero trust allows a user to get to their booked seats, but no closer.

Let’s unpick that a little further by breaking zero trust into its three core action pillars.

1. Verify: Who is connecting?

Any person, device, or workload that initiates a connection through a zero trust architecture needs to go through a specific verification process. First, the network must understand the identity of the user and determine which device they’re signing on from. For example, an employee could try to access the network via their work laptop, personal laptop, or phone.

From here, the context of the initiating device must be understood in granular detail—not just what the device is (e.g., phone, laptop, etc.), but who the initiating user is, their role, and their responsibilities. Such context helps Infrastructure and IT Security teams establish more dynamic policies and controls. Case in point, if a user is on their device and working from home, their permissions may be different than if they were in the office or on public Wi-Fi.

2. Control: Continuous risk assessment

With both user and device identified, zero trust then seeks to understand where a user wants to go and controls their access to the destination, which requires full visibility into the connection itself.

With full visibility over connectivity, a zero trust architecture can conduct a dynamic risk assessment of each user and device rather than the one-time, static risk assessment of traditional network connectivity. For example, if a user were to connect to a malicious website, that connection might be allowed initially, but if they were then to click on a link containing an infected payload, their next action must be treated as a higher risk. With zero trust, this type of dynamic evaluation is conducted after every action a user takes.

Understanding of a user’s past, present, and future actions helps to create a risk profile that the network can attribute a score to. This is used to determine the level of access each user is allowed. If a user’s risk score goes past a certain threshold, they won’t be allowed direct access to the site and may receive a warning or find their access isolated.

Beyond user risk, IT and Security teams also need to ensure they’re protecting their enterprises, i.e., isolating and analysing any malicious content that an initiator may be exposed to. Finally, enterprises need to be thinking about how to prevent the loss of core assets and data. The big question that most companies don’t have an immediate answer for is, ‘What are you protecting?’ Once you know that, then you can create controls to protect yourself.

3. Enforce: Determining access policy

The final element of a zero trust security approach is policy application and enforcement. Policy isn’t limited to whether access should be allowed; that approach is too binary in today’s flexible, agile workplace. What you need are policies that are applied and can be altered based on the risk level of the initiator.

Based on the information collected during the verification and control stages, policy can then be enforced granularly and conditionally at each access request. This means that a user may be able to access the internet, but if they’re exposed to any potentially malicious activity, then access to sensitive sites will have conditional policy enforced, e.g., isolation, quarantine, etc.
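As an added illustration (not code from the article or from Zscaler’s product), the following Python sketch models the three pillars above for one initiator: verification of user, role and device, a risk score re-evaluated after every action, and a per-request policy decision that is conditional rather than a one-time allow/deny. The roles, resources, risk weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy data (illustrative): which resources each role may reach
# (least privilege), which resources are sensitive, and how much risk each
# observed action adds to the initiator's running score.
ROLE_ACCESS = {"finance": {"internet", "payroll"}, "engineer": {"internet", "source_repo"}}
SENSITIVE = {"payroll", "source_repo"}
EVENT_RISK = {"clean_browsing": 0, "visited_malicious_site": 20, "clicked_infected_link": 40}
WARN_AT, ISOLATE_AT, BLOCK_AT = 20, 40, 70   # hypothetical thresholds
KNOWN_DEVICES = {"managed_laptop", "personal_laptop", "phone"}

@dataclass
class Initiator:
    user: str
    role: str
    device: str            # one of KNOWN_DEVICES
    network: str           # "office", "home" or "public_wifi"
    risk: int = 0
    history: list = field(default_factory=list)

def verify(i: Initiator) -> bool:
    """Pillar 1: a request is only considered if the role and device are known."""
    return i.role in ROLE_ACCESS and i.device in KNOWN_DEVICES

def record_event(i: Initiator, event: str) -> int:
    """Pillar 2: re-score the initiator after every action, not once at login."""
    i.history.append(event)
    i.risk += EVENT_RISK[event]
    return i.risk

def decide(i: Initiator, resource: str) -> str:
    """Pillar 3: evaluate policy per request from identity, context and current risk."""
    if not verify(i) or resource not in ROLE_ACCESS[i.role]:
        return "deny"                                  # wrong role: no access at all
    if resource in SENSITIVE and (i.device != "managed_laptop" or i.network == "public_wifi"):
        return "deny"                                  # context too weak for sensitive data
    if i.risk >= BLOCK_AT:
        return "block"
    if i.risk >= ISOLATE_AT and resource in SENSITIVE:
        return "isolate"                               # no direct access; open in isolation
    if i.risk >= WARN_AT:
        return "allow_with_warning"
    return "allow"

def walkthrough() -> list:
    """Same user, same resource: the decision changes as risk and context change."""
    alice = Initiator("alice", "finance", "managed_laptop", "home")
    out = [decide(alice, "payroll")]                   # allow
    record_event(alice, "visited_malicious_site")
    out.append(decide(alice, "payroll"))               # allow_with_warning
    record_event(alice, "clicked_infected_link")
    out.append(decide(alice, "payroll"))               # isolate
    alice.network = "public_wifi"
    out.append(decide(alice, "payroll"))               # deny
    return out
```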

Conclusion

There’s a lot of noise surrounding zero trust at the moment, and it’s only made louder by the numerous conflicting architecture standards being published by companies, governments, and organisations. This can overwhelm and complicate your perception of zero trust, but at Zscaler, we truly believe that the core principles of zero trust can be simplified to ease adoption and implementation.

At its base level, zero trust is about verifying and contextualising connection requests and controlling access using the principle of least privilege. Using this principle, access is only allowed when necessary for the correct role, thus protecting your most valuable assets. In a hybrid working environment, traditional forms of connectivity are asking to be exploited. You need an architecture that is dynamic and fluid and facilitates your employees’ ability to work wherever and however they want.

© 2024 Professional Security Magazine. All rights reserved.