- A zero-trust architecture is based on the principle that all network requests are continuously and critically checked.
- The micro-segmentation of networks required for this increases the level of security and reduces the threat surface for cyber attacks.
- The implementation of a ZTA is complex and must be well prepared and solidly managed.
For a long time, the world of IT security was clearly structured: everything outside a company’s own network was considered insecure; everything within its own network was considered trustworthy. However, in times of increasingly complex networks, remote work and hybrid infrastructures, this concept is vulnerable to attacks and data leaks. The answer to these problems is Zero Trust, an approach to protecting IT systems and data that is described here.
What is Zero Trust?
In a zero trust architecture, there are basically no trusted users, networks or devices. All network participants must be constantly authenticated and verified, regardless of their location, origin or previous logins. The principle is: trust no one, verify everything.
The main pillars of zero-trust architectures are:
- Trust no one: Every user, every device and every app is considered a security risk in principle.
- Assume Breach: A zero trust model constantly assumes that the security of the data is at risk.
- Minimal access rights: Every client is given least privilege access, i.e. only those authorizations that are strictly needed to perform its tasks.
- Constant monitoring: Status and identity are constantly checked and verified even within ongoing sessions.
- Micro-segmentation: Data traffic within networks is strictly controlled. Data packets are only distributed to where they are actually needed. For this purpose, the network is divided into small, isolated segments.
- Strict access control: Every request for resources must be authorized and every access is checked and documented.
Zero Trust is not a substitute for other security measures such as firewalls, virtual private networks (VPN), virus protection, intrusion detection systems (IDS), data loss prevention (DLP) or an information security management system (ISMS). In fact, it extends and improves the security of these measures.
An important component of this security architecture is Zero Trust Network Access (ZTNA), a system that restricts access to company resources based on identity and context. It does not matter whether the request comes from within the company’s own network or from outside.
However, Zero Trust is not a clearly defined standard or a product that can be “installed” in the traditional way. Rather, it is a principle that describes processes, identities, system architectures and their interaction.
Which advantages does the Zero Trust principle offer?
Probably the most important advantage of a zero-trust architecture in the current environment is that it supports employees who want to access their work resources from anywhere. Whether in the office, working from home or working off-site – important data must be available at all times. Nevertheless, access must remain secured and verifiable.
This also applies to data and applications that are hosted outside the company network, for example with cloud service providers. They are also protected by a zero-trust architecture.
Another advantage is that the micro-segmentation of the network minimizes the damage caused by successful attacks. If malware enters the network, it cannot spread unhindered but is isolated in a small segment. This increases the resilience of the systems.
Another advantage of a ZTA is the scalability with which the principle can be rolled out across networks. Once set up, a ZTA can be expanded at any time and even ensures the security of data that is exchanged with other companies and organizations.
How is a zero-trust architecture set up?
The implementation of a Zero Trust security strategy is a complex process that brings a noticeable increase in IT security. To kick off, it is necessary to take a holistic view of the IT security of the entire organization. The German Federal Office for Information Security (BSI) explains in its Zero Trust position paper: “The initial focus [should] be on taking stock of your own existing IT infrastructure and identifying identities, organization-critical data, systems and business processes, among other things. On this basis, the next step can be to draft needs-based guidelines that form the basis for access evaluations by the policy engine. The policies can relate to the entire organization or initially only be applied to a sub-area (e.g. business processes identified as critical).”
The most important steps are discussed below.
Definition of a Zero Trust Strategy
First of all, a company must define exactly what it expects the architecture to achieve: What goals should be reached with the ZTA, what risks should be minimized? Which systems and data should be particularly protected and what resources are required to fulfill the security objectives? When and where should Zero Trust be used?
Architecture implementation
- In order to implement a ZTA, the network must first be divided into small, isolated segments. This micro-segmentation makes it possible to identify even the smallest areas and separate them from each other if necessary.
- Identity and Access Management (IAM) manages the identities and rights of users and devices.
- Building on this, Zero Trust Network Access (ZTNA) is implemented, which controls resources based on identity and context.
- All data is encrypted – both at rest and in transit.
- Multi-Factor Authentication (MFA) ensures that nobody can log into the network with just one factor, such as a single device or a single set of credentials.
- All systems and activities are constantly monitored and all access is logged so that suspicious activity, anomalies or threats can be detected quickly.
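As an added illustration (not part of the original article or of any BSI material), a minimal policy engine in Python that makes the access decision described in the steps above from identity, device posture, MFA, least-privilege role and session context, rather than from network location, and logs every decision; all user, device, resource and segment names are constructed:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample policy data (hypothetical names, not from any real deployment):
# identity -> roles, resource -> micro-segment, registered device ids.
ROLES: Dict[str, Set[str]] = {"alice": {"finance"}, "bob": {"engineering"}}
SEGMENT_OF: Dict[str, str] = {"payroll-db": "finance", "build-server": "engineering"}
REGISTERED_DEVICES: Set[str] = {"laptop-01", "laptop-02"}
REVERIFY_AFTER = timedelta(minutes=15)   # re-check identity mid-session after this long
T0 = datetime(2024, 1, 1, 9, 0, 0)       # constructed timestamp for the sample requests

@dataclass
class Request:
    user: str
    device_id: str
    resource: str
    mfa_verified: bool        # a second factor was presented for this session
    device_compliant: bool    # posture check (patched, disk encrypted, ...) passed
    last_verified: datetime   # when identity and posture were last re-confirmed
    now: datetime

decision_log: List[Dict[str, object]] = []   # every decision, allow or deny, is recorded

def evaluate(req: Request) -> Tuple[bool, str]:
    """Default deny: the request is allowed only if every check passes.

    Network location is deliberately not an input; identity, device and context are.
    """
    segment = SEGMENT_OF.get(req.resource)
    checks = [
        (segment is not None, "unknown resource"),
        (req.device_id in REGISTERED_DEVICES, "device not registered"),
        (req.device_compliant, "device posture check failed"),
        (req.mfa_verified, "MFA not satisfied"),
        (segment in ROLES.get(req.user, set()), "no role for this segment (least privilege)"),
        (req.now - req.last_verified <= REVERIFY_AFTER, "session verification expired"),
    ]
    for passed, reason in checks:
        if not passed:
            return _record(req, False, reason)
    return _record(req, True, "all checks passed")

def _record(req: Request, allowed: bool, reason: str) -> Tuple[bool, str]:
    decision_log.append({"time": req.now.isoformat(), "user": req.user,
                         "device": req.device_id, "resource": req.resource,
                         "allowed": allowed, "reason": reason})
    return allowed, reason

def sample(user, device, resource, mfa=True, compliant=True, minutes_since_verified=1):
    """Build a constructed sample request relative to T0."""
    return Request(user, device, resource, mfa, compliant,
                   T0 - timedelta(minutes=minutes_since_verified), T0)
```

Because the decision is taken per request and re-taken once the verification age exceeds REVERIFY_AFTER, a session that was valid at login is denied later without any change to the network position of the client.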
Training and further qualifications
Once the architecture is ready for use, employees must be prepared to work in a ZTA. It is important to create a culture of awareness and raise employees’ awareness of the importance of IT security.
What challenges does a ZTA entail?
Despite all the strengths of the Zero Trust principle, there are also challenges inherent in the system. The most important topics are:
- Implementation, monitoring and maintenance of a ZTA are complex.
- Due to the high level of control, a zero trust model requires a powerful IT infrastructure. Otherwise there is a risk of downtime or latency while the system processes its security requirements.
- The measures required for zero trust are often perceived by employees as complicated or restrictive and may represent a cultural change compared to the access systems previously used. Care must be taken during the implementation phase to ensure that employees understand why the respective measures are necessary and what benefits they will gain from a ZTA.
- The high level of control and monitoring in a zero trust network occasionally raises data protection concerns. The data in a ZTA must be consistently pseudonymized in order to avoid allegations of a surveillance system.
Zero Trust provides companies with greater security and flexibility
Overall, a well-implemented Zero Trust Architecture is the answer to many of today’s security issues. It offers employees a high degree of flexibility, reliably secures data and applications and at the same time reduces the threat surface for cyber attacks. This means that less trust in the context of zero trust actually leads to more security.