Zero Trust Security Model

Zero trust implementation involves requiring strict identity verification for every individual or device that attempts to access the network or application. This verification applies whether or not the device or user is already within the network perimeter. User or device identity verification can be triggered by events such as changes in the devices being used, location, log-in frequency, or the number of failed login attempts.

Protection begins by identifying your protect surface, which is based on data, applications, assets, or services, commonly referenced by the acronym DAAS:

1. Data: Which data do you have to protect?
2. Applications: Which applications have sensitive information?
3. Assets: What are your most sensitive assets?
4. Services: Which services can a bad actor exploit in an attempt to interrupt normal IT operation?

Establishing this protect surface helps you hone in on exactly what needs to be protected. This approach is preferable to trying to guard the attack surface, which constantly increases in size and complexity.

A zero trust policy involves regulating traffic around critical data and components by forming microperimeters. At the edge of a microperimeter, a zero trust network employs a segmentation gateway, which monitors the entry of people and data. It applies security measures that are designed to thoroughly vet users and data before to granting access using a Layer 7 firewall and the Kipling method. 

A Layer 7 rule involves inspecting the payload of packets to see if they match known types of traffic. If a packet contains data that doesn’t meet the parameters of the Layer 7 rule, access is blocked. The Kipling method challenges the validity of the entry attempt by asking six questions about the entry and who is trying to get in: Who? What? When? Where? Why? How? If the answer to any of the queries raises a flag, access isn’t granted.

Multi-factor authentication (MFA) verifies the identity of a user by requiring them to provide multiple credentials. With traditional password entry methods, a bad actor only has to figure out a username and password, which often are easy for hackers to acquire. With MFA, users must provide multiple methods of identification. For example, a user may need both a USB stick and a password. Without either factor, the person would not be able to gain access.

Multi-factor authentication aids a zero-trust network by increasing the number of user-specific credentials required for access. Using MFA can increase the difficulty for hackers by a factor of two, three, four, or more.

Endpoints need to be verified to make sure each one is being controlled by the right person. Endpoint verification strengthens a zero trust approach because it requires both the user and the endpoint itself to present credentials to the network. Each endpoint has its own layer of authentication that would necessitate users to prove their credentials before gaining access. 

Then, in order for a component or program on the network to allow the endpoint access, it sends a verification out to the endpoint. The user then responds on the device. The data sent from the endpoint is used to check its validity, and a successful receipt and transmission process earns the device the status of “trustworthy.”

Unified endpoint management (UEM) allows administrators to centralize how they manage IT infrastructures by giving them a single set of tools they can use to verify multiple endpoints. Endpoint detection and response (EDR) verifies the safety and security of the endpoint. EDR works like a multifaceted antivirus. It scans the endpoint, identifies threats, and then takes steps to protect the endpoint and by extension, the rest of the network.

Microsegmentation involves creating zones within the network to isolate and secure elements of the network that could contain sensitive information or provide access to malicious actors. A zero trust security approach benefits from microsegmentation because once the secured area has been microsegmented, it’s protected from threats. The firewall or filter that forms a barrier around the zone can also block threats from exiting the zone, which protects the rest of the network.

Least-privilege access refers to allowing users and devices to access only those resources that are essential to performing their duties. A zero trust setup benefits from least-privilege access because it limits the number of points of entry to sensitive data or infrastructure. Least-privilege access may also save time and resources because fewer MFA measures have to be employed, which limits the volume of identification credentials that have to be granted and managed.

Zero trust network access (ZTNA) is an element of zero trust access that focuses on controlling access to applications.  ZTNA extends the principles of ZTA to verify users and devices before every application session to confirm that they meet the organizations policy to access that application. ZTNA supports multi-factor authentication to retain the highest levels of verification.

A key element of the ZTNA concept is the location independence of the user.  The application access policy and verification process is the same whether the user is on the network or off the network. Users on the network have no more trust than users that are off the network.

For users off the network, ZTNA includes a secure, encrypted tunnel for connectivity from the user device to the ZTNA application proxy point.  The automatic nature of this tunnel makes it easier to use than traditional VPN tunnels. The improved experience for users is leading many organizations to shift to ZTNA to replace VPN access.

The ZTNA application proxy point provides a benefit beyond just the transparent, secure remote access.  By putting applications behind a proxy point, ZTNA hides those applications from the Internet.  Only those users who have verified can gain access to those applications.