What is a Zero Trust Architecture (ZTA)?
A zero trust architecture is an approach to security that assumes that all systems, networks, and users are untrusted. It requires continuous authentication of devices, users, and applications.
A zero trust architecture is implemented using multiple, integrated technology solutions that support zero trust principles.
Here are some of the main principles of a zero trust architecture, according to the National Institute of Standards and Technology:
- All applications, infrastructure entities and data sources are defined as resources that need to be protected
- All communication, whether inside the corporate network or involving external networks, must be secured
- Users and services are authenticated and authorized before they access resources
- User and service activity is monitored and recorded
- Users are authorized to use services only for specific purposes, and access should be revoked when no longer needed
How Does a Zero Trust Architecture Work?
The National Cybersecurity Center of Excellence (NCCoE) recommends four main features of a zero trust architecture:
- Identify—creates an inventory of systems, software, and other resources, classifies them, and sets baselines to allow for detecting anomalies.
- Protect—handles authentication and authorization. Zero trust protection includes policy-based resource authentication and configuration, as well as software, firmware, and hardware integrity checks.
- Detect—identifies anomalies and suspicious events by continuously monitoring network activity to proactively detect potential threats.
- Respond—once a threat is detected, handles threat containment and mitigation.
These capabilities are typically implemented by several IT and security solutions, which work together to create a zero trust environment.
Zero Trust Architecture Workflow
With the above components, you can achieve the following workflow:
- Users sign into corporate systems using multi-factor authentication (MFA), verifying their identity over a secure channel.
- User accounts are granted access only to the specific applications and network resources they actually need (the least-privilege access model).
- User sessions are continuously monitored for unusual or malicious activity.
- When potentially malicious activity is detected, threat response occurs in real time.
The same workflow is applied to all users and resources in the organization, providing tight, granular control over access.
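As an added illustration, not code from the original article or from Hysolate, the Go program below implements the four workflow steps as a policy decision point: a request is refused unless the identity is MFA-verified, the device is registered and healthy, and an explicit, unexpired grant covers the requested action; an active session is then re-evaluated on every new posture report and revoked the moment monitoring raises an anomaly. All type names, the posture fields, and the sample `finance`/`erp` grant are hypothetical.

```go
package main

import "time"

// Subject is the authenticated principal behind a request (hypothetical model).
type Subject struct {
	Roles       []string
	MFAVerified bool
	DeviceID    string
}

// DevicePosture holds the health signals an endpoint agent reports (constructed fields).
type DevicePosture struct {
	Registered   bool // device is present in the inventory
	PatchAgeDays int  // days since the last patch was applied
}

// Request is one access attempt by a subject, from a device, against a resource.
type Request struct {
	Subject  Subject
	Posture  DevicePosture
	Resource string
	Action   string
	At       time.Time
}

// Decision is the verdict plus the reason written to the audit log.
type Decision struct {
	Allow  bool
	Reason string
}

// Grant is one least-privilege entitlement: a role may perform Actions on Resource
// until Expires (zero time = no expiry). An expired grant behaves as revoked.
type Grant struct {
	Role, Resource string
	Actions        []string
	Expires        time.Time
}

// Policy is the rule set evaluated on every request and on every re-evaluation.
type Policy struct {
	Grants      []Grant
	MaxPatchAge int // days; a device patched less recently is non-compliant
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// Decide applies the checks in the order the workflow lists them: MFA-verified
// identity, a registered and healthy device, then an explicit grant. Default deny.
func (p Policy) Decide(r Request) Decision {
	if !r.Subject.MFAVerified {
		return Decision{false, "identity not verified with MFA"}
	}
	if !r.Posture.Registered {
		return Decision{false, "device " + r.Subject.DeviceID + " not in inventory"}
	}
	if r.Posture.PatchAgeDays > p.MaxPatchAge {
		return Decision{false, "device posture non-compliant"}
	}
	for _, g := range p.Grants {
		if g.Resource != r.Resource || !contains(r.Subject.Roles, g.Role) || !contains(g.Actions, r.Action) {
			continue
		}
		if !g.Expires.IsZero() && r.At.After(g.Expires) {
			continue // expired entitlement: treated exactly like a revoked one
		}
		return Decision{true, "allowed by grant for role " + g.Role}
	}
	return Decision{false, "no matching grant (default deny)"}
}

// Session is the state kept after an initial allow; it never becomes permanently trusted.
type Session struct {
	Req    Request
	Active bool
}

// Reevaluate runs on a timer and whenever a new signal arrives (fresh posture report,
// anomaly raised by monitoring). Any failing check ends the session immediately.
func (p Policy) Reevaluate(s *Session, anomaly bool, posture DevicePosture, now time.Time) Decision {
	if anomaly {
		s.Active = false
		return Decision{false, "anomalous activity detected; session revoked"}
	}
	s.Req.Posture, s.Req.At = posture, now
	d := p.Decide(s.Req)
	s.Active = d.Allow
	return d
}
```

Call `Decide` for the initial request and `Reevaluate` from a ticker or from the monitoring pipeline's callback; because the session re-runs the full `Decide` path, a device that drifts out of compliance mid-session loses access without waiting for the next login.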
3 Zero Trust Architecture Approaches
There are many ways to implement a zero trust architecture in an organization. Here are a few primary options, each of which places emphasis on different tenets of the zero trust model.
ZTA with Enhanced Identity Governance
This option makes the identity of the actor the primary factor in policy making. You define the access conditions for each enterprise resource based on the identity and assigned attributes of the user or system accessing that resource. The main requirement is to give each user or system appropriate access to the resources it needs, without granting access to any unnecessary systems.
ZTA with Micro-Segmentation
This option implements zero trust by placing individual resources or groups of resources on different network segments, with secure gateways between segments. Organizations can use network equipment such as routers, switches, and next-generation firewalls (NGFW), or software agents, to act as a policy enforcement point (PEP) that protects each group of resources.
ZTA with Software Defined Network Perimeters
This option leverages an overlay network, typically at layer 7 of the OSI model (the application layer), although it may also operate lower in the network stack. The method is known as a Software Defined Perimeter (SDP) because it usually relies on Software Defined Networking (SDN) technology, in which networks are managed through flexible, virtualized appliances.
4 Best Practices for Building a Zero Trust Architecture
Know your Architecture
When building a zero trust architecture, it is extremely important to map out your network topology and know your assets. You need to understand who your users are, what devices they are using, and which services and data they are accessing.
Pay special attention to components that use the network. Consider any network as hostile—whether it is your local network or an unsecured public network. Also take into account existing services that were not designed for a zero trust architecture, and may not be able to defend themselves.
Create a Strong Device Identity
Device identity is a cornerstone of a zero trust architecture. It is the basis for authentication, authorization, and other security mechanisms. It must be strong and unique.
The device identity must be:
- Attached to the device rather than to the user. It should be possible to identify devices even if they are not connected to a network or are behind a NAT device.
- Verifiable by the network. A device should not be able to claim multiple identities or identities that do not belong to it.
- Persistent, remaining unchanged even if the device is repurposed or replaced.
- Verifiable over time. It should be possible to check whether a device is still in use or has been decommissioned.
- Verifiable across networks. The same device should be able to prove its identity when connecting from different networks, including public ones.
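The following Go program is an added example of the device identity properties listed above; it is not Hysolate's code or part of the original article. Each device holds an Ed25519 private key that never leaves it (in a real deployment, a TPM or secure element) and is enrolled in a registry under a stable identifier. The network proves possession of that key with a random, single-use challenge, so the identity is bound to the device rather than the user, works from any network, cannot be claimed by a device holding a different key, cannot be replayed from a recording, and can be checked against a decommissioned flag at any time. The registry API and the `laptop-0042` identifier are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// DeviceRecord is what the enrollment registry stores for one device.
type DeviceRecord struct {
	PublicKey ed25519.PublicKey
	Revoked   bool // set when the device is decommissioned
}

// Registry maps a stable device identifier to its enrolled key and any outstanding challenge.
type Registry struct {
	devices map[string]*DeviceRecord
	nonces  map[string]string // outstanding single-use challenge per device, hex encoded
}

func NewRegistry() *Registry {
	return &Registry{devices: map[string]*DeviceRecord{}, nonces: map[string]string{}}
}

// GenerateDeviceKey runs on the device at enrollment. The private half stays on the
// device (ideally in a TPM or secure element) so the identity is bound to hardware, not a user.
func GenerateDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Enroll records the device's public key under its identifier.
func (r *Registry) Enroll(id string, pub ed25519.PublicKey) {
	r.devices[id] = &DeviceRecord{PublicKey: pub}
}

// Revoke marks a decommissioned device so it can no longer authenticate.
func (r *Registry) Revoke(id string) error {
	rec, ok := r.devices[id]
	if !ok {
		return errors.New("unknown device")
	}
	rec.Revoked = true
	return nil
}

// Challenge issues a fresh random nonce that the device must sign. Because the nonce
// is random and single use, a recorded response proves nothing later.
func (r *Registry) Challenge(id string) ([]byte, error) {
	if _, ok := r.devices[id]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.nonces[id] = hex.EncodeToString(nonce)
	return nonce, nil
}

// SignChallenge is the device side: sign the nonce with the device-bound private key.
func SignChallenge(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Verify checks the response against the key enrolled for the *claimed* identifier, so a
// device cannot assert an identity whose key it does not hold. The outstanding challenge
// is consumed whether or not verification succeeds.
func (r *Registry) Verify(id string, nonce, sig []byte) error {
	rec, ok := r.devices[id]
	if !ok {
		return errors.New("unknown device")
	}
	expected, pending := r.nonces[id]
	delete(r.nonces, id)
	if !pending || expected != hex.EncodeToString(nonce) {
		return errors.New("no matching outstanding challenge (stale or replayed)")
	}
	if rec.Revoked {
		return errors.New("device decommissioned")
	}
	if !ed25519.Verify(rec.PublicKey, nonce, sig) {
		return errors.New("signature does not match enrolled key")
	}
	return nil
}

func main() {
	pub, priv, err := GenerateDeviceKey()
	if err != nil {
		panic(err)
	}
	reg := NewRegistry()
	reg.Enroll("laptop-0042", pub) // constructed device identifier
	nonce, _ := reg.Challenge("laptop-0042")
	fmt.Println("verify:", reg.Verify("laptop-0042", nonce, SignChallenge(priv, nonce)))
}
```

Nothing in the exchange depends on the device's IP address or the network it connects from, which is what makes the identity portable across corporate, home, and public networks; the inventory check ("is this device still in use?") is the `Revoked` flag consulted on every verification rather than a one-time enrollment decision.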
Create a Secure Communication Channel
Communication channels within a zero trust architecture must be secure and trusted. They need to protect against eavesdropping, replay attacks, message modification, and other threats.
The communication channel between any two devices needs to provide confidentiality, integrity, and authenticity of messages exchanged between them. It may also need to support non-repudiation for certain use cases.
Communication channels may also need to support:
- Protection against denial of service (DoS) attacks
- Authorization of user requests—for example, when a user attempts to access data they do not have permission for
- Authorization of devices—for example, when a client attempts to connect from an unauthorized device
- Time-controlled access based on time of day or location of the user
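As an added example for the channel properties above (not code from the original article or from Hysolate), the Go program below shows one direction of an authenticated, encrypted channel after a session key has been agreed. AES-GCM provides confidentiality and integrity, the tag fails on any modification, and the sender's sequence number is bound as associated data and tracked by the receiver so a replayed or reordered message is rejected. Key agreement (for instance an mTLS handshake) is assumed to have happened already; the nonce derivation from the sequence number follows the TLS 1.3 pattern and therefore requires a key that is unique per session and per direction. The `Channel` type and the demo key are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Channel is one direction of a session-keyed AEAD channel. The key must be unique
// to this session and direction because nonces are derived from the sequence number.
type Channel struct {
	aead    cipher.AEAD
	sendSeq uint64 // next sequence number to emit
	recvSeq uint64 // lowest sequence number still acceptable on receive
}

func NewChannel(key []byte) (*Channel, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Channel{aead: aead}, nil
}

// nonceFor places the 8-byte sequence number in the low bytes of the 12-byte GCM nonce,
// so no (key, nonce) pair is ever reused within a session.
func (c *Channel) nonceFor(seq []byte) []byte {
	nonce := make([]byte, c.aead.NonceSize())
	copy(nonce[len(nonce)-len(seq):], seq)
	return nonce
}

// Seal encrypts plaintext and binds the sequence number as associated data.
// Wire format: seq (8 bytes, big-endian) || ciphertext || GCM tag.
func (c *Channel) Seal(plaintext []byte) ([]byte, error) {
	if c.sendSeq == ^uint64(0) {
		return nil, errors.New("sequence space exhausted; rekey required")
	}
	seq := make([]byte, 8)
	binary.BigEndian.PutUint64(seq, c.sendSeq)
	c.sendSeq++
	ct := c.aead.Seal(nil, c.nonceFor(seq), plaintext, seq)
	return append(seq, ct...), nil
}

// Open authenticates and decrypts. A modified byte anywhere (including the sequence
// field) fails the tag; a sequence number at or below one already accepted is a replay.
func (c *Channel) Open(msg []byte) ([]byte, error) {
	if len(msg) < 8+c.aead.Overhead() {
		return nil, errors.New("message too short")
	}
	seqBytes, ct := msg[:8], msg[8:]
	seq := binary.BigEndian.Uint64(seqBytes)
	if seq < c.recvSeq {
		return nil, errors.New("replayed or out-of-order message")
	}
	pt, err := c.aead.Open(nil, c.nonceFor(seqBytes), ct, seqBytes)
	if err != nil {
		return nil, errors.New("authenticity/integrity check failed")
	}
	c.recvSeq = seq + 1 // advance only after the message authenticated
	return pt, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key only
	tx, _ := NewChannel(key)
	rx, _ := NewChannel(key)
	msg, _ := tx.Seal([]byte("GET /payroll"))
	pt, err := rx.Open(msg)
	fmt.Printf("first delivery: %q err=%v\n", pt, err)
	_, err = rx.Open(msg)
	fmt.Println("replayed delivery err:", err)
}
```

The receiver advances `recvSeq` only after a successful `Open`, so a forged message carrying a high sequence number cannot be used to make the receiver skip genuine messages; this is also why the replay check comes before, not instead of, the tag check.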
Use Network Segmentation
Any zero trust architecture relies heavily on network segmentation and security controls between network segments. These are used to protect sensitive data and services from unauthorized access.
Segmentation can be implemented using VLANs, firewalls, and other types of security controls such as IDS/IPS. It is important to implement these security controls in a way that protects your assets from both internal and external threats.
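The Go program below is an added example, not Hysolate's code or code from the original article, serving both the micro-segmentation approach described earlier and the segmentation practice in this section. It models a policy enforcement point between segments: hosts are classified into named segments by CIDR, and a flow is permitted only when an explicit, directional rule exists for that segment pair and port. Everything else is denied, including traffic between two internal hosts, which is the behaviour that treats the local network as hostile. The segment names, address ranges, and rules are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// SegmentSpec names a micro-segment and the address range it covers (constructed input).
type SegmentSpec struct {
	Name string
	CIDR string
}

// FlowRule is one explicit allow: From segment may reach To segment on Port.
// Rules are directional; nothing is implied in the reverse direction.
type FlowRule struct {
	From string
	To   string
	Port int
}

type segment struct {
	name  string
	ipnet *net.IPNet
}

// PEP is a policy enforcement point sitting between segments; a firewall, switch ACL,
// or host agent would hold this logic in practice.
type PEP struct {
	segments []segment
	rules    []FlowRule
}

// NewPEP parses the segment ranges once. Segments are matched in the order given,
// so list more specific ranges first if any overlap.
func NewPEP(specs []SegmentSpec, rules []FlowRule) (*PEP, error) {
	p := &PEP{rules: rules}
	for _, s := range specs {
		_, n, err := net.ParseCIDR(s.CIDR)
		if err != nil {
			return nil, fmt.Errorf("segment %q: %w", s.Name, err)
		}
		p.segments = append(p.segments, segment{s.Name, n})
	}
	return p, nil
}

// segmentOf classifies an address; "" means it belongs to no known segment.
func (p *PEP) segmentOf(ip net.IP) string {
	for _, s := range p.segments {
		if s.ipnet.Contains(ip) {
			return s.name
		}
	}
	return ""
}

// Allow decides one flow. It is default deny: unparseable or unclassified endpoints and
// flows without an explicit rule are dropped, even when both ends are inside the
// corporate network.
func (p *PEP) Allow(src, dst string, port int) (bool, string) {
	sip, dip := net.ParseIP(src), net.ParseIP(dst)
	if sip == nil || dip == nil {
		return false, "deny: unparseable address"
	}
	from, to := p.segmentOf(sip), p.segmentOf(dip)
	if from == "" || to == "" {
		return false, "deny: endpoint not in any known segment"
	}
	for _, r := range p.rules {
		if r.From == from && r.To == to && r.Port == port {
			return true, fmt.Sprintf("allow: %s -> %s port %d", from, to, port)
		}
	}
	return false, fmt.Sprintf("deny: %s -> %s port %d has no rule (default deny)", from, to, port)
}

func main() {
	pep, err := NewPEP(
		[]SegmentSpec{{"workstations", "10.10.0.0/16"}, {"app", "10.20.0.0/16"}, {"db", "10.30.0.0/16"}},
		[]FlowRule{{"workstations", "app", 443}, {"app", "db", 5432}},
	)
	if err != nil {
		panic(err)
	}
	_, why := pep.Allow("10.10.4.7", "10.20.0.10", 443)
	fmt.Println(why)
	_, why = pep.Allow("10.10.4.7", "10.30.0.5", 5432) // workstation straight to the database tier
	fmt.Println(why)
}
```

Logging the reason string from every decision, allowed or denied, gives the Detect capability something to monitor: a burst of "default deny" verdicts from a workstation toward the database segment is exactly the kind of anomaly the earlier sections describe.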
Zero Trust Architecture with Hysolate
Hysolate creates a Zero Trust Architecture by splitting a user's device into two segregated zones, each running in its own OS, leveraging the latest hypervisor and virtualization-based security technologies. One OS is the user's untrusted operating system; the other is an instantly provisioned, fully isolated corporate operating system running in a VM. This VM is spun up without any infrastructure cost or image-building work. The corporate VM runs a locked-down operating system and can contain an inaccessible client certificate that vouches for the integrity of the VM.
The ZTA broker allows only the corporate VM running on Hysolate to access sensitive enterprise applications, making it impossible for the end user to reach those applications from any other untrusted environment or device.
IT admins can isolate this corporate VM from the user's personal OS, with admin-managed controls over the clipboard, USB, network, and applications, all managed from the cloud.