Learning Resource: Zero Trust
What is a Zero Trust Architecture (ZTA)?
A zero trust architecture is an approach to security that assumes that all systems, networks, and users are untrusted. It requires continuous authentication of devices, users, and applications.
A zero trust architecture is implemented using multiple, integrated technology solutions that support zero trust principles.
Here are some of the main principles of a zero trust architecture, according to the National Institute of Standards and Technology:
- All applications, infrastructure entities and data sources are defined as resources that need to be protected
- All communication, whether inside the corporate network or involving external networks, must be secured
- Users and services are authenticated and authorized before they access resources
- User and service activity is monitored and recorded
- Users are authorized to use services only for specific purposes, and access should be revoked when no longer needed
How Does a Zero Trust Architecture Work?
The National Cybersecurity Center of Excellence (NCCoE) recommends four main features of a zero trust architecture:
- Identify—creates an inventory of systems, software, and other resources, classifies them, and sets baselines to allow for detecting anomalies.
- Protect—authentication and authorization processing. Zero trust protection includes policy-based resource authentication and configuration, as well as software, firmware, and hardware integrity checks.
- Detect—identifies anomalies and suspicious events by continuously monitoring network activity, so that potential threats are detected proactively.
- Respond—once a threat is detected, handles threat containment and mitigation.
These capabilities are typically implemented by several IT and security solutions, which work together to create a zero trust environment.
Zero Trust Architecture Workflow
With the above components, you can achieve the following workflow:
- Users sign in to corporate systems using multi-factor authentication (MFA), verifying their identity over a secure channel.
- User accounts are granted access only to the specific applications and network resources they actually need (least-privilege access model).
- User sessions are continuously monitored for unusual or malicious activity.
- When potentially malicious activity is detected, threat response occurs in real time.
The same workflow is applied to all users and resources in the organization, providing tight, granular control over access.
3 Zero Trust Architecture Approaches
There are many ways to implement a zero trust architecture in an organization. Here are a few primary options, each of which places emphasis on different tenets of the zero trust model.
ZTA with Enhanced Identity Governance
This option makes the identity of the actor the central factor in policy making. You define the access conditions for each enterprise resource based on the identity and assigned attributes of the user or system accessing it. The main requirement is to give each user or system appropriate access to the resources it needs, without granting access to any unnecessary systems.
ZTA with Micro-Segmentation
This option implements zero trust by placing individuals or groups of resources on different network segments, with secure gateways between segments. Organizations can use network equipment like routers, switches, next-generation firewalls (NGFW), or software agents, to act as a policy enforcement point (PEP) that protects groups of resources.
ZTA with Software Defined Network Perimeters
This option leverages an overlay network, typically at layer 7 of the OSI model (the application layer), but may also be lower down in the network stack. This method is known as Software Defined Perimeter (SDP) because it usually leverages Software Defined Networking (SDN) technology, in which networks are managed using flexible, virtualized appliances.
4 Best Practices for Building a Zero Trust Architecture
Know your Architecture
When building a zero trust architecture, it is extremely important to map out your network topology and know your assets. You need to understand who your users are, what devices they are using, and which services and data they are accessing.
Pay special attention to components that use the network. Consider any network as hostile—whether it is your local network or an unsecured public network. Also take into account existing services that were not designed for a zero trust architecture, and may not be able to defend themselves.
Create a Strong Device Identity
Device identity is a cornerstone of a zero trust architecture. It is the basis for authentication, authorization, and other security mechanisms. It must be strong and unique.
The device identity must be:
- Attached to the device rather than to the user. It should be possible to identify devices even if they are not connected to a network or are behind a NAT device.
- Verifiable by the network. A device should not be able to claim multiple identities or identities that do not belong to it.
- Persistent and remain unchanged even if the device is repurposed or replaced.
- Verifiable over time. It should be possible to check if a device is still in use or has been decommissioned.
- Verifiable across networks. The same device should be able to prove its identity when connecting from different networks, including public ones.
Create a Secure Communication Channel
Communication channels within a zero trust architecture must be secure and trusted. They need to protect against eavesdropping, replay attacks, message modification, and other threats.
The communication channel between any two devices needs to provide confidentiality, integrity, and authenticity of messages exchanged between them. It may also need to support non-repudiation for certain use cases.
Communication channels may also need to support:
- Protection against denial of service (DoS) attacks
- Authorization of user requests—for example, when a user attempts to access data they do not have permission for
- Authorization of devices—for example, when a client attempts to connect from an unauthorized device
- Time-controlled access based on time of day or location of the user
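The device identity requirements above (unique, bound to the device, not claimable by another device, revocable when decommissioned) and the channel requirements (authenticity, integrity, replay protection) can be exercised with a small broker-side registry. The following is an added example written for this page; it is not Hysolate's code or any vendor's product. The per-device secret and HMAC stand in for the hardware-bound key or client certificate a real deployment would use, and the device IDs, keys and messages are constructed. Confidentiality is left to the transport (TLS) and is not modelled here.

```python
"""Device identity plus an authenticated message channel for a zero trust broker.

Added example, not Hysolate's or any other vendor's code. The per-device secret
and HMAC stand in for the hardware-bound key or client certificate a real
deployment would use; device IDs, keys and messages are constructed here.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class DeviceRecord:
    device_id: str
    key: bytes
    status: str = "active"                         # "active" or "decommissioned"
    last_seq: int = 0                              # highest sequence number accepted
    outstanding: set = field(default_factory=set)  # challenges not yet answered


def _tag(key, data):
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


class DeviceRegistry:
    """Broker side: the single source of truth for which devices exist and are active."""

    def __init__(self):
        self._devices = {}

    def enroll(self, device_id):
        key = secrets.token_bytes(32)              # delivered to the device once, at enrollment
        self._devices[device_id] = DeviceRecord(device_id, key)
        return key

    def decommission(self, device_id):
        self._devices[device_id].status = "decommissioned"

    def _active(self, device_id):
        rec = self._devices.get(device_id)
        return rec if rec is not None and rec.status == "active" else None

    def issue_challenge(self, device_id):
        """Fresh nonce; None means the device is unknown or decommissioned."""
        rec = self._active(device_id)
        if rec is None:
            return None
        nonce = secrets.token_hex(16)
        rec.outstanding.add(nonce)
        return nonce

    def verify_challenge(self, device_id, nonce, response):
        """The nonce is consumed on first use, so a replayed response fails."""
        rec = self._active(device_id)
        if rec is None or nonce not in rec.outstanding:
            return False
        rec.outstanding.discard(nonce)
        return hmac.compare_digest(_tag(rec.key, nonce), response)

    def verify_message(self, device_id, seq, payload, tag):
        """Integrity, authenticity and replay protection for one message."""
        rec = self._active(device_id)
        if rec is None or seq <= rec.last_seq:     # stale sequence number: replay
            return False
        if not hmac.compare_digest(_tag(rec.key, f"{seq}|{payload}"), tag):
            return False                           # tampered payload or wrong key
        rec.last_seq = seq
        return True


class Device:
    """Device side: holds only its own key, so it cannot answer for another device."""

    def __init__(self, device_id, key):
        self.device_id, self.key, self.seq = device_id, key, 0

    def answer(self, nonce):
        return _tag(self.key, nonce)

    def send(self, payload):
        self.seq += 1
        return self.seq, payload, _tag(self.key, f"{self.seq}|{payload}")


def demo():
    """Run the checks the text asks for and return which ones the broker accepted."""
    reg = DeviceRegistry()
    laptop = Device("laptop-001", reg.enroll("laptop-001"))
    other = Device("laptop-002", reg.enroll("laptop-002"))
    r = {}
    n = reg.issue_challenge("laptop-001")
    r["genuine"] = reg.verify_challenge("laptop-001", n, laptop.answer(n))
    r["replayed_challenge"] = reg.verify_challenge("laptop-001", n, laptop.answer(n))
    n2 = reg.issue_challenge("laptop-001")
    r["claims_other_identity"] = reg.verify_challenge("laptop-001", n2, other.answer(n2))
    msg = laptop.send("GET /payroll")
    r["message"] = reg.verify_message("laptop-001", *msg)
    r["replayed_message"] = reg.verify_message("laptop-001", *msg)
    seq, _, tag = laptop.send("GET /payroll")
    r["tampered"] = reg.verify_message("laptop-001", seq, "GET /admin", tag)
    reg.decommission("laptop-001")
    r["after_decommission"] = reg.issue_challenge("laptop-001") is None
    return r
```

Only the genuine challenge response and the first untampered message are accepted; a replayed challenge response, a device answering for an identity it does not hold, a replayed or modified message, and any request from a decommissioned device are all rejected by the registry alone, without relying on which network the device connected from.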
Use Network Segmentation
Any zero trust architecture relies heavily on network segmentation and security controls between network segments. These are used to protect sensitive data and services from unauthorized access.
Segmentation can be implemented using VLANs, firewalls, and other types of security controls such as IDS/IPS. It is important to implement these security controls in a way that protects your assets from both internal and external threats.
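Whichever enforcement point is used (VLAN ACLs, a firewall, or the micro-segmentation gateways described earlier), the policy behind it is a default-deny allow-list between segments. The following added example (not from the page or any vendor) evaluates flows against such a list; the segment names, CIDRs, protocols and ports are constructed for illustration.

```python
"""Default-deny segment-to-segment policy check.

Added example, not from the page or any vendor. Segments, CIDRs and rules are
constructed; a real deployment would load them from the firewall/VLAN inventory.
"""
import ipaddress

# Constructed network segments.
SEGMENTS = {
    "user-wifi":  ipaddress.ip_network("10.10.0.0/16"),
    "corp-apps":  ipaddress.ip_network("10.20.0.0/24"),
    "db-tier":    ipaddress.ip_network("10.30.0.0/24"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}

# Allow-list of (source segment, destination segment, protocol, port).
# Anything not listed is denied, including traffic between hosts in the same
# segment, which is what micro-segmentation adds over plain VLAN separation.
RULES = {
    ("user-wifi",  "corp-apps", "tcp", 443),
    ("corp-apps",  "db-tier",   "tcp", 5432),
    ("management", "db-tier",   "tcp", 22),
    ("management", "corp-apps", "tcp", 22),
}


def segment_of(ip):
    """Name of the segment containing ip, or None if the address is unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, proto, port):
    """Default-deny decision for one flow. Unknown addresses are never allowed."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    return (src, dst, proto.lower(), port) in RULES


def audit(flows):
    """Evaluate a list of (src_ip, dst_ip, proto, port) and return the verdicts."""
    return [
        f"{'ALLOW' if is_allowed(*f) else 'DENY'} {f[0]} -> {f[1]} {f[2]}/{f[3]}"
        for f in flows
    ]
```

Running `audit` over a handful of flows makes the gaps in a segmentation design visible before the rules are deployed: a workstation reaching the database directly, or two application hosts talking on a port nobody approved, shows up as DENY rather than silently passing.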
Zero Trust Architecture with Hysolate
Hysolate creates a zero trust architecture by splitting a user’s device into two segregated zones, each running in its own OS, leveraging the latest hypervisor and virtualization-based security technologies. One OS is the user’s untrusted operating system; the other is an instantly provisioned, fully isolated corporate operating system running in a VM, spun up without any infrastructure cost or image-building work. The corporate VM runs a locked-down operating system and can contain an inaccessible client certificate that vouches for the integrity of the VM.
The ZTA broker would only allow that corporate VM running on Hysolate to have access to sensitive enterprise applications, making it impossible for the end-user to access these applications from any other untrusted environment/device.
IT admins can isolate this corporate VM from the user’s personal OS, including admin managed controls over clipboard, USB, network, applications, etc, all managed from the cloud.
What is a Zero Trust Network?
A zero trust network continuously authenticates and validates users and connected endpoints. The goal of zero trust security models is to ensure networks remain protected while providing access to remote endpoints and users, including bring your own device (BYOD) endpoints and external third-party integrators.
A zero trust network lets all types of users leverage corporate resources, as long as these users and endpoints are continuously validated. According to Gartner, 60% of enterprises will replace their virtual private networks (VPNs) with ZTNA solutions.
To ensure safe access, a zero trust network uses zero trust network access (ZTNA) solutions. ZTNA solutions provide access controls that validate and authenticate users on a continuous basis.
What is ZTNA?
Zero trust network access (ZTNA) is a network security pattern that helps organizations implement zero trust concepts in their network ecosystem.
ZTNA is not a single technology. It encompasses a range of technologies for verifying a requesting user or device, and providing access according to predefined policies. ZTNA solutions create an environment that protects both local and cloud-based resources. Applications are assumed to be unknown and undiscoverable, and access is granted by a trusted broker.
The ZTNA trusted broker uses the following processes to authorize entities on the network:
- Login—when a user logs in, the broker verifies their identity.
- Device connection—when a device connects to the network, the broker ensures the device is known, trusted, and has the relevant security updates.
- Least privilege—the broker restricts access according to the principle of least privilege (POLP). It grants access to users depending on their role, and only lets them access the resources necessary for their function, at the minimal level of privilege.
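The three broker steps above, and the identity-governance approach described earlier in which access conditions are defined from the attributes of the user or system, reduce to a decision function that is re-run on every request. The following is an added example written for this page, not any vendor's broker: the roles, resources, posture threshold and sample users and devices are constructed, and MFA and device attestation are assumed to have been performed upstream, with the broker consuming their results.

```python
"""A minimal ZTNA broker decision: login, device connection, least privilege.

Added example; not any vendor's broker. Roles, resources, the posture threshold
and the users/devices are constructed. MFA and device attestation are assumed
to have been performed upstream; the broker consumes their results.
"""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    role: str
    mfa_verified: bool


@dataclass
class Device:
    device_id: str
    enrolled: bool        # known to the device registry
    patch_level: int      # constructed: higher means more current
    disk_encrypted: bool


MIN_PATCH_LEVEL = 42      # constructed posture threshold

# Least privilege: each role lists only the resources and actions it needs.
ROLE_GRANTS = {
    "engineer":   {"git": {"read", "write"}, "ci": {"read"}},
    "finance":    {"payroll": {"read", "write"}},
    "contractor": {"git": {"read"}},
}


def login_ok(user):
    return user.mfa_verified


def device_ok(device):
    return device.enrolled and device.patch_level >= MIN_PATCH_LEVEL and device.disk_encrypted


def decide(user, device, resource, action):
    """Return (allowed, reason). Every check must pass; the first failure decides."""
    if not login_ok(user):
        return False, "login: identity not verified with MFA"
    if not device_ok(device):
        return False, "device: not enrolled or out of policy"
    granted = ROLE_GRANTS.get(user.role, {}).get(resource, set())
    if action not in granted:
        return False, f"least privilege: role '{user.role}' has no '{action}' on '{resource}'"
    return True, "allow"


def session_decisions(user, device, requests):
    """Re-evaluate every request, as a broker does, instead of deciding once at login.

    `requests` is a list of (resource, action, patch_level_at_request_time). The
    posture value is applied before each decision, so a device that falls out of
    policy mid-session loses access on its next request.
    """
    out = []
    for resource, action, patch_level in requests:
        device.patch_level = patch_level
        out.append(decide(user, device, resource, action)[0])
    return out
```

The ordering matters: identity is checked before device posture, and posture before authorization, so a request from an unverified user never reaches the role lookup. `session_decisions` shows the "continuous" part of continuous validation: the same user on the same device is allowed, then denied while the device is below the patch threshold, then allowed again once it is back in policy.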
Benefits of ZTNA
ZTNA solutions can provide the following benefits to organizations, as they adopt a zero trust security model.
Secure Cloud Access
Many organizations are running services in the public cloud, and research shows a majority of cloud users run on multiple cloud platforms. To reduce the attack surface, organizations need to limit access to these cloud-based resources.
ZTNA allows organizations to restrict access to cloud environments and applications based on their business needs. Each user and application can be assigned a role within the ZTNA solution. Each role is then granted the appropriate rights and privileges with respect to cloud-based infrastructure.
Secure Remote Access
In the wake of COVID-19, most organizations have moved largely or entirely to remote workforces. Many companies use virtual private networks (VPNs) to enable remote access. However, VPNs have significant limitations such as lack of scalability and integrated security.
A major problem with VPNs is that, by default, authenticated users gain full access to the entire network, regardless of their role or the resource they are trying to reach. This creates an inherent security vulnerability. ZTNA solutions recognize that users are connecting remotely or via their personal devices (BYOD), and give them appropriate, limited access to the corporate network.
Protecting Against Account Compromise
Privileged account compromise is a common threat vector in modern networks. Attackers steal, infer, or otherwise compromise user account credentials, and then use them to authenticate on the organization’s systems. This grants the attacker the same level of access as a legitimate user.
Implementing ZTNA can address this threat, and minimize the damage that an attacker can inflict using a compromised account. The attacker’s ability to move laterally across the network is limited by the privileges assigned to the compromised user account.
Considerations for Choosing a Zero Trust Network Access Solution
Here are a few key considerations when selecting technologies that will make up your ZTNA solution:
- Agent vs. agentless—whether the solution requires an agent to be deployed on endpoint devices. An agent requirement can significantly limit the solution’s value for devices that are not owned by the organization.
- Support for workloads—whether the solution supports web applications, legacy applications, containerized infrastructure, etc.
- Cloud-based vs. on-premises—whether the solution is delivered as a cloud service or deployed on premises. Cloud-based solutions are easier to deploy and provide better protection against DDoS due to their elastic scalability. However, on-premises solutions may provide more flexibility in some scenarios.
- Authentication—which protocols and standards the solution supports. It is important to make sure that the solution can integrate with the organization’s identity provider, such as Active Directory.
- Points of presence (PoPs)—for cloud-based solutions, it is important to evaluate the solution’s global reach and whether it has PoPs in all the locations the organization operates or does business in.
- Unified Endpoint Management (UEM) integration—it is common for ZTNA solutions to work together with UEM platforms. It is important to evaluate whether the solution integrates with the UEM platform already used by the organization.
Zero Trust for Virtualized Desktops: Secure Remote Access with Hysolate Workspace
Hysolate achieves this zero trust architecture by splitting a user’s device into two segregated zones, each running in its own OS, leveraging the latest hypervisor and virtualization-based security technologies.
One OS is the user’s unmanaged OS (where they can work freely) and another is an instantly-provisioned trusted corporate OS running in a VM – this VM is easily spun up without any infrastructure cost. The ZTA broker would only allow that corporate VM running on Hysolate to have access to sensitive enterprise applications. It’s impossible for the end-user to access these applications from any other untrusted environment/device. With Hysolate IT can isolate this corporate VM from the user’s personal OS, including fine-grained cloud-managed controls over clipboard, USB, network, applications, etc. With this architecture in place, the Zero Trust puzzle can now be complete and enterprises can really move to a secure-by-design architecture.
What Will Zero Trust Security Mean for Your Organization?
What is Zero Trust Security?
Zero trust security helps organizations enforce policies and processes that authenticate, authorize, and continuously validate all users and devices. It is based on the notion that no user, device or application on the network should be trusted, even if it is within the organization’s security perimeter.
To implement zero trust security, organizations typically leverage a set of tools, including multi-factor authentication, granular access control, and endpoint security systems. Ideally, a zero-trust implementation should help organizations protect the network from advanced threats and improve compliance with standards like GDPR, FISMA, PCI, HIPAA, and CCPA.
Zero Trust Architecture Components
Zero trust is a comprehensive security model that can be used to secure the entire organization. At the heart of the model is data security. Data is an asset that is valuable to an attacker—this can include personally identifiable information (PII), protected health information (PHI), payment card information (PCI), or intellectual property (IP).
Beyond protecting data, zero trust security provides control measures for securing networks, workloads, and devices.
Zero Trust Data
The zero trust approach requires first protecting your data where it is stored, then setting up extra security layers.
Access to valuable data should be severely restricted, operating on the assumption that attackers can breach the security perimeter, leverage misconfigured controls, or compromise insider accounts. Control measures should be introduced to detect and respond to abnormal data access before a breach occurs.
Since data is the ultimate target of most attackers and insider threats, it is the heart of the zero trust framework. To protect data, companies must understand where sensitive data is located, how it can be accessed, and monitor data access to detect and respond to potential threats.
Zero Trust Networks
Under zero trust, attackers are assumed to have access to the network. Networks designed with a zero trust approach use technologies such as next-generation firewalls (NGFW) to segment, isolate, and limit access to the network, making it as difficult as possible for attackers to access sensitive data or critical systems.
Zero Trust Workloads
In a zero trust model, “workloads” are applications and backend software that are either directly used by customers or employees, or serve an important business function. Customer-facing applications or mission critical applications with known security vulnerabilities are a common attack vector. The organization must treat the entire stack, including storage, operating system, back end components like databases, and front end components, as vulnerable. Each layer of the stack must be protected with zero trust controls.
Zero Trust Devices
With the advent of the Internet of Things, there are many devices that may have access to company systems, including smartphones, sensors, smart building systems, connected cars, and smart consumer devices. Each of these connected devices represents an entry point that an attacker can use to break into the network. In a zero trust model, the security team must be able to isolate, protect and control all devices on your network, whether company owned or not.
How to Implement Zero Trust Security
Zero trust is a major shift for most organizations, compared to traditional security approaches. Here are three ways to start implementing a zero trust model in your organization.
Evaluate and Bolster Security Tools
In most cases, traditional network security tools are not compliant with the end-to-end zero trust architecture model.
Perform a security assessment of your security tools, and where you discover gaps, identify tools or technologies that can add another layer of protection. Fortunately, modern security tools integrate with each other and can share data to help cover for each other’s shortcomings.
Examples of tools commonly used to meet the requirements of the zero trust framework:
- Network micro-segmentation
- Single sign-on (SSO) for all applications and data
- Multi-factor authentication (MFA)
- Advanced threat protection tools including endpoint protection platforms (EPP), endpoint detection and response (EDR), and eXtended detection and response (XDR)
Define and Apply Zero Trust Policies
Once you have the right tools in place, create a zero trust policy that will guide you when configuring and managing the tools. A zero trust policy is a strict set of rules that allow access to resources only when absolutely necessary.
Your policy should be highly detailed, describing exactly:
- When and which users can access data and services
- When and which devices and workloads can access data and services
- Which network segments are allowed to access other segments
The general process is to define these policies at an abstract level, and then configure each security tool in line with the policies. Zero trust security platforms are emerging that will allow organizations to define these policies centrally, and automatically apply them to the entire ecosystem of security tools.
Monitor and Alert
A critical part of zero trust is thorough monitoring and effective alerting technology:
- Monitoring tools must give security personnel insight into whether the security policy is effective, and where there are gaps in the zero trust framework
- Alerting tools must capture malicious activity when it actually occurs, and escalate it to the appropriate staff for immediate action
It’s important to remember that even with a zero trust framework, nothing is completely safe. Security teams must be keenly aware of what is happening in the environment. When security incidents occur, they must perform root cause analysis, to identify and repair flaws in existing security mechanisms.
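Monitoring and alerting only help if the broker's decision log is actually examined. The following added example (not from the page or any vendor) runs two simple detections over constructed broker log lines: a burst of denied requests by one user inside a short window, which is the kind of pattern a compromised account probing for reachable resources produces, and a user's first appearance on a device they have not used before. The log format, field names, users, devices and thresholds are all constructed for illustration.

```python
"""Two detections over zero trust broker decision logs.

Added example, not from the page or any vendor. The log lines, field names and
thresholds are constructed; a real deployment would read the broker's own
format and tune the window and threshold to its traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed broker log lines: one access decision per line.
LOG_LINES = """\
2024-05-01T09:00:00Z user=alice device=laptop-001 resource=git action=read decision=ALLOW
2024-05-01T09:01:00Z user=alice device=laptop-001 resource=payroll action=read decision=DENY
2024-05-01T09:01:20Z user=alice device=laptop-001 resource=payroll action=write decision=DENY
2024-05-01T09:01:45Z user=alice device=laptop-001 resource=hr action=read decision=DENY
2024-05-01T09:02:00Z user=bob device=laptop-002 resource=git action=read decision=ALLOW
2024-05-01T09:30:00Z user=bob device=laptop-077 resource=git action=read decision=ALLOW
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"resource=(?P<resource>\S+) action=(?P<action>\S+) decision=(?P<decision>\S+)$"
)


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, deny_threshold=3, window=timedelta(minutes=5)):
    """Return a list of (alert_type, user, timestamp) tuples in log order."""
    alerts = []
    denies = defaultdict(deque)       # per-user timestamps of recent denials
    seen_devices = defaultdict(set)   # per-user devices seen on an ALLOW
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["decision"] == "DENY":
            q = denies[ev["user"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop denials outside the window
                q.popleft()
            if len(q) >= deny_threshold:
                alerts.append(("deny_burst", ev["user"], ev["ts"]))
                q.clear()                            # one alert per burst
        elif ev["decision"] == "ALLOW":
            known = seen_devices[ev["user"]]
            if known and ev["device"] not in known:
                alerts.append(("new_device", ev["user"], ev["ts"]))
            known.add(ev["device"])
    return alerts
```

On the constructed lines this yields a `deny_burst` alert for alice at the third denial and a `new_device` alert for bob when laptop-077 appears. The first-seen-device rule deliberately stays silent for a user's very first device, since there is no baseline to compare against; that is the "set baselines" step from the Identify feature described earlier in the page, and in practice the baseline would be seeded from the device inventory rather than learned only from the log.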
Zero Trust Implementation Example: BeyondCorp
BeyondCorp is a cybersecurity architecture developed at Google that shifts access control from the traditional network perimeter to individual devices and users. The goal is to enable users to securely work anytime, anywhere and on any device without having to use a virtual private network, or VPN, to access an organization’s resources.
The most important tenets of BeyondCorp are:
- Controlling access to the network and applications: In BeyondCorp, all decisions about whether to give a person or device access to a network are made through an access control engine. This engine sits in front of every network request and applies rules and access policies based on the context of each request – such as user identity, device information, and location – and the amount of sensitive data in an application. It provides organizations with an automated, scalable way to verify a user’s identity, confirm they’re an authorized user, and apply rules and access policies. However, access control alone is not enough to ensure effective security.
- Visibility: Once a user has access to an organization’s network or applications, the organization must continually view and inspect all traffic to identify any unauthorized activity or malicious content. Otherwise, an attacker can easily move around within the network and take whatever data they want without anyone knowing.
- Automation: User identity verification and authorization are automated and scalable. Rules and access policies are defined in one place and propagated to the entire network.
BeyondCorp provides a foundation to build a Zero Trust implementation. Inspection and logging of all traffic plays an important role to establish Zero Trust, because one should not presume all traffic from an endpoint is trustworthy or safe for data. For this reason, organizations implementing BeyondCorp should also consider implementing Zero Trust principles to further reduce risk.
Zero Trust for Virtualized Desktops with Hysolate
Hysolate splits a user’s device into two segregated zones, each running in its own OS, leveraging the latest hypervisor and virtualization-based security technologies. One OS is the user’s unmanaged/untrusted/personal OS and another is a trusted corporate OS running in a VM.
The corporate VM runs a fully locked-down operating system that can contain an inaccessible client certificate that vouches for the integrity of the VM. The ZTA broker would only allow that corporate VM running on Hysolate to have access to sensitive enterprise applications. The end-user would be unable to access these applications from any other untrusted environment/device.
With Hysolate, IT can isolate the corporate VM from the user’s personal OS, including detailed controls over clipboard, USB, network, applications and more. With this Zero Trust architecture in place, enterprises can really move to a secure-by-design architecture.