Zero Trust has become one of cybersecurity’s latest buzzwords.
 
It’s imperative for you to understand what Zero Trust is, as well as what Zero Trust isn’t.
 
There is huge confusion around Zero Trust...
 
Most people cannot tell the difference between Zero Trust, ZTA, and ZTNA.
 
The reason is plain and simple: most security vendors talk about the Zero Trust solution they are offering, and while doing so they give ever-new twists to the meanings of these terms. Most sales-driven articles and sales reps use these terms 'interchangeably', which keeps people confused all the time. Even Gartner noted in 2019 that--
 
"Zero trust is being misused as a marketing term. Vendors are applying the term ‘Zero Trust’ to market everything in security, creating significant marketing confusion."
 
This post looks at these terms with the intention of making things clearer to you and everyone else!
 
Let's begin...
 
-
 
👉 The older mindset to network security was based on two assumptions:
 
1. Inside means TRUSTED
2. Outside means UNTRUSTED
 
This mindset belongs to times gone past. You might have seen that the older view of protecting the perimeter no longer serves anybody. You might also have seen the evolution of VPNs and Demilitarized Zones (DMZs) as a response to large numbers of network users going mobile and working from home, and to the necessity of granting more and more access to your suppliers, vendors and business partners, who make up the outside of your network.
 
But this has resulted in YOU granting 'excessive' implicit TRUST to all of the above. Because once they are connected to your network, whether directly or indirectly using VPNs, they are trusted (read: equally) alongside the rest of the users who make up your 'Internal Network.'
 
Once you understand this, you are ready to understand...
 
-
 
👉 What is Zero Trust?
 
The concept of Zero Trust was introduced by John Kindervag, an industry analyst at Forrester, in 2010. Soon after the publication of his paper, the concept was picked up by Google, who began architecting their own Zero Trust architecture internally. During that time, a massive breach happened at the US Office of Personnel Management. In response, the House of Representatives recommended that US government agencies adopt Zero Trust frameworks to protect themselves against cyber attacks.
 
Soon after, the whole IT industry picked up the concept and brought the ZERO TRUST MODEL mainstream. Today there is hardly a single cybersecurity vendor who is not offering a Zero Trust solution or service to their customers.
 
The essence of the Zero Trust Model is the 'never trust, always verify' mindset.
Zero Trust = Assume everything to be hostile
 
The Zero Trust model forces you to recognize that 👉 TRUST is a vulnerability! You must eliminate trust...
 
That's why, when it comes to network access, Zero Trust starts with a default-deny posture for everyone and everything.
 
The Zero Trust Model recommends that whenever any user or device requests access to a resource (based on a workload they handle), you verify them every single time before you grant the requested access. You verify them based on the identity of the user and the device, along with some well-defined attributes and context (UBEC). There are many attributes you can use here:
 
🎯 User identity and type of credential (human, programmatic)
🎯 Number and privileges of each credential on each device
🎯 Normal connections (pattern) for the credential and device (behavior patterns)
🎯 Endpoint hardware type and function
🎯 Geo-location
🎯 Firmware versions
🎯 Authentication protocol and risk
🎯 Operating system versions and patch levels
🎯 Applications installed on endpoint
🎯 History of security/incident detections, including suspicious activity and attack recognition in the past, etc.
 
Now comes the next part...
 
After the device and user are verified, you grant only the appropriate trust required, and you grant this access based on the principle of least privilege.
 
If a user requests access to an HR application and is verified, access to that application is the only access they are granted.
Just because users have been given access to something doesn't mean that they can now see anything else. Access means granting access only to a specific resource, not to the entire network.
 
A key element of the Zero Trust model is that trust must be continually re-evaluated. If important attributes of the user or device change at ANY TIME, the verification may be revoked and access removed IMMEDIATELY.
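As an added example that is not part of the original post, the following Python sketches a policy engine that checks several of the attributes listed above (role, credential strength, patch level, geo-location, incident history) against a per-resource rule, grants access to that one resource only, and re-evaluates the grant whenever an attribute changes. Resource names, roles, the patch-level scale and every threshold are constructed assumptions, not taken from any product.

```python
from dataclasses import dataclass

@dataclass
class Context:
    user: str
    role: str
    credential_type: str     # "human" or "programmatic"
    mfa: bool                # strength of the authentication protocol
    device_id: str
    os_patch_level: int      # higher means more recent; constructed scale
    geo: str
    incident_history: int    # past detections tied to this user or device

# Least privilege: each resource names the roles entitled to it and the posture it requires.
# Resource names and thresholds are assumptions made for this example.
POLICY = {
    "hr-app":     {"roles": {"hr"},               "min_patch": 10, "geo": {"IN", "US"},       "mfa": True},
    "payroll-db": {"roles": {"hr", "fin"},        "min_patch": 12, "geo": {"IN"},             "mfa": True},
    "wiki":       {"roles": {"hr", "fin", "eng"}, "min_patch": 8,  "geo": {"IN", "US", "DE"}, "mfa": False},
}

def evaluate(ctx: Context, resource: str) -> tuple:
    """Default deny: a grant applies to this one resource only and needs every check to pass."""
    rule = POLICY.get(resource)
    if rule is None:
        return False, "unknown resource"
    if ctx.role not in rule["roles"]:
        return False, "role not entitled"
    if rule["mfa"] and not ctx.mfa:
        return False, "mfa required"
    if ctx.os_patch_level < rule["min_patch"]:
        return False, "device patch level too low"
    if ctx.geo not in rule["geo"]:
        return False, "geo not allowed"
    if ctx.incident_history > 0:
        return False, "prior incident on user/device"
    return True, "granted"

class Session:
    """An access grant that is re-evaluated whenever the user or device attributes change."""
    def __init__(self, ctx: Context, resource: str):
        self.ctx, self.resource = ctx, resource
        self.active, self.reason = evaluate(ctx, resource)

    def update(self, **changes) -> bool:
        """Apply changed attributes and re-verify; a failing check revokes access immediately."""
        for name, value in changes.items():
            setattr(self.ctx, name, value)
        self.active, self.reason = evaluate(self.ctx, self.resource)
        return self.active
```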
 
-
 
4-FUNDAMENTAL PRINCIPLES OF ZERO TRUST
 
1. Least-privilege access with all entities (users, devices, and workloads) being authenticated before granting access and continually re-authenticated and re-authorized based on context
2. Microsegmentation at the application level without network segmentation
3. Applications and network remain invisible to the open internet
4. The internet becomes the new transport network via encrypted microtunnels
 
-
 
👉 What is Zero Trust Access (ZTA)?
 
Ahaa...Access.
Oh...Access.
 
Zero trust access (ZTA) is about-- Knowing and Controlling WHO and WHAT is on your network.
 
Role-based access control (RBAC) is a critical component of your access management. Only by knowing 'definitively' who a user is can you grant the appropriate level of access to users/devices based on their role. Is the user an employee, a guest, or a contractor? What is their role, and what network access rights does that role entitle them to?
 
ZTA covers user endpoints where management control and visibility are required. Aligning to the Zero Trust model means implementing a least-access policy that grants the user the minimum level of network access required for their role and removes any ability to access or see other parts of the network.
 
But ZTA doesn't focus solely on 'Who' is on the network; it also incorporates security for 'What' is on the network.
 
For example, the ever-growing profusion of network-connected devices can include a host of IoT devices, ranging from printers to heating and ventilation equipment and door access systems. These devices do not have a username and password to identify themselves and their role. For these "headless" devices, network access control (NAC) solutions can be used to discover and control their access. Using NAC policies, the principle of least access can be applied to these IoT devices, granting just enough network access to perform their role and nothing more.
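The following Python is an added illustration, not code from the original post or from any NAC product, of how a least-access NAC policy for headless devices can work: a device is classified by a fingerprint rather than a credential, an unrecognised device lands in quarantine, a recognised device running firmware below the floor gets remediation access only, and a compliant device gets just the destinations its role needs. Fingerprints, firmware floors, VLAN names and destination host/port pairs are all constructed.

```python
# Constructed profiles: fingerprint -> device function, minimum firmware, and the only
# destinations that function needs. Everything not listed is denied.
PROFILES = {
    "vendorA:printer": {"function": "printer", "min_fw": (4, 2),
                        "allow": {("print-server", 631), ("print-server", 9100)}},
    "vendorB:hvac":    {"function": "hvac", "min_fw": (2, 0),
                        "allow": {("bms-controller", 47808)}},
    "vendorC:door":    {"function": "door-access", "min_fw": (1, 5),
                        "allow": {("access-controller", 443)}},
}
# A non-compliant device may reach the firmware server and nothing else (constructed).
REMEDIATION_ONLY = {("firmware-server", 443)}

def parse_fw(version: str) -> tuple:
    """'4.3.1' -> (4, 3, 1); tuples compare element-wise, so (4, 3, 1) >= (4, 2)."""
    return tuple(int(part) for part in version.split("."))

def nac_decision(fingerprint: str, firmware: str) -> dict:
    """Default deny: unknown devices are quarantined, outdated ones get remediation only."""
    profile = PROFILES.get(fingerprint)
    if profile is None:
        return {"vlan": "quarantine", "allow": set(), "reason": "unrecognised device"}
    if parse_fw(firmware) < profile["min_fw"]:
        return {"vlan": "remediation", "allow": REMEDIATION_ONLY, "reason": "firmware below minimum"}
    return {"vlan": profile["function"], "allow": profile["allow"], "reason": "compliant"}

def permits(decision: dict, host: str, port: int) -> bool:
    """Least access: a destination is reachable only if it is on the device's allow-list."""
    return (host, port) in decision["allow"]
```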
 
-
 
Here is the last piece of this post.
 
👉 What is Zero Trust Network Access (ZTNA)?
 
Oh My God, this is a kind of bad term, or better said, a bad name.
 
Because although it is called zero trust network access, it’s really about ... (read carefully 👀 now)
 
It is really all about 📌 BROKERED ACCESS for users to ☑ APPLICATIONS ☑.
 
Had they called it Zero Trust 'Application' Access, it might have been clearer to everyone. Well, we can't do anything about it. Whether you like it or not, for better or worse, it is called ZTNA.
 
One thing you can do here is to remember that -- ZTNA is an element of the larger ZTA proposition (mentioned above).
 
Because of the rise in remote working, ZTNA has received more attention lately, because it is a way of controlling access to APPLICATIONS regardless of where the user or the application resides. The user may be on a corporate network, working from home, or someplace else. The application may reside in a corporate data center, in a private cloud, or on the public internet.
 
Although traditional VPNs have been a mainstay for decades, ZTNA is the natural evolution of the VPN. It offers much better security, more granular control, and a better user experience in light of the complexity of today's networks. It can definitely be a smarter choice for securely connecting a remote workforce.
 
With a traditional VPN, the assumption is that anyone or anything that passes network perimeter controls can be trusted. But ZTNA takes the opposite approach: no user or device can be trusted to access anything until proven otherwise. Unlike a VPN, ZTNA extends the zero-trust model beyond the network and reduces the attack surface by hiding applications from the internet.
 
-
 
😀 SUMMARY 😀
 
Because people access resources outside of a traditional network, the perimeter is dissolving and trust can’t be granted based on location anymore.
 
So when you're reading about zero-trust solutions, the key thing to remember is that, used generically, the term zero trust simply means: no one should automatically be trusted; once verified, only limited access should be given; and that verification should be repeated.
 
Building on that concept, ZTA focuses on understanding who and what is accessing the network, and ZTNA revolves around application access and is often discussed as an alternative to using a VPN.
 
While no security is perfect, and data breaches will never be totally eliminated, Zero Trust reduces the attack surface and limits the blast radius—that is, the impact and severity—of a cyberattack, which reduces the time and cost of responding to and cleaning up after a data breach.
--
 
Please let me know what you think about this in the comment section. You can also share it with others if the information here helps you in some manner.
 
Kindly write 💚 your comment 💚 on the posts or topics, because when you do that you help me greatly in ✍️ designing new quality articles/posts on cybersecurity.
 
 

This article was written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.

30,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts there.

If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, you can follow her on Facebook: Cybersecurity PRISM