Whether you are new to the cloud security space and trying to follow the latest security trends, or you have years of experience in the industry, you have certainly come across the term "zero trust." You may also be confused by the explosive usage of the term, much like other security buzzwords, such as ransomware and spoofing, that have been in common use for years.
Zero trust is the latest buzzword in the security industry, and every security company seems to claim the most comprehensive zero trust solution. Amid all this hype, it can be difficult to determine what is fact and what is fiction. What exactly is zero trust, why is it important, and how can it be implemented? A Gartner paper published earlier this year outlines the practical projects that organizations should prioritize when looking to implement a true zero trust architecture. Through this blog, I intend to provide a better understanding of zero trust and how it can be implemented in an organization as per Gartner’s guidelines.
There is a lot of confusion about what zero trust really is—most think of it as a product, solution, or a platform—it is none of that. Zero trust is a security mindset based on the principle of “never trust, always verify” and least-privileged access, which assumes that no user or application should be inherently trusted. Zero trust security assumes that security risks are present both inside and outside the network. Nothing inside the network is trusted by default—hence the name "zero trust."
Zero trust is an evolution of the traditional network security architectures that relied on firewalls and VPNs and followed a “verify, then trust” model, which trusts verified users inside the network by default. Zero trust establishes trust only on the basis of user identity and context—such as the user’s location, the security posture of the device, and the app or service being requested—with policy serving as the gatekeeper every step of the way.
As an analogy, think of zero trust as physical fitness. Physical fitness is a conceptual goal with certain benchmarks—it varies by individual and personal objectives, and can be achieved with activities like walking, running, cycling, lifting weights, dancing, and more—but the end goal is to be physically fit. Similarly, zero trust is also an overarching conceptual principle of security that can be achieved with a combination of solutions like ZTNA, workload segmentation, data protection, browser isolation, and more, with an end goal of fully securing users and applications.
According to Gartner, most organizations are still in the planning or strategy phase of implementing zero trust. It suggests that organizations need two primary initiatives to achieve zero trust:
- Front-end network access focused on user-to-application segmentation, also known as Zero Trust Network Access, or ZTNA.
- Back-end network access focused on workload-to-workload segmentation.
ZTNA for user-to-application segmentation
ZTNA supports a zero trust architecture through an adaptive trust model, where trust is never implicit, and access is granted on a “need-to-know,” least-privileged basis defined by granular policies. ZTNA securely connects users to private applications without ever placing them on the network or exposing apps to the internet. This isolation reduces risks to the network, such as infection by compromised devices, and only grants application access to authorized users. Gartner suggests organizations start with a pilot of a ZTNA product and test applications with it to ensure all elements—users, devices (managed and unmanaged), and applications (new and legacy)—work as desired.
Segmentation based on identity
Gartner states that workload-to-workload segmentation reduces excessive implicit trust by allowing organizations to move individual workloads to a default deny model for communication, rather than an implicit allow model. To outline an identity-based strategy, Gartner recommends addressing heterogeneous workloads spanning on-premises, hybrid, virtual, and container environments.
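The policy gatekeeper described above for user-to-application access and the default-deny model for workload-to-workload communication, as an added illustration that is not Zscaler's, Gartner's or any product's code: a small Python policy engine that denies by default and grants a user access only when group entitlement, MFA, device posture and location all satisfy a per-application rule, and that passes only explicitly allowed workload flows. The app, group, workload and country values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

@dataclass(frozen=True)
class Context:  # constructed request context: who asks, from what device, from where
    user: str
    groups: FrozenSet[str]
    device_managed: bool   # enrolled in device management
    device_patched: bool   # posture check reported by the endpoint agent
    mfa: bool              # strong authentication completed this session
    country: str

@dataclass(frozen=True)
class AppPolicy:  # per-application rule; every condition must hold or access is denied
    allowed_groups: FrozenSet[str]
    require_managed_device: bool = True
    require_mfa: bool = True
    allowed_countries: Optional[FrozenSet[str]] = None  # None = any location

class PolicyEngine:
    """Default-deny gatekeeper for user-to-app and workload-to-workload access."""
    def __init__(self) -> None:
        self.app_policies: Dict[str, AppPolicy] = {}
        self.workload_allow: Set[Tuple[str, str, int]] = set()

    def evaluate_user(self, ctx: Context, app: str) -> Tuple[bool, str]:
        policy = self.app_policies.get(app)
        if policy is None:
            return False, "no policy for app: default deny"
        if not (ctx.groups & policy.allowed_groups):
            return False, "user not entitled to app"
        if policy.require_mfa and not ctx.mfa:
            return False, "mfa required"
        if policy.require_managed_device and not (ctx.device_managed and ctx.device_patched):
            return False, "device posture check failed"
        if policy.allowed_countries is not None and ctx.country not in policy.allowed_countries:
            return False, "location not permitted"
        return True, "allow"

    def evaluate_workload(self, src: str, dst: str, port: int) -> bool:
        # No implicit allow between workloads: only explicitly listed flows pass.
        return (src, dst, port) in self.workload_allow

def build_demo_engine() -> PolicyEngine:
    """Constructed sample policies; app, group and workload names are hypothetical."""
    eng = PolicyEngine()
    eng.app_policies["payroll"] = AppPolicy(frozenset({"finance"}), allowed_countries=frozenset({"US"}))
    eng.app_policies["wiki"] = AppPolicy(frozenset({"staff"}), require_managed_device=False)
    eng.workload_allow.update({("web", "api", 443), ("api", "db", 5432)})
    return eng
```

Note that an application without a policy and a workload flow not on the allow list are both refused, which is the "default deny" the section describes.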
Once ZTNA and identity-based segmentation are implemented, organizations can move on to other security initiatives to extend a zero trust approach throughout their technology infrastructure.
Simplify and accelerate your zero trust journey
The Zscaler Zero Trust Exchange (ZTE), built on the largest security cloud on the planet, provides the zero trust architecture for securely accelerating business transformation. Operating across 150 data centers worldwide, ZTE ensures that the service is close to users and co-located with the cloud providers and applications they are accessing. To extend our analogy of zero trust as physical fitness, the Zero Trust Exchange would be the most sophisticated gym, with all the equipment required to attain the utmost physical fitness, or zero trust per our analogy. The Zero Trust Exchange provides remote access with cyberthreat protection, data protection, secure internet access, B2B app access, network segmentation, performance scores, and many other vital capabilities that are key to implementing zero trust.
Read the paper: What Are Practical Projects for Implementing Zero Trust?