What Is Zero Trust Network Architecture

A robust security model is essential for keeping network architecture secure. One model that has been in the spotlight for the past few years is zero trust network architecture. Some people think it’s a buzzword. Others believe it’s the wave of the future. So which is it? Let’s take a closer look. 

Defining zero trust

Zero trust is defined by the principle of “never trust, always verify”, which is a change from the previous philosophy of “trust, but verify”. This means that one should never assume that anyone on a network is automatically trustworthy; there should be verification at every possible opportunity. 

According to the book, Zero Trust Networks: Building Secure Systems in Untrusted Networks, there are five tenets of zero trust: 

  1. Always assume the network is hostile.
  2. There are always external and internal threats on the network.
  3. Network locality does not mean the network is trustworthy.
  4. Authenticate and authorize every device, user, and network flow.
  5. Have dynamic policies that are calculated from as many data sources as possible.

How a zero-trust network works

So what does this look like in practice, and how does it differ from traditional security models? For years, the classic network security model involved centralized data centers with a secure network perimeter. Many organizations still use it. These models assume that everything inside an organization’s network can be implicitly trusted. They typically rely on approved ports, protocols, IP addresses, and remote VPN access. The problem with this kind of setup is that once a user has access to the network, they can do whatever they want. So if a malicious actor gains access to the network, you’re in trouble.

Zero trust requires continual validation and authorization, even after a user has accessed the network. It treats all users as potential threats, even on internal networks. All users are given least-privileged access until they provide the required authorization. For example, if you happen to be in an office, you can’t simply sit down at any computer and access the internal network. Being in the right place does not create a presumption that you are permitted to access it. The zero-trust approach verifies numerous contextual markers before allowing access, such as user identity, device and location, the app or service being requested, and how secure the endpoint is.
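
The per-request check described above can be sketched as a default-deny policy function, shown next to the perimeter model it replaces. This is an added example, not code from the article or the book; the service names, roles, address range, and request fields are all assumptions made up for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy (hypothetical services and roles). None = no location limit.
POLICY = {
    "payroll-api": {"roles": {"finance"}, "managed_device": True, "countries": {"US", "CA"}},
    "wiki": {"roles": {"finance", "engineering"}, "managed_device": False, "countries": None},
}
OFFICE_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed internal range

@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa_verified: bool    # user identity verified for this session
    device_managed: bool  # device is enrolled with the organization
    device_patched: bool  # endpoint security posture
    country: str          # coarse location of the request
    source_ip: str        # logged, but never used to grant trust
    service: str          # app or service being requested

def perimeter_decide(req):
    """Implicit-trust model for contrast: being on the internal network is enough."""
    return ipaddress.ip_address(req.source_ip) in OFFICE_NET

def decide(req):
    """Zero-trust model: default deny, every contextual marker must pass."""
    rule = POLICY.get(req.service)
    if rule is None:
        return False, "unknown service"
    if not req.mfa_verified:
        return False, "identity not verified"
    if not (req.roles & rule["roles"]):
        return False, "role not authorized for service"
    if rule["managed_device"] and not req.device_managed:
        return False, "unmanaged device"
    if not req.device_patched:
        return False, "endpoint posture failed"
    if rule["countries"] is not None and req.country not in rule["countries"]:
        return False, "location not permitted"
    return True, "all checks passed"

# Constructed sample requests: someone at an office computer, and a remote employee.
WALK_UP = Request("guest", frozenset(), False, False, False, "US", "10.1.2.3", "payroll-api")
REMOTE = Request("alice", frozenset({"finance"}), True, True, True, "US", "203.0.113.7", "payroll-api")
```

The office walk-up passes the perimeter check purely because of its internal address, while `decide` rejects it; the remote employee is the reverse case, and is denied again as soon as any single marker (patch state, location, role) stops matching.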

What the future holds

The widespread adoption of cloud computing and the move to a hybrid work model for many companies and their employees have spotlighted network security policies. Employees being scattered around various geographic locations, sometimes using personal devices rather than company-issued devices, has created a whole host of new security concerns. Implicit trust has become even riskier. This is why many companies have started to adopt a zero-trust approach by implementing measures like multi-factor authentication, least-privileged access, and endpoint security.
