A zero trust architecture is an approach to security that assumes that all systems, networks, and users are untrusted. It requires continuous authentication of devices, users, and applications.
A zero trust architecture is implemented using multiple, integrated technology solutions that support zero trust principles.
Here are some of the main principles of a zero trust architecture, according to the National Institute of Standards and Technology:
- All applications, infrastructure entities and data sources are defined as resources that need to be protected
- All communication, whether inside the corporate network or involving external networks, must be secured
- Users and services are authenticated and authorized before they access resources
- User and service activity is monitored and recorded
- Users are authorized to use services only for specific purposes, and access should be revoked when no longer needed
How Does a Zero Trust Architecture Work?
The National Cybersecurity Center of Excellence (NCCoE) recommends four main features of a zero trust architecture:
- Identify—creates an inventory of systems, software, and other resources, classifies them, and sets baselines to allow for detecting anomalies.
- Protect—handles authentication and authorization. Zero trust protection includes policy-based resource authentication and configuration, as well as software, firmware, and hardware integrity checks.
- Detect—identifies anomalies and suspicious events, by continuously monitoring network activity to proactively detect potential threats.
- Respond—once a threat is detected, handles threat containment and mitigation.
These capabilities are typically implemented by several IT and security solutions, which work together to create a zero trust environment.
Zero Trust Architecture Workflow
With the above components, you can achieve the following workflow:
- Users sign into corporate systems using multi-factor authentication (MFA), verifying their identity over a secure channel.
- User accounts are granted access only to the specific applications and network resources they actually need (least privileged access model).
- User sessions are continuously monitored for unusual or malicious activity
- When potential malicious activity is detected, threat response occurs in real time
The same workflow is applied to all users and resources in the organization, providing tight, granular control over access.
3 Zero Trust Architecture Approaches
There are many ways to implement a zero trust architecture in an organization. Here are a few primary options, each of which places emphasis on different tenets of the zero trust model.
ZTA with Enhanced Identity Governance
This option makes the identity of the actor the central factor in policy making. You define the access conditions for each enterprise resource based on the identity and assigned attributes of the user or system accessing it. The main requirement is to give each user or system appropriate access to the resources it needs, without granting access to any unnecessary systems.
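The following is an added example (not Perception Point's or NIST's code) of the workflow described earlier and of identity-governance-driven policy: a policy decision point that evaluates every request against attributes of the subject (role, MFA state, device posture) and the resource (classification, owning team), denies by default, logs each decision, and revokes a session in real time after repeated denials. All users, roles, resources and the denial threshold are constructed for the illustration; the device-posture value is assumed to come from an external compliance check.

```python
"""Attribute-based policy decision point with default deny, decision logging,
and automatic session revocation after repeated denials.

Added illustration, not vendor or NIST code. Every user, role, resource and
threshold below is constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Subject:
    user: str
    role: str
    device_compliant: bool   # result of a device posture check (assumed input)
    mfa: bool                # session was established with MFA
    session_id: str


@dataclass
class Resource:
    name: str
    classification: str      # "public", "internal" or "confidential"
    owner_team: str


# A policy is a named predicate over (subject, resource, action).
Rule = Callable[[Subject, Resource, str], bool]


@dataclass
class Policy:
    name: str
    allows: Rule


POLICIES: List[Policy] = [
    Policy("public-read",
           lambda s, r, a: a == "read" and r.classification == "public"),
    Policy("team-internal",
           lambda s, r, a: a in ("read", "write")
           and r.classification == "internal" and s.role == r.owner_team),
    # Confidential data: owning team only, compliant device, read-only.
    Policy("confidential-team-compliant",
           lambda s, r, a: a == "read" and r.classification == "confidential"
           and s.role == r.owner_team and s.device_compliant),
]


class PolicyDecisionPoint:
    """Evaluates every request; anything not explicitly allowed is denied."""
    DENIAL_THRESHOLD = 3   # denials per session before it is revoked (constructed)

    def __init__(self, policies: List[Policy]) -> None:
        self.policies = policies
        self.log: List[dict] = []
        self.denials = defaultdict(int)
        self.revoked = set()

    def decide(self, s: Subject, r: Resource, action: str) -> Tuple[bool, str]:
        if s.session_id in self.revoked:
            return self._record(s, r, action, False, "session-revoked")
        if not s.mfa:
            return self._record(s, r, action, False, "mfa-required")
        for p in self.policies:
            if p.allows(s, r, action):
                return self._record(s, r, action, True, p.name)
        return self._record(s, r, action, False, "no-matching-policy")

    def _record(self, s, r, action, allowed, reason):
        # Monitor: every decision is logged together with its reason.
        self.log.append({"session": s.session_id, "user": s.user, "resource": r.name,
                         "action": action, "allowed": allowed, "reason": reason})
        # Respond: repeated denials within one session revoke it immediately.
        if not allowed and reason != "session-revoked":
            self.denials[s.session_id] += 1
            if self.denials[s.session_id] >= self.DENIAL_THRESHOLD:
                self.revoked.add(s.session_id)
                self.log.append({"session": s.session_id, "event": "revoked"})
        return allowed, reason


def demo() -> List[Tuple[bool, str]]:
    pdp = PolicyDecisionPoint(POLICIES)
    alice = Subject("alice", "engineering", True, True, "sess-1")
    bob = Subject("bob", "finance", True, False, "sess-2")
    wiki = Resource("eng-wiki", "internal", "engineering")
    payroll = Resource("payroll-db", "confidential", "finance")
    handbook = Resource("handbook", "public", "hr")
    return [
        pdp.decide(alice, wiki, "write"),      # allowed by team-internal
        pdp.decide(bob, payroll, "read"),      # denied: no MFA on the session
        pdp.decide(alice, payroll, "read"),    # denial 1: wrong team
        pdp.decide(alice, payroll, "write"),   # denial 2
        pdp.decide(alice, payroll, "delete"),  # denial 3: sess-1 is revoked
        pdp.decide(alice, handbook, "read"),   # denied even for public data
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The order of checks matters: session state and MFA are evaluated before any resource policy, so a revoked session cannot reach even public data, which is the real-time response step of the workflow.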
ZTA with Micro-Segmentation
This option implements zero trust by placing individuals or groups of resources on different network segments, with secure gateways between segments. Organizations can use network equipment like routers, switches, next-generation firewalls (NGFW), or software agents, to act as a policy enforcement point (PEP) that protects groups of resources.
ZTA with Software Defined Network Perimeters
This option leverages an overlay network, typically at layer 7 of the OSI model (the application layer), but it may also operate lower in the network stack. This method is known as Software Defined Perimeter (SDP) because it usually leverages Software Defined Networking (SDN) technology, in which networks are managed using flexible, virtualized appliances.
4 Best Practices for Building a Zero Trust Architecture
Know your Architecture
When building a zero trust architecture, it is extremely important to map out your network topology and know your assets. You need to understand who your users are, which devices they are using, and which services and data they are accessing.
Pay special attention to components that use the network. Consider any network as hostile—whether it is your local network or an unsecured public network. Also take into account existing services that were not designed for a zero trust architecture, and may not be able to defend themselves.
Create a Strong Device Identity
Device identity is a cornerstone of a zero trust architecture. It is the basis for authentication, authorization, and other security mechanisms. It must be strong and unique.
The device identity must be:
- Attached to the device rather than to the user. It should be possible to identify devices even if they are not connected to a network or are behind a NAT device.
- Verifiable by the network. A device should not be able to claim multiple identities or identities that do not belong to it.
- Persistent and remain unchanged even if the device is repurposed or replaced.
- Verifiable over time. It should be possible to check if a device is still in use or has been decommissioned.
- Verifiable across networks. The same device should be able to prove its identity when connecting from different networks, including public ones.
Create a Secure Communication Channel
Communication channels within a zero trust architecture must be secure and trusted. They need to protect against eavesdropping, replay attacks, message modification, and other threats.
The communication channel between any two devices needs to provide confidentiality, integrity, and authenticity of messages exchanged between them. It may also need to support non-repudiation for certain use cases.
Communication channels may also need to support:
- Protection against denial of service (DoS) attacks
- Authorization of user requests—for example, when a user attempts to access data they do not have permission for
- Authorization of devices—for example, when a client attempts to connect from an unauthorized device
- Time-controlled access based on time of day or location of the user
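The device identity requirements above and the secure-channel requirements in this section can be seen together in the following added example, which is not Perception Point code. A registry holds one secret per enrolled device and issues a fresh challenge per connection attempt; the device answers with its own key over the challenge and its claimed identity, so a replayed answer, a decommissioned device, or a device claiming another device's identity all fail verification. The session key derived from that exchange then protects each message with a sequence number and an HMAC tag, which gives authenticity, integrity and replay rejection. HMAC-SHA256 from the standard library stands in for the certificate or hardware-backed credential a real deployment would use, and confidentiality is left to TLS, so it is not shown. Device ids, payloads and the key lengths are constructed for the example.

```python
"""Device identity proof (per-device key, challenge-response) followed by a
session channel whose frames carry a sequence number and an HMAC tag.
Added example (not vendor code); stdlib only. Confidentiality is left to TLS."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class DeviceRegistry:
    """Verifier side: one secret per enrolled device, one nonce per attempt."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.decommissioned: Set[str] = set()
        self.pending: Dict[str, bytes] = {}   # device_id -> outstanding nonce

    def enroll(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)          # provisioned once, bound to the device
        self.keys[device_id] = key
        return key

    def decommission(self, device_id: str) -> None:
        self.decommissioned.add(device_id)     # identity stays known, but is no longer valid

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)        # fresh per attempt, so replayed answers fail
        self.pending[device_id] = nonce
        return nonce

    def verify(self, device_id: str, nonce: bytes, response: bytes) -> Optional[bytes]:
        """Returns the session key on success, None on any failure."""
        expected_nonce = self.pending.pop(device_id, None)   # single use
        if device_id not in self.keys or device_id in self.decommissioned:
            return None
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return None
        key = self.keys[device_id]
        # The claimed id is inside the MAC, so device A's key never verifies as B.
        if not hmac.compare_digest(_mac(key, b"auth", device_id.encode(), nonce), response):
            return None
        return _mac(key, b"session", nonce)


class Device:
    """Prover side: answers with its own key and derives the same session key."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id, self.key = device_id, key

    def respond(self, nonce: bytes, claimed_id: Optional[str] = None) -> bytes:
        return _mac(self.key, b"auth", (claimed_id or self.device_id).encode(), nonce)

    def session_key(self, nonce: bytes) -> bytes:
        return _mac(self.key, b"session", nonce)


SEQ_LEN, TAG_LEN = 8, 32


class Sender:
    def __init__(self, session_key: bytes) -> None:
        self.key, self.seq = session_key, 0

    def frame(self, payload: bytes) -> bytes:
        self.seq += 1
        header = self.seq.to_bytes(SEQ_LEN, "big")
        return header + payload + _mac(self.key, header, payload)


class Receiver:
    def __init__(self, session_key: bytes) -> None:
        self.key, self.last_seq = session_key, 0

    def accept(self, frame: bytes) -> Optional[bytes]:
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(_mac(self.key, header, payload), tag):
            return None                        # modified, or not from the session peer
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return None                        # replayed (or reordered) frame
        self.last_seq = seq
        return payload


def demo() -> Dict[str, bool]:
    reg = DeviceRegistry()
    laptop = Device("laptop-01", reg.enroll("laptop-01"))
    reg.enroll("laptop-02")                    # a second device with its own key
    r: Dict[str, bool] = {}
    nonce = reg.challenge("laptop-01")
    resp = laptop.respond(nonce)
    sk = reg.verify("laptop-01", nonce, resp)
    r["genuine device accepted"] = sk is not None
    r["replayed response rejected"] = reg.verify("laptop-01", nonce, resp) is None
    n2 = reg.challenge("laptop-02")
    r["impersonation rejected"] = reg.verify("laptop-02", n2, laptop.respond(n2, "laptop-02")) is None
    sender, receiver = Sender(laptop.session_key(nonce)), Receiver(sk)
    f = sender.frame(b"GET /payroll")          # constructed payload
    r["valid frame accepted"] = receiver.accept(f) == b"GET /payroll"
    r["replayed frame rejected"] = receiver.accept(f) is None
    r["modified frame rejected"] = receiver.accept(f[:SEQ_LEN] + b"GET /public " + f[-TAG_LEN:]) is None
    reg.decommission("laptop-01")
    n3 = reg.challenge("laptop-01")
    r["decommissioned device rejected"] = reg.verify("laptop-01", n3, laptop.respond(n3)) is None
    return r
```

Two details carry most of the weight: the nonce is removed from the pending table before any other check, so each challenge can be answered once, and the receiver verifies the tag before looking at the sequence number, so an unauthenticated frame can never advance the replay window.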
Use Network Segmentation
Any zero trust architecture relies heavily on network segmentation and security controls between network segments. These are used to protect sensitive data and services from unauthorized access.
Segmentation can be implemented using VLANs, firewalls, and other types of security controls such as IDS/IPS. It is important to implement these security controls in a way that protects your assets from both internal and external threats.
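As an added example (not Perception Point code) of the micro-segmentation approach and of the segmentation controls just described, the following policy enforcement point maps addresses to named segments, allows only explicitly listed flows, and treats traffic between two hosts in the same segment, traffic from outside, and lateral moves between internal segments identically: no rule, no flow. It also keeps a decision log and derives a simple detection from it, flagging any source that has been denied to several distinct destinations. Segment names, address ranges, rules, the sample flows and the detection threshold are all constructed; the external addresses come from the documentation ranges.

```python
"""Segment-aware policy enforcement point with default deny and a
denial-based lateral-movement signal. Added example, not vendor code;
all segments, rules and flows are constructed."""
import ipaddress
from typing import Dict, List, Set, Tuple

SEGMENTS = {
    "user-lan":    ipaddress.ip_network("10.10.0.0/16"),
    "app-servers": ipaddress.ip_network("10.20.0.0/24"),
    "db-servers":  ipaddress.ip_network("10.30.0.0/24"),
    "dmz":         ipaddress.ip_network("192.0.2.0/24"),
}

# Allowed flows: (source segment, destination segment, protocol, destination port).
# Nothing else crosses a boundary, the same segment included, and "external"
# never appears as a source.
RULES = [
    ("user-lan",    "app-servers", "tcp", 443),
    ("user-lan",    "dmz",         "tcp", 443),
    ("dmz",         "app-servers", "tcp", 8443),
    ("app-servers", "db-servers",  "tcp", 5432),
]

Flow = Tuple[str, str, str, int]   # src_ip, dst_ip, proto, dst_port


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[bool, str]:
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if (src, dst, proto, port) in RULES:
        return True, f"{src}->{dst} {proto}/{port}: allowed by rule"
    return False, f"{src}->{dst} {proto}/{port}: no rule, default deny"


class EnforcementPoint:
    def __init__(self) -> None:
        self.log: List[dict] = []

    def filter(self, flows: List[Flow]) -> List[bool]:
        decisions = []
        for src_ip, dst_ip, proto, port in flows:
            allowed, reason = evaluate(src_ip, dst_ip, proto, port)
            self.log.append({"src": src_ip, "dst": dst_ip, "allowed": allowed, "reason": reason})
            decisions.append(allowed)
        return decisions

    def suspicious_sources(self, min_denied_targets: int = 3) -> List[str]:
        """Sources denied to many distinct destinations: a scan or lateral-movement signal."""
        targets: Dict[str, Set[str]] = {}
        for entry in self.log:
            if not entry["allowed"]:
                targets.setdefault(entry["src"], set()).add(entry["dst"])
        return sorted(src for src, dsts in targets.items() if len(dsts) >= min_denied_targets)


def demo() -> Tuple[List[bool], List[str]]:
    pep = EnforcementPoint()
    flows: List[Flow] = [                       # constructed sample traffic
        ("10.10.4.21", "10.20.0.10", "tcp", 443),    # user -> app: allowed
        ("10.10.4.21", "10.30.0.5", "tcp", 5432),    # user -> db directly: denied
        ("10.20.0.10", "10.30.0.5", "tcp", 5432),    # app -> db: allowed
        ("203.0.113.7", "10.20.0.10", "tcp", 443),   # external -> app: denied
        ("10.10.4.21", "10.30.0.6", "tcp", 22),      # user -> db ssh: denied
        ("10.10.4.21", "10.20.0.11", "tcp", 22),     # user -> app ssh: denied
        ("10.10.4.21", "10.10.9.9", "tcp", 445),     # user -> user, same segment: denied
        ("192.0.2.8", "10.20.0.10", "tcp", 8443),    # dmz -> app: allowed
    ]
    decisions = pep.filter(flows)
    return decisions, pep.suspicious_sources()


if __name__ == "__main__":
    decisions, flagged = demo()
    print(decisions)
    print("flagged sources:", flagged)
```

Because the rule table is the only source of allow decisions, adding a new service means adding a rule rather than opening a segment, and the denial log doubles as the input for the IDS-style check on the last line.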
Zero Trust Architecture with Perception Point
Perception Point helps create Zero Trust Architecture by adding enterprise-grade security to standard browsers like Chrome, Edge, and Safari. The solution fuses advanced threat detection with browser-level governance and DLP controls, providing organizations of all sizes with unprecedented ability to detect, prevent and remediate web threats including sophisticated phishing attacks, ransomware, exploits, Zero-Days, and more.
By transforming the organizational browser into a protected work environment, the access to sensitive corporate infrastructure and SaaS applications is secure from data loss and insider threats. The solution is seamlessly deployed on the endpoints via a browser extension and is managed centrally from a cloud-based console. There is no need to tunnel/proxy traffic through Perception Point.
An all-included managed Incident Response service is available for all customers 24/7. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on-the-fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react and mitigate web-borne attacks by up to 75%.
Customers deploying the solution will experience fewer breaches, while providing their users with a better experience as they have the freedom to browse the web, use SaaS applications that they require, and access privileged corporate data, confidently, securely, and without added latency.
Contact us for a demo of our Advanced Browser Security solution, today.