Zero Trust Network Architecture Explained

What is Zero Trust Network Architecture?

Zero Trust Network Architecture (ZTNA) is a security model that uses multiple layers of access control, attack prevention, and continuous verification to each user, device, and process before granting access to data and applications. With a ZTNA approach, trust is never granted implicitly and must continually be evaluated. ZTNA - also known as Zero Trust Network Access, software-defined perimeter (SDP), or dynamic security perimeter (DSP) - doesn't rely on predefined trust levels.

As a security architecture, the goal of Zero Trust is to provide more secure access to data and applications, even for remote workers. As today’s organizations work in a vastly more complex, connected ecosystem and cloud services, Zero Trust can help organizations protect against malicious activity from both external and internal threats and prevent costly data breaches.

Zero Trust is gaining traction as more and more organizations look for ways to improve their cybersecurity posture. Better yet, a Zero Trust model for user access can be adapted to any size organization. Whether you're a small business or a large enterprise, you can implement Zero Trust to improve your security.

What Are the Benefits of Zero Trust?

Digital transformation has created new opportunities for organizations to expand their markets, grow sales, and improve productivity. But this transformation has also opened new attack vectors and has expanded the attack surface for bad actors who now deploy increasingly more sophisticated threats including malware, phishing attacks, and ransomware. Employees and “trusted” vendors and partners are often the entry into systems, whether unintentional victims or intentionally malicious insiders.

The key benefit of a Zero Trust Network Architecture is that it helps provide a strong approach to digital identity in today’s modern IT landscape. IT security teams can no longer simply protect their network architecture with firewalls. Today’s complex environments now include mobile devices, cloud environments, DevOps, BYOD, IoT devices, and more. Zero Trust can grant detailed access and permissions to all identities - all users, endpoint devices, and automated machine and application processes.

Furthermore, ZTNA is a strong design that not only closes vulnerabilities to outside threats trying to gain access but also controls lateral movement on a network once inside. Often organizations focus less on internal controls and system configurations than on establishing their outside perimeter. Take the example of the malicious insider just mentioned, they often try to exploit their “trusted” status and credentials to gain access to other systems undetected. Zero Trust closes that security gap by never granting trust implicitly for any identity.

Beyond the strong identity security benefits that Zero Trust provides, another benefit is that it isn't an all-or-nothing proposition. Organizations can implement Zero Trust incrementally without a complete overhaul of their existing network infrastructure and cloud security at once. In fact, the National Security Agency (NSA) has identified and recommends three maturity levels of Zero Trust:

• Basic: Implement fundamental integrated secure access to data and applications.
• Intermediate: Refine your integration capabilities and add more capabilities.
• Advanced: Deploy advanced protections and controls, with robust analytics and orchestration.

This flexible implementation strategy can help IT teams save time and money, and it is scalable for large enterprises.

How Does a Zero Trust Network Architecture Work?

Zero Trust Network Architecture denies access to resources unless the user or machine is explicitly allowed. There are no implicit trust relationships. Moreover, those access rights are continually evaluated and approved (or declined) in real-time for each identity, every single time access is requested. This 'never trust, always verify’ validation policy is the primary difference between Zero Trust and legacy network security models.

It works through a variety of methods, including user authentication, authorization, and inspection, and is based on criteria, such as a user's identity, location, operating system and firmware version, and endpoint hardware type. The Zero Trust approach provides granular, least-privilege access to limit lateral movement.

The 3 Stages of the Zero Trust Security Model

Gartner defined a three-stage strategy for Zero Trust Network Access that delivers an adaptive security posture by predicting, preventing, detecting, and responding to attacks.

1. Attack Prevention: This is a defensive security posture that keeps malicious attacks out. For example, isolation techniques like network segmentation and micro-segmentation can be deployed to harden the network perimeter. Attack prevention also includes predicting attacks before they occur, and fast discovery, containment, and remediation of threats once they do occur.
2. Access Protection: This is a form of access management that is designed to let trusted traffic in. A combination of setting access security policies, monitoring usage, and managing usage creates an adaptive access protection model.
3. Continuous Visibility and Assessment: In order to maintain compliance with and enforce the requisite policies and systems, organizations should implement procedures for continuous visibility and assessment of their environment. These procedures are a constant cycle of implementing a ZTNA posture, monitoring it, and adjusting it.

How is Zero Trust Different From SASE?

Secure Access Service Edge (SASE) is another security framework that is popular today and has also been developed to provide secure access to applications and data. SASE was originally defined by Gartner in 2019 as “a new package of technologies including software-defined WAN (SD-WAN), secure web gateway (SWG), cloud access security brokers (CASB), firewall as a service (FWaaS), and Zero Trust Network Access (ZTNA) as core abilities, with the ability to identify sensitive data or malware and the ability to decrypt content at line speed, with continuous monitoring of sessions for risk and trust levels.” In other words, SASE is an umbrella term that includes Zero Trust Network Architecture.

Both are important components of modern security architecture, but they are different. SASE offers a comprehensive, multi-faceted security framework based on strong digital identity, regardless of a user or machine’s location. On the other hand, Zero Trust, as a component of SASE, focuses solely on resource access policies and controls. When used together, they can provide a more comprehensive security solution that is able to effectively protect today’s modern IT ecosystem.

How to Build a Zero Trust Architecture?

In order to implement this approach to security, organizations need to tightly control access and permissions for every human and machine identity. But how to build a zero-trust architecture is complicated as already complex environments expand further to include remote workers using VPNs and mobile devices, cloud services deployed in hybrid and multi-cloud environments, developers producing code in DevOps environments, all departments automating processes using Robotic Process Automation (RPA), widely deployed IoT devices connecting to systems, and many other enterprise applications. It’s nearly impossible for overburdened IT teams to efficiently manage all of those identities and effectively prevent a breakdown that exposes an organization to data breach and theft.

That’s where PKI rises to the challenge. There is no stronger, easier-to-use authentication and encryption solution for Zero Trust than the digital identity provided by digital certificates built using Public Key Infrastructure (PKI). In February 2020 the National Institute of Standards and Technology (NIST) published its “Zero Trust Architecture” report, in which NIST describes PKI as an essential component of the architecture.

Some ways you can use digital certificates to build this type of solution include:

• Replacing passwords with user identity certificates
• Automating the issuance and renewal of SSL/TLS certificates
• Protecting email with S/MIME certificates
• Securing critical workflows with document signing

Additionally, digital certificates offer significant advantages over multi-factor authentication (MFA) or two-factor authentication (2FA). True, MFA and 2FA look to enhance authentication security beyond the use of simple passwords by introducing additional steps such as SMS push notifications, one-time passwords (OTP), or hardware tokens. But unlike MFA, digital certificates offer vital benefits to authenticating and securing identities in a ZTNA, including cryptographic-based credentials that cannot be easily stolen, deployment for any identity use case (not just users), scalable provisioning and management, no impact to user experience, and lower total cost of ownership (TCO).

A Zero Trust Network Architecture requires the proper installation, monitoring, and renewal of all certificates - which is where Certificate Lifecycle Management (CLM) comes in. CLM provides a single administration portal to manage an increasing number of digital identities securely, as well as integrations into leading technology providers that can be used in any IT environment.

For organizations looking to improve their identity security using Zero Trust, Sectigo Certificate Manager is a CA agnostic cloud-based CLM solution; it automates every aspect of managing certificates, from provisioning and deployment to revocation.

Watch this webinar to learn how Sectigo views ZTNA and how certificate-based authentication is essential to implementing the secure enterprise of today and tomorrow.