What is Zero Trust Network?
A Zero Trust Network (ZTN) is a network operated in line with the zero trust security model. It requires rigorous authentication of users and devices attempting to access resources, whether they are inside or outside the organization’s private network.
Traditional network security was based on the concept of a guarded network perimeter, which is difficult to access from outside, but implicitly trusts everyone on the inside. The problem with this approach is that once an attacker has access to the network, they are free to move laterally and escalate privileges to reach critical assets.
In today’s IT environment, the traditional model no longer holds, because data and systems are distributed among on-premise data centers and cloud providers, and employees are transitioning to remote work, making it almost impossible to achieve consistent security controls with a traditional network perimeter.
Moving to a zero trust security model means that no one is trusted—whether inside or outside the network. ZTN solutions continuously verify that each user and device receives access only to the specific resources they need, taking into account the time, location, and nature of the activity. Anomalous access is immediately detected and acted upon by security teams.
Why is a Zero Trust Model Important?
IT security teams have traditionally relied on strategies like VPNs and firewalls. These tools surround the network with a perimeter, designed to allow authenticated users to access the network and its resources easily.
However, a traditional security perimeter is insufficient to protect cloud-based resources, or defend against the security risks of remote work and the use of personal devices by employees (BYOD). Relying on traditional authentication measures is becoming inefficient and dangerous, leaving businesses vulnerable to account compromise.
Zero trust is a systematic security model that ensures all users and devices are authenticated, verified, and granted only the minimal privileges appropriate in the current context. Zero trust makes it much more difficult for attackers to make use of compromised accounts and endpoints, and limits their ability to move laterally and escalate privileges. When attacks happen, zero trust improves visibility, detection and response time, and auditability of malicious activity.
How Does a Zero Trust Architecture Work?
The specific tools used to implement a zero trust architecture may vary, but usually focus on the following four capabilities:
- Collecting an inventory of systems and software, classifying them by sensitivity and business purpose, and establishing a baseline of normal behavior.
- Handling authentication and authorization, establishing resource identities, and verifying resources based on device configuration, including software and hardware health checks.
- Identifying anomalies in network access and usage compared to normal behavior, and continuously verifying the health of resources on the network, or resources accessing the network.
- Handling threat containment and mitigation once a security event is detected. For example, isolating a segment of the network found to contain a threat.
- Enabling micro-segmentation of the network, to isolate sensitive resources and ensure they can only be accessed by authorized entities for a known purpose. Granular, role-based policies can restrict access to the most sensitive resources while still granting access to others.
Zero Trust Network Workflow
The workflow of a zero trust network typically involves the following stages:
- Multi-factor authentication (MFA) is used to verify the identity of users over a secure channel. User devices are checked to ensure they are healthy and updated.
- Based on verified user ID, access is granted to specific applications and network resources.
- Sessions are continuously monitored for unusual or malicious activity. If such activity is detected, the solution sends alerts and can perform automated threat response, typically involving network micro-segmentation.
Types of Zero Trust Network Solutions
There are two main types of ZTNA solutions, as defined by Gartner.
Endpoint-Initiated ZTNA
In this type of solution, agents are installed on each end user device, which collect information about the device’s security context. The agent sends this information to a controller, and accordingly, the controller requests authentication from the user, and returns a list of allowed applications.
After successful authentication, the controller allows the device to connect to the required application through a gateway. Depending on the solution, ZTNA may or may not remain in the data path after the user connects to the application. Because all users connect through a secure gateway, the risk of malicious traffic reaching applications is dramatically reduced.
A drawback of endpoint-initiated ZTNA is that it is difficult to implement on unmanaged devices, because they require a local agent. In some cases, it may be possible to integrate with third-party Unified Endpoint Security (UES) systems, which may be acceptable to company users because they don’t require full device management. UES can provide a health assessment of devices for the ZTNA controller.
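The workflow above (MFA, device health check, then a per-session list of allowed applications that the gateway enforces) as a minimal controller decision. This is an added example, not Imperva's or any ZTNA vendor's code; the posture fields, roles and role-to-application mapping are constructed assumptions.

```python
# Added example (not Imperva's code): the endpoint-initiated ZTNA decision
# described above, as a controller function. Posture fields, roles and the
# role-to-application mapping are constructed assumptions.
from dataclasses import dataclass, field

@dataclass
class Posture:
    """Security context the device agent reports to the controller."""
    os_patched: bool
    disk_encrypted: bool
    edr_running: bool
    managed: bool          # under enterprise device management

@dataclass
class Decision:
    allowed_apps: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

# Applications each role may reach; sensitive ones also need a managed device.
ROLE_APPS = {"engineer": ["git", "ci", "wiki"], "finance": ["erp", "wiki"]}
SENSITIVE_APPS = {"erp", "ci"}

def controller_decide(role, mfa_passed, posture):
    """Return the per-session allow list the gateway enforces.

    Default deny: a failed MFA or health check yields an empty list,
    and every resource not on the list is unreachable for the session."""
    d = Decision()
    if not mfa_passed:
        d.reasons.append("mfa required")
        return d
    if not (posture.os_patched and posture.disk_encrypted and posture.edr_running):
        d.reasons.append("device health check failed")
        return d
    for app in ROLE_APPS.get(role, []):
        if app in SENSITIVE_APPS and not posture.managed:
            d.reasons.append(f"{app}: managed device required")
        else:
            d.allowed_apps.append(app)
    return d

def gateway_permits(decision, app):
    """The gateway brokers a connection only to apps on the session's list."""
    return app in decision.allowed_apps
```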
Service-Initiated ZTNA
These products are based on a connector, installed on the same network as the application, which establishes and maintains outbound connections to a provider cloud. The provider authenticates users through an enterprise identity management product and checks their eligibility to access protected applications.
Only after successful verification is traffic allowed to pass to the private network, through the provider’s cloud. This setup makes it impossible to access applications directly, and the enterprise firewall need not allow any inbound traffic. However, in service-initiated ZTNA, the provider’s network becomes a single point of failure, and must be relied on to serve all enterprise traffic.
The advantage of this type of solution is that it can be used for personal user devices, where it is difficult to deploy agents. The downside is that this type of ZTNA mainly supports web applications based on HTTP/HTTPS. New ZTNA solutions are starting to support additional protocols.
How to Implement a Zero Trust Network Strategy
Here are four ways to begin implementation of a ZTN strategy in your organization.
Start by mapping out traffic between applications, and identifying the attack surface. This can be a difficult task—it is challenging to understand traffic flows, and also to adjust the model to ongoing changes in the network. You must also identify applications that require access and their dependencies.
By inspecting the traffic, you can create a zero trust policy using a “default deny” rule. You can define micro-perimeters around each protected application, and start monitoring privileged traffic crossing application boundaries.
When defining a policy, you should test it without actually applying it. Simulate the policy by generating alerts whenever it is violated, but without actually making any changes on the network. This lets you fine tune the policy and reduce the chance of failure or access issues for authorized entities.
Once you have rigorously tested your policy and ensured it will not result in network outages or access issues, you can enforce it. Track policy violation alerts in real time, enrich them with meaningful contextual data, and ensure you have visibility into encrypted east-west traffic, so that application traffic remains observable under the zero trust model.
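The four steps above (map traffic, define a default-deny micro-perimeter, simulate the policy with alerts only, then enforce it) carried through on constructed flow records. This is an added example, not Imperva's code; the hosts, ports and allow rules are assumptions.

```python
# Added example (not Imperva's code): a default-deny micro-perimeter policy
# run first in simulate (alert-only) mode, tuned, then enforced, over
# constructed flow records. Hosts, ports and rules are assumptions.

# Mapped traffic (constructed): observed application-to-application flows.
FLOWS = [
    {"src": "web-1", "dst": "db-1", "port": 5432},
    {"src": "batch-7", "dst": "db-1", "port": 5432},   # dependency missed in mapping
    {"src": "laptop-42", "dst": "db-1", "port": 22},   # privileged access from a workstation
    {"src": "web-1", "dst": "cache-1", "port": 6379},
]

# Micro-perimeter per protected application: explicit allows, everything else denied.
POLICY = {
    "db-1": {("web-1", 5432), ("bastion-1", 22)},
    "cache-1": {("web-1", 6379)},
}

def permitted(flow, policy):
    """Default deny: an unknown destination has an empty allow set."""
    return (flow["src"], flow["port"]) in policy.get(flow["dst"], set())

def run(flows, policy, mode):
    """mode='simulate' alerts on violations but passes all traffic;
    mode='enforce' alerts and drops them. Returns (passed, violations)."""
    passed, violations = [], []
    for f in flows:
        if permitted(f, policy):
            passed.append(f)
        else:
            violations.append(f)          # an alert is raised in both modes
            if mode == "simulate":
                passed.append(f)          # but nothing is blocked yet
    return passed, violations

def tune(policy, violations, approved):
    """Fold reviewed simulate-mode violations into the policy before enforcing;
    'approved' is the set of (src, dst, port) a review confirmed as legitimate."""
    for f in violations:
        if (f["src"], f["dst"], f["port"]) in approved:
            policy.setdefault(f["dst"], set()).add((f["src"], f["port"]))
    return policy

def rollout(flows, policy, approved):
    """Simulate, tune, then enforce; returns the final (passed, blocked) flows."""
    _, simulated = run(flows, policy, "simulate")
    tuned = tune(policy, simulated, approved)
    return run(flows, tuned, "enforce")
```

The unapproved workstation-to-database SSH flow is the kind of privileged access the simulate phase is meant to surface before enforcement starts blocking it.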
Monitor and Maintain
Maintaining a zero trust network is an ongoing effort. Once you have implemented zero trust for the first applications or areas of your network, you can continue rolling out the zero trust model, ensuring that you continuously monitor and respond to violations. The time you invest in maintaining and monitoring zero trust systems will gradually replace the huge workload of investigating and responding to incidents in a non-segmented, implicit trust environment.
Zero Trust Network with Imperva
Zero trust network solutions must be complemented by robust data security controls. Imperva protects all cloud-based data stores to ensure compliance and preserve the agility and cost benefits you get from your cloud investments:
Cloud Data Security – Simplify securing your cloud databases to catch up and keep up with DevOps. Imperva’s solution enables cloud-managed services users to rapidly gain visibility and control of cloud data.
Database Security – Imperva delivers analytics, protection and response across your data assets, on-premise and in the cloud – giving you the risk visibility to prevent data breaches and avoid compliance incidents. Integrate with any database to gain instant visibility, implement universal policies, and speed time to value.
Data Risk Analysis – Automate the detection of non-compliant, risky, or malicious data access behavior across all of your databases enterprise-wide to accelerate remediation.