Laura
30/10/2023
How well do you sleep at night? Odds are you would sleep better if you could wake up to Zero Trust Architecture (ZTA).
A true ZTA network makes incident response wake-up calls far less likely by shutting down data breaches, ransomware threats or any kind of unauthorised network access. It would also save your organisation at least £500,000 over a four-year period, making your security efforts much easier to advocate for. That’s the dream anyway.
Unfortunately, for 99% of companies, ZTA like this is out of reach. Despite record spending on Zero Trust technologies and consultants and sustained interest from boards everywhere, achieving ZTA in the real world remains a massive challenge.
So what’s going wrong?
Misunderstanding What Zero Trust Architecture Really Means
Threat actors typically have three core goals: stealing your data, destroying your data or using access to your network to attack other data and infrastructure.
The key word here is data.
Zero Trust Architecture brings the perimeter to sensitive data. It separates communication flows for controlling and configuring from application communication flows used to perform the organisation’s actual work. One part of the network is used to figure out who should get access to what data (control plane), and another part (access plane) makes that access possible.
For a comprehensive technical exploration of ZTA, see NIST 800-207.
The traditional way of stopping attackers was to focus on defending systems and networks. But these are either not the problem (i.e., a compromised device with no sensitive data and no method for escalation is not a major threat) or, in the case of networks, have grown so complex that they are not easily defensible.
Zero Trust moves your network from something like a university library where you have to verify your identity going in the door but can then go pretty much anywhere, into a museum where getting in is easy, but all the important exhibits are stored securely or monitored by security guards.
This happens through access control, continuous monitoring, micro-segmentation and traffic monitoring (particularly outbound traffic). ZTA assumes the network is hostile and all assets are internet-facing – a mind-shift change that makes illicit network access less of a problem because you presume the intruders are already inside.
Knowing Why to Use ZTA
“I like firewalls but just not as protective devices.” This is one of the ways that Randy Marchany, veteran CISO and SANS Institute expert, describes his journey to Zero Trust.
His point is that firewalls are great detection devices for logging network packets but poor protection devices because, ultimately, they have to let some things through.
Indeed, firewalled networks have so many access pathways (like port tunnelling and compromised Bluetooth devices) and unknown assets (69% of companies were compromised by an asset they didn’t know about, according to a 2022 ESG report) that perimeter defence is now almost impossible.
Firewalls log packets going in and out of a network but don’t help you identify complex threats like network insiders.
It’s also the case that many of the services used in any organisation are outside the perimeter anyway. Many devices are mobile, but so are servers. Everyone is using a cloud provider (like Amazon AWS) for a server function that once upon a time used to be provided from inside your network.
ZTA responds to these challenges by moving security closer to users and the data itself.
Zero Trust Architecture Myths
These three myths about ZTA need to go away:
- You can buy a Zero Trust solution – like a multi-factor authentication (MFA) control or a virtual private network (VPN) – and achieve ZTA. Unfortunately, Zero Trust in a box is not a thing. ZTA is built on a security strategy through security policies and access management.
- ZTA is an end state. The truth is that no functional organisation exists with a 100% trustless operating environment. Every organisation is on a journey to ZTA; some are further along than others. Zero Trust is not a destination or compliance standard you either achieve or don’t.
- ZTA has a defined starting point. Your organisation might begin its ZTA journey by focusing on identity authentication and deploying MFA. Or it might start with micro-segmentation and network security. Both approaches to putting in place Zero Trust principles are correct.
Learn more about some of the other things Zero Trust vendors should tell you
Matching Technology to Real-World ZTA Challenges
ZTA can’t be achieved through technology alone, but security solutions play a significant role in ZTA’s success. Almost 1 in 2 CISOs state that companies working with legacy technologies that do not “support” Zero Trust is a central challenge.
ZTA breaks the traditional flat, perimeter-based network into a series of subnets (separated by firewalls), which, theoretically, do not have a perimeter with the outside web. Security relies on access control and least privilege access management.
This environment forces security solutions to:
- Match context-based security criteria (i.e., where a user is located, what device they use, the time of day, etc.) with identity and behaviour.
- Function within the micro-segmented network environment that ZTA creates – an environment where visibility is severely compromised.
Because ZTA security depends on understanding network traffic (inbound and outbound), ZTA tools need to establish at a granular level which apps and users are connecting to a resource and whether their behaviour, along with the posture of their device, aligns with their permissions or indicates a cyberattack.
With ZTA, your security tool stack needs to be able to spot links between users and network behaviour that are otherwise invisible.
This means going beyond the traditional tool stacks of endpoint detection and response (EDR), network detection and response (NDR), user entity and behaviour analytics (UEBA), etc., and combining security events and analysis into a single data flow.
Learn how SenseOn is helping companies implement ZTA in real-world environments.