Zero Trust Architecture is the latest concept in security architecture. We’re starting to hear this term used widely, and in this explainer blog we take a look at what Zero Trust means – and why you might want to adopt it.
There are a number of important enterprise network trends emerging. With technologies such as SDA Fabric, the increased use of identity, and granular security technologies such as micro-segmentation, networking as we know it is on the move.
Here’s a term you’ll get used to: ZTA – Zero Trust Architecture.
Zero Trust: Background
In a typical network (let’s say a ‘classic’ network, as opposed to a software-defined, SD-Access style network), we have a three-layer hierarchy. The typical core, distribution and access layer design has been around for a long time and is generally configured with a range of VLANs for end-user device access.
For Zero Trust, every device must be specifically allowed access for every interconnection to every other device (this will sound familiar if you've read about micro-segmentation – micro-segmentation is one part of the set of concepts that make up ZTA).
In a nutshell, the whole network becomes a giant firewall, with the minimum access between any two points granted on an as-required basis.
There’s a bunch of reasoning behind Zero Trust, but the most obvious is security. This is a massive step up from our classic open trust model: you get highly granular control over what each client is allowed to connect to. This granular control is known as micro-segmentation, and we’ve got other blogs that cover the concept in more detail.
Greater visibility is also a benefit – now that you know what clients are meant to be able to access, you can view what they are doing against that backdrop – and confirm they are in fact only using the access they are meant to have.
Reducing cost is arguably a benefit. There is of course a lot of up-front effort to configure the Zero Trust network, primarily spent working out the access contracts and policies (i.e. what clients can actually do), but this is all part of having a secure network anyway.
The cost savings come later – once you have worked out the type of access each client is allowed, you can let clients roam freely. All access ports are configured the same (this is a saving), and clients can plug in anywhere and be granted the access they’re allowed to have.
Inherent Security with Zero Trust
ZTA is not about a single technology – it’s an approach to how you secure your network.
The Zero Trust approach, in essence, is about eliminating inherent trust.
This inherent trust has historically meant that we allow clients to connect to switch ports, but tend not to limit in detail what those clients can do.
With network segmentation we take that control back, but Zero Trust is more than just allowing access on a need-to-know basis; it’s also about account security and the way in which we use end users’ identities to grant access to information, as well as to network resources.
What does this mean in practice? It means that all access requires trust to be established explicitly. Trust needs to be given, not just automatically allocated.
Think of 802.1X - we've had this technology around for quite a long time. This allows a client to authenticate on a port and receive a dynamic VLAN assignment. The client has no connection until this point and all ports are configured the same. ZTA is essentially a major step up from this, but takes a lot from the 802.1X approach.
There are some standards for Zero Trust, which are detailed in the list below:
Each of the major standards bodies has its own approach, but ZTA is fundamentally about a few key, core concepts.
These are about only allowing the minimum required access on your network, and undertaking automated baselining and alerting on the network.
This, of course, requires AI and machine learning to play out fully; however, the key concept is the approach to allowing user access to the network.
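To make the ideas above concrete – default-deny contracts between any two points, identical port configuration with access decided by identity (the 802.1X-style dynamic assignment), and alerting on traffic that falls outside the allowed contracts – here is a small worked example. It is an added illustration written for this post, not code from any vendor product or NAC platform; the roles, contracts, identity store, IP-to-role inventory and flow-log lines are all constructed for the example.

```python
"""Toy Zero Trust policy engine (constructed example).

Three pieces of the ZTA approach are shown together:
  1. an explicit, default-deny set of access contracts between roles,
  2. authentication that hands back the same assignment on any port,
  3. an audit that flags observed flows with no matching contract.
"""

# Access contracts: (source role, destination role, protocol, destination port).
# Anything not listed here is denied, so the network behaves like one big firewall.
CONTRACTS = {
    ("staff-laptop", "file-server", "tcp", 445),
    ("staff-laptop", "print-server", "tcp", 9100),
    ("staff-laptop", "dns", "udp", 53),
    ("iot-camera", "nvr", "tcp", 554),
    ("iot-camera", "dns", "udp", 53),
}

# Per-role assignment returned after authentication, in the spirit of an
# 802.1X dynamic VLAN assignment. Values are constructed for the example.
ROLE_ASSIGNMENT = {
    "staff-laptop": {"vlan": 100},
    "iot-camera": {"vlan": 200},
}

# Constructed identity store: credential -> role. In a real deployment this
# lookup is performed by the AAA / NAC server (for example via RADIUS).
IDENTITY_STORE = {
    "alice@example.test": "staff-laptop",
    "cam-lobby-01": "iot-camera",
}

# Constructed endpoint inventory: IP address -> role, as a NAC session table
# would record it once each endpoint has authenticated.
ENDPOINTS = {
    "10.1.0.10": "staff-laptop",
    "10.1.0.11": "staff-laptop",
    "10.2.0.5": "iot-camera",
    "10.9.0.1": "file-server",
    "10.9.0.2": "print-server",
    "10.9.0.3": "dns",
    "10.9.0.4": "nvr",
}


def authenticate(credential, port):
    """Return the access assignment for a credential, or None for no connectivity.

    Every access port is configured identically, so the result depends only on
    the identity presented, never on which port the client plugged into.
    """
    role = IDENTITY_STORE.get(credential)
    if role is None:
        return None  # unknown identity: the port stays closed
    return {"port": port, "role": role, **ROLE_ASSIGNMENT[role]}


def is_allowed(src_role, dst_role, proto, dport):
    """Default deny: a flow is allowed only if an explicit contract exists."""
    return (src_role, dst_role, proto, dport) in CONTRACTS


def parse_flow(line):
    """Parse a constructed 'src=... dst=... proto=... dport=...' flow record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "src": fields["src"],
        "dst": fields["dst"],
        "proto": fields["proto"],
        "dport": int(fields["dport"]),
    }


def audit_flows(lines):
    """Compare observed flows against the contracts; return (line, reason) for violations."""
    violations = []
    for line in lines:
        f = parse_flow(line)
        src_role = ENDPOINTS.get(f["src"], "unknown")
        dst_role = ENDPOINTS.get(f["dst"], "unknown")
        if not is_allowed(src_role, dst_role, f["proto"], f["dport"]):
            reason = f"{src_role} -> {dst_role} {f['proto']}/{f['dport']} has no contract"
            violations.append((line, reason))
    return violations


# Constructed flow log: two flows match a contract, two do not.
FLOW_LOG = [
    "src=10.1.0.10 dst=10.9.0.1 proto=tcp dport=445",    # laptop -> file server: allowed
    "src=10.2.0.5 dst=10.9.0.4 proto=tcp dport=554",     # camera -> NVR: allowed
    "src=10.2.0.5 dst=10.9.0.1 proto=tcp dport=445",     # camera -> file server: no contract
    "src=10.1.0.10 dst=10.1.0.11 proto=tcp dport=3389",  # laptop -> laptop: no contract
]

if __name__ == "__main__":
    print(authenticate("alice@example.test", "Gi1/0/7"))
    print(authenticate("alice@example.test", "Gi2/0/3"))  # same answer on another port
    print(authenticate("unknown-device", "Gi1/0/1"))
    for line, reason in audit_flows(FLOW_LOG):
        print("ALERT:", reason, "|", line)
```

The point of the audit step is the visibility benefit described earlier: once the contracts are written down, anything observed on the network that does not match one of them is, by definition, worth an alert, without any statistical baselining being needed for that first check.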
Zero Trust Architecture: Summary
In a nutshell, ZTA is all about taking back control or, to put it a different way, only granting access to specific users, devices and data where it is specifically required.
This involves micro-segmentation of what users and devices can access, but it requires a lot more thought to develop the policies and contracts for what those users and devices are allowed to reach.
The AAA / NAC servers are key in this process, and tracking the user’s identity – and allocating rights based upon it – is a core concept in the ZTA rollout.
If you're ready to read more - we've got a blog on the concepts of Zero Trust Deployment.