Topics In Demand
Notification
New

No notification found.

What is Zero Trust and how does it work?
What is Zero Trust and how does it work?

April 21, 2022

233

0

Now more than ever, organizations are increasingly trying to understand the concept of ‘Zero Trust’ and how it can be used to bolster the security of their data and systems. No doubt, a zero-trust strategy can safeguard any type of business, small or large, in this new era of remote work.

So, what exactly is Zero Trust and how does it work? In this article, we’ll explore the concept of zero trust security and more.

1. What is Zero Trust?

Zero Trust is not a product, vendor or technology.

Zero Trust is a security model or framework for protecting data and applications in an organization. It is about a simple concept – “trust no one, always verify”. It means that organizations must not trust anything by default, inside or outside their IT network or infrastructure. They must strictly verify identity and authenticate and authorize users who are closer to their resources.

To implement this model, organizations are essentially required to include verification activities such as auditing, tracking, monitoring, and alerting in every aspect of their IT infrastructure.

Zero Trust is similar to the Principle of Least Privilege, where only those users are given privileged access who require it to perform their job. The only difference in Zero Trust is that organizations are required to track the activities of all the users, including the most privileged ones.

So, don’t trust anyone, not even your most privileged users. 

Credit: Pexels

2. How Zero Trust works?

Practically, a Zero Trust model focuses on five key areas:

  • User
  • Device
  • Application
  • Data
  • Session

Among the five focus areas, User and Device are the key areas that the Zero Trust ecosystem emphasizes on the most. If we think about how organizations must take cybersecurity, these choices will make a lot of sense. However, due to the increasing use of cloud technologies, there are other areas too that increase an organization’s risk surfaces, and therefore, areas such as Data and Applications have also gained importance in the cloud-first strategy (as listed above).

Hence, rather than addressing security only from an identity standpoint, organizations have broadened their security strategies by addressing Zero Trust from a more controlled access standpoint.

2.1. Zero Trust Architecture

Organizations build a Zero Trust Architecture (ZTA) by blocking unauthorized users from accessing areas of the network, applications, and data.

Zero Trust Architecture – Core Components (Credit: NIST)

There are three approaches that organizations use for creating an effective Zero Trust architecture.

2.1.1. Identity-based

Organizations often take an identity-based approach when building their Zero Trust security architecture. This approach puts the identity of devices, users, or services in focus while drafting policies. For example, the resource access policies of an organization are based on role assigned attributes.

The basic requirement for any user or device to enter an organizational resource is to have access privileges. This access is granted to them only after their identity is verified by a trusted source. Enterprises need to authenticate identity and the health of each device and then decide whether to allow entry to the users or devices on a real-time basis.

2.1.2. Network-based

The nature of the network-based approach requires the ability to divide the network perimeter of corporate resources into sub-sections where each sub-section is secured through a web gateway. While this approach is quite safe yet is not completely risk-free, as anything that manages to enter the network gateway is trusted. Hence, organizations must use robust security measures in this approach to protect each resource.  

Organizations must also use network devices such as intelligent switches for improving network efficiency or Software-Defined Networking (SDN) for improving performance, monitoring and overall network management.

2.1.3. Cloud-based

A cloud-based approach uses systems that integrate with any asset and make cloud access more manageable for any organization. It uses software-defined perimeter, identity and access management, and multi-factor authentication to block unwanted events from occurring. Like other approaches, it also divides traditional perimeters into sub-zones. This enables easy monitoring and better access control.

Overall, everything required for a sleep-deprived or overly stressed security team to protect their data and resources is the ‘Zero Trust security model’.

2.2. How to design a Zero Trust Architecture? Few points to consider.

  • Plan ahead and design an architecture based on the outcomes you define.
  • When designing, consider securing all areas.
  • Decide who, what, where, and when to allow access and at what levels. Accordingly, draft access control policies and implement them across environments.
  • Inspect all traffic that enters or leaves your network and take full control of all activities over all layers.
  • Use multi-factor authentication (MFA) and short-lived credentials.
  • Apply the right workflows and regularly create reporting and analytics of compliance.

2.3. Trust Broker and Actionable Metrics

In a Zero Trust architecture, a trust broker plays a crucial part in deciding whether the context, identity, and policy adherence are sufficiently trusted before allowing access to the specified participants. To make this decision, following are the trust metrics on the basis of which security teams operate within an organization:

2.3.1. People Trust Metrics

User Authentication: This involves verifying the authentication status of users and the security level that users need to pass. For example, two-factor or multi-factor authentication provide better security than simple authentication.

User Activity: This involves verifying if the users follow normal working patterns in an organization. For example, are users accessing the devices during normal working hours? Are users accessing the organizational resources from their usual access devices?

2.3.2. Device Trust Metrics

Location Tracking: This involves verifying whether a device is being operated from an expected geographic location, using a safe network.

Device Security: This involves steps that authenticates if the device is used by an authorized person and has anti-virus, anti-malware installed.

2.3.3. Data Trust Metrics

This includes verifying the following:

(a) Who has access to what kind of data?

(b) What is the level of sensitivity of the data?

(c) What security parameters are set on the different data types?

3. Do you need Zero Trust security?

Here are the benefits of implementing a Zero Trust security architecture:

3.1. Reduces risk for organizations

Zero Trust helps organizations to minimize risk in the cloud and improve governance and compliance. It helps them to gain better visibility into all devices and users, detect threats, maintain control across a network. A Zero Trust model helps in defining policies that get updated automatically when risks are identified.

3.2. Turns down the breach possibilities

Data breaches can not only cause financial loss to companies but also can impact a customer’s confidence in them. Both customers and governments are increasingly growing their demands for security and data privacy, and it is on enterprises to meet that requirement in the best possible manner.

To reduce the possibility of breaches, a network using the Zero Trust architecture continuously analyzes the workload. The moment a mismatch is detected, its communication privileges are blocked from the rest of the system. This process continues within the system until the system is improved according to the defined security policies.

3.3. Improves compliance and trust

Zero Trust architectures naturally improves an organization’s appetite for compliance and adherence to the policies. This in turn, helps them gain customer trust. There are many tools provided by trusted vendors offering cyber security services to businesses of all sizes to help make the digital world more secure.

4. Conclusion

You may be having a secure infrastructure and so, may have nothing to be worried about. But what’s the harm in getting it assessed and verified.

Building a Zero Trust security architecture can be an excellent decision for futuristic organizations . With time, Zero Trust will be  the only framework in the market when it comes to cybersecurity.


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


ZNet Technologies Private Limited, incorporated in 2009, is a cloud services provider offering cloud infrastructure and managed services to partners and end customers across the globe with a primary focus on India. We empower 90k+ websites.

© Copyright nasscom. All Rights Reserved.