Updated August 3, 2023

In a traditional security model, anything inside an organization’s network is often assumed to be trustworthy. Once a user or device is authenticated by the network, they have wide-ranging access to internal resources. However, due to the rise of remote work, global teams, and the shift to hybrid cloud environments, defining the network perimeter has become much more difficult. Furthermore, granting broad access within the network means that if just one user is compromised, it can snowball into massive data breaches.

In response, the National Institute of Standards and Technology (NIST) has defined a zero trust architecture (ZTA), a security model that takes a data-centric approach, focusing on protecting resources rather than the network perimeter. ZTA rests on a core set of principles that includes “Never Trust, Always Verify”, “Assume Breach” and “Least Privileged Access”:

  • Never Trust, Always Verify: Eliminate implicit trust by continuously authenticating and authorizing all users and devices every time they attempt to access a resource.
  • Assume Breach: Operate under the assumption that an attacker could be present in any environment, implementing constant monitoring and preparing for worst-case scenarios.
  • Least Privileged Access: Grant users the minimum amount of access needed to perform their jobs effectively.

Why Zero Trust Architecture?

ZTA allows businesses to achieve data security and compliance in environments where sensitive information is frequently shared collaboratively. By continuously verifying every data access attempt, regardless of who or where it comes from, ZTA actively minimizes the risk of unauthorized access. This data-centric approach is particularly effective in work settings where employees operate outside traditional network perimeters.

When security incidents do occur, ZTA’s simplified architecture enables companies to respond swiftly and decisively. This quick response capability is crucial for mitigating damage and maintaining business continuity.

Moreover, ZTA enhances the way businesses monitor their operations. By providing increased visibility into user and device behavior, ZTA can alert organizations to suspicious activities more effectively.

How to Implement Zero Trust Architecture

Setting up a ZTA solution for an enterprise typically involves three groups of components: the core components, the functional components, and the device and network infrastructure components.

ZTA architecture overview

Think of the core components as the brain of the system, where the Policy Engine makes decisions to grant, deny, or revoke access to a given subject. The Policy Enforcement Point is responsible for implementing the authorization decisions in the form of automated, data-centric security controls. In addition, the Policy Administrator provides a facility to create, edit, and manage policies used to make these authorization decisions.

Meanwhile, the functional components of ZTA consist of data security, endpoint security, identity and access management (IAM), and security analytics:

  • Data security: Protects data at rest, in use and in transit with data access policies.
  • Endpoint security: Safeguards endpoints – such as mobile devices, desktop computers and virtual machines – from external threats.
  • IAM: Creates, stores and manages user accounts and identity records, ensuring that only authorized people have access to enterprise resources.
  • Security analytics: Covers all threat intelligence feeds and activity monitoring for an IT enterprise, gathering behavioral insights to actively respond to threats.

Finally, setting up ZTA involves the device and network infrastructure components. Devices include the laptops, smartphones, tablets, and desktops that employees use to access the company’s network. Each device must be authenticated and meet security standards before gaining access to sensitive data. The network infrastructure comprises the routers, switches, firewalls, and other hardware that manage and secure data traffic. In a ZTA, this infrastructure is designed to verify every connection and data request, ensuring that only legitimate and authorized traffic is permitted.

To enhance the effectiveness of ZTA, one approach is to incorporate NIST’s recommendation to use the Policy Engine to implement an Attribute-based Access Control (ABAC) model. This model offers greater flexibility and security by evaluating additional information about each request, expressed as attributes, to make more dynamic and fine-grained authorization decisions.
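The following is an added example, not code from NextLabs, NIST or any product, that puts the pieces described above together in a few dozen lines of Python: a Policy Engine that makes the grant/deny decision, a Policy Enforcement Point that sits in front of the resource and asks the engine on every request, an ABAC policy set that evaluates subject, device, resource and session attributes, and an audit log that feeds security analytics. All class names, policy names, attribute values and sample requests are constructed assumptions for illustration. Note how “Never Trust, Always Verify” shows up as per-request evaluation with a session-age rule, “Least Privileged Access” as default deny, and “Assume Breach” as logging of every decision, permitted or not.

```python
# Added example of a toy zero-trust Policy Engine (PE) and Policy Enforcement
# Point (PEP) making attribute-based (ABAC) decisions. Not NextLabs or NIST
# code; every class, policy and sample value here is a constructed assumption.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Subject:
    user_id: str
    department: str
    clearance: int          # 0 (none) .. 3 (highest); compared to resource classification
    mfa_verified: bool
    session_age_min: int    # minutes since the subject last authenticated


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # enrolled in endpoint management
    disk_encrypted: bool
    patch_age_days: int     # days since the last security patch was applied


@dataclass(frozen=True)
class Resource:
    name: str
    classification: int     # minimum clearance required to touch it
    owner_department: str


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    resource: Resource
    action: str             # "read" or "write"


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str             # "PERMIT" or "DENY"
    applies: Callable[[AccessRequest], bool]


# Constructed policy set: each rule looks at attributes of the subject, device,
# resource and session, never at where on the network the request came from.
POLICIES: List[Policy] = [
    Policy("require-mfa", "DENY", lambda r: not r.subject.mfa_verified),
    Policy("reauth-after-60-min", "DENY", lambda r: r.subject.session_age_min > 60),
    Policy("device-posture", "DENY",
           lambda r: not (r.device.managed and r.device.disk_encrypted
                          and r.device.patch_age_days <= 30)),
    Policy("clearance-vs-classification", "DENY",
           lambda r: r.subject.clearance < r.resource.classification),
    Policy("read-own-department", "PERMIT",
           lambda r: r.action == "read"
           and r.subject.department == r.resource.owner_department),
    Policy("write-own-department-senior", "PERMIT",
           lambda r: r.action == "write"
           and r.subject.department == r.resource.owner_department
           and r.subject.clearance >= 2),
]


class PolicyEngine:
    """Makes the grant/deny decision: deny-overrides combining, default deny."""

    def __init__(self, policies: List[Policy]):
        self.policies = policies

    def decide(self, req: AccessRequest) -> Tuple[str, str]:
        permits = []
        for policy in self.policies:
            if policy.applies(req):
                if policy.effect == "DENY":
                    return "DENY", policy.name      # any matching DENY wins outright
                permits.append(policy.name)
        if permits:
            return "PERMIT", permits[0]
        return "DENY", "default-deny"               # least privilege: nothing granted it


class PolicyEnforcementPoint:
    """Fronts the resource, consults the PE on every request, logs every outcome."""

    def __init__(self, engine: PolicyEngine):
        self.engine = engine
        self.audit_log: List[dict] = []             # feed for security analytics

    def enforce(self, req: AccessRequest) -> bool:
        decision, reason = self.engine.decide(req)
        self.audit_log.append({"user": req.subject.user_id, "device": req.device.device_id,
                               "resource": req.resource.name, "action": req.action,
                               "decision": decision, "reason": reason})
        return decision == "PERMIT"


def evaluate_samples() -> dict:
    """Runs constructed requests through the PEP; returns name -> (decision, reason)."""
    alice = Subject("alice", "finance", clearance=2, mfa_verified=True, session_age_min=5)
    stale_alice = Subject("alice", "finance", clearance=2, mfa_verified=True, session_age_min=90)
    bob = Subject("bob", "engineering", clearance=3, mfa_verified=True, session_age_min=5)
    laptop = Device("lt-01", managed=True, disk_encrypted=True, patch_age_days=3)
    byod = Device("ph-77", managed=False, disk_encrypted=True, patch_age_days=3)
    ledger = Resource("q3-ledger", classification=2, owner_department="finance")

    pep = PolicyEnforcementPoint(PolicyEngine(POLICIES))
    cases = {
        "alice-read-ledger": AccessRequest(alice, laptop, ledger, "read"),
        "alice-write-ledger": AccessRequest(alice, laptop, ledger, "write"),
        "alice-byod-read": AccessRequest(alice, byod, ledger, "read"),
        "stale-alice-read": AccessRequest(stale_alice, laptop, ledger, "read"),
        "bob-read-ledger": AccessRequest(bob, laptop, ledger, "read"),
    }
    for req in cases.values():
        pep.enforce(req)
    return {name: (e["decision"], e["reason"]) for name, e in zip(cases, pep.audit_log)}
```

Running `evaluate_samples()` shows the same user being permitted from a managed laptop and denied from an unmanaged phone, denied again once her session is older than the re-authentication window, and a higher-clearance user from another department falling through to the default deny. The audit log records all five outcomes, which is what the security analytics component would consume.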

To learn more about ZTA and its importance, please refer to NextLabs’ interview with Alper Kerman, author of the Implementing a Zero Trust Architecture document, on Why is Zero Trust Architecture (ZTA) Important?