Your business needs a security model that has made it through the hype cycle: one that is validated, free of inflated expectations and past the trough of disillusionment. Enter Zero Trust Architecture, a paradigm shift that fundamentally changes how organizations protect their digital assets.
But what is Zero Trust Architecture (ZTA) and how does it differ from Zero Trust Network Access (ZTNA)? If you have ZTNA, isn’t that enough? Let’s dive in.
Zero Trust Architecture is a security model based on the principle of "never trust, always verify."
NIST defines zero trust architecture as “an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.”
In other words, unlike traditional security models that assume everything within the network is safe, ZTA assumes that threats could exist both inside and outside the network. This model enforces strict identity verification and access controls, ensuring that only authenticated and authorized users have secure remote access to resources. And importantly, zero trust architecture refers to the overall security strategy and structure, including technologies, policies, and concepts.
But wait, isn’t that the same as ZTNA, or the zero trust security model as a whole? Not quite.
Zero trust network access, or ZTNA, is the main technology associated with ZTA (not to be confused with zero trust access). However, ZTNA is not one single technology or solution; rather, it is a combination of technologies that make up zero trust architecture. For example, one technology that delivers the essentials of the ZTNA tenets is a business VPN. By creating a secure virtualized network, you’re able to continually verify users and enforce the principle of least privilege access.
In other words, zero trust architecture is the structure, while ZTNA is the collection of technologies within that structure.
Whether we are talking about ZTA or ZTNA, there are a few key principles that carry through both. These include:
Specific to ZTA, there are a few additional key principles in the zero trust device pillar, according to the National Security Agency:
Despite its popularity in recent years, zero trust isn’t just a buzzword anymore and has made its way through the hype cycle. What started as an answer to a major network security flaw, implicit trust, is now on its way through Gartner’s “slope of enlightenment” to the “plateau of productivity.” That means zero trust has withstood changes in both technology and the workforce.
Stability in strategy isn’t the only reason to consider a zero trust framework. Research from IBM found that zero trust reduces the cost of a data breach by about $1 million.
Adopting the mindset “never trust, always verify” can seem a bit daunting. It requires your team to never let their guard down, no matter where they are in the organization. But ZTA doesn’t have to be a negative or overwhelming architecture to implement. In truth, by simply implementing the ZTNA essentials you’ll see many of the same ZTA benefits that make it such an attractive architecture.
For example, the zero trust approach as a whole can help you gain:
We mentioned earlier that ZTA is made up of ZTNA technologies or zero trust solutions and policies. While that is true, there are also a few additional pillars of ZTA to consider.
Strong IAM is crucial for ZTA. This includes implementing robust authentication methods such as multi-factor authentication (MFA) and single sign-on (SSO) to ensure that only verified users can access the network.
Dividing the network into smaller, isolated segments and applying granular access controls helps limit the lateral movement of threats within the network. This approach confines potential breaches to isolated segments, minimizing their impact. Network segmentation also helps enforce least privilege. You can dive into how to set up micro-segmentation in our recent post about implementing ZTNA.
Real-time visibility into network activity is essential for identifying and mitigating threats. Behavioral analytics and anomaly detection tools can spot unusual activity, while automated threat response mechanisms can swiftly address breaches. However, this takes a human element as well. It can’t all be automated or relegated to software: you’ll need someone who is able to review these logs, conduct periodic penetration testing, and create response actions for monitoring to have the greatest impact.
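To make the three pillars above concrete, here is an added example (not OpenVPN’s code or the article’s) of a minimal policy decision point: it contrasts the perimeter model, which grants access because a request comes from the internal LAN, with a zero trust check that evaluates identity (MFA), session freshness, device posture, and a per-resource role allow-list for every request. The policy table, the 15-minute re-authentication window and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed policy (not OpenVPN's): which roles may reach each segmented
# resource, and what the identity and device pillars require for it.
RESOURCE_POLICY: Dict[str, dict] = {
    "payroll-db": {"roles": {"finance"}, "mfa": True, "managed_device": True},
    "wiki": {"roles": {"finance", "engineering", "sales"}, "mfa": True, "managed_device": False},
}
MAX_AUTH_AGE_S = 900  # assumed value: re-verify identity every 15 minutes

@dataclass
class Request:
    user: str
    role: str
    resource: str
    source_ip: str
    mfa_verified: bool
    auth_age_s: int        # seconds since the last successful authentication
    device_managed: bool
    device_patched: bool

def perimeter_decision(req: Request) -> bool:
    """Implicit-trust model the article argues against: on the LAN means trusted."""
    return req.source_ip.startswith("10.")

def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Evaluate one request on its own merits; note that source_ip is never consulted."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if policy["mfa"] and not req.mfa_verified:          # identity pillar (IAM / MFA)
        return False, "identity not verified with MFA"
    if req.auth_age_s > MAX_AUTH_AGE_S:                  # continuous verification
        return False, "authentication stale: re-verify"
    if policy["managed_device"] and not (req.device_managed and req.device_patched):
        return False, "device posture not compliant"    # device pillar
    if req.role not in policy["roles"]:                  # least privilege / segmentation
        return False, f"role {req.role!r} not allowed on {req.resource}"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed request: an insider on the office LAN, no MFA, unmanaged laptop.
    insider = Request("alice", "sales", "payroll-db", "10.0.4.17",
                      mfa_verified=False, auth_age_s=60,
                      device_managed=False, device_patched=False)
    print("perimeter model:", perimeter_decision(insider))   # True
    print("zero trust:", zero_trust_decision(insider))       # (False, 'identity not verified with MFA')
```

The same request is waved through by the perimeter check and denied by the zero trust check, and the denial reason is exactly the kind of event the monitoring pillar should surface for review.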
Implementing ZTA starts with ZTNA technologies and then extends to zero trust policies and procedures. But, when it comes down to it, the biggest obstacle is creating a shift in the mindset around ZTA and ZTNA as a whole.
It should be noted that implementing an entirely new architecture can be far more daunting than implementing one set of technologies. Many small and mid-size businesses find it more effective to ease into zero trust implementation, first setting up ZTNA basics and then moving into the architecture as a whole. No matter which strategy you prefer for your business, there are a few commonalities to consider:
Begin by evaluating your current security infrastructure to identify vulnerabilities and critical assets. This assessment forms the foundation for your zero trust roadmap.
During this step, you’ll identify all users, their locations, and how they typically interact with assets and sensitive data in your organization. Identify critical assets and systems and where they are currently housed, how they can be accessed, and through which networks your team works. If you have a business VPN product in place, this is a good time to determine what data is currently being routed through tunneling or split tunneling so you can note any traffic that should be tunneled and isn’t (yet).
You may find this step to be the most time consuming — don’t worry, that’s actually a good thing. The more deeply you know and understand your attack surface and current security risks and posture, the easier it becomes to identify the areas of weakness that should be addressed first.
Next, you’ll need to take your assessment and design your zero trust roadmap. This can be broken into a few smaller steps.
For example, you likely already have a VPN for secure remote access or protecting access to SaaS apps in place. That means you are already able to enforce some of the core principles of zero trust, like least privilege access and continuous sign-on, without needing to purchase entirely new software.
Employees play a crucial role in the success of any security initiative, but especially when it comes to zero trust. Training and educating your team on zero trust principles and best practices fosters a culture of security awareness and adherence to new protocols, but it can’t rest only with the security or IT team. Zero trust requires an organization-wide culture shift to embrace skepticism, and if your team is used to being trusted implicitly, this can come with some pushback.
When educating employees on your zero trust initiatives, try adjusting the message and framing it positively: you’re on a journey to “build digital trust.” Remind them that zero trust as a practice does not mean you want to lock them out of systems, or that they will need to take extra, time-consuming steps that they really don’t care about. Rather, it just means they will need to verify their identity to gain full access to the things they need, which helps prevent phishing attacks and breaches.
Although ZTA (and ZTNA) are ongoing practices and architectures that will continually evolve with the changes in cybersecurity, there are a few best practices to keep in mind. These include:
ZTA is not immune to trending technologies, like AI and machine learning. Although these enhancements may one day reshape the architecture as a whole, for now ZTA remains a dynamic, forward-looking security model. For IT managers, the future will likely involve more zero trust initiatives — whether full zero trust architecture or smaller technology adoptions like zero trust network access. No matter what the future holds, the transition from a perimeter-based security model to zero trust is not linear and it is not done with the flip of a switch. It is a journey.
To find out how OpenVPN can help in your journey to zero trust, take a tour of our cloud-based secure remote access VPN, CloudConnexa.