According to APWG’s Q4 2021 report, phishing attacks in December 2021 reached the highest monthly total the group had ever recorded, while ransomware attacks hit companies of all sizes across industries.
Phishing is the most common way of stealing login credentials and gaining unauthorized access to company networks, and it is one of the reasons why zero trust now matters more than ever: a valid credential on its own should not be enough to get in.
Zero trust is a network security model that replaces the implicit trust granted by network location with strict verification of every user and device, in order to minimize the incidence and impact of insider threats, including attackers who have obtained an insider’s credentials.
An insider threat is either a malicious actor operating inside the business systems or a well-meaning user making an inadvertent error. The two often go hand in hand; for instance, when an unwitting worker falls for a legitimate-looking phishing lure set by a crafty adversary, the adversary becomes the insider.
Zero trust policies tackle this challenge in two ways: very strict verification of every access request, and damage containment by withholding any access privileges that are not needed (i.e. segmentation).
In the past, everyone connecting from a trusted zone, typically a company LAN, was automatically allowed access to multiple systems without major restraint. The zero trust model does away with this idea and instead verifies the identity of every user to make sure they are who they claim they are.
Connections to systems are established only after successful authentication and authorization. To improve the accuracy of identity verification, and to reduce risk if a user’s credentials are stolen, it’s common practice in zero trust architectures to employ multi-factor authentication (MFA), where users are required to supply additional identity information (tokens, one-time passcodes, biometric data, etc.) before being allowed through.
Authentication does not end the protection. Even after a user is verified, their traffic is never sent in the clear over public networks: in zero trust, all communications are encrypted and encapsulated in a private tunnel (e.g. IPsec) to prevent eavesdropping and misuse.
Fig. 1 - Legacy approach vs. zero trust access control
When an adversary does succeed in penetrating a private network, it is important that they do not get free rein over the entire infrastructure. Zero trust emphasizes access control rules based on the principle of least privilege.
Least privilege means that a user should only have access to those resources they need to perform their role. For instance, a marketing team member may have access to the CRM system, the content management system, and marketing analytics tools, but not to development tools, accounting data, or invoices. The idea is that if an attacker uses an employee’s access credentials, they will only reach the same systems the employee could, which leaves them less room to move laterally and escalate the attack.
This approach is called segmentation and its purpose is to contain the threat in a limited space rather than opening up business-critical systems by default.
In order for segmentation by least privilege to work, access rules have to be granular enough, and need to include methods of assigning access for individual users to individual resources with varying degrees of permission. User access needs to be verified for every session, so that the zone of implicit trust is as small as possible.
Application-layer segmentation is based on different degrees of access privileges granted upon user authorization. This approach is reasonably easy to manage, but, on its own, it offers no control over network-level access: users (and anyone holding their session) can usually still reach hosts they are not authorized to use, which is exactly the room for lateral movement an attacker wants.
Network-layer segmentation, on the other hand, is an access control policy traditionally configured on a key network device, such as a firewall (by means of rules) or a router or switch (ACLs/VLANs). While it contains an intruder far more effectively, it can be difficult to configure and slow to adapt to changes, and ideally requires a dedicated access control tool.
A comprehensive zero-trust architecture usually embodies a combination of both these approaches.
Zero trust network access (ZTNA) is an implementation of the zero trust concept in network architecture. ZTNA architecture can follow the model of intent-based networking, software-defined networks, or software-defined perimeter.
ZTNA is different from purely gateway-based architectures or microsegmentation achieved primarily by software agents running on host devices. These models typically operate on the application layer (layer 7); ZTNA will often incorporate their elements, but it works on both the application and the network layer.
The zero trust mindset applied on the network disregards the idea of a company network as a “safe zone” whose every participant enjoys implicit trust. The thinking is to accommodate the decentralizing trend in business networks catalyzed by the popularity of remote work.
As the traditional concept of company LAN is being phased out and is effectively moving to the internet, the company no longer controls every device, and employees do not always connect via company-owned infrastructure. In such a model, it’s hard to tell who has a legitimate right to access company resources and who represents a hazard.
ZTNA addresses this by enabling the verification of both users and devices attempting to connect to company assets on local networks, remote branches, or clouds, all the while aiming to ensure a consistent level of security throughout the whole infrastructure.
Network deployment under the ZTNA philosophy has to account for the combination of company-owned infrastructure and devices, company-owned resources curated by a third party (such as assets in the public cloud), and assets entirely out of company ownership like public wifi, home networks, personal devices, or contracting workers.
Simultaneously, the ZTNA architecture has to ensure consistent security posture across all assets, whether the organization’s own or third-party. No remote connection or local authentication attempt can be inherently trusted, which means the same security measures (such as access control rules and network encryption) apply to every resource regardless of location.
Zero trust network access fulfills four primary functions, described in turn below: per-session authentication of user and device, least-privilege access, privacy-conscious access logging, and encryption of all traffic.
ZTNA separates application access from network access. It only establishes a connection once both the user and device have been authenticated, and on a strictly per-session basis.
Only after being authenticated does the user receive access privileges, which correspond strictly to what the user is allowed to do and no more.
Data protection regulations such as GDPR require data controllers to demonstrate accountability and to be able to investigate and report a breach, which in practice means retaining access history for post-compromise analysis and auditing. At the same time, the data minimisation principle applies to the logs themselves. The ZTNA model therefore implements access history logging that is granular enough to provide relevant insights into potential breaches (who reached which resource, from which device, with what outcome) yet privacy-conscious enough not to record request contents or other personal or sensitive data.
The majority of online communication today is encrypted via HTTPS. However, TLS only protects the application data: the IP and TCP headers, and with them the source and destination addresses and ports, travel in the clear, so an on-path observer can still see which device is talking to which service.
ZTNA extends this protection further by encapsulating the whole packet in an encrypted tunnel, so that the inner IP and TCP headers, including the real source and destination addresses, are hidden along with the payload. An observer on the internet then sees only the tunnel endpoints (the client and the gateway), not the internal devices and services being accessed, which makes the transmission remarkably difficult to intercept and read. The tunnel does not hide the fact that traffic is flowing, nor its volume and timing, so it is a confidentiality measure, not an anonymity one.
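The difference between payload-only encryption and tunnel encapsulation is easiest to see by asking what a passive observer can parse out of each packet. The following Go program is an added example, not code from the original article or from any ZTNA product: it builds a TLS-like packet (addresses and ports in the clear, application bytes under AES-GCM) and then wraps that same packet in an ESP-style tunnel between two gateways, and shows what an observer reads in each case. The addresses, ports, keys and application data are constructed, and the TLS record and ESP framing are minimal stand-ins, not wire-compatible implementations.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"net"
)

const (
	protoTCP = 6
	protoESP = 50 // IPsec ESP, the tunnel carrier in this example
)

// ipv4Header builds a minimal 20-byte IPv4 header (no options; the checksum
// is left zero because nothing here puts the packet on a wire).
func ipv4Header(src, dst net.IP, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, IHL 5
	binary.BigEndian.PutUint16(h[2:4], uint16(20+payloadLen))
	h[8] = 64 // TTL
	h[9] = proto
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	return h
}

// tcpHeader builds a minimal 20-byte TCP header carrying only the ports.
func tcpHeader(sport, dport uint16) []byte {
	h := make([]byte, 20)
	binary.BigEndian.PutUint16(h[0:2], sport)
	binary.BigEndian.PutUint16(h[2:4], dport)
	h[12] = 0x50 // data offset: 5 words
	h[13] = 0x18 // PSH|ACK
	return h
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prefixes the random nonce to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal and fails on any tampering.
func unseal(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// TLSLikePacket models HTTPS: addresses and ports stay readable, only the
// application bytes are encrypted.
func TLSLikePacket(key []byte, src, dst net.IP, dport uint16, app []byte) ([]byte, error) {
	ct, err := seal(key, app)
	if err != nil {
		return nil, err
	}
	seg := append(tcpHeader(51000, dport), ct...)
	return append(ipv4Header(src, dst, protoTCP, len(seg)), seg...), nil
}

// TunnelPacket wraps a whole inner IP packet in ESP between two tunnel
// endpoints, so the inner addresses, ports and data are all ciphertext.
func TunnelPacket(key []byte, gwSrc, gwDst net.IP, inner []byte) ([]byte, error) {
	ct, err := seal(key, inner)
	if err != nil {
		return nil, err
	}
	esp := make([]byte, 8, 8+len(ct)) // SPI + sequence number, then payload
	binary.BigEndian.PutUint32(esp[0:4], 0x1001)
	binary.BigEndian.PutUint32(esp[4:8], 1)
	esp = append(esp, ct...)
	return append(ipv4Header(gwSrc, gwDst, protoESP, len(esp)), esp...), nil
}

// OpenTunnel is the receiving gateway's side: drop the outer header and the
// ESP fields and decrypt the inner packet.
func OpenTunnel(key, pkt []byte) ([]byte, error) {
	if len(pkt) < 28 || pkt[9] != protoESP {
		return nil, fmt.Errorf("not an ESP packet")
	}
	return unseal(key, pkt[28:])
}

// Observation is everything a passive on-path observer can read.
type Observation struct {
	Src, Dst         string
	Proto            byte
	SrcPort, DstPort uint16 // zero when no transport header is readable
	Payload          []byte // whatever follows the readable headers
}

// Observe parses only what is in the clear: the outer IP header, and the
// TCP ports if the packet is plain TCP. Everything else is opaque bytes.
func Observe(pkt []byte) Observation {
	o := Observation{Src: net.IP(pkt[12:16]).String(), Dst: net.IP(pkt[16:20]).String(), Proto: pkt[9]}
	rest := pkt[20:]
	if o.Proto == protoTCP && len(rest) >= 20 {
		o.SrcPort = binary.BigEndian.Uint16(rest[0:2])
		o.DstPort = binary.BigEndian.Uint16(rest[2:4])
		rest = rest[20:]
	}
	o.Payload = rest
	return o
}

func main() {
	tlsKey, tunKey := make([]byte, 32), make([]byte, 32) // constructed demo keys
	tlsKey[0], tunKey[0] = 1, 2
	client, server := net.ParseIP("10.1.2.3"), net.ParseIP("10.20.0.11")
	gwA, gwB := net.ParseIP("203.0.113.5"), net.ParseIP("198.51.100.9")
	app := []byte("GET /invoices/2021-12 HTTP/1.1") // constructed request
	tls, _ := TLSLikePacket(tlsKey, client, server, 443, app)
	tun, _ := TunnelPacket(tunKey, gwA, gwB, tls)
	fmt.Printf("TLS only : %+v\n", Observe(tls)) // real endpoints and port 443 visible
	fmt.Printf("tunnelled: %+v\n", Observe(tun)) // only gateway addresses and proto 50 visible
}
```

Run it and compare the two Observation lines: for the TLS-only packet the observer still learns that 10.1.2.3 is talking to 10.20.0.11 on port 443; for the tunnelled packet it learns only that two gateways exchange ESP. Note that the tunnel key here is shared directly; a real tunnel negotiates it per session (IKE for IPsec), and the observer still sees packet sizes and timing.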
The principle of least privilege that ZTNA is built on requires that access is granted on a need-to-know basis, where users only receive access to resources they have a legitimate reason to use. Privileges within a resource follow the same line: for example, only the accounting team should be able to file and edit invoices, and no one in the company except the designated administrator should hold administrator privileges on the company data repository.
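The least-privilege rules, the per-session decision that feeds both the application and the network layer, and the privacy-conscious audit record discussed above can be shown in one place. The Go program below is an added example (it is not code from the original article or any ZTNA product): a deny-by-default policy decision point that checks the session’s second factor and device, looks the action up in a role-to-resource policy, derives the single network allow rule an enforcement point would install for that session, and writes a JSON audit line in which the user identity is replaced by an HMAC pseudonym. The roles, resources, device IDs, addresses, users and the audit key are all constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Request is one access attempt, carrying the verification results the
// identity and device layers have already established for this session.
type Request struct {
	User        string // human identity; never written to the audit log as-is
	Role        string
	MFAVerified bool // second factor completed in this session
	DeviceID    string
	Resource    string
	Action      string
	ClientIP    string
}

// rolePolicy maps role -> resource -> permitted actions (constructed).
// Anything not listed is denied.
var rolePolicy = map[string]map[string][]string{
	"marketing":  {"crm": {"read", "write"}, "cms": {"read", "write"}, "analytics": {"read"}},
	"accounting": {"invoices": {"read", "write"}},
	"admin":      {"repo": {"read", "write", "admin"}},
}

// managedDevices lists device IDs that passed posture checks (constructed).
var managedDevices = map[string]bool{"lap-0042": true, "lap-0107": true}

// resourceEndpoint gives the network location of each resource (constructed);
// it turns the application-layer decision into a network-layer rule.
var resourceEndpoint = map[string]string{
	"crm": "10.20.0.11:443", "cms": "10.20.0.12:443", "analytics": "10.20.0.13:443",
	"invoices": "10.30.0.5:443", "repo": "10.40.0.2:22",
}

// Decision is the outcome for one request. NetRule is the only path the
// enforcement point opens for this session; it is empty on denial.
type Decision struct {
	Allow   bool
	Reason  string
	NetRule string
}

// Authorize is deny-by-default: every check must pass, every time.
func Authorize(r Request) Decision {
	if !r.MFAVerified {
		return Decision{Reason: "second factor not verified"}
	}
	if !managedDevices[r.DeviceID] {
		return Decision{Reason: "unknown or non-compliant device"}
	}
	actions, ok := rolePolicy[r.Role][r.Resource]
	if !ok {
		return Decision{Reason: "resource outside role scope"}
	}
	for _, a := range actions {
		if a == r.Action {
			return Decision{Allow: true, Reason: "role permits action",
				NetRule: fmt.Sprintf("allow %s -> %s", r.ClientIP, resourceEndpoint[r.Resource])}
		}
	}
	return Decision{Reason: "action not permitted on resource"}
}

// AuditRecord is what gets retained: a pseudonymous subject, the device,
// the resource and action, and the outcome. No request content is kept.
type AuditRecord struct {
	Time     string `json:"time"`
	Subject  string `json:"subject"` // HMAC of the identity; the key stays out of the log store
	Device   string `json:"device"`
	Resource string `json:"resource"`
	Action   string `json:"action"`
	Allow    bool   `json:"allow"`
	Reason   string `json:"reason"`
}

// pseudonym is stable for one identity under one key, so incidents can be
// correlated and, with the key, attributed, while log readers see no name.
func pseudonym(key []byte, user string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(user))
	return hex.EncodeToString(m.Sum(nil))[:16]
}

// AuditLine renders one JSON record for a decision.
func AuditLine(auditKey []byte, r Request, d Decision, at time.Time) (string, error) {
	rec := AuditRecord{Time: at.UTC().Format(time.RFC3339), Subject: pseudonym(auditKey, r.User),
		Device: r.DeviceID, Resource: r.Resource, Action: r.Action, Allow: d.Allow, Reason: d.Reason}
	b, err := json.Marshal(rec)
	return string(b), err
}

func main() {
	key := []byte("constructed-audit-key") // in production: a managed secret, not a literal
	alice := Request{User: "alice@example.com", Role: "marketing", MFAVerified: true,
		DeviceID: "lap-0042", Resource: "crm", Action: "read", ClientIP: "10.1.2.3"}
	noMFA, wrongScope := alice, alice
	noMFA.MFAVerified = false
	wrongScope.Resource = "invoices"
	for _, r := range []Request{alice, noMFA, wrongScope} {
		d := Authorize(r)
		line, _ := AuditLine(key, r, d, time.Now())
		fmt.Printf("%-40s %s\n", d.NetRule, line)
	}
}
```

The three requests in `main` show the shape of the policy: the marketing user reading the CRM gets one allow rule to one endpoint, the same user without a verified second factor gets nothing even though the role would permit the action, and the same verified session asking for invoices is denied because the resource is outside the role. Every outcome, allowed or not, produces an audit line, which is what makes denied attempts visible to detection.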
Since so much business activity has moved inseparably into the online space, there are many entities that can benefit by adopting zero-trust policies.
While different in topology, the same zero trust mindset applies to all these scenarios equally. Access mustn’t be granted unless authorized using multiple identity factors, unknown devices and locations are disqualified unless they prove legitimacy (e.g. by a client application), access privileges allow users no further than the pool of resources associated with their role, and all communication between users and systems takes place via an encrypted tunnel.
There are several forms that a ZTNA deployment can take and they vary depending on the systems included and the overall goals they aim to achieve.
The first, identity-based approach draws primarily on user identity and its attributes in the definition of access policies. To do this, the model requires very robust and granular access policies for each system, to compensate for the fact that it often operates on a freely accessible network.
This model is common in infrastructures with a high rate of connections from third-party users and devices. Everyone is allowed onto the network, and access is then restricted per system based on individual identities and their associated privileges.
The downside of this approach is that because the network itself is open, a stolen credential or a compromised identity is enough to reach every system’s front door, so it is relatively easy for malicious actors to exploit, and constant activity monitoring is therefore essential.
As the name suggests, the model based on microsegmentation manages access structurally and hierarchically using policies configured at key nodes, such as firewalls or routers. Because those policies are keyed to network addresses rather than identities, it effectively requires that users always connect from the same device and preferably from the same location, although this can be somewhat mitigated by the use of client applications (as part of VPNs) that supply additional identity information in cases where remote access is needed.
The downside of this approach is that it takes a lot of time and skill to create, configure, and manage and can be somewhat rigid and slow to adapt to new circumstances.
The software-defined perimeter (SDP) is a broader concept that includes elements of zero trust. It combines application-layer access control with network-layer, which means it authenticates both users and devices by default.
You could think of SDP as a virtualization of a company network that does not functionally distinguish between hardware devices and cloud assets (although it can still apply different security policies to each of the two) or between in-house users and remote ones. Instead, it creates secure encrypted connections between all the communicating elements and enforces uniform access control policies across all users and resources.
A common model of SDP is a gateway/client app model with a business VPN at its core. Check this article for a full comparison of ZTNA vs VPN.
Some implementation of zero trust is nowadays a necessity, as the traditional concept of a company network is shifting into the virtual space and company boundaries have become blurred by remote work, BYOD, and distributed network deployments.
Zero trust is a response to this - it enforces strict user authentication rules, least-privilege access control, network segmentation, and encryption to improve the security posture of networks that de-emphasise physical location and instead establish connections over the public internet.