Zero Trust Security is a concept created on the belief that implicit trust is always a vulnerability, and therefore security must be designed with the strategy of “Never trust, always verify”. In its simplest form, Zero Trust restricts access to IT resources using strictly enforced identity and device verification processes.
Zero Trust identity (ZTI) and Zero Trust Access (ZTA) both ensure that no device or user is trusted by default regardless of location and type, and Zero Trust Network Access (ZTNA) limits verified users and devices to specific network segments, rather than granting access network-wide.
Zero Trust enforces the use of stringent security controls for users and devices before they can gain access to protected resources. Zero Trust identity authentication and authorization use the principle of least privilege (PoLP), which grants the absolute minimum rights required for a given function – before a single packet is transferred.
This has become necessary because of the changes in how network resources are accessed. Gone are the days of a network perimeter or VPN-only access; today’s increasingly mobile workforce and growth in the work-at-home movement demand new security methods be considered for users, while the increasingly distributed nature of computing with containers and micro-services means that device-to-device connections are increasing as well.
Thus, Zero Trust requires mutual authentication to confirm the identity and integrity of devices regardless of location, and grants access based on the combined confidence in device identity, device health, and user authentication.
Zero Trust network architecture addresses two weaknesses that have evolved as network topologies and usage have changed. Traditionally, network security was defined by a perimeter that had clear demarcation points between ‘inside’ and ‘outside’ the corporate network. This approach often granted users and devices ‘inside’ the network perimeter broad access, so that a device on one network segment could see all the other network segments within the corporate network perimeter.
Today, computing devices and access are widely distributed across cloud, mobile, edge, and IoT components that have blurred the demarcation points, making it increasingly difficult to defend the perimeter. Since ZTNA assumes that nothing inside or outside the network perimeter is to be trusted, every transaction and connection is authenticated on every access. Once authenticated, ZTNA places the session in a micro-segmented network with extremely limited access. Zero Trust identity is not based on the IP address but on logical attributes such as virtual machine names.
There are many use cases for Zero Trust including limiting access for outside third parties such as vendors and contractors, isolating IoT devices, and providing for secure remote connectivity for an increasingly mobile workforce.
Zero Trust for vendors and contractors.
There have been many notable security breaches caused by ‘trusted’ third parties, such as the notorious Target breach. Offering broad access to outside organizations could be disastrous. Zero Trust addresses this problem in two ways: first, with strict authentication using multi-factor authentication or another identity and access management (IAM) platform that assigns each outside party a permission category defining its access within the network; second, with segmentation that limits access to just the part of the network required to perform the task or transaction with the third party.
Zero Trust and IoT.
The growth of IoT devices continues to escalate, with predictions of nearly 15 billion IoT devices by 2023. Their ubiquity (and often limited security capabilities) demands that a zero-trust approach be taken when considering IoT access to network resources. For example, IoT devices can be isolated to a single network segment designed for just that purpose, limiting a compromised IoT device’s access and lateral spread to other, more sensitive network assets.
Zero Trust for remote workers.
As more employees work outside traditional network perimeters whether due to company policy or pandemic, ZTNA provides secure employee access and limits the attack surface by ensuring that all employees – whether working from VPN or public Wi-Fi at Starbucks – connect securely to corporate data, services, and resources they need to get their jobs done.
The main principle of Zero Trust is “never trust, always verify”. No device or user is to be trusted, regardless of their location, IP address, or network access method. Every interaction on the network always requires verification wherever the source is located. Also, network access should be limited to the smallest possible segment to achieve the desired goal, since most networks are comprised of interconnected zones including on-premises infrastructure, cloud, remote, and mobile users.
For VMware, Zero Trust Security means building a modern security architecture that is designed to be much more robust and dynamic and builds trust on a much deeper and more comprehensive basis.
To achieve this more comprehensive Zero Trust approach, VMware delivers 5 pillars of zero trust architecture.
1. Device Trust
By implementing solutions such as device management, device inventory, device compliance and device authentication, organizations can greatly limit the risk that an unauthorized user gains access to a device and leverages that access for nefarious purposes.
2. User Trust
User trust is comprised of password authentication, multi-factor authentication, conditional access and dynamic scoring all geared towards “proving” this user is in fact an authorized and validated user.
3. Transport/Session Trust
Transport/session parameters build on the principle of least privilege access to resources by limiting access rights to users and applying minimum permissions required to perform the given work.
4. Application Trust
Application trust is strengthened with tools such as single sign-on (SSO), application isolation, and any-device access.
5. Data Trust
Data trust is the final pillar of the VMware Zero Trust model. Data trust strategies include protecting data at rest via encryption or immutability, frequent data integrity checks, data loss prevention (DLP), and data classification.
Each of these five pillars of Zero Trust is supported by an architecture layer of visibility and analytics as well as automation and orchestration.
Several tools and technologies contribute to best practices for Zero Trust. Here is a short list of those most critical to success:
To access any individual segment, users must pass strict identity and device verification procedures. Every session must be authenticated, authorized, and accounted for (AAA) before a communication session can be established.
To achieve Zero Trust Identity, network identities should be based on logical attributes such as multi-factor authentication (MFA), a transport layer security (TLS) certificate, application service, or the use of a logical label/tag.
Authentication only occurs after two (or more) of the factors validate the user as legitimate.
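The per-session AAA check, tag-based (rather than IP-based) identity, and least-privilege segment policy described in the three paragraphs above, together with the micro-segmentation and IoT-isolation points made earlier, can be shown as a single access-decision routine. The following is an added illustration written for this page; it is not VMware's code or any NSX API. The segment tags, roles, workload identities and sample requests are all constructed for the example.

```python
"""
Added example (not from VMware): a minimal Zero Trust access decision for one session.
Every request is evaluated from scratch (nothing is trusted because of where it comes from),
identity is a logical tag rather than an IP address, the policy grants only the one target
segment (least privilege), and every decision is recorded (the "accounting" in AAA).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed segment policy with hypothetical tags. Each protected service tag maps to:
# (user roles allowed, workload identities allowed, managed+compliant device required).
# Any target tag not listed here is denied by default.
SEGMENT_POLICY: Dict[str, Tuple[FrozenSet[str], FrozenSet[str], bool]] = {
    "app:payroll":        (frozenset({"finance"}), frozenset(), True),
    "app:build-server":   (frozenset({"engineering", "contractor"}), frozenset({"svc:ci-runner"}), True),
    # Isolated IoT segment: sensors may only reach their own collector, nothing else.
    "iot:hvac-collector": (frozenset({"facilities"}), frozenset({"iot:hvac-sensor"}), True),
}


@dataclass(frozen=True)
class Request:
    session_id: str
    source_ip: str                        # kept for the audit trail only; never used in the decision
    target_tag: str
    # Human-user attributes (left empty for workloads).
    user: str = ""
    roles: FrozenSet[str] = frozenset()
    factors: FrozenSet[str] = frozenset()  # authentication factors presented, e.g. {"password", "totp"}
    device_managed: bool = False
    device_compliant: bool = False
    # Workload attribute: identity asserted by a TLS client certificate, expressed as a logical tag.
    workload_identity: str = ""


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: List[str] = []


def authenticate(req: Request) -> Optional[str]:
    """First 'A': establish who is asking. Returns a failure reason, or None when satisfied."""
    if req.workload_identity:
        return None                       # certificate-derived tag accepted as the workload identity
    if not req.user:
        return "no_identity"
    if len(req.factors) < 2:
        return "mfa_required"             # two or more factors must validate a human user
    return None


def authorize(req: Request) -> Optional[str]:
    """Second 'A': least privilege, checked against the single target segment only."""
    policy = SEGMENT_POLICY.get(req.target_tag)
    if policy is None:
        return "unknown_segment"          # default deny
    roles_ok, workloads_ok, need_trusted_device = policy
    if req.workload_identity:
        return None if req.workload_identity in workloads_ok else "workload_not_permitted"
    if not (req.roles & roles_ok):
        return "role_not_permitted"
    if need_trusted_device and not (req.device_managed and req.device_compliant):
        return "device_untrusted"
    return None


def evaluate(req: Request) -> Decision:
    """Per-session decision: nothing is carried over from earlier sessions or inferred from location."""
    reason = authenticate(req) or authorize(req)
    decision = Decision(allowed=reason is None, reason=reason or "ok")
    # Third 'A': accounting. Every decision, allowed or denied, is logged with its context.
    who = req.workload_identity or req.user
    AUDIT_LOG.append(f"session={req.session_id} who={who} src={req.source_ip} "
                     f"target={req.target_tag} allowed={decision.allowed} reason={decision.reason}")
    return decision


if __name__ == "__main__":
    # Constructed sample: a compromised sensor on the IoT segment trying to reach payroll.
    sensor = Request("s1", "10.20.0.7", "app:payroll", workload_identity="iot:hvac-sensor")
    print(evaluate(sensor))               # denied: workload_not_permitted
    print(evaluate(Request("s2", "10.20.0.7", "iot:hvac-collector", workload_identity="iot:hvac-sensor")))
    for line in AUDIT_LOG:
        print(line)
```

Note that `source_ip` appears only in the audit record: an address on an "inside" range earns no additional trust, which is the behavioural difference from perimeter-based access control. The same user is denied with one factor and allowed with two, and a contractor with MFA but an unmanaged device is still refused, so device trust and user trust are both required rather than either alone.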
To maintain a Zero Trust network, IT must:
For a comprehensive implementation of a Zero Trust Network Architecture, VMware offers VMware Service-defined Firewall, a distributed, scale-out internal firewall, built on VMware NSX, to secure east-west traffic across multi-cloud environments.
With the VMware Service-defined Firewall, enterprises gain deep visibility and comprehensive policy controls from a single pane of glass.