What is Zero Trust Security?

Zero Trust Security is a concept created on the belief that implicit trust is always a vulnerability, and therefore security must be designed with the strategy of “Never trust, always verify”. In its simplest form, Zero Trust restricts access to IT resources using strictly enforced identity and device verification processes.

Zero Trust identity (ZTI) and Zero Trust Access (ZTA) both ensure that no device or user is trusted by default regardless of location and type, and Zero Trust Network Access (ZTNA) limits verified users and devices to specific network segments, rather than granting access network-wide.

Zero Trust enforces the use of stringent security controls for users and devices before they can gain access to protected resources. Zero Trust identity authentication and authorization use the principle of least privilege (PoLP), which grants the absolute minimum rights required for a given function – before a single packet is transferred.

This has become necessary because of the changes in how network resources are accessed. Gone are the days of a network perimeter or VPN-only access; today’s increasingly mobile workforce and growth in the work-at-home movement demand new security methods be considered for users, while the increasingly distributed nature of computing with containers and micro-services means that device-to-device connections are increasing as well.

Thus, Zero Trust requires mutual authentication to confirm the identity and integrity of devices regardless of location to grant access based on the confidence of device identity, device health, and user authentication combined.

Zero Trust network architecture addresses two weaknesses that have evolved as network topologies and usage have changed. Traditionally, network security was defined by a perimeter that had clear demarcation points between ‘inside’ and ‘outside’ the corporate network. This approach often granted users and devices ‘inside’ the network perimeter broad access, so that a device on one network segment could see all the other network segments within the corporate network perimeter.

Today, computing devices and access are greatly distributed with cloud, mobile, edge, and IoT, components that have blurred the demarcation points thus making it increasingly difficult to defend the perimeter. Since ZTNA assumes that everything inside or outside the network perimeter is not to be trusted, every transaction and connection is authenticated for every access. Once authenticated, ZTNA creates a micro-segmented network with extremely limited access. Zero Trust identity is not based on the IP address but on logical attributes such as virtual machine names.

There are many use cases for Zero Trust including limiting access for outside third parties such as vendors and contractors, isolating IoT devices, and providing for secure remote connectivity for an increasingly mobile workforce.

Zero Trust for vendors and contractors. 

There have been many notable security breaches caused by ‘trusted’ third parties, such as the notorious Target breach. Offering broad access to outside organizations could be disastrous. Zero Trust addresses this problem in two ways, first with strict authentication using multi-factor authentication or other identity and access management (IAM) platform that enables each outside party to be assigned a permission category that defines their access within the network. Additionally, segmentation can limit access to just that part of the network required to perform the task or transaction with the third party.

Zero Trust and IoT.

The growth of IoT devices continues to escalate with predictions of nearly 15 billion IoT devices by 2023. Their ubiquity (and often limited security capabilities) demand that a zero-trust approach be taken when considering IoT access to network resources. For example, IoT devices can be isolated to a single network segment designed for just that purpose, limiting a compromised IoT device’s access and lateral spread to other, more sensitive network assets.

Zero Trust for remote workers. 

As more employees work outside traditional network perimeters whether due to company policy or pandemic, ZTNA provides secure employee access and limits the attack surface by ensuring that all employees – whether working from VPN or public Wi-Fi at Starbucks – connect securely to corporate data, services, and resources they need to get their jobs done.

The main principle of Zero Trust is “never trust, always verify”. No device or user is to be trusted, regardless of their location, IP address, or network access method. Every interaction on the network always requires verification wherever the source is located. Also, network access should be limited to the smallest possible segment to achieve the desired goal, since most networks are comprised of interconnected zones including on-premises infrastructure, cloud, remote, and mobile users.

For VMware, Zero Trust Security means building a modern security architecture that is designed to be much more robust and dynamic and builds trust on a much deeper and more comprehensive basis.

To achieve this more comprehensive Zero Trust approach, VMware delivers 5 pillars of zero trust architecture.

The main principle of Zero Trust is “never trust, always verify”. No device or user is to be trusted, regardless of their location, IP address, or network access method. Every interaction on the network always requires verification wherever the source is located. Also, network access should be limited to the smallest possible segment to achieve the desired goal, since most networks are comprised of interconnected zones including on-premises infrastructure, cloud, remote, and mobile users.

For VMware, Zero Trust Security means building a modern security architecture that is designed to be much more robust and dynamic and builds trust on a much deeper and more comprehensive basis.
To achieve this more comprehensive Zero Trust approach, VMware delivers 5 pillars of zero trust architecture.

1.   Device Trust

By implementing solutions such as device management, device inventory, device compliance and device authentication, organizations can greatly limit the risk that a non-authorized user gains access to a device and leverages that access for nefarious purposes.

2.  User Trust

User trust is comprised of password authentication, multi-factor authentication, conditional access and dynamic scoring all geared towards “proving” this user is in fact an authorized and validated user.

3.   Transport/Session Trust

Transport/session parameters build on the principle of least privilege access to resources by limiting access rights to users and applying minimum permissions required to perform the given work.

4.   Application Trust

Enhancing application trust parameters are made capable with tools such as single sign-on (SSO), isolation and any device access.

5.   Data Trust

Data trust is the final pillar of the VMware Zero Trust model. Data trust strategies include protecting data at rest via encryption or immutability, data integrity (checking data integrity often), DLP (data loss prevention) and data classification.

Each of these five pillars of Zero Trust is supported by an architecture layer of visibility and analytics as well as automation and orchestration.

• Analytics and Automation
  
  These five pillars of Zero Trust, together, provide a comprehensive security approach that lends itself to analytics and automation. By layering analytics and automation solutions on top of this five pillar approach, organizations can gain insightful data regarding their organization’s security posture.
  
  Log location, maintaining a central repository for all logs, dashboards for monitoring and a centralized console for troubleshooting all enable true analytics and automation drawn from the solutions standing up to the five pillars of Zero Trust.
• Automation and Orchestration
  
  Enacting a strong Zero Trust policy requires more processes and policies to achieve this more secure environment. Automation and orchestration make this process more attainable by moving manual redundant processes into an automated and orchestrated approach.  
  
  Here, strategies such as maintaining a compliance engine on the device, APIs for integration with external programs and contextual workflows for automatic remediation all enable a more automated and secure approach to Zero Trust.
  

Several tools and technologies contribute to best practices for Zero Trust. Here is a shortlist of those most critical to success:

• Trust nothing, authenticate everything.
  
  Assume all devices are compromised and never trust any device that has not been verified. ZTI tools assist with endpoint security by pushing identity controls out to endpoints to help ensure devices are first enrolled before access is granted to corporate resources. Device enrollment also simplifies identifying and verifying every device granted access and ensures devices meet ZTNA security requirements.


• Adopt network micro-segmentation
  
  A Zero Trust Network Architecture only grants access to small segments of the network at a time — and only to users who confirm they are authorized to access each network segment. User and device authentication are carried out at a micro-segment level. Connectivity to each micro-segment is based on a need-to-know model. No DNS information, internal IP addresses, or even visible ports of the internal network infrastructure are transmitted.

To access any individual segment, users must pass strict identity and device verification procedures. Every session must be authenticated, authorized, and accounted for (AAA) before a communication session can be established.

To achieve Zero Trust Identity, network identities should be based on logical attributes such as multi-factor authentication (MFA), a transport layer security (TLS) certificate, application service, or the use of a logical label/tag.

• Limit Access based on the Principle of Least Privilege (PoLP)
  
  PoLP limits permissions and access to the absolute minimum required to perform a specific task. If a user only requires read access, don’t grant read or execute access.
  
  PoLP equally applies to users and devices, so IoT devices, connected applications, and micro-services should only be granted the minimum permission levels required to complete their transactions.
  
  
• Deploy multi-factor authentication (MFA)
  
  MFA has become popular for consumer banking and finance websites, and MFA makes perfect sense as part of a zero-trust environment as well. As a rule, MFA requires users to present at least two things including:


• Something known. A secret such as a password, PIN, or phrase the user has memorized


• Something possessed. An object or token in the user’s possession such as a smartphone or smart card can generate or display a one-time use code to be provided along with something known.


• Something human. Biometric information can include a fingerprint, face scan, or retina scan

Authentication only occurs after two (or more) of the factors validate the user as legitimate.

To maintain a Zero Trust network, IT must:

• Have a clear picture of all the users and devices that have access to the network and what access privileges they require to do their jobs.
• Ensure that network security policies are kept up to date and to test policy effectiveness regularly to make sure no vulnerabilities have escaped notice.
• Continue compliance monitoring including monitoring network traffic constantly for unusual or suspicious behavior.
• Have visibility at a traffic flow level and at a process and data context level to better enable mapping normal traffic flow to better target irregular communication patterns.

With the VMware Service-defined Firewall, enterprises gain deep visibility and comprehensive policy controls from a single pane of glass.

For a comprehensive implementation of a Zero Trust Network Architecture, VMware offers VMware Service-defined Firewall, a distributed, scale-out internal firewall, built on VMware NSX, to secure east-west traffic across multi-cloud environments.