Zero Trust Security is a security architecture that limits access to resources via strict identity and device verification procedures. Zero Trust is based on the concept of “never trust, always verify” and recognizes that traditional security models are no longer effective.
Zero Trust Security incorporates the concepts of Zero Trust Identity (ZTI) and Zero Trust Network Architecture (ZTNA). Zero Trust Identity ensures that no endpoint is trusted by default, regardless of its location or type. Zero Trust Network Architecture limits users' and devices' access to specific segments of a network.
Users and their devices must pass stringent security controls to gain access to protected entities. Authenticating and authorizing each request before a single packet is permitted to reach the target service enforces what is known as “least privilege”, in which entities are granted only the minimum privileges needed to get the job done.
A Zero Trust network architecture solves two critical gaps in traditional network design: First, a traditional network security model provides a static perimeter with a clearly defined network and security demarcation points. However, with mobile, cloud, IoT, and edge computing, the network becomes blurred by numerous entry points, making assets behind the perimeter increasingly difficult to defend.
Zero Trust Network Architecture tackles this issue by not trusting anything either inside or outside an organization network. The traditional perimeter has less relevance, and nothing is trusted. As a result, organizations can have numerous entry points with security right at the workload level.
Second, traditional networks often operate with a broad level of access. Once on a segment, there is the potential to view and access all other devices. A broad level of access presents a large attack surface and lateral movement without scrutiny.
A Zero Trust Network Architecture inverts this approach by creating small micro-segments within a network, each with very limited access. In this model, identity is not based on IP address but on logical attributes such as virtual machine names.
The road to achieving a Zero Trust Network Architecture begins with micro-segmentation. Micro-segmentation creates the minimal accessible network required to get specific tasks done securely. This is accomplished by subdividing larger networks into small, secure, and flexible micro-segments. Instead of having a static perimeter, micro-segmentation presents many small perimeters that follow the protected entities. This reduces the attack surface to an absolute minimum.
A Zero Trust Network Architecture only grants access to small segments of the network at a time — and only to users who confirm they are authorized to access each network segment. User and device authentication are carried out at a micro-segment level.
Connectivity to each micro-segment is based on a need-to-know model. No DNS information, internal IP addresses, or even visible ports of the internal network infrastructure are transmitted.
To access any individual segment, users must pass strict identity and device verification procedures. Every session must be authenticated, authorized, and accounted for (AAA) before a communication session can be established.
To achieve Zero Trust Identity, network identities should be based on logical attributes such as multi-factor authentication (MFA), a transport layer security (TLS) certificate, an application service, or a logical label/tag.
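The following is an added example (not code from the original page or from VMware) of how the principles above combine in a policy decision point: identity is derived from logical attributes (a TLS certificate identity, MFA status, workload tags) rather than from an IP address, traffic between micro-segments is denied unless a rule explicitly allows it, and every session attempt is authenticated, authorized and recorded (AAA). The workload names, tags and rules are constructed for the example.

```python
"""Added example: tag-based micro-segmentation policy evaluation with AAA.

Not a real product's API; the data model is constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    tags: FrozenSet[str]            # logical labels, e.g. {"web", "prod"}
    cert_cn: Optional[str] = None   # identity asserted by a TLS client certificate
    mfa_verified: bool = False      # identity asserted by an MFA-verified user session


@dataclass(frozen=True)
class Rule:
    """Allow traffic from workloads tagged src_tag to workloads tagged dst_tag."""
    src_tag: str
    dst_tag: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authenticate(w: Workload) -> Tuple[bool, str]:
    """Establish identity from logical attributes only; the source IP is never consulted."""
    if w.cert_cn:
        return True, f"cert:{w.cert_cn}"
    if w.mfa_verified:
        return True, f"user:{w.name}(mfa)"
    return False, "no verified identity"


def evaluate(src: Workload, dst: Workload, port: int, proto: str,
             rules: List[Rule], audit: List[dict]) -> Decision:
    """Authenticate, authorize against the rule set (default deny), and account."""
    ok, ident = authenticate(src)
    if not ok:
        decision = Decision(False, "authentication failed: " + ident)
    else:
        matched = [r for r in rules
                   if r.src_tag in src.tags and r.dst_tag in dst.tags
                   and r.port == port and r.proto == proto]
        if matched:
            decision = Decision(True, f"allowed by {matched[0]} for {ident}")
        else:
            # No rule between these segments: the micro-segment is invisible.
            decision = Decision(False, f"default deny for {ident}")
    # Accounting: every attempt, allowed or not, is recorded.
    audit.append({"src": src.name, "dst": dst.name, "port": port,
                  "proto": proto, "allowed": decision.allowed,
                  "reason": decision.reason})
    return decision


# Constructed rule set: web tier may reach app tier on 8443, app tier may reach db on 5432.
RULES = [Rule("web", "app", 8443), Rule("app", "db", 5432)]

WEB = Workload("web-01", frozenset({"web", "prod"}), cert_cn="web-01.prod.example")
APP = Workload("app-01", frozenset({"app", "prod"}), cert_cn="app-01.prod.example")
DB = Workload("db-01", frozenset({"db", "prod"}), cert_cn="db-01.prod.example")
UNKNOWN = Workload("laptop-7", frozenset({"corp"}))  # no certificate, no MFA


def demo() -> List[dict]:
    """Run a few session attempts and return the accounting records."""
    audit: List[dict] = []
    evaluate(WEB, APP, 8443, "tcp", RULES, audit)   # allowed
    evaluate(WEB, DB, 5432, "tcp", RULES, audit)    # denied: no web->db rule
    evaluate(APP, DB, 5432, "tcp", RULES, audit)    # allowed
    evaluate(UNKNOWN, APP, 8443, "tcp", RULES, audit)  # denied: not authenticated
    return audit


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Note that a request from `web-01` to the database is refused even though the web workload has a valid identity: authorization is per segment and per port, not a single gate at a perimeter.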
For a comprehensive implementation of a Zero Trust Network Architecture, VMware offers VMware Service-defined Firewall, a distributed, scale-out internal firewall, built on VMware NSX, to secure east-west traffic across multi-cloud environments.
To maintain a Zero Trust network, we need to consider several areas:
First, to set up adequate security controls, IT needs to have a clear picture of all the users and devices that have access to the network and what access privileges they require to do their jobs.
IT also needs to ensure that network security policies are kept up to date. It’s a good idea to test policy effectiveness regularly to make sure no vulnerabilities have escaped notice. In addition, IT must keep up compliance monitoring, continuously inspecting network traffic for unusual or suspicious behavior.
Finally, we need visibility at a traffic flow level and at a process and data context level. Without this type of granular application visibility, it's challenging to map and fully understand normal traffic flow vs. irregular communication patterns.
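As an added example of the monitoring and policy-testing points above (not code from the original page or from VMware), the following compares observed east-west flow records against the expected baseline of segment-to-segment communication. Flows outside the baseline are reported whether they were blocked (an attempt worth investigating) or permitted (a gap in the policy). The log format, workload names and tags are constructed for the example.

```python
"""Added example: reviewing flow records against a micro-segment baseline.

The key=value flow-log format below is constructed for this example and is
not a real product's log format.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample flow records.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z src=web-01 src_tags=web,prod dst=app-01 dst_tags=app,prod port=8443 proto=tcp action=allow
2024-05-01T10:00:02Z src=app-01 src_tags=app,prod dst=db-01 dst_tags=db,prod port=5432 proto=tcp action=allow
2024-05-01T10:00:03Z src=web-01 src_tags=web,prod dst=db-01 dst_tags=db,prod port=5432 proto=tcp action=deny
2024-05-01T10:00:04Z src=web-02 src_tags=web,prod dst=app-01 dst_tags=app,prod port=22 proto=tcp action=allow
2024-05-01T10:00:05Z src=app-01 src_tags=app,prod dst=db-01 dst_tags=db,prod port=5432 proto=tcp action=allow
"""

# Expected communication between segments: (src_tag, dst_tag, port, proto).
BASELINE: Set[Tuple[str, str, int, str]] = {
    ("web", "app", 8443, "tcp"),
    ("app", "db", 5432, "tcp"),
}

KV = re.compile(r"(\w+)=(\S+)")


def parse_flow(line: str) -> Dict:
    """Parse one flow record into a dict with typed fields."""
    ts, rest = line.split(" ", 1)
    rec: Dict = dict(KV.findall(rest))
    rec["ts"] = ts
    rec["src_tags"] = set(rec["src_tags"].split(","))
    rec["dst_tags"] = set(rec["dst_tags"].split(","))
    rec["port"] = int(rec["port"])
    return rec


def in_baseline(rec: Dict, baseline: Set[Tuple[str, str, int, str]]) -> bool:
    """True if some baseline entry covers this flow by tags, port and protocol."""
    return any(s in rec["src_tags"] and d in rec["dst_tags"]
               and rec["port"] == p and rec["proto"] == pr
               for s, d, p, pr in baseline)


def review_flows(text: str, baseline: Set[Tuple[str, str, int, str]] = BASELINE) -> List[Dict]:
    """Return one finding per flow that falls outside the expected baseline."""
    findings: List[Dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if in_baseline(rec, baseline):
            continue
        if rec["action"] == "allow":
            # Traffic the policy should not have permitted: the policy needs fixing.
            kind = "policy_gap"
        else:
            # Blocked attempt between segments that never talk: investigate the source.
            kind = "blocked_unexpected"
        findings.append({"ts": rec["ts"], "kind": kind, "src": rec["src"],
                         "dst": rec["dst"], "port": rec["port"], "proto": rec["proto"]})
    return findings


if __name__ == "__main__":
    for f in review_flows(SAMPLE_FLOWS):
        print(f)
```

Running the review over the constructed records yields two findings: the denied web-to-database attempt and an allowed SSH session from the web tier into the application tier that no baseline entry covers. The second kind is the one regular policy testing is meant to catch before an attacker does.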
With the VMware Service-defined Firewall, enterprises gain deep visibility and comprehensive policy controls from a single pane of glass.