What’s the difference between traditional information security and zero trust architecture?

Traditional approaches to information security involve corralling sensitive data into data centers protected by logins and firewalls. The assumption was that everyone inside the organization was vetted and trustworthy—as long as someone had a username and password, they could access everything on the organization’s network unchallenged. A zero trust architecture evolves this traditional cybersecurity approach by moving the onus of data protection from within the organization to each user, device, and application attempting network access. Implemented correctly, this approach to zero trust is a context-aware security architecture that can recognize patterns in user behavior and devices to adaptively grant or deny access based on factors like identity, time of day, and location.

How to get started implementing a zero trust architecture?

1. Audit the organization’s network for a clear picture of what infrastructure and endpoints are in place. This shows IT what their network security policy needs to address first. 2. Conduct a thorough threat assessment, and come up with some scenarios for what would happen if sensitive data was breached. Ask questions like “Who is most likely to access what data?” and “If the first level of security is penetrated, how easy will it be to penetrate subsequent ones?”. 2. Conduct a thorough threat assessment, and come up with some scenarios for what would happen if sensitive data was breached. Ask questions like “Who is most likely to access what data?” and “If the first level of security is penetrated, how easy will it be to penetrate subsequent ones?”. 3. Decide how to trust users, devices, and applications as separate but related entities. It’s important to grant access only to what is actually needed on a use-by-use basis. Multi-factor authentication is a good start, but it can also be helpful to adopt contextual access control tools to disable printing, copy-paste, and screenshotting in certain scenarios. You can also have all employees access their apps and data inside a secure workspace to deliver more comprehensive enterprise security. 4. Test your zero trust architecture to see how well it performs. Run scenarios where your IT team attempts to gain access to sensitive data via a lost device, unsecured wifi network, malicious URLs, or malware. This can show potential vulnerabilities in your network security in order to adapt the cybersecurity approach accordingly.

Is zero trust architecture a single product?

Zero trust security is not one product or a solution. Rather, it is an architecture or framework that IT can use to enable secure access for all applications, from any device, by continuously evaluating trust at every touchpoint.

Does zero trust mean I need to replace my entire IT infrastructure?

While implementing zero trust is not simple, it should not require you to rip-and-replace your on-premises or cloud infrastructure. The right zero trust vendor will work with you to secure your existing infrastructure, such as identity platforms, SIEM/SOC and web proxies, and SD-WAN solutions. For example, your zero trust vendor should be able to integrate with Microsoft Active Directory, Microsoft Azure AD, and Okta user directories as well as the contextual identity management policies that come with these platforms.

How do I find the right technology or services to implement a zero trust network?

Because of the comprehensive nature of a zero trust security model, IT can get stuck in an endless cycle of adding point products such as SSL VPN, endpoint management, and multi-factor authentication to address new security use cases. This can lead to more complexity and create a fractured experience for end users—all while leaving gaps in cybersecurity that attackers can exploit.

Why can’t VPNs support zero trust security?

The most fundamental difference between VPNs and zero trust security frameworks is that traditional VPNs trust blindly. With a VPN, once access is granted, a remote user gains total access to the network. To summarize the major vulnerabilities of VPNs, the following attributes stand out: 1. VPNs over-simplify authentication. 2. VPNs don’t scale. 3. VPNs aren’t optimized for employee experience.

Back to Glossary

What is zero trust security?

Q: What is Zero Trust Security?

Zero-trust security is a contextual IT security model governed by a single axiom: “Trust no one.” A zero trust model, or architecture, means that no user or device should have default access to an organization’s network, workspace, or other resources—even if they’re employed by the organization. Authorized users must pass security protocols before access is granted based on criteria like their identity, time of access, and device posture. Zero trust architecture can include access control, user identity verification, and secure workspaces to prevent malware, data exfiltration due to a VPN breach, and other attacks on sensitive data.

Q: Why is zero trust security important?

Zero trust security is important because today’s IT departments have to protect a larger attack surface while delivering an engaging user experience. Now that employees rely on personal devices for remote access to workspaces, cloud apps, and corporate resources, the likelihood of a data loss is higher than ever.

Zero trust security is a security model that trusts no one by default. In a zero trust model, anyone trying to access a company network must be continuously verified via mechanisms like multi-factor authentication (MFA). This enterprise security architecture uses such technologies to tightly control access and protect against data breaches.

Explore additional zero trust security topics:

What is the history of zero trust security?
Zero trust architecture overview
Why is zero trust security important?
What are the benefits of zero trust security?
How does a zero trust architecture work?
How do you build a zero trust network architecture?
Citrix solutions for zero trust security

What is the history of zero trust security?

The zero trust security model’s origins go back at least to the early 2000s, when a similar set of cybersecurity concepts was known as de-perimeterization. Forrester analyst John Kindervag eventually coined the term “zero trust security.” The zero trust approach came to the fore around 2009, when Google created the BeyondCorp zero trust architecture in response to the operation Aurora cyberattacks, which involved advanced persistent threats (APTs) that had eluded traditional network security architectures.

Zero trust architecture overview

The core logic of a zero trust architecture is essentially “don’t trust, always verify.” In a world of complex cybersecurity threats and hybrid workforces equipped with numerous applications and devices, zero trust security (or ZTNA for short) aims to provide comprehensive protection by never assuming a request comes from a trustworthy source—even if it originates from within the corporate firewall. Everything is treated as if it comes from an unsecured open network, and trust itself is viewed as a liability within the zero trust framework.

Zero trust security may also be called perimeterless security. This term shows how it is the polar opposite of traditional security models, which follow the principle of “trust, but verify” and regard already-authenticated users and endpoints within the company network perimeter, or those connected via virtual private network (VPN), as safe. But such implicit trust increases the risk of data loss caused by insider threats, since it allows for extensive, unchecked lateral movement across the network.

A zero trust architecture instead is built upon:

Explicit verification and continuous validation

Network users must be authenticated, authorized and validated in real time, and on an ongoing basis, to ensure that they always have the proper privileges. Numerous data points, such as user identity, geolocation and device posture, may be leveraged for this purpose. One-time validation of a user identity is no longer enough.

Least-privileged access

Zero trust security enforces the principle of least privilege, so that identities only get the lowest level of access to the network by default. In tandem with other cybersecurity practices such as network microsegmentation and adaptive access, least-privileged access sharply limits lateral movement within a zero trust security model.

Why is zero trust security important?

Zero trust data security is important because it is the most reliable cybersecurity framework for defending against advanced attacks across complex IT environments, with dynamic workloads that frequently move between locations and devices. A zero trust architecture is especially important as multi-cloud and hybrid cloud deployments become more common and expand the range of applications that companies use.

Indeed, with the number of endpoints in the typical organization on the rise and employees using BYOD and personal devices to access cloud applications and company data, traditional cybersecurity methodologies can’t reliably prevent access from bad actors. A malicious insider who has already connected to the company network via a VPN would be trusted from then on, even if their behaviour were unusual — e.g., they were downloading enormous amounts of data, accessing from an unauthorized location, or accessing logins they had not previously ventured near.

In contrast, the zero trust model is always evaluating each identity on the network for risk, with a close eye on real-time activities. At the core of this approach is the concept of least-privilege access, which means each user is given only as much access as they need to perform the task at hand. Zero trust frameworks never assume that an identity is trustworthy, and accordingly require it to prove itself before being allowed to move through the network. Another way to think of zero trust security is as a software-defined perimeter that is continuously scaling and evolving to protect applications and sensitive data, no matter the user, device, or location.

SOLUTION BRIEF

How secure is a VPN connection?

Learn how traditional VPN solutions differ from zero trust security—and why a strong VPN alternative can benefit your business.

Read the solution brief

What are the benefits of zero trust security?

The main benefits of a zero trust model are:

Superior risk mitigation from closing security gaps and controlling lateral movement on the network
Improved cybersecurity and support for mobile and remote employees
Strong protection for applications and data, whether they’re in the cloud or an on-premises datacenter
Reliable defense against ransomware, malware, phishing attacks, and advanced threats

How does a zero trust architecture work?

Implemented properly, a zero trust security model is closely attuned to behavioral patterns and data points associated with all requests made to a company network. Zero trust security solutions may grant or deny access based on criteria such as:

User identity
Geographic location
Time of day
Operating system and firmware version
Device posture
Endpoint hardware type

Effective zero trust security will be highly automated, and its protections may be delivered via cloud and/or from an on-premises implementation. Identity providers and access management are key components of any zero trust framework, since they provide a variety of critical measures such as:

Adaptive authentication: Authentication type and authorization access based on the results of the user identity, geolocation, and device posture assessment.
Multifactor authentication: Second factors like additional devices and one-time codes may be required on top of a correct password.
Single sign-on: A common set of credentials allows access to multiple applications, and can be granularly managed and revoked at any time.
Lifecycle management: Workflows like employee onboarding and offboarding can be streamlined by assessing and correlating identity directories.

Beyond these fundamental capabilities, specific zero trust security tools can also deliver advanced protection through:

Network segmentation and traffic isolation

Cybersecurity solutions such as next-generation firewalls and secure browsers help isolate traffic from the main corporate network. This segmentation curbs lateral movement, reduces risk, and minimizes the damage of a breach even if it does occur. Because risky users are confined to a relatively small subnet of the network, they cannot move laterally without authorization. Under normal circumstances, microsegmentation security policies also help limit access by user group and location.

VPN-less proxies

Classic VPNs do not align with zero trust principles, since one-time access gives a user the metaphorical keys to the kingdom. Instead of this castle-and-moat security approach, the zero trust model uses a dedicated VPN-less proxy that sits between user devices and the full spectrum of applications they need, from web and SaaS apps to client/server (TCP and UDP) based apps, and even unsanctioned web apps. This proxy can enforce granular cybersecurity measures, such as adding a watermark and disabling printing, copying, and pasting on an endpoint if the contextual evidence supports doing so.

Adaptive authentication and adaptive access

Adaptive access and authentication allow organizations to understand the state of end user devices without having to enroll them with a mobile device management (MDM) solution. Based on a detailed device analysis, the system intelligently offers the user with a suitable authentication mechanism based on their role, geo-location, and device posture.

Unified endpoint management

From one interface, administrators can manage all applications and resources across the enterprise. Unified endpoint management helps keep up with the rapid pace of updates to different applications and operating systems, plus it simplifies any complexity created by mergers and acquisitions.

Remote browser isolation

Remote browser isolation redirects the user session from a local browser to a hosted secure browser service when the access occurs on an unmanaged device. This ensures users can access their apps in a sandbox environment and allows them to stay productive. At the same time, this protects endpoints and networks from malicious content from the internet with browser isolation capabilities, creating an airgap from corporate resources.

Security analytics

Security analytics solutions amass the valuable data needed for determining what counts as anomalous activity on a network. Networks can intelligently evaluate in real time whether a request is risky and help automate security enforcements based on user behaviour and anomalies detected in the system. This helps reduce manual work for IT, provides timely enforcement, and reduces the risk of breaches.

SD-WANs

Software-defined wide area networks (SD-WANs) provide cloud security, including secure direct access to SaaS and traffic encryption, along with scalable bandwidth and intelligent traffic control for applications of all kinds.

How do you build a zero trust network architecture?

Zero trust security is not a single product, but an overarching security framework for continuously evaluating risk and controlling secure access across an environment. Accordingly, multiple solutions, including but not limited to those described above, may be deployed in tandem to support a zero trust model.

The exact process for designing and building zero trust security will vary by organization and solution set, but a common progression will involve:

Assessing existing cybersecurity controls and determining the key network flows and vulnerabilities.
Determining a protected surface that will be shielded from harm through zero trust security measures.
Implementing specific technologies such as adaptive and multifactor authentication, VPN-less proxies, and secure embedded browsers.
Continuously monitoring the network to keep tabs on suspicious activity and fine-tune the solution mix and overall cybersecurity approach as needed

Citrix solutions for zero trust security

Citrix equips companies with end-to-end solutions for realizing a zero trust architecture that defends protected surfaces. From Citrix Analytics for Security to Citrix Gateway, organizations are able to implement all mission-critical components of a zero trust architecture—all in one secure digital workspace solution.

Citrix Secure Private Access is a VPN-less solution that delivers zero trust access with adaptive authentication and SSO to IT sanctioned applications accessed from managed and BYO devices.
Citrix Endpoint Management keeps devices secure by isolating and protecting their apps and content.
Citrix Secure Internet Access provides a unified, cloud-delivered security stack to protect all applications, for every user.

Additional resources

Gartner Market Guide for Zero Trust Network Access

The Forrester New Wave^™: Zero Trust Network Access

Migrating to a VPN-less solution with Citrix Workspace

Secure access: A unified and cloud-delivered zero-trust security solution

See how you can achieve zero trust security with Citrix Workspace

Request a demo

Request a call

In North America:
1 800 424 8749

Modernize IT

Secure Distributed Work

Boost Productivity

Choose the most secure, productive way to work.

Citrix Workspace

Citrix online store

Download Citrix Workspace app

Forrester Report – New Tech: Zero Trust Network Access, Q3 2021

Empower every worker with one intelligent, flexible workspace.

GET HELP

CUSTOMER SUCCESS

Success Center

Cloud Learning Series

Born Digital