What is zero trust security?

Zero-trust security is an IT security model that limits who can access applications and data—including an organization’s employees. Zero Trust architecture uses strict security protocols to grant access, while keeping authenticated users continually protected from malware, data exfiltration and other cybersecurity attacks.

Why is zero trust security important?

Zero trust data security is important because today’s IT departments have to protect an expanding attack surface while delivering an engaging user experience.

Now that employees rely on personal devices for remote access to workspaces, cloud apps and corporate resources, the likelihood of data loss is higher than ever. This is especially true for organizations that still rely on traditional security approaches, where the network perimeter built around resources still leaves organizations vulnerable to malicious outsiders posing as legitimate insiders. Often, all it takes to gain total access to the network is a quick remote VPN login.

In contrast, the zero trust model acknowledges one of the biggest causes of data breaches today: Security models that expose some sensitive data have the potential to expose all sensitive data. To address this risk, zero trust secure access tightens the reins on access management for endpoints and users.

What’s the difference between traditional network security and zero trust architecture?

Traditional enterprise security:

Traditional enterprise security involves corralling sensitive data into data centers protected by logins and firewalls. The assumption with this approach is that everyone inside the organization is vetted and trustworthy—as long as someone has a username and password, they can access everything on the organization’s network, unchallenged. This type of access management is sometimes called the castle-and-moat approach: The castle represents the enterprise housing the data, and the moat represents the secured checkpoints surrounding that data. All access is controlled and verified at the gateway where authentication and authorization are granted. Once verified, however, users are effectively given free rein of the environment.

One example of this type of traditional enterprise security is the classic virtual private network, or VPN, which gives a remote user full access once access is granted. This “blind trust” can create some major vulnerabilities, such as:

  1. Over-simplified authentication: Many existing VPN solutions do not meet the requirements of a complex, modern workforce where applications are accessed using browsers.
  2. An inability to scale: VPNs are limited to remote access only, whereas a zero-trust framework secures the corporate network in real-time, whether users are on-premises or off.
  3. Privacy concerns: Because VPNs route both business and personal traffic through corporate IT, concerns around employee privacy may be raised.

While this security approach worked well for a time, it does not fit modern cybersecurity threats. Inadequate authentication and authorization leads to excessive access, often allowing bad actors to bypass gateways. And with the massive move to cloud and mobile, traditional perimeter-based firewalls are no longer sufficient.

Now that most organizations work in the cloud, a centralized trust-but-verify approach is increasingly less sensible. Users no longer access sensitive data from a single point or device, and that data no longer lives in one place. Essentially, there’s no longer one entrance to the castle. Cyberattacks could arrive from anywhere, at any time.

Zero trust network architecture:

A zero trust network architecture evolves this traditional cybersecurity approach by moving the onus of data protection from within the organization to each user, device and application attempting network access. Implemented correctly, this context-aware model recognizes patterns in behavior to adaptively grant or deny access based on factors like identity, time of day and location.

For an even more comprehensive framework, some organizations opt to provide employees with secure access to a protected digital workspace. This mitigates overall risk by giving users secure access to all the apps, tools and data they need without exposing the organization to unnecessary risk.

How zero trust architecture works:

What are the key considerations when implementing a zero trust enterprise network?

Ask 10 different experts for a zero trust network definition, and you’re likely to get 10 different answers. That’s because there’s no one set solution designed to fit all enterprise needs. 

Zero trust security is an overall strategy rather than a specific product. Think of it as a set of guiding principles to ensure access to apps and data remains secure—no matter where they reside, who's accessing them or what devices they use. There’s no implicit trust granted based on physical or network locations. Instead, authorization is continuous and consistently applied.

Embracing this “never trust, always verify” mindset means rethinking everything about the way an organization houses and accesses sensitive data. That means each individual enterprise will need to take its own unique approach to designing zero trust network access.

At the same time, enterprises across industries are facing increased challenges as more apps move to the cloud and employees become more distributed. That means every business needs a solution that is cloud delivered and provides access at the application layer to reduce the security attack surface. And they need to do it without compromising privacy or hindering the employee experience.

For this reason, many organizations are choosing to protect users and their apps inside a unified workspace where work gets done, rather than trying to provide piecemeal protection for sensitive data and resources from wherever users access them. This also helps ensure a good user experience.

What are the components of a strong zero trust solution?

When implementing a zero trust network, organizations should prepare to invest significant time into restructuring network security and access control at every level. Initial steps to begin building a zero trust architecture include:

  1. Auditing the organization’s network for a clear picture of what infrastructure and endpoints are in place. This shows IT what their network security policy needs to address first.
  2. Conducting a thorough threat assessment, and coming up with some scenarios for what would happen if sensitive data was breached. Ask questions like “Who is most likely to access what data?” and “If the first level of security is penetrated, how easy will it be to penetrate subsequent ones?”
  3. Deciding how to trust users, devices and applications as separate-but-related entities. It’s important to grant access only to what is actually needed on a use-by-use basis. Multi-factor authentication is a good start, but it can also be helpful to adopt contextual access control tools to disable printing, copy-paste and screenshotting in certain scenarios. You can also have all employees access their apps and data inside a secure workspace to deliver more comprehensive enterprise security.

Test your zero trust architecture to see how well it performs. Run scenarios where your IT team attempts to gain access to sensitive data via a lost device, unsecured wifi network, malicious URLs or malware. This can show potential vulnerabilities in your network security in order to adapt the cybersecurity approach accordingly.

What does it take to build a zero trust network?

When building a zero trust network, it's important to recognize upfront that zero trust security is not a single product. Rather, it helps to view the zero trust approach as an architecture or framework that can be used to enable secure access for all applications, from any device, by continuously evaluating trust at every touchpoint. This means a zero trust security model can rely on multiple vendors to deliver security policies that are granular, contextual and continuous.

With this in mind, it’s possible to begin implementation while leveraging existing IT resources. While implementing zero trust is not simple, it should not require you to rip-and-replace your on-premises or cloud infrastructure. The right zero trust vendor will work with you to secure your existing infrastructure, such as identity platforms, SIEM/SOC and web proxies and SD-WAN solutions. For example, your zero trust vendor should be able to integrate with Microsoft Active Directory, Microsoft Azure AD and Okta user directories as well as the contextual identity management policies that come with these platforms.

To ensure these various components work together seamlessly, some experts recommend choosing a single vendor to help avoid gaps that can be created when integrating various point solutions. Given the comprehensive nature of a zero trust security model, IT can often get stuck in an endless cycle of adding point products such as SSL VPN, endpoint management and multi-factor authentication (MFA). This can lead to more complexity and create a fractured experience for end users—all while leaving holes in cybersecurity that attackers can exploit.

In contrast, a single vendor can help ensure the right mix of cloud security, access control, granular policies and more.

How to identify the right technology and services when implementing a zero trust network

For a zero trust platform to be effective, access to apps and data must be aligned to the sensitivity of each session. Any providers you use should be capable of constantly monitoring user activity and device posture. This is what enables you to grant access only to specific app users based on their needs to do their jobs—rather than providing access into the network itself.

In Gartner’s guidance for zero trust network access (ZTNA), these solutions are referred to as the “products and services that create an identity- and context-based, logical-access boundary encompassing a user and...applications [that] are hidden from discovery.”

In other words...

Look for systems that allow you to individually verify every user device, location and workload. Key components to watch for include:

  • Endpoint security solutions that require laptops, smartphones, tablets, desktops and other devices to meet certain standards of compliance before access is granted to the corporate network 
  • Secure access gateway solutions to simplify remote access to everyday apps and data with a simple, secure link
  • Security analytics solutions to detect anomalies and unusual user behavior for a more proactive approach to preventing data breaches

Each of these components can be implemented individually. In many instances, however, they are all part of one overarching solution—such as a secure digital workspace designed to unify various elements of zero trust network security.

How does Citrix help businesses with zero trust security?

Citrix equips companies with an end-to-end solution for implementing a zero trust architecture, with multiple solutions designed to reduce your attack surface. Having these all in one place allows businesses to avoid the gaps often left from relying on assorted point solutions:

  • Citrix Secure Workspace Access goes beyond MFA to provide contextual access management tools such as the ability to disable printing, copying, and pasting in certain scenarios
  • Citrix Endpoint Management keeps BYO, corporate, and other managed devices secure by isolating and protecting apps and content
  • Citrix Secure Internet Access provides a unified, cloud-delivered security stack to protect all applications, for every user

From Citrix Analytics for Security to Citrix Gateway, organizations are able to implement all mission-critical components of a zero trust architecture—all in one secure digital workspace solution.

Additional resources