Zero-trust security is an IT security model that limits who can access applications and data—including an organization’s employees. Zero Trust architecture uses strict security protocols to grant access, while keeping authenticated users continually protected from malware, data exfiltration and other cybersecurity attacks.
Zero trust data security is important because today’s IT departments have to protect an expanding attack surface while delivering an engaging user experience.
Now that employees rely on personal devices for remote access to workspaces, cloud apps and corporate resources, the likelihood of data loss is higher than ever. This is especially true for organizations that still rely on traditional security approaches, where the network perimeter built around resources still leaves organizations vulnerable to malicious outsiders posing as legitimate insiders. Often, all it takes to gain total access to the network is a quick remote VPN login.
In contrast, the zero trust model acknowledges one of the biggest causes of data breaches today: Security models that expose some sensitive data have the potential to expose all sensitive data. To address this risk, zero trust secure access tightens the reins on access management for endpoints and users.
Traditional enterprise security involves corralling sensitive data into data centers protected by logins and firewalls. The assumption with this approach is that everyone inside the organization is vetted and trustworthy—as long as someone has a username and password, they can access everything on the organization’s network, unchallenged. This type of access management is sometimes called the castle-and-moat approach: The castle represents the enterprise housing the data, and the moat represents the secured checkpoints surrounding that data. All access is controlled and verified at the gateway where authentication and authorization are granted. Once verified, however, users are effectively given free rein of the environment.
One example of this type of traditional enterprise security is the classic virtual private network, or VPN, which gives a remote user full access once access is granted. This “blind trust” can create some major vulnerabilities, such as:
While this security approach worked well for a time, it does not fit modern cybersecurity threats. Inadequate authentication and authorization leads to excessive access, often allowing bad actors to bypass gateways. And with the massive move to cloud and mobile, traditional perimeter-based firewalls are no longer sufficient.
Now that most organizations work in the cloud, a centralized trust-but-verify approach is increasingly less sensible. Users no longer access sensitive data from a single point or device, and that data no longer lives in one place. Essentially, there’s no longer one entrance to the castle. Cyberattacks could arrive from anywhere, at any time.
A zero trust network architecture evolves this traditional cybersecurity approach by moving the onus of data protection from within the organization to each user, device and application attempting network access. Implemented correctly, this context-aware model recognizes patterns in behavior to adaptively grant or deny access based on factors like identity, time of day and location.
For an even more comprehensive framework, some organizations opt to provide employees with secure access to a protected digital workspace. This mitigates overall risk by giving users secure access to all the apps, tools and data they need without exposing the organization to unnecessary risk.
Ask 10 different experts for a zero trust network definition, and you’re likely to get 10 different answers. That’s because there’s no one set solution designed to fit all enterprise needs.
Zero trust security is an overall strategy rather than a specific product. Think of it as a set of guiding principles to ensure access to apps and data remains secure—no matter where they reside, who's accessing them or what devices they use. There’s no implicit trust granted based on physical or network locations. Instead, authorization is continuous and consistently applied.
Embracing this “never trust, always verify” mindset means rethinking everything about the way an organization houses and accesses sensitive data. That means each individual enterprise will need to take its own unique approach to designing zero trust network access.
At the same time, enterprises across industries are facing increased challenges as more apps move to the cloud and employees become more distributed. That means every business needs a solution that is cloud delivered and provides access at the application layer to reduce the security attack surface. And they need to do it without compromising privacy or hindering the employee experience.
For this reason, many organizations are choosing to protect users and their apps inside a unified workspace where work gets done, rather than trying to provide piecemeal protection for sensitive data and resources from wherever users access them. This also helps ensure a good user experience.
When implementing a zero trust network, organizations should prepare to invest significant time into restructuring network security and access control at every level. Initial steps to begin building a zero trust architecture include:
Test your zero trust architecture to see how well it performs. Run scenarios where your IT team attempts to gain access to sensitive data via a lost device, unsecured wifi network, malicious URLs or malware. This can show potential vulnerabilities in your network security in order to adapt the cybersecurity approach accordingly.
When building a zero trust network, it's important to recognize upfront that zero trust security is not a single product. Rather, it helps to view the zero trust approach as an architecture or framework that can be used to enable secure access for all applications, from any device, by continuously evaluating trust at every touchpoint. This means a zero trust security model can rely on multiple vendors to deliver security policies that are granular, contextual and continuous.
With this in mind, it’s possible to begin implementation while leveraging existing IT resources. While implementing zero trust is not simple, it should not require you to rip-and-replace your on-premises or cloud infrastructure. The right zero trust vendor will work with you to secure your existing infrastructure, such as identity platforms, SIEM/SOC and web proxies and SD-WAN solutions. For example, your zero trust vendor should be able to integrate with Microsoft Active Directory, Microsoft Azure AD and Okta user directories as well as the contextual identity management policies that come with these platforms.
To ensure these various components work together seamlessly, some experts recommend choosing a single vendor to help avoid gaps that can be created when integrating various point solutions. Given the comprehensive nature of a zero trust security model, IT can often get stuck in an endless cycle of adding point products such as SSL VPN, endpoint management and multi-factor authentication (MFA). This can lead to more complexity and create a fractured experience for end users—all while leaving holes in cybersecurity that attackers can exploit.
In contrast, a single vendor can help ensure the right mix of cloud security, access control, granular policies and more.
For a zero trust platform to be effective, access to apps and data must be aligned to the sensitivity of each session. Any providers you use should be capable of constantly monitoring user activity and device posture. This is what enables you to grant access only to specific app users based on their needs to do their jobs—rather than providing access into the network itself.
In Gartner’s guidance for zero trust network access (ZTNA), these solutions are referred to as the “products and services that create an identity- and context-based, logical-access boundary encompassing a user and...applications [that] are hidden from discovery.”
In other words...
Look for systems that allow you to individually verify every user device, location and workload. Key components to watch for include:
Each of these components can be implemented individually. In many instances, however, they are all part of one overarching solution—such as a secure digital workspace designed to unify various elements of zero trust network security.
Citrix equips companies with an end-to-end solution for implementing a zero trust architecture, with multiple solutions designed to reduce your attack surface. Having these all in one place allows businesses to avoid the gaps often left from relying on assorted point solutions: