What is zero trust security?

Zero-trust security is a contextual IT security model governed by a single axiom: “Trust no one.” A zero trust model, or architecture, means that no user or device should have default access to an organization’s network, workspace, or other resources—even if they’re employed by the organization. Authorized users must pass security protocols before access is granted based on criteria like their identity, time of access, and device posture. Zero trust architecture can include access control, user identity verification, and secure workspaces to prevent malware, data exfiltration due to a VPN breach, and other attacks on sensitive data.

Why is zero trust security important?

Zero trust security is important because today’s IT departments have to protect a larger attack surface while delivering an engaging user experience. Now that employees rely on personal devices for remote access to workspaces, cloud apps, and corporate resources, the likelihood of data loss is higher than ever. Making matters worse, the average cost of a single data breach is $3.92 million, and on average 25,575 records are stolen. In the two largest data breaches of the last 20 years alone, more than 3.5 billion people had their information stolen.

A zero trust architecture is a serious approach to this serious problem. It acknowledges that models of information security that expose some sensitive data have the potential to expose all sensitive data. It’s like putting all of one’s assets in a single bank safe: once an intruder gains access, they can steal everything. To address this risk, zero trust network access tightens the reins on access security for endpoints and users. For more comprehensive zero trust security, organizations can provide employees secure access to a protected digital workspace. This mitigates overall risk by giving users secure access to all the apps, tools, and data they need without exposing the organization to unnecessary risk.

What’s the difference between traditional information security and zero trust architecture?

Traditional approaches to information security involve corralling sensitive data into data centers protected by logins and firewalls. The assumption was that everyone inside the organization was vetted and trustworthy—as long as someone had a username and password, they could access everything on the organization’s network unchallenged. This is sometimes called the castle-and-moat approach: the castle represents the enterprise housing the data, and the moat represents the defenses and deterrents surrounding that data.

However, this approach does not fit modern cybersecurity threats. Now that most organizations work in the cloud, a centralized trust-but-verify approach makes less and less sense. Users no longer access sensitive data from a single point or device, and that data no longer lives in one place. Essentially, there is no longer one entrance to the castle, and cyberattacks can arrive from anywhere at any time. A moat offers no protection against intruders who parachute in from airplanes.

A zero trust architecture evolves this traditional cybersecurity approach by moving the onus of data protection from within the organization to each user, device, and application attempting network access. Implemented correctly, this approach to zero trust is a context-aware security architecture that can recognize patterns in user behavior and devices to adaptively grant or deny access based on factors like identity, time of day, and location.

How to get started implementing a zero trust architecture

Zero trust security is an overall strategy rather than a single, tangible solution. Embracing its “never trust, always verify” mindset means rethinking everything about the way an organization houses and accesses sensitive data. Organizations should prepare to invest significant time into restructuring network security and access control at every level. Here are some steps to begin implementing a zero trust architecture in an organization:

  1. Audit the organization’s network for a clear picture of what infrastructure and endpoints are in place. This shows IT what their network security policy needs to address first. 
  2. Conduct a thorough threat assessment, and come up with some scenarios for what would happen if sensitive data were breached. Ask questions like “Who is most likely to access what data?” and “If the first level of security is penetrated, how easy will it be to penetrate subsequent ones?”
  3. Decide how to trust users, devices, and applications as separate but related entities. It’s important to grant access only to what is actually needed on a use-by-use basis. Multi-factor authentication is a good start, but it can also be helpful to adopt contextual access control tools to disable printing, copy-paste, and screenshotting in certain scenarios. You can also have all employees access their apps and data inside a secure workspace to deliver more comprehensive enterprise security.
  4. Test your zero trust architecture to see how well it performs. Run scenarios where your IT team attempts to gain access to sensitive data via a lost device, an unsecured Wi-Fi network, malicious URLs, or malware. This reveals potential weaknesses in your network security so you can adapt the cybersecurity approach accordingly.
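The decision logic behind step 3 and the context-aware access described earlier, as an added example that is not code from the original page: each request is judged on identity, device posture, time, and location, and the result is access to one app (never the whole network) with app-level restrictions such as no printing or copy-paste when the context is weaker. The users, groups, apps, countries, and business hours are constructed placeholders.

```python
"""Constructed zero trust policy decision for a single application request."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    mfa_passed: bool
    device_managed: bool
    disk_encrypted: bool
    country: str
    hour: int  # local hour of the request, 0-23


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    restrictions: frozenset  # app-level controls applied to the session


# Constructed directory and entitlement data (placeholders, not a real tenant).
USER_GROUPS = {"alice": {"finance"}, "bob": {"engineering"}}
APP_ENTITLEMENTS = {"payroll": {"finance"}, "wiki": {"finance", "engineering"}}
ALLOWED_COUNTRIES = {"US", "DE"}
BUSINESS_HOURS = range(7, 20)


def evaluate(req: AccessRequest) -> Decision:
    """Grant or deny one app request; access is never network-wide."""
    # Identity: MFA is mandatory, and the user must be entitled to this app.
    if not req.mfa_passed:
        return Decision(False, "multi-factor authentication required", frozenset())
    if not USER_GROUPS.get(req.user, set()) & APP_ENTITLEMENTS.get(req.app, set()):
        return Decision(False, f"{req.user} is not entitled to {req.app}", frozenset())
    # Location: requests from unexpected countries are denied outright.
    if req.country not in ALLOWED_COUNTRIES:
        return Decision(False, f"access from {req.country} not permitted", frozenset())
    # Device posture and time of day narrow the session instead of blocking it.
    restrictions = set()
    if not (req.device_managed and req.disk_encrypted):
        restrictions.update({"no-print", "no-clipboard", "no-screenshot"})
    if req.hour not in BUSINESS_HOURS:
        restrictions.add("no-download")
    return Decision(True, "granted for this app only", frozenset(restrictions))
```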

FAQs about zero trust security

Is zero trust architecture a single product?
Zero trust security is not a single product or solution. Rather, it is an architecture or framework that IT can use to enable secure access for all applications, from any device, by continuously evaluating trust at every touchpoint. This means a zero trust security model can rely on multiple vendors and products in order to deliver an access security policy that is granular, contextual, and continuous.

Does zero trust mean I need to replace my entire IT infrastructure?
While implementing zero trust is not simple, it should not require you to rip-and-replace your on-premises or cloud infrastructure. The right zero trust vendor will work with you to secure your existing infrastructure, such as identity platforms, SIEM/SOC and web proxies, and SD-WAN solutions. For example, your zero trust vendor should be able to integrate with Microsoft Active Directory, Microsoft Azure AD, and Okta user directories as well as the contextual identity management policies that come with these platforms.

How do I find the right technology or services to implement a zero trust network?
Because of the comprehensive nature of a zero trust security model, IT can get stuck in an endless cycle of adding point products such as SSL VPN, endpoint management, and multi-factor authentication to address new security use cases. This can lead to more complexity and create a fractured experience for end users—all while leaving gaps in cybersecurity that attackers can exploit.

With this in mind, Forrester reports that there are significant benefits to choosing a single vendor to implement a zero trust security architecture. This helps avoid the gaps left by integrating various point solutions. One proven strategy is to protect users and their apps inside a unified workspace where work gets done, rather than trying to provide piecemeal protection for sensitive data and resources wherever users access them. This also helps ensure a good user experience.

Zero Trust vs VPN: Why can’t VPNs support zero trust security?

The most fundamental difference between VPNs and zero trust security frameworks is that traditional VPNs trust blindly. With a VPN, once access is granted, a remote user gains total access to the network. To summarize the major vulnerabilities of VPNs, the following attributes stand out:

  1. VPNs over-simplify authentication – existing VPN solutions do not meet the requirements of a complex, modern workforce where applications are accessed through a browser, deployed in both datacenter and cloud environments, or delivered as SaaS.
  2. VPNs don’t scale – VPNs are limited to remote access only, whereas a zero trust framework secures the corporate network in real time whether users are on-premises or off.
  3. VPNs aren’t optimized for employee experience – because VPNs route all the traffic (business and personal) through corporate IT, concerns around employee privacy may be raised. Additionally, VPNs don’t provide the best performance because there’s no app-level optimization.

In short, businesses need a solution that is cloud delivered, grants access at the application layer (which reduces the attack surface), and provides the best performance without intruding on employee privacy.
