Updated August 3, 2023

A traditional security model implicitly trusts everything inside an organization’s network, leaving plenty of loopholes for human error and insider threats. This is no longer sufficient under today’s circumstances: many are now working remotely, with enterprise teams spreading across a variety of countries and companies shifting to complex hybrid cloud systems. Given these challenges, it is becoming increasingly difficult to define network perimeters. Additionally, when subjects (end users, applications, non-person entities requesting information) are given broad access to resources within the network perimeter, the compromise of a single subject can snowball into massive data breaches.

As defined by NIST, a zero-trust architecture (ZTA) employs a data-centric methodology that focuses on protecting resources rather than the network perimeter. Since the network perimeter is no longer the key component to safeguarding enterprise data, a zero-trust strategy shifts its line of sight to identifying and authenticating users and devices. Zero trust encompasses a set of principles that safeguard subjects, enterprise assets, and resources. These principles include “never trust, always verify”, “assume breach”, and “least privileged access”.

ZTA, with its “never trust, always verify” principle, holds no implicit trust when it comes to subjects within the network perimeter. This allows it to enforce more granular levels of security control. When every stage of a digital transaction is evaluated for authorization, users are less likely to overstep the boundaries of what they are allowed to access.

By assuming that a data breach has already happened, ZTA prepares for worst case scenarios and protects sensitive data accordingly when attacks do occur. This goes hand in hand with its principle of enforcing “least privileged access”, where users and applications are granted the least amount of access needed to complete their duties effectively.

ZTA comic strip

Why Zero Trust Architecture?

Combined with dynamic automated controls, ZTA allows enterprises to easily reach regulatory compliance, achieving a balance of security, availability, usability, and cost efficiency. Especially in an environment full of collaborative information sharing, ZTA’s enforcement of “least privileged access” helps to safeguard business-critical information from unauthorized access. With real-time access control, users are reliably verified and authenticated before each session.

ZTA also allows organizations to better track and monitor patterns in user behavior. With increased visibility over resources, enterprises can detect suspicious activity and protect data accordingly. Due to the absence of a “trusted” network and location, every connection is subjected to verification, reducing the overall risk of malicious attacks. When security events do happen, the simplified security architecture of ZTA allows enterprises to respond swiftly and effectively.

How to Implement Zero Trust Architecture

Setting up a ZTA solution for enterprises typically involves the core, functional, and device and network infrastructure components.

ZTA architecture overview

Think of ZTA’s core components as the brain of the system. A policy engine (policy decision point) makes decisions on granting access to a user. The policy administrator (policy administration point) helps you create, edit, and manage policies used to grant access, and generates session-specific authentication credentials for users. The policy enforcement point is responsible for managing connections between users and resources.

The functional components of ZTA consist of data security, endpoint security, identity and access management (IAM), and security analytics:

  • Data security component: Protects data at rest and in transit by enforcing data access policies.
  • Endpoint security component: Safeguards endpoints from both external threats and threats from managed or unmanaged devices.
  • IAM component: Creates, stores, and manages user accounts and identity records, making sure the right people have the right access to enterprise resources.
  • Security analytics component: Covers all threat intelligence feeds and activity monitoring for an IT enterprise, gathering behavior insights to actively respond to threats.

Finally, the device and network infrastructure components include assets (devices) such as laptops, tablets, and other IoT devices that connect to enterprise resources. Enterprise resources include data, applications, and services that are hosted and managed on premise, in the cloud, or at the edge. The network infrastructure components cover all the network resources that an enterprise may need to deploy to keep everything running smoothly.

As for extending the efficacy of ZTA, one approach is to incorporate NIST’s recommendation on using a policy engine to implement an attribute-based access control (ABAC) model. With ABAC and dynamic authorization, authorization decisions are made by evaluating attributes in real time, giving you greater flexibility and a more secure way to manage access. This approach offers better scalability and improved security compared to traditional methods.
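The following is an added illustration, not code from NextLabs or from NIST, of how the three core components described above (policy engine, policy administrator, policy enforcement point) fit together with an ABAC policy. The policy rules, the attribute names, the signing key, and the sample requests are all constructed for the example; a real deployment would pull subject, device, and resource attributes from its IAM, endpoint security, and data security components. The point it shows is that the engine evaluates the full attribute set on every request with a default of deny, the administrator issues a session-specific credential bound to one subject, resource, and action, and the enforcement point re-checks both the credential and the current attributes each time, so a device that falls out of compliance mid-session loses access without the policy having to change.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical signing key held by the policy administrator (would live in a KMS/HSM).
PA_SIGNING_KEY = secrets.token_bytes(32)
SESSION_TTL_SECONDS = 300

# Constructed sample ABAC policy: a rule matches only when every listed
# "<category>.<attribute>" equals its value. Anything no rule matches is denied.
POLICY = [
    {"name": "finance-confidential-read", "action": "read",
     "resource.classification": "confidential", "subject.department": "finance",
     "subject.mfa": True, "device.managed": True, "device.patched": True},
    {"name": "public-read", "action": "read", "resource.classification": "public"},
]


def flatten(request):
    """Turn a nested request into flat "category.attr" keys for rule matching."""
    attrs = {"action": request["action"]}
    for category in ("subject", "device", "resource", "environment"):
        for key, value in request.get(category, {}).items():
            attrs[f"{category}.{key}"] = value
    return attrs


class PolicyEngine:
    """Policy decision point: evaluates current attributes, default deny."""

    def decide(self, request):
        attrs = flatten(request)
        for rule in POLICY:
            conditions = {k: v for k, v in rule.items() if k != "name"}
            if all(attrs.get(k) == v for k, v in conditions.items()):
                return "allow", rule["name"]
        return "deny", "default-deny"


class PolicyAdministrator:
    """Policy administration point: mints and checks session-specific credentials."""

    def issue(self, subject_id, resource_id, action):
        expires = int(time.time()) + SESSION_TTL_SECONDS
        payload = f"{subject_id}|{resource_id}|{action}|{expires}"
        mac = hmac.new(PA_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{mac}"

    def verify(self, credential, subject_id, resource_id, action):
        try:
            sub, res, act, exp, mac = credential.split("|")
        except ValueError:
            return False
        payload = f"{sub}|{res}|{act}|{exp}"
        expected = hmac.new(PA_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False
        # Credential is only good for the exact binding it was issued for, and only until expiry.
        return (sub, res, act) == (subject_id, resource_id, action) and time.time() < int(exp)


class PolicyEnforcementPoint:
    """Sits between subject and resource; no request passes without a fresh decision."""

    def __init__(self):
        self.pe, self.pa = PolicyEngine(), PolicyAdministrator()

    def open_session(self, request):
        decision, rule = self.pe.decide(request)
        if decision != "allow":
            return None, rule
        cred = self.pa.issue(request["subject"]["id"], request["resource"]["id"], request["action"])
        return cred, rule

    def access(self, credential, request):
        """Per-request check: valid credential AND attributes must still satisfy policy."""
        if not self.pa.verify(credential, request["subject"]["id"],
                              request["resource"]["id"], request["action"]):
            return "deny", "invalid-or-expired-credential"
        return self.pe.decide(request)


def demo():
    """Constructed scenarios; returns the decision for each so they can be inspected."""
    pep = PolicyEnforcementPoint()
    finance = {"action": "read",
               "subject": {"id": "alice", "department": "finance", "mfa": True},
               "device": {"id": "lt-17", "managed": True, "patched": True},
               "resource": {"id": "q3-ledger", "classification": "confidential"}}
    cred, rule = pep.open_session(finance)
    unpatched = {**finance, "device": {**finance["device"], "patched": False}}
    other_res = {**finance, "resource": {"id": "hr-records", "classification": "confidential"}}
    no_mfa = {**finance, "subject": {**finance["subject"], "mfa": False}}
    public = {"action": "read", "subject": {"id": "bob"}, "device": {"id": "byod-1"},
              "resource": {"id": "brochure", "classification": "public"}}
    return {
        "finance_session": rule,
        "finance_access": pep.access(cred, finance),
        "unpatched_device": pep.access(cred, unpatched),   # same credential, posture changed
        "other_resource": pep.access(cred, other_res),     # credential not bound to this resource
        "no_mfa": pep.open_session(no_mfa)[1],
        "public": pep.open_session(public)[1],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two design choices are worth noting. The credential binds subject, resource, and action together, so a token obtained for one resource cannot be replayed against another even by the same user, which is what the page means by session-specific credentials. And the enforcement point calls the engine again on every access rather than trusting the credential alone; that is the mechanism behind "never trust, always verify", and it is why the unpatched-device scenario is denied even though the credential itself is still valid.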

To learn more about ZTA and its importance, please refer to NextLabs’ interview with Alper Kerman, author of the Implementing a Zero Trust Architecture document, on Why is Zero Trust Architecture (ZTA) Important?