Why You Need a Zero Trust Architecture, Tips and Examples

What are the Benefits of a Zero Trust Architecture?

Zero trust enables organizations to effectively control access to their network, applications, and data. Here are the core benefits this architecture offers:

Achieve strict access control and comprehensive visibility

The zero trust model aims to allow organizations to approve each user and device every time they request access to the network while obtaining visibility into the who, how, and why of each request. Organizations employing zero trust with least privileges access can maintain strict oversight of all users and devices on the network and their activity.

Isolate threats using microsegmentation

A zero trust architecture usually leverages microsegmentation to split the network by group, function, and identity to achieve granular control of user access, contain breaches, and minimize the scope of the damage. It helps improve breakout times, the critical time frame between the initial compromise of the first machine and lateral movement to other areas on the network.

Gather intelligence to improve security decision making

A zero trust architecture gathers intelligence from multiple points of telemetry to inform a security strategy that is always evolving and striving to prevent old and new attacks proactively.

Related content: Read our guide to zero trust network (coming soon)

Implementing borderless security

Organizations often leverage the zero trust architecture to securely expand their infrastructure to include cloud-based servers and applications and increase the number of endpoints in their network. Since the zero trust network is borderless, it enables organizations to apply security principles equally across all devices and users regardless of the location.

Enhance the user experience

The zero trust security model offers an enhanced user experience compared to virtual private networks (VPNs). A VPN usually limits application use, requires frequent updates and authentication, and impacts system performance. It typically involves adding multi-factor authentication (MFA) to improve security and single sign-on (SSO) to simplify the user experience.

Zero Trust Architecture Example: The Microsoft Zero Trust Architecture

Microsoft implemented the zero trust model and shared the details on the official website. It focuses on corporate services across the organization, including line-of-business and Office applications, covering devices that run on Android, iPhone, Mac, and Windows. Intune, Microsoft’s cloud-based mobile device management (MDM) service, manages devices.

Here are the four phases of Microsoft’s zero trust model:

1. Verify identity—use two-factor authentication (2FA) to allow remote access to networks using the Azure Authenticator phone app. Microsoft plans to eliminate passwords and shift to full biometric authentication in the future.
2. Verify device health—enroll user devices with the Intune MDM service. It manages the device-health policy specifying the devices Intune needs to manage and monitor for health. It allows only those defined by the policy to access large productivity applications, such as Exchange and SharePoint.
3. Verify access—minimize access to resources and require identity and device-health verification. Microsoft transitions access to primary applications and services from direct access to the network, Internet plus VPN access, and Internet-only access, further reducing the number of users that require access to the network.
4. Verify services—Microsoft intends to add service health verification to ensure a service is healthy before allowing it to interact with users. This option is currently in proof-of-concept.

Zero Trust Architecture: Implementation Process

The National Institute of Standards and Technology (NIST) offers various resources to improve cybersecurity, including a list of conceptual guidelines for designing and deploying a zero trust architecture. Here are the key steps for implementing a zero trust architecture according to NIST:

1. Use infrastructure that supports zero trust

Not all network and security services support zero trust and might require integration with additional resources, increasing overhead. Prefer to use products and services built with a zero trust approach in mind. These products use standards-based technologies that allow easier integration and interoperability between identity providers and services.

2. Map out the environment and identities

According to NIST, the architecture includes all users, services, data, and devices. Organizations implementing zero trust must inventory each component of their architecture to gain visibility into the location of key resources and the main risks threatening the architecture. It helps avoid late-stage pitfalls like integrating legacy services that cannot support zero trust.

Visibility must be extended to all relevant entities – including human users, software-based processes, services, or devices. A zero trust architecture requires making each entity uniquely identifiable to ensure processes can accurately determine whether to allow or grant access to data or services to a specific identity.

3. Use policies to determine access

The NIST recommends using policies to determine access to resources and the state of user identity, the requesting system, and other behavioral attributes. Here is how NIST defines identities:

• A user identity—a network account that can request access and may also have various enterprise-assigned attributes.
• A requesting system—device characteristics, such as network location and software versions.
• Behavioral attributes—user and device analytics and behaviors that deviate from baselined patterns.

4. Monitor the architecture

The NIST recommends monitoring the architecture to ensure all owned and associated systems remain secure. It involves monitoring the state of systems and applying fixes or patches as needed. Additionally, monitoring enables organizations to deny access to resources to non-enterprise-owned systems or those with recently-discovered vulnerabilities.

3 Tips for Success with Your Zero Trust Architecture

Know Your Topology

Building a zero trust architecture requires mapping the network topology and inventorying all assets. You must discover your users, their devices, and which services and data they access.

You should closely observe all network components and consider all networks hostile, including local and public networks. Additionally, you should account for any existing service not designed for zero trust and might not be able to defend itself.

Create a Secure Communication Channel

You must secure all communication channels within your zero trust architecture and ensure they are trustworthy. Protect these channels against key threats like eavesdropping, message modification, and replay attacks.

A communication channel mediating between two devices should:

• Provide confidentiality, integrity, and authenticity of all messages exchanged between the devices.
• In specific scenarios, it might also need to support non-repudiation.
• Protect against Denial of Service (DoS) attacks.
• Authorize devices, such as a client attempting to connect using an unauthorized device.
• Authorize user requests, such as a user attempting to access data without having the required permissions.
• Provide time-controlled access according to the user’s time of day or location.

Establish a Variety of Defensive Measures

Leverage various preventative measures to deter and thwart threat actors attempting to breach the network. Here are common preventative measures to consider:

• Multi-factor authentication (MFA)—this access control introduces an additional layer of verification to each user within and outside the network. Risk increases, deviations, anomalous traffic, and behavior are common factors that can trigger MFA.
• Least privilege principles—after determining the locations of your sensitive data, you need to grant users the least amount of access required to perform their job and set up continuous verification. You must review privileged accounts regularly to assess whether users still need certain privileges as they move between groups.
• Identity segmentation—the practice of microsegmentation enables you to establish micro-perimeters that act as border control within the network, preventing unauthorized lateral movement. You can segment according to various factors, including user group, account type, role, and the accessed applications.

Conclusion

In this article, we defined a zero trust architecture, described its compelling security benefits, and showed a real life example of a zero trust implementation at a technology giant – Microsoft.

We described four steps to implement a zero trust architecture:

1. Selecting zero-trust compatible tools and services
2. Mapping out the environment and identities
3. Implementing flexible security policies for access control
4. Monitoring the architecture and improving it

Finally, we provided tips that can help make your zero trust project a success:

• Know your topology – based your strategy on a clear view of existing network structure.
• Create a secure communication channel – ensure all communication within your network, as well as inbound and outbound, are well protected.
• Establish a variety of defensive measures – implement MFA, least privilege permissions, and identity segmentation.