What is Zero Trust and Why You Need It
14 Jul 2023
Zero Trust is a modern security strategy that centres on verifying each access request as though it originates from an open network.
Zero Trust eliminates implicit trust and assumes breach, regardless of where the request originates or what resource it accesses. Zero Trust teaches us to “never trust, always verify.”
Principles of Zero Trust
Zero Trust is not a single product or solution, but rather a set of principles and best practices that can help organisations improve their security posture and reduce the risk of data breaches, ransomware, phishing, and other cyberattacks. Some of the key principles of Zero Trust are:
- Verify explicitly: Always authenticate and authorise based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies
- Use least-privilege access: Limit user access with just-in-time and just-enough access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.
- Assume breach: Minimise blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defences.
Flaws of VPNs and How Zero Trust Solves Them
A traditional VPN (Virtual Private Network) is a technology that creates a secure tunnel between a user’s device and a remote network. VPNs are often used by remote workers or travelers to access corporate resources or applications over the internet. However, VPNs have several flaws that make them unsuitable for today’s security challenges. Here are some of the main flaws of VPNs and how Zero Trust solves them:
- VPNs create a false sense of security: VPNs assume that once a user is authenticated and connected to the network, they can be trusted. This creates a false sense of security that ignores the possibility of compromised credentials, insider threats, or lateral movement of attackers within the network. Zero Trust, on the other hand, verifies every access request at every step, regardless of whether the user is on or off the network. Zero Trust also applies granular policies based on the context of the request, such as the user’s role, device health, location, time, etc.
- VPNs are complex and costly to manage: VPNs require a lot of infrastructure and maintenance to support a large number of users and devices. VPNs also introduce performance issues, such as latency, bandwidth limitations, and compatibility problems with different devices and applications. Zero Trust, on the other hand, leverages cloud-based solutions that are scalable, reliable, and fast. Zero Trust also supports any device or application without requiring additional software or configuration.
- VPNs provide poor user experience: VPNs often frustrate users with cumbersome login processes, frequent disconnections, slow speeds, and limited access to resources. These frustrations can lead users to bypass VPNs or use unsecured networks or devices, which can compromise security. Zero Trust, on the other hand, provides a seamless and secure user experience by using modern authentication methods such as multifactor authentication (MFA) or biometrics. Zero Trust also allows users to access any resource they need without compromising security.
Benefits of Zero Trust
Zero Trust is not only a security model, but also a business enabler. It can help organisations:
- Secure hybrid work: Enhance the employee experience with adaptable security policies that help you effectively manage and protect all your devices and identities, no matter where people choose to work.
- Enable digital transformation: Accelerate cloud migration and adoption of SaaS applications with intelligent security for today’s complex environment.
- Close security gaps: Reduce security vulnerabilities with expanded visibility across your digital environment, risk-based access controls, and automated policies.
- Minimise the impact of bad actors: Safeguard your organisation from both internal and external risks with a layered defence that explicitly verifies all access requests.
- Get ahead of regulatory requirements: Keep up with the evolving compliance landscape with a comprehensive strategy that helps you seamlessly protect, manage, and govern your data.
How to Implement Zero Trust
Zero Trust is not a one-size-fits-all approach, but rather a journey that requires continuous assessment and improvement. Organisations can start by identifying their most critical assets and data, mapping their workflows and dependencies, and applying Zero Trust principles to secure them. Then they can expand their scope and maturity over time, leveraging tools and frameworks that can help them implement Zero Trust effectively.
One such framework is the Zero Trust Architecture (ZTA) developed by the National Institute of Standards and Technology (NIST). ZTA provides guidance on how to design, deploy, and operate a Zero Trust system using existing technologies and standards. ZTA consists of three main components: policy engine, policy administrator, and policy enforcement point.ZTA also defines seven logical components that interact within a Zero Trust system: data, assets, actors, networks, devices, gateways, and application..
Another tool that can help organisations adopt Zero Trust is the Cloudflare Zero Trust Platform. Cloudflare Zero Trust Platform is an Internet-native solution that secures hybrid work with Zero Trust. It verifies, filters, isolates, and inspects all traffic on all devices you manage, and even devices you don’t. It offers a single-pass inspection for all traffic to ensure consistent, high-speed protections. It also provides a 100% uptime SLA for paid plans that only an Anycast architecture can deliver.
Examples of Zero Trust
Here are some examples of how Zero Trust can be applied to different scenarios:
- Remote desktop: A remote desktop allows users to access another computer or server over the internet. To secure remote desktop access with Zero Trust, users need to authenticate themselves using multifactor authentication (MFA) or biometrics before being granted access. The remote desktop session should also be encrypted end-to-end to prevent eavesdropping or tampering. Additionally, the remote desktop access should be limited by time or location to reduce the risk of unauthorized access.
- SSH: SSH stands for Secure Shell Protocol. It is a network protocol that allows users to securely connect to remote servers or devices using encryption. To implement Zero Trust for SSH connections, users need to verify their identity using public key cryptography or certificates before being allowed to log in. The SSH server should also enforce strict policies on who can access what resources and for how long. Moreover, the SSH server should monitor the activity of SSH sessions and alert administrators of any suspicious or anomalous behaviour.
- FTP: FTP stands for File Transfer Protocol. It is a network protocol that allows users to transfer files between computers or servers over the internet. To apply Zero Trust for FTP transfers, users need to authenticate themselves using strong passwords or tokens before being able to upload or download files. The FTP server should also restrict the access to specific directories or files based on the user’s role or permissions. Furthermore, the FTP server should encrypt the data in transit and at rest to protect it from interception or theft.
Zero Trust is not a buzzword or a fad. It is a necessity in today’s dynamic and distributed world. By adopting Zero Trust principles and practices, organisations can enhance their security posture, improve their user experience, enable their digital transformation, and gain a competitive edge.
If you are interested in learning more about Zero Trust and how it can help your organisation achieve better security and business outcomes, we invite you to contact us for a free consultation. We can help you design and implement a Zero Trust strategy that suits your needs and goals.