Zero Trust Architecture

What is a Zero Trust Architecture?



Zero Trust is a strategy in itself. As an initiative, it helps you prevent major data breaches by eliminating the concept of trust from an organization’s network architecture. It is rooted in the principle of “Never Trust, Always Verify.”

Zero Trust is designed to protect modern digital environments by:

1) leveraging network segmentation,
2) preventing lateral movement,
3) providing Layer 7 threat prevention, and
4) simplifying granular user-access control.
Zero Trust was created by John Kindervag for Forrester Research, based on the realization that traditional security models operate on the outdated assumption that everything inside an organization’s network should be trusted. Under this broken trust model, it is assumed that a user’s identity is not compromised and that all users act responsibly and can be trusted.
On the contrary, the Zero Trust model recognizes that trust is a vulnerability. Once on the network, users – including threat actors and malicious insiders – are free to move laterally and access or exfiltrate whatever data they have not been explicitly restricted from.
Zero Trust is not about making a system trusted, but instead about eliminating trust.
In Zero Trust, you begin by identifying a “protect surface” which is made up of the network’s most critical and valuable DAAS (data, assets, applications and services).
Protect surfaces are unique to each organization. Because the protect surface contains only what is most critical to an organization’s operations, it is much smaller than the attack surface, and you can always know your protect surface. Right?
The next step is identifying how traffic moves across the organization in relation to your protect surface. Understanding who the users are, which applications they are using and how they are connecting is the only way to determine and enforce policy that ensures secure access to your data.
Once you understand the interdependencies between the DAAS, infrastructure, services and users, you should put control measures in place as close to the protect surface as possible, creating a ‘microperimeter’ around it. This microperimeter moves with the protect surface, wherever it goes. You can create a microperimeter by deploying a segmentation gateway (which is, in practice, your next-generation firewall) to ensure that only known, allowed traffic or legitimate applications have access to the protect surface.
The segmentation gateway provides granular visibility into traffic and enforces additional layers of inspection and access control with granular Layer 7 policy based on the Kipling Method, which defines Zero Trust policy based on who, what, when, where, why and how.
The Zero Trust policy determines who can transit the microperimeter at any point in time, preventing access to your protect surface by unauthorized users and preventing the exfiltration of sensitive data.
P.S.: Zero Trust is only possible at Layer 7.
Once you’ve built your Zero Trust policy around your protect surface, you continue to monitor and maintain it in real time, looking for things such as what else should be included in the protect surface, interdependencies not yet accounted for, and ways to improve policy.
How To Achieve a Zero Trust Architecture?
Zero Trust is built upon your existing architecture and does not require you to rip and replace existing technology. There are no Zero Trust products. There are products that work well in Zero Trust environments and those that don’t. Zero Trust is also quite simple to deploy, implement and maintain using a simple five-step methodology. This guided process helps identify where you are and where to go next:
1) Identify the protect surface
2) Map the transaction flows
3) Build a Zero Trust architecture
4) Create Zero Trust policy
5) Monitor and maintain
Creating a Zero Trust environment – consisting of a protect surface that contains a single DAAS element, protected by a microperimeter enforced at Layer 7 with Kipling Method policy by a segmentation gateway – is a simple and iterative process you can repeat one protect surface/DAAS element at a time.
You should use Zero Trust to gain visibility and context for all your traffic – across user, device, location and application – plus zoning capabilities for visibility into internal traffic. To gain traffic visibility and context, traffic needs to pass through a next-generation firewall with decryption capabilities. Next-generation firewalls enable micro-segmentation of perimeters and act as border control within your organization.
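To make the Kipling Method policy and the five-step process concrete, here is an added example (not code from the original post or any vendor product): a small default-deny policy engine in Python that models a segmentation gateway guarding one protect surface. The identities, zones, protocols and the "payroll-db" DAAS element are constructed for illustration, and the example assumes the gateway receives already-authenticated identities.

```python
from dataclasses import dataclass
from datetime import datetime, time
# Constructed example: a small Kipling-method policy engine guarding one protect surface.
# Each rule states who / what / when / where / why / how; anything not explicitly
# allowed is denied, which is the "Never Trust, Always Verify" default.

@dataclass(frozen=True)
class Request:
    who: str        # identity making the request (assumed already authenticated)
    what: str       # application or service being used
    when: datetime  # time of the request
    where: str      # source zone or location
    why: str        # business purpose of the access
    how: str        # protocol or method used
    target: str     # DAAS element being accessed

@dataclass(frozen=True)
class Rule:
    who: frozenset; what: frozenset; when: tuple  # when = (start, end) as local times
    where: frozenset; why: frozenset; how: frozenset; target: str

    def matches(self, r: Request) -> bool:
        start, end = self.when
        return (r.target == self.target and r.who in self.who and r.what in self.what
                and start <= r.when.time() <= end and r.where in self.where
                and r.why in self.why and r.how in self.how)

class SegmentationGateway:
    """Default-deny enforcement point (the microperimeter) around the protect surface."""
    def __init__(self, protect_surface: set, rules: list):
        self.protect_surface, self.rules, self.log = protect_surface, rules, []

    def evaluate(self, r: Request) -> bool:
        # Only a flow that matches an explicit rule for a protected DAAS element passes.
        decision = r.target in self.protect_surface and any(x.matches(r) for x in self.rules)
        self.log.append((r, decision))  # every decision feeds the monitor-and-maintain step
        return decision
# Constructed protect surface: a single DAAS element, the payroll database.
PROTECT_SURFACE = {"payroll-db"}
RULES = [Rule(who=frozenset({"payroll-app"}), what=frozenset({"payroll-service"}),
              when=(time(8, 0), time(18, 0)), where=frozenset({"dc-app-zone"}),
              why=frozenset({"process-payroll"}), how=frozenset({"tls-sql"}), target="payroll-db")]

def demo() -> tuple:
    gw = SegmentationGateway(PROTECT_SURFACE, RULES)
    legitimate = Request("payroll-app", "payroll-service", datetime(2024, 3, 4, 10, 30),
                         "dc-app-zone", "process-payroll", "tls-sql", "payroll-db")
    # Same identity over RDP from the user VLAN at night: already "inside", still denied.
    lateral = Request("payroll-app", "rdp", datetime(2024, 3, 4, 23, 0),
                      "user-vlan", "process-payroll", "rdp", "payroll-db")
    return gw.evaluate(legitimate), gw.evaluate(lateral), len(gw.log)
```

Running `demo()` returns `(True, False, 2)`: the business flow passes the microperimeter, the lateral attempt from the same identity is denied, and both decisions are logged for the monitor-and-maintain step.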
Thanks to Mrs. Meena for this information.


Pentester, Cyber World Enthusiast
