Zero Trust: What Is It? How Does It Work? Why Should I Use It?

The recent uptick in remote work has highlighted both the promise and the pitfalls of our connected world. Many of the same technologies that give work-from-home employees and contractors access to enterprise networks also create gaps that hackers and other malicious actors can exploit.

To lock down network security without causing productivity to take a hit, Zero Trust has emerged as a best practice and policy of choice for many organizations.


What is Zero Trust?

The origins of Zero Trust are rooted in the shortcomings of traditional network security methods.

Since the early days of enterprise risk management, organizations have typically taken a classic defensive approach to network security. There’s an internal network (the LAN), an external network (the WAN) and a protective firewall separating the two. Anything inside the firewall is trusted. Anything outside is untrusted.

The complexity of modern IT networks and the fluidity of today’s workplaces have proven challenging to this vaguely medieval “inside/outside” mindset. For example, this simple binary design doesn’t suit remote workers who need offsite access to internal resources. And what about contractors who might be physically inside the building but don’t merit full access privileges?

Virtual private networks, or VPNs, offer one way to expand the internal network to include this new class of mobile users. From a security management standpoint, the major problem with VPNs is that they implicitly assume trust. If an attacker manages to gain VPN credentials or exploit the VPN connection, that attacker has more or less unrestricted access to the internal network.

IT professionals therefore started looking for a viable VPN replacement. Zero Trust arose as a more identity based, hardline approach to network security that accommodates the nuance of the modern workplace and its dynamic mobile workforce.

Zero Trust is inherently more skeptical than traditional perimeter network approaches. Rather than eagerly award users with sweeping access to large portions of the internal network, the first instinct in a zero-trust environment is to withhold blanket access and instead grant it only on an as-needed basis to business-critical network resources. This is often called the least privilege model.


How does Zero Trust work?

The first implementations of Zero Trust network access (ZTNA) took a micro-segmentation approach. This made sense as an updated form of risk management, but the underlying inside/outside rationale didn’t change significantly.

As a result, micro-segmentation mainly served to fragment the internal network into smaller perimeter-bound networks that were further subdivided into cloud and on-prem architectures. This worked well enough as a VPN alternative but had the drawback of decreasing network-wide visibility and increasing admin overhead.

Today, the emphasis in ZTNA has shifted more from the how to the who. It’s not about developing complex blueprints for network compartmentalization or the finicky process of creating walls within walls. Instead it’s about verifying trusted users through their identity. That identity—validated by single sign-on (SSO) solutions, cloud-based identity providers (IdPs), or multifactor authentication (MFA)—becomes the basis for determining which resources users are allowed to access.

This has multiple advantages:

  • Tighter, more consistent security management at the gateway
  • Restricted access, even among trusted users, to lateral resources or low-level core infrastructure
  • Better support for hybrid networks that make use of cloud and on-prem solutions
  • A more curated experience for end users stripped of unnecessary functionality
  • Seamless, secure access for remote workers and contractors alongside onsite employees

Within that broad identity-based approach, ZTNA policies can vary depending on the organization or the user pool. They can require end-to-end encryption of all network communications. They can enforce “hygiene” checks by inspecting devices and data streams for malware during authentication or on an ongoing basis. Or they can prioritize the uniformity of the trusted user experience regardless of network location.


Who should use Zero Trust?

Every organization, large or small, can benefit from ZTNA. From agencies that need to allow regular contractor printing to global enterprises with ever-growing fleets of mobile devices, Zero Trust offers a secure, flexible path to better network security and improved risk management.

What form ZTNA ultimately takes will be up to each organization. If they’re looking for VPN alternatives that can scale to support large numbers of remote workers, they might want to explore ZTNA solutions centered around cloud-based digital workspaces. If zero-trust printing is the priority, then solutions that allow for off-network printing will be a logical choice. And if an organization’s business model is heavily reliant on IoT devices, ZTNA will naturally look quite a bit different from the other two.

Regardless of use case, however, Zero Trust is fast becoming the de facto network security standard. The NSA has recently endorsed Zero Trust policies and published detailed guidance on adopting ZTNA models. According to a Deloitte poll in mid-2020, more than 70% of organizations said that ZTNA adoption had either remained on pace or accelerated during the COVID-19 pandemic. All this speaks to the value of Zero Trust and its recognition as critical security practice going forward.