If your company needs a robust way to secure access to resources and audit user activities, the terms “Zero Trust,” “Zero Trust Network Access (ZTNA),” or “Zero Trust Architecture (ZTA)” may come to mind. While the Zero Trust model receives a lot of focus as a preferred way to replace the traditional “Trust But Verify” model of access, many organizations struggle to build the infrastructure necessary to implement it. In this article, we’ll look closely at the Zero Trust model, discuss its benefits, share some common barriers companies face, and discuss a simpler way to apply it to your infrastructure.
What is Zero Trust?
Zero Trust is a security concept of “never trust, always verify” that requires all devices and users, regardless of whether they are inside or outside an organization's network, to be authenticated, authorized, and regularly validated before being granted access.
History of the Zero Trust Model
John Kindervag developed the original Zero Trust model in 2010. As principal analyst at Forrester Research, Kindervag realized that traditional access models operated on the outdated assumption that organizations should trust everything within their networks. As more and more workers started remotely accessing systems through all types of devices, this trust structure proved insufficient to effectively manage a distributed workforce.
Around the same time, Google began developing its own Zero Trust systems. Google created BeyondCorp for migrating traditional virtual private network (VPN) access policies to a new infrastructure in which no systems are trusted and all endpoints gate and monitor access. Google later developed BeyondProd, which provides a Zero Trust method to securely manage code deployment in a cloud-first microservices environment.
Kindervag’s Zero Trust model and Google’s BeyondCorp center around a few major tenets:
- Segmentation -- Traditional networks exposed direct access to all data assets, servers, and applications. The Zero Trust model segments various subsets of these resources and removes the ability for users to directly access them without first going through a tightly controlled gateway. This is sometimes referred to as “network isolation.” Microsegmentation takes this concept further by isolating workloads from one another so that administrators can monitor and control the flow of information between different servers and applications rather than just between client and server.
- Access control -- Regardless of whether users are physically located in an office or working remotely, they should only be able to access the information and resources that are appropriate for their respective roles. Each segment of the network should authenticate and validate authorization to ensure that traffic is being sent from trusted users regardless of the location or source of the request.
- Visibility -- Gateways should inspect and log all traffic, and admins should regularly monitor logs to ensure that users are only attempting to access systems that they’re permitted to access. Commonly, administrators will use cloud access security broker software to monitor traffic between users and cloud applications and warn when they see suspicious behavior.
With the Zero Trust model, organizations can eliminate direct access to networks and resources, establish granular access controls, and gain visibility into user actions and traffic. However, they need models to guide them through implementation.
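To make the three tenets concrete, here is a toy identity-aware gateway (an added illustration, not code from the original article or from any product): every request is authenticated against a session store and authorized against role-based permissions, the source address plays no part in the decision, and every decision is written to an audit log. The users, roles, resources and session tokens are constructed for the example, and a real gateway would validate an identity-provider token rather than an in-memory dictionary.

```python
"""Toy identity-aware gateway illustrating the Zero Trust tenets.

Constructed example: users, roles, resources and session tokens below are
made up; the session store stands in for identity-provider validation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Access control: a role is a collection of permissions; users hold roles.
ROLES = {
    "dba": {"postgres-prod:connect", "postgres-prod:query"},
    "developer": {"postgres-staging:connect", "web-server:ssh"},
}
USERS = {"alice": {"dba"}, "bob": {"developer"}}

# Constructed session store: token -> (user, expiry).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SESSIONS = {
    "tok-alice": ("alice", NOW + timedelta(minutes=30)),
    "tok-bob-expired": ("bob", NOW - timedelta(minutes=1)),
}

# Visibility: every decision, allowed or denied, is recorded here.
AUDIT_LOG: List[Dict[str, Optional[str]]] = []


@dataclass(frozen=True)
class Request:
    token: Optional[str]
    source_ip: str
    resource: str
    action: str


def perimeter_gateway(req: Request) -> bool:
    """'Trust but verify': anything from the office LAN (10.0.x.x) is allowed."""
    return req.source_ip.startswith("10.0.")


def zero_trust_gateway(req: Request, now: datetime = NOW) -> bool:
    """'Never trust, always verify': authenticate and authorize each request.
    The source address is logged but never used in the decision."""
    user, reason = None, "denied: no valid session"
    session = SESSIONS.get(req.token)
    if session:
        user, expiry = session
        if expiry <= now:
            reason = "denied: session expired"
        else:
            perms = set().union(*(ROLES[r] for r in USERS.get(user, ())))
            target = f"{req.resource}:{req.action}"
            reason = "allowed" if target in perms else "denied: not permitted"
    AUDIT_LOG.append({"user": user, "src": req.source_ip,
                      "target": f"{req.resource}:{req.action}", "decision": reason})
    return reason == "allowed"
```

Running the same unauthenticated LAN request through both functions shows the difference: the perimeter check allows it on location alone, while the Zero Trust gateway denies it and records why.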
Google provides extensive documentation for those wanting to emulate BeyondCorp, which sets an industry standard for Zero Trust. However, most companies find Google’s approach to be interesting in theory, but impossible in practice. (Its implementation essentially required a rip-and-replace of Google’s existing network components and global architecture.) Instead, companies must rely on a combination of third-party services to implement Zero Trust architecture across their infrastructure.
4 Barriers to Implementing Zero Trust Network Access (ZTNA)
Even with third-party services, many businesses still struggle to successfully implement Zero Trust Network Access (ZTNA). According to a report by Cybersecurity Insiders, only 15% of companies already have a Zero Trust strategy in place, while another 63% intend to develop one in the near future. Similarly, in a survey conducted in 2019, only 16% of physical data centers had implemented a Zero Trust architecture.
A number of practical barriers have slowed and impeded the adoption of Zero Trust in many organizations, such as the complexity of infrastructure, the lack of a single tool for Zero Trust, the cost and effort involved in adoption, and the mindset adjustment that it requires.
1. Complex Infrastructure and Hybrid Environments
Modern companies have highly complex and distributed infrastructures. IT leaders face the challenge of creating a Zero Trust strategy that accounts for an environment that may have hundreds of different databases, servers, proxies, internal applications, and third-party SaaS applications. To further complicate matters, each of these may run in multiple different physical and cloud datacenters, each with its own network and access policies.
Additional challenges arise with legacy systems and third-party applications. Organizations often cannot configure legacy or third-party applications in a way that conforms with a Zero Trust model without rebuilding them. Administrators often have to create their own frameworks and infrastructure to support them.
For many organizations, bringing a network to a level that conforms with Zero Trust protocols requires a large number of custom configurations and time-intensive development projects. This burden may drive organizations to take shortcuts that are not scalable or secure.
2. Trying to Operationalize Zero Trust with a Hodgepodge of Tools
To build infrastructure to support a Zero Trust model in such an organization, you’d have to implement a number of different micro-segmentation tools, software-defined perimeter tools, and identity-aware proxies. This set of tools may include VPNs, multi-factor authentication (MFA), device approval, intrusion prevention systems (IPS), single sign-on (SSO) solutions, and more.
However, many of these systems are specific to cloud providers, operating systems, and devices. Many organizations do not support one homogenous set of devices, but instead run in multiple clouds and physical data centers, have users on both Mac and Windows, servers running perhaps multiple Linux distributions or Windows Server versions, and support all sorts of different network-connected devices.
Vendors for these tools often require organizations to buy redundant technologies to support all of these environments. These vendors may also add unnecessary complexity by focusing on the network layer rather than placing controls near users and applications.
3. Cost and Effort
Ultimately, to build a Zero Trust framework that approaches the feature set of BeyondCorp and is also tailored to your specific environment, you will need to build a lot of infrastructure from scratch. This means a long-term, multi-phase process that requires significant resources and time. In fact, it took Google about eight years to build BeyondCorp.
Even after project development, organizations need to put aside resources for ongoing maintenance. For instance, micro-segmentation requires regularly updating IP data and configuring and verifying changes to minimize access for users. Further, as administrators introduce new systems and applications into the network, they must add them in such a way that conforms to the Zero Trust protocols, often requiring additional framework development.
4. Adjusting Mindsets
Building a Zero Trust model in a large organization requires buy-in from key stakeholders to ensure proper planning, training, and implementation. The project touches nearly everyone in the organization, so managers and leaders all must agree on the plan. With many organizations slow to implement such change, the politics of this alone can add a lot of strain on the successful performance of the project.
Implement a Zero Trust Architecture (ZTA)
An effectively implemented Zero Trust model should go beyond security. It should also help the business operate more effectively by providing secure, granular access for everyone while:
- Decreasing infrastructure complexity
- Working in hybrid physical and cloud environments
- Working with a variety of different devices and in different physical locations
- Complying with internal and regulatory standards
strongDM, a Zero Trust as a service solution, simplifies the implementation of Zero Trust in your infrastructure by providing:
- A single Zero Trust tool for all of your infrastructure: strongDM integrates out of the box with any identity provider via the OpenID Connect (OIDC) protocol to secure access to any server, database, or other firewalled resource, regardless of where it is hosted. You don't have to worry about complex configuration of access controls or about using a range of micro-segmentation tools to authenticate users. From a central control plane, admins can view all connected resources, all active users, and all user permissions.
- Segmentation: strongDM's architecture creates a software-defined network (SDN) that proxies client traffic through a centralized gateway to monitor and manage access to your resources. Because backend systems only process traffic from the gateway, their network topology and configuration can be greatly simplified, and access logic can be implemented and managed in a single location.
- Access control: strongDM allows admins to create roles, each a collection of permissions, and assign them to groups of users. Admins can therefore manage access control at a higher level of abstraction and easily assign permissions across different subsets of users. The underlying configuration and network changes are handled automatically and deployed across the network. In addition to ensuring proper Zero Trust infrastructure, this makes it very easy to onboard and offboard employees, contractors, and vendors: administrators simply link the person's identity account and assign the appropriate roles, and the backend registrations and access controls are set automatically.
- Visibility: By centralizing logic in a control plane, strongDM allows administrators to easily audit usage. This greatly simplifies the process and reduces the possibility of human error.
Implementing Zero Trust Model in Your Organization
It does not have to be hard to implement a Zero Trust model in your organization. strongDM provides Zero Trust as a service to make it easy for organizations of any size to implement a Zero Trust infrastructure. Try strongDM for 14 days to see how a Zero Trust model can make your business more secure and efficient.