Zero trust network architecture best practices

Zero trust helps organizations secure their company resources, even from outside the network perimeter. Learn what zero trust is, why your organization needs it and about Zero Trust Network Access.

March 15, 2024 by Hannah Hamilton


Historically, security teams have defended company resources by relying on a physical network perimeter. You go to the office, your device connects to the local network and you do your work — IT and security teams defend that local network.

As work became more mobile, this strategy stopped working as well. Employees were working on the go, outside this physical perimeter. Companies implemented Virtual Private Networks (VPNs) so remote workers could tunnel into the company’s local network from wherever they happened to be. And this does get the job done. But it also means that a single VPN login can give a remote device full access to a company’s network, even if the device is connecting from an unsecured network, or if the login is being made by an attacker. This leaves a pretty big hole in security.

So how do you close up this hole? If instead of focusing on this perimeter, you focus on verifying the legitimacy of users, devices and resources, you’re on your way to implementing zero trust architecture.

What is zero trust?

If you log into a traditional VPN, you are likely connected to your company’s network until your computer sleeps or the VPN otherwise times out. In other words, your VPN is trusting that you are who you say you are, and therefore grants you network access until that time. It assumes nothing bad is going to happen to your device during that time.

Zero trust never trusts an access request. As the U.S. National Institute of Standards and Technology (NIST) says in its Zero Trust Architecture publication,

  • Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned).

To further summarize NIST’s guidance, the foundation of zero trust is:

  • All communication is secured, independent of network location.
  • Access to resources is granted on a per-session basis.
  • Access to resources depends on a dynamic set of behaviors or attributes (such as whether a device’s software is up to date, or whether a request is coming from an unusual location or at an unusual time).
  • The integrity and security posture of all devices and assets is monitored.
  • The network, assets and communications are monitored to improve and influence security.

Why your organization needs zero trust

As hinted at earlier, zero trust is a more effective way to secure your company data in a world where users aren’t always working in the office. Granting trust to a device or a user is risky, especially in a relentless cybersecurity landscape where bad actors are constantly attacking systems. And they only need to be successful once to wreak havoc on your data.

That’s exactly why zero trust is necessary. Every access request could potentially be an attacker, so it’s best to verify that the user and the device are legitimate — every time. This is at the heart of zero trust.

Implementing zero trust architecture

Assessing your current security posture

You may already have policies and procedures that align with zero trust, and it’s common to operate both zero trust and perimeter-based models at the same time while transitioning. Migrating to zero trust starts with understanding your security posture. That means cataloging your:

  • Users
  • Assets
  • Work and data flows
  • Business processes

… and how these all relate together. Knowing this, you are better equipped to perform a risk assessment. We won’t go into detail in this blog, but check out our e-book to learn more.

Choosing the right zero trust solutions

Once you’ve gotten a solid grasp on your business processes, you can start looking for solutions. NIST brings up these questions for consideration:

  • Does the solution need to be installed onto a device, and how does this affect devices that are not enterprise owned?
  • Does the solution work for resources that are fully on premises?
  • Does the solution allow for logging and analysis?
  • Does the solution support the necessary applications, services and protocols?

Upon answering these, it’s easier to choose the right solutions for your organization.

Zero Trust Network Access

One implementation of zero trust architecture is Zero Trust Network Access (ZTNA). ZTNA defines how devices and users connect to company resources by using context-aware policies. These policies could be:

  • If the device is on an encrypted connection
  • If the user’s identity is verified (usually enforcing multifactor authentication (MFA))
  • If the device is within compliance

There are also things ZTNA deliberately ignores. It still enforces these policies regardless of:

  • Whether a device is company- or personally-owned
  • Whether a device is within a company’s network perimeter
  • Whether the user authenticates successfully (i.e., types in the right password), if the device and user don’t meet the other requirements

Instead of granting broad network access like a traditional VPN, ZTNA works on a per-app basis with least-privilege access policies. Access to each app has to be granted individually, meaning the device and user have to meet the ZTNA requirements every time. This per-app design means ZTNA tunnels separately into each app, segmenting that connection from other parts of the network. This significantly lowers the risk of lateral movement.
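To make the per-app, context-aware decision concrete, here is a small policy decision point written for this post (it is an added example, not code from any ZTNA product). It evaluates the checks listed above plus the dynamic attributes from the NIST tenets earlier (an unusual location or time forces MFA), and it never consults device ownership or whether the request came from the corporate LAN. The app names, roles and request fields are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Per-app, least-privilege policy: which roles may reach each app and whether
# MFA is always required for it. Constructed sample data for this example.
APP_POLICIES = {
    "payroll": {"roles": {"finance"}, "mfa_required": True},
    "wiki": {"roles": {"finance", "engineering"}, "mfa_required": False},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    app: str
    identity_verified: bool       # identity provider authenticated the user
    mfa_passed: bool
    connection_encrypted: bool    # request arrived over TLS / a tunnel
    device_compliant: bool        # e.g. OS patched, disk encrypted
    risk_signals: tuple = ()      # dynamic context, e.g. ("unusual_location",)
    # Context a ZTNA policy deliberately does NOT treat as a source of trust:
    corporate_owned: bool = False
    on_corporate_lan: bool = False


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, deny_reasons) for one request to one app.
    Every call is a fresh decision; nothing is remembered from an earlier
    approval, so a device that drifts out of compliance is denied next time."""
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return False, ["unknown app"]
    reasons = []
    if not req.connection_encrypted:
        reasons.append("connection not encrypted")
    if not req.identity_verified:
        reasons.append("identity not verified")
    # MFA is mandatory if the app demands it OR a risk signal is present,
    # so an unusual location or time steps up the authentication requirement.
    if (policy["mfa_required"] or req.risk_signals) and not req.mfa_passed:
        reasons.append("MFA required")
    if not req.device_compliant:
        reasons.append("device out of compliance")
    if req.role not in policy["roles"]:
        reasons.append("role not authorised for app")
    # corporate_owned and on_corporate_lan are never read: a correct password
    # on a corporate device inside the office still fails if any check failed.
    return not reasons, reasons
```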

ZTNA goes beyond monitoring a device’s health and choosing whether or not to grant access. It can also deploy remediation workflows to help devices get back into compliance. This helps get devices back into working order while reducing the interruption to users.

Want to learn more about ZTNA?

Start with our e-book, Best Practices: ZTNA Basics.