What is Zero Trust? And Zero Trust Network Access

What is Zero Trust?

There are many definitions, sometimes conflicting, of Zero Trust. Put simply, Zero-Trust security is exactly what it sounds like: it’s a policy of maintaining zero trust toward all users, providers and network traffic—even those inside the network.

It’s not, however, a set of specific tools or a type of security technology. It is a cybersecurity strategy—a mindset that serves as the foundation of modern security. Under Zero-Trust policies, you take network breach as a given and assume that all activity is malicious. Zero Trust asks: how do I best protect my assets if I can’t trust the network itself?

Zero Trust operates under the guiding principle “never trust, always verify.” All users, platform providers and network traffic are treated as potential threats, so additional measures are needed to mitigate risk.

Simply put, Zero Trust means that only the content creator and authorized recipient have access to the sensitive content.

What is the history of zero trust security?

The term ‘zero trust’ was coined by an analyst at Forrester Research Inc. in 2010 when the model for the concept was first presented. A few years later, Google announced that they had implemented zero trust security in their network, which led to a growing interest in adoption within the tech community. In 2019, Gartner, a global research and advisory firm, listed zero trust security access as a core component of secure access service edge (SASE) solutions.

Zero Trust Network Access (ZTNA) is a category of technologies that provides secure remote access to applications and services based on defined access control policies. Unlike VPNs, which grant complete access to a LAN, ZTNA solutions default to deny, providing only the access to services the user has been explicitly granted. It is important to understand the security gaps and benefits ZTNA solutions can provide organizations as more remote users join the network.

How ZTNA works

With ZTNA, access is established after the user has been authenticated to the ZTNA service. The ZTNA service then provisions access to the application on the user’s behalf through a secure, encrypted tunnel. This provides an added layer of protection for corporate applications and services by shielding otherwise publicly visible IP addresses. 

Like Software Defined Perimeters (SDP), ZTNA leverages the concept of a dark cloud, preventing users from seeing any applications and services that they don’t have permission to access. This introduces protection against lateral attacker movement, where a compromised endpoint or credentials would otherwise permit scanning and pivoting to other services. 

Why do security teams need to consider zero trust now?

Zero trust has steadily grown more popular in recent years. However, the disruptions resulting from the COVID-19 pandemic have accelerated interest in how organizations can build resiliency after a major disruption.

Like in most other years, security and risk leaders entered the new decade with rather sophisticated plans for maturing their digital risk management practices. The initial outbreak of COVID-19, however, shifted the focus of security teams to more tactical needs, such as enabling remote workers, securing changes in operations to sustain business functions or to take advantage of new opportunities, re-assessing third-party and supply chain risks, accelerating onboarding and more. Budgets were slashed or frozen, long lists of pending projects were initially whittled down, but then rapidly accelerated. Teams are now faced with securing new digital initiatives that don’t necessary fit neatly into complex, incumbent security and risk regimes.

Zero trust offers a basis for expedient and vetted approach for organizations struggling to keep up with the pace of digital transformation.