Zero-trust networking is a security model that establishes trust through continuous authentication, authorization and monitoring of every network access attempt, regardless of where the request originates. It differs from the traditional model, which assumes that anything already inside the corporate network can be trusted.
The benefits of a zero-trust network include:
A zero-trust network depends less on specific hardware than on new approaches to security, and these can be incorporated into existing infrastructure using the following process:
Take an inventory of assets and assess the value and vulnerability of each, including proprietary data and intellectual property.
Intrusions are often initiated from a device that has been spoofed or compromised. To maintain zero trust, both users and devices must prove they are who or what they claim to be. This verification can be supported through multi-factor authentication for users, hardware-backed device identity for managed devices (for example a device certificate whose private key is held in a TPM or secure element), and behavior analytics for connected IoT devices that cannot run an agent.
Define who may access each asset, when they should access it, and how and why access should be granted as part of the normal course of business.
Use the assessment results to define authentication and authorization policies that take into account metadata such as device, location, network origin and time, as well as contextual signals such as recent activity and whether multi-factor authentication (MFA) was completed. Automate enforcement with Layer 7 firewalls or other policy enforcement points that evaluate these attributes on every request rather than once at login.
Like threat modeling, a zero-trust rollout requires testing to confirm that the impact on productivity is minimal and that the threats it was designed against are actually blocked. After deployment, security teams must monitor device and user behavior continuously, detect anomalies that may indicate a new intrusion, and adapt policies proactively to block attackers.
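The process above ends in policies that combine identity, device posture and context, and a per-request decision that enforces them. The following is an added example written for this page (not code from the original article or from any vendor's product): a minimal policy decision point that grants access only when a policy matches exactly the requested resource and action and every contextual check on that policy holds. The request fields, the policy format and all thresholds (MFA freshness, allowed countries, working hours, failure counts) are assumptions chosen for illustration. It also shows the least-privilege and granular-enforcement ideas discussed later on this page: grants are scoped to one resource and action, and every request is evaluated on its own.

```python
# Added example for this page (not from the original article or any vendor product):
# a minimal zero-trust policy decision point. Request fields, the policy format and
# every threshold below are assumptions chosen for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Request:
    """One access attempt with the identity, device and context attributes the text lists."""
    user: str
    roles: set
    resource: str
    action: str
    device_compliant: bool   # posture attestation from a management agent (assumed)
    mfa_age_minutes: float   # minutes since the user last completed an MFA challenge
    country: str             # geolocation of the request origin
    when: datetime           # timestamp of the request (UTC)
    recent_failures: int     # failed attempts by this user in the last hour (assumed from logs)


@dataclass
class Policy:
    """A grant for exactly one resource and action; anything not granted is denied."""
    resource: str
    action: str
    roles: set
    max_mfa_age_minutes: float = 60
    allowed_countries: set = field(default_factory=lambda: {"US"})
    hours_utc: tuple = (0, 24)          # half-open [start, end) hour window
    max_recent_failures: int = 3


def evaluate(req: Request, policies) -> tuple:
    """Return ("allow"|"deny", reasons). Default deny: the request passes only if some
    policy grants this resource and action AND every contextual check on that policy holds."""
    reasons = []
    for p in policies:
        if (p.resource, p.action) != (req.resource, req.action):
            continue
        checks = {
            "role": bool(p.roles & req.roles),
            "device_compliant": req.device_compliant,
            "mfa_fresh": req.mfa_age_minutes <= p.max_mfa_age_minutes,
            "location": req.country in p.allowed_countries,
            "time_window": p.hours_utc[0] <= req.when.hour < p.hours_utc[1],
            "recent_activity": req.recent_failures <= p.max_recent_failures,
        }
        failed = [name for name, ok in checks.items() if not ok]
        if not failed:
            return "allow", [f"granted by policy {p.resource}:{p.action}"]
        reasons.append(f"policy {p.resource}:{p.action} failed {failed}")
    return "deny", reasons or ["no policy grants this resource and action"]


# Constructed sample policies: payroll is tightly scoped, the wiki is looser.
POLICIES = [
    Policy("payroll-db", "read", {"hr"}, max_mfa_age_minutes=15, hours_utc=(8, 18)),
    Policy("wiki", "read", {"hr", "eng"}, max_mfa_age_minutes=480,
           allowed_countries={"US", "DE"}),
]

NOON = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Evaluate constructed requests and return {scenario: decision}."""
    base = dict(user="alice", roles={"hr"}, device_compliant=True,
                mfa_age_minutes=5, country="US", when=NOON, recent_failures=0)
    scenarios = {
        "compliant_hr_read_payroll": Request(resource="payroll-db", action="read", **base),
        "stale_mfa": Request(resource="payroll-db", action="read",
                             **{**base, "mfa_age_minutes": 90}),
        "unmanaged_device": Request(resource="payroll-db", action="read",
                                    **{**base, "device_compliant": False}),
        "after_hours": Request(resource="payroll-db", action="read",
                               **{**base, "when": NOON.replace(hour=23)}),
        "write_not_granted": Request(resource="payroll-db", action="write", **base),
        "wiki_from_germany": Request(resource="wiki", action="read",
                                     **{**base, "country": "DE", "mfa_age_minutes": 90}),
    }
    return {name: evaluate(r, POLICIES)[0] for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28} {decision}")
```

The point to notice is that the same user on the same laptop is allowed to read payroll at noon with fresh MFA and denied an hour later once the MFA challenge has aged out, denied from an unmanaged device, and denied for a write that no policy grants; the wiki policy, being looser, still admits her from Germany with older MFA. The deny reasons are returned rather than only logged so that the monitoring step of the process has something concrete to alert on.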
Protect surface refers to the set of assets that needs to be protected: the critical data, applications, assets and services an organization most needs to defend. It is deliberately kept small, unlike the attack surface, which grows with every exposed system.
Segmentation divides a larger network into smaller protect surfaces defined by asset value, use, workflow traffic and other factors. A segmentation gateway is in effect a firewall that sits in front of a specific segment and controls the traffic allowed into and out of it.
A micro-segment is a smaller, secured area within a larger network that is protected by a micro-perimeter. Micro-segments allow granular access control to be applied to specific workflows, so that compromising one segment does not give an attacker free movement to the others.
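The value of segmentation is easiest to see as a blast-radius calculation. The following is an added example written for this page (not code from the original article or any product): a small reachability walk that compares how far an intruder can move laterally in a flat network against one split into micro-segments behind a default-deny segmentation gateway. The hosts, segments, ports and allow rules are constructed for illustration; the model assumes, worst case, that every host the attacker can connect to is compromised in turn.

```python
# Added example for this page (not from the original article): how far an intruder can
# move laterally in a flat network versus one split into micro-segments behind a
# default-deny segmentation gateway. Hosts, segments, ports and rules are constructed.
from collections import deque

# Constructed inventory: host -> micro-segment it belongs to.
HOSTS = {
    "hr-laptop": "users", "eng-laptop": "users",
    "web-1": "web", "web-2": "web",
    "app-1": "app",
    "db-1": "db",
    "printer-1": "iot",
}
PORTS = (22, 443, 445, 3389, 5432, 8443)   # ports the reachability walk probes

# Segmentation-gateway policy: (source segment, destination segment, destination port)
# tuples that are permitted. Everything else, including traffic between two hosts in
# the same segment, is dropped (default deny).
MICRO_SEGMENT_RULES = {
    ("users", "web", 443),   # staff browse the web tier
    ("web", "app", 8443),    # web tier calls the app tier
    ("app", "db", 5432),     # app tier queries the database
}


def flat_rules() -> set:
    """A flat network for comparison: any segment may reach any segment on any port."""
    segments = set(HOSTS.values())
    return {(s, d, p) for s in segments for d in segments for p in PORTS}


def allowed(src_host: str, dst_host: str, port: int, rules: set) -> bool:
    """Would the gateway forward a packet from src_host to dst_host:port?"""
    return (HOSTS[src_host], HOSTS[dst_host], port) in rules


def reachable_from(start: str, rules: set) -> set:
    """Worst-case lateral movement: hosts an attacker who owns `start` can reach by
    hopping, assuming every host they can connect to is in turn compromised."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for dst in HOSTS:
            if dst not in seen and any(allowed(cur, dst, p, rules) for p in PORTS):
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def blast_radius(start: str) -> dict:
    """Compare how many hosts fall from `start` under each design."""
    return {
        "flat": len(reachable_from(start, flat_rules())),
        "micro_segmented": len(reachable_from(start, MICRO_SEGMENT_RULES)),
    }


if __name__ == "__main__":
    for host in ("printer-1", "hr-laptop", "db-1"):
        print(host, blast_radius(host), sorted(reachable_from(host, MICRO_SEGMENT_RULES)))
```

In the flat design every host reaches all six others. With micro-segments a compromised printer or database reaches nothing, because no rule lets their segments initiate traffic, and a phished HR laptop can still chain through the permitted path to the web, app and database tiers but cannot touch the other laptop or the printer. Two details matter in practice: rules are directional, so the database cannot call back into the app tier, and hosts inside the same micro-segment cannot talk to each other unless a rule says so.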
A Layer 7 (application-layer) firewall, often sold as a next-generation firewall, inspects packet payloads rather than only IP headers and ports, so that access policy can be based on the application, the user and the content of the traffic instead of on addresses alone.
Multi-factor authentication is a core principle of zero-trust networks. Virtually all zero-trust authentication is multi-factor: access to a network resource requires two or more independent factors (something the user knows, has, or is). Contextual attributes such as device posture or location strengthen the decision but do not by themselves count as factors.
SMS authentication is one of the most widely used additional factors today, particularly among e-commerce and social media services: users receive a one-time code by text message and present it to the network or service to prove their identity. It is also the weakest of the common second factors, since codes can be captured through SIM swapping, telephony-network interception or phishing. NIST SP 800-63B treats SMS delivery as a restricted authenticator, and phishing-resistant factors such as FIDO2/WebAuthn security keys should be preferred where they can be deployed.
Least privilege access refers to the practice of limiting even trusted users to only the specific applications, services and data they currently need, and for no longer than they need them.
In a zero-trust environment, security is provided by default through rules and policies that are written and enforced in software. The elements of a zero-trust environment, the segments and perimeters within larger environments, are themselves defined by software.
As with software-defined network infrastructure, software-defined security rules allow more control, better visibility, and more opportunities for automation.
Granular enforcement is another term for what zero trust accomplishes: authentication and authorization decisions made per request, for very specific actions on specific resources, rather than once at the network edge.