What Is Zero Trust Architecture?
Zero trust architecture is a security architecture built to reduce a network's attack surface, prevent lateral movement of threats, and lower the risk of a data breach based on the core tenets of the zero trust security model. Such a model puts aside the traditional "network perimeter"—inside of which all devices and users are trusted and given broad permissions—in favor of least-privilege access controls, granular microsegmentation, and multifactor authentication (MFA).
Zero Trust Architecture and Zero Trust Network Access—What’s the Difference?
Before we examine zero trust architecture in more detail, let's distinguish between these two interrelated terms:
A zero trust architecture (ZTA) is a design that supports zero trust principles, such as airtight access management, strict device and user authentication, and strong segmentation. It’s distinct from, and in many ways designed to replace, a “castle and moat” architecture, which trusts anything inside by default.
Zero trust network access (ZTNA) is a zero trust use case that offers users secure access to applications and data when the users, apps, or data may not be inside a traditional security perimeter, which has become increasingly common in the age of the cloud and hybrid work.
To put the two together, a zero trust architecture provides the foundation organizations need to deliver ZTNA and make their systems, services, APIs, data, and processes accessible from anywhere, at any time, and from any device.
Understanding the Need for Zero Trust Architecture
For the last three decades or so, organizations have been building and reconfiguring complex, wide-area hub-and-spoke networks. In such an environment, users and branches connect to the data center by way of private connections. To access applications they need, the users have to be on the network.
Hub-and-spoke networks are secured with stacks of appliances such as VPNs and firewalls, using an architecture known as castle-and-moat network security. This approach served organizations well when their applications resided in their data centers, but now—with the rise of cloud services, emerging technologies, and rising security concerns—it’s slowing them down.
Today, organizations are driving digital transformation. They’re embracing the cloud, mobility, AI, the internet of things (IoT), and operational technology (OT) to become more agile and competitive. Users are everywhere, and organizations’ data no longer sits exclusively in their data centers. To collaborate and stay productive, users want direct access to apps from anywhere, at any time.
Routing traffic back to the data center to securely reach applications in the cloud doesn’t make sense anymore. That’s why organizations are moving away from the hub-and-spoke network model in favor of one that offers direct connectivity to the cloud: a zero trust architecture.
This video gives a simple yet detailed rundown of secure digital transformation.
How Zero Trust Architecture Works
Zero trust begins with the assumption that everything on the network is hostile or compromised, and access to an application is only granted after user identity, device posture, and business context have been verified and policy checks enforced. In this model, all traffic must be logged and inspected – requiring a degree of visibility that traditional security controls can’t achieve.
A true zero trust approach minimizes your organization’s attack surface, prevents lateral movement of threats, and lowers the risk of a breach. It’s best implemented with a proxy-based architecture that connects users directly to applications instead of the network, enabling further controls to be applied before connections are permitted or blocked.
To ensure no implicit trust is ever granted, a successful zero trust architecture subjects every connection to a series of controls before establishing a connection. This is a three-step process:
Verify identity and context. Once the user/device, workload, or IoT/OT device requests a connection, irrespective of the underlying network, the zero trust architecture first terminates the connection and verifies identity and context by understanding the “who, what, and where” of the request.
Control risk. Once the identity and context of the requesting entity are verified and segmentation rules are applied, the zero trust architecture evaluates the risk associated with the connection request and inspects the traffic for cyberthreats and sensitive data.
Enforce policy. Finally, a risk score is computed for the user, workload, or device to determine whether it’s allowed or restricted. If the entity is allowed, the zero trust architecture establishes a secure connection to the internet, SaaS app, or IaaS/PaaS environment.
Watch a detailed rundown of the essentials of successful zero trust architecture with Nathan Howe, VP of Emerging Technologies at Zscaler.
Benefits of Zero Trust Architecture
A zero trust architecture provides the precise, contextual user access you need to run at the speed of modern business while protecting your users and data from malware and other cyberattacks. As the bedrock of ZTNA, an effective zero trust architecture helps you:
Grant safe, fast access to data and applications for remote workers, including employees and partners, wherever they are, improving the user experience
Provide reliable remote access as well as manage and enforce security policy more easily and consistently than you can with legacy technology like VPNs
Protect sensitive data and apps—on-premises or in a cloud environment, in transit or at rest—with tight security controls, including encryption, authentication, health checks, and more
Stop insider threats by no longer granting default, implicit trust to any user or device inside your network perimeter
Restrict lateral movement with granular access policies down to the resource level, reducing the likelihood of a breach
Detect, respond to, and recover from successful breaches more quickly and effectively to mitigate their impact
Gain deeper visibility into the what, when, how, and where of users’ and entities’ activities with detailed monitoring and logging of sessions and actions taken
Assess your risk in real time with detailed authentication logs, device and resource health checks, user and entity behavior analytics, and more
(Adapted from “Implementing a Zero Trust Architecture,” a National Institute of Standards and Technology [NIST] Special Publication)
One True Zero Trust Architecture: The Zscaler Zero Trust Exchange
The Zscaler Zero Trust Exchange™ is an integrated, cloud native platform founded on the principle of least-privileged access and the idea that no user, workload, or device is inherently trustworthy. Instead, the platform grants access based on identity and context such as device type, location, application and content to broker a secure connection between a user, workload, or device—over any network, from anywhere, based on business policy.
The Zero Trust Exchange helps your organization:
Eliminate the internet attack surface and lateral movement of threats. User traffic never touches your network. Instead, users connect directly to applications through one-to-one encrypted tunnels, preventing discovery and targeted attacks.
Improve the user experience. Unlike static, legacy network architectures with a “front door” that backhauls data to processing centers, the Zero Trust Exchange intelligently manages and optimizes direct connections to any cloud or internet destination and enforces adaptive policies and protections inline at the edge, as close to the user as possible.
Seamlessly integratewith leading cloud, identity, endpoint protection, and SecOps providers. Our holistic platform combines core security functions (e.g., SWG, DLP, CASB, firewall, sandboxing) with emerging technologies like browser isolation, digital experience monitoring, and ZTNA for a full-featured cloud security stack.
Reduce costs and complexity. The Zero Trust Exchange is simple to deploy and manage, with no need for VPNs or complex network perimeter firewall policies.
Deliver consistent security at scale. Zscaler operates the world’s largest security cloud, distributed across more than 150 data centers worldwide, processing more than 240 billion transactions at peak periods and preventing 8.4 billion threats every day.