What Is Zero Trust Architecture?

Zero Trust Architecture and Zero Trust Network Access—What’s the Difference?

Before we examine zero trust architecture in more detail, let's distinguish between these two interrelated terms:

• A zero trust architecture (ZTA) is a design that supports zero trust principles, such as airtight access management, strict device and user authentication, and strong segmentation. It’s distinct from a “castle and moat” architecture, which trusts anything inside by default.
• Zero trust network access (ZTNA) is a zero trust use case that offers users secure access to applications and data when the users, apps, or data may not be inside a traditional security perimeter, which has become common in the age of the cloud and hybrid work.

Putting the two together, a zero trust architecture provides the foundation for organizations to deliver ZTNA and make their systems, services, APIs, data, and processes accessible from anywhere, at any time, from any device.

Understanding the Need for Zero Trust Architecture

For decades, organizations built and reconfigured complex, wide-area hub-and-spoke networks. In these environments, users and branches connect to the data center by way of private connections. To access applications they need, the users have to be on the network. Hub-and-spoke networks are secured with stacks of appliances such as VPNs and “next-generation” firewalls, using an architecture known as castle-and-moat network security.

This approach served organizations well when their applications resided in their data centers, but now—amid the growing popularity of cloud services and rising data security concerns—it’s slowing them down.

Today, digital transformation is accelerating as organizations embrace the cloud, mobility, AI, the internet of things (IoT), and operational technology (OT) to become more agile and competitive. Users are everywhere, and organizations’ data no longer sits exclusively in their data centers. To collaborate and stay productive, users want direct access to apps from anywhere, at any time.

Routing traffic back to the data center to securely reach applications in the cloud doesn’t make sense. That’s why organizations are moving away from the hub-and-spoke network model in favor of one that offers direct connectivity to the cloud: a zero trust architecture.

This video gives a concise rundown of secure digital transformation.

Watch

What Are the Core Principles of Zero Trust?

Zero trust is more than the sum of user identity, segmentation, and secure access. It's a security strategy upon which to build a complete security ecosystem. At its core are three tenets:

1. Terminate every connection: Unlike the passthrough inspection techniques common to legacy technologies (e.g., firewalls), an effective zero trust architecture terminates every connection to allow an inline proxy architecture to inspect all traffic, including encrypted traffic, in real time—before it reaches its destination.
2. Protect data using granular context-based policies: Zero trust policies verify access requests and rights based on context, including user identity, device, location, type of content, and the application being requested. Policies are adaptive, so validation and user access privileges are continually reassessed as context changes.
3. Reduce risk by eliminating the attack surface: With a zero trust approach, users connect directly to apps and resources, never to networks (see ZTNA). Direct connections eliminate the risk of lateral movement and prevent compromised devices from infecting other resources. Plus, users and apps are invisible to the internet, so they can’t be discovered or attacked.

What Are the 5 Pillars of Zero Trust Architecture?

The five “pillars” of zero trust were first laid out by the US Cybersecurity and Infrastructure Security Agency (CISA) to guide the key zero trust capabilities government agencies (and other organizations) should pursue as in their zero trust strategies.

The five pillars are:

• Identity—moving to a least-privileged access approach to identity management.
• Devices—ensuring the integrity of the devices used access services and data.
• Networks—aligning network segmentation and protections according to the needs of their application workflows instead of the implicit trust inherent in traditional network segmentation.
• Applications and workloads—integrating protections more closely with application workflows, giving access to applications based on identity, device compliance, and other attributes.
• Data—shifting to a data-centric approach to cybersecurity, starting with identifying, categorizing, and inventorying data assets.

Each capability can progress at its own pace and may be further along than others, and at some point, cross-pillar coordination (emphasizing interoperability and dependencies) is needed to ensure compatibility. This allows for a gradual evolution to zero trust, distributing costs and effort over time.

How Does Zero Trust Architecture Work?

Based on a simple ideal—never trust, always verify—zero trust begins with the assumption that everything on the network is hostile or compromised, and access is only granted after user identity, device posture, and business context have been verified and policy checks enforced. All traffic must be logged and inspected, requiring a degree of visibility traditional security controls can’t achieve.

A true zero trust approach is best implemented with a proxy-based architecture that connects users directly to applications instead of the network, enabling further controls to be applied before connections are permitted or blocked.

Before establishing a connection, a zero trust architecture subjects every connection to a three-step process:

1. Verify identity and context. Once the user/device, workload, or IoT/OT device requests a connection, irrespective of the underlying network, the zero trust architecture first terminates the connection and verifies identity and context by understanding the “who, what, and where” of the request.
2. Control risk. Once the identity and context of the requesting entity are verified and segmentation rules are applied, the zero trust architecture evaluates the risk associated with the connection request and inspects the traffic for cyberthreats and sensitive data.
3. Enforce policy. Finally, a risk score is computed for the user, workload, or device to determine whether it’s allowed or restricted. If the entity is allowed, the zero trust architecture establishes a secure connection to the internet, SaaS app, or IaaS/PaaS environment.

Benefits of Zero Trust Architecture

A zero trust architecture provides the precise, contextual user access you need to run at the speed of modern business while protecting your users and data from malware and other cyberattacks. As the bedrock of ZTNA, an effective zero trust architecture helps you:

• Grant safe, fast access to data and applications for remote workers, including employees and partners, wherever they are, improving the user experience
• Provide reliable remote access as well as manage and enforce security policy more easily and consistently than you can with legacy technology like VPNs
• Protect sensitive data and apps—on-premises or in a cloud environment, in transit or at rest—with tight security controls, including encryption, authentication, health checks, and more
• Stop insider threats by no longer granting default, implicit trust to any user or device inside your network perimeter
• Restrict lateral movement with granular access policies down to the resource level, reducing the likelihood of a breach
• Detect, respond to, and recover from successful breaches more quickly and effectively to mitigate their impact
• Gain deeper visibility into the what, when, how, and where of users’ and entities’ activities with detailed monitoring and logging of sessions and actions taken
• Assess your risk in real time with detailed authentication logs, device and resource health checks, user and entity behavior analytics, and more

(Adapted from “Implementing a Zero Trust Architecture,” a National Institute of Standards and Technology [NIST] Special Publication)

How Does Zero Trust Architecture Outperform Traditional Security Models?

Zero trust architecture surpasses traditional security models because of its proactive, adaptive, and data-centric approach. Traditional models rely on perimeter defenses, while zero trust acknowledges that threats can come from inside the network as well as outside, and continuously validates the identity and security posture of users and devices.

By enforcing granular least-privileged access controls, zero trust grants users and devices only the minimum access necessary. Continuous monitoring, MFA, and behavioral analytics detect threats in real time, before they can become successful attacks. Its adaptability makes zero trust more agile, in turn making it better suited than traditional models to secure the massive attack surfaces and novel vulnerabilities inherent to today’s remote work and cloud-driven world.

Critically, zero trust focuses on protecting the data, not the network, securing data wherever it lives or flows—in the network, in the cloud, on remote devices, or in the cloud.

One True Zero Trust Architecture: The Zscaler Zero Trust Exchange

The Zscaler Zero Trust Exchange™ is an integrated, cloud native platform founded on the principle of least-privileged access and the idea that no user, workload, or device is inherently trustworthy. Instead, the platform grants access based on identity and context such as device type, location, application and content to broker a secure connection between a user, workload, or device—over any network, from anywhere, based on business policy.

The Zero Trust Exchange helps your organization:

• Eliminate the internet attack surface and lateral movement of threats. User traffic never touches your network. Instead, users connect directly to applications through one-to-one encrypted tunnels, preventing discovery and targeted attacks.
• Improve the user experience. Unlike static, legacy network architectures with a “front door” that backhauls data to processing centers, the Zero Trust Exchange intelligently manages and optimizes direct connections to any cloud or internet destination and enforces adaptive policies and protections inline at the edge, as close to the user as possible.
• Seamlessly integrate with leading cloud, identity, endpoint protection, and SecOps providers. Our holistic platform combines core security functions (e.g., SWG, DLP, CASB, firewall, sandboxing) with emerging technologies like browser isolation, digital experience monitoring, and ZTNA for a full-featured cloud security stack.
• Reduce costs and complexity. The Zero Trust Exchange is simple to deploy and manage, with no need for VPNs or complex network perimeter firewall policies.
• Deliver consistent security at scale. Zscaler operates the world’s largest security cloud, distributed across more than 150 data centers worldwide, processing more than 240 billion transactions at peak periods and preventing 8.4 billion threats every day.