Zero Trust Architecture: In Brief


The Zero Trust security model is a decades-old concept, popularized by John Kindervag’s seminal 2010 Forrester paper ‘Build Security Into Your Network’s DNA: The Zero Trust Network Architecture’.

It defines an environment with no implicitly trusted devices, networks, or users. Earlier models defined a perimeter, where firewalls, intrusion prevention systems, and other security controls separated the enterprise network (where everything inside was trusted) from the Internet and business partners (where nothing was).

So, what is it? 

The Zero Trust security model merges networking and security through a holistic approach that assumes assets, users, and resources need protection from each other – not just from the outside. It is a set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on protecting data.  

A Zero Trust Architecture (ZTA) uses these principles to plan industrial and enterprise infrastructure and workflows. It assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or asset ownership (enterprise or personally owned). Authentication and authorization (both user and device) are discrete functions performed before a connection to an enterprise resource is established. 

Zero Trust responds to enterprise network trends that include remote users, bring-your-own-device (BYOD), and cloud-based assets not located within an enterprise-owned network boundary. Zero Trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component of the security posture of the resource.  
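The per-session decision described above, shown as an added example that is not part of the original article or of NIST SP 800-207: a minimal Python policy decision point that evaluates every request on the subject's identity, second factor, device identity and posture, and role, and never on source address, placed beside the perimeter rule it replaces. It also covers the headless devices the article mentions later (sensors and PLCs that present a certificate-bound device identity instead of a user login). The resources, roles, device identifiers, address ranges, and sample requests are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    """Who is asking: an interactive user or a headless device."""
    ident: str
    kind: str                          # "user" or "device"
    roles: FrozenSet[str] = frozenset()
    mfa: bool = False                  # user completed a second factor
    device_id: Optional[str] = None    # certificate-bound device identity
    posture_ok: bool = False           # device posture / attestation passed


@dataclass(frozen=True)
class Request:
    subject: Subject
    resource: str
    action: str
    source_ip: str   # kept for audit only; the Zero Trust decision never reads it


# Constructed policy table (hypothetical resources and roles).
POLICY = {
    "payroll-db": {"roles": {"finance"}, "needs_mfa": True, "needs_posture": True},
    "plc-historian": {"roles": {"ot-sensor"}, "needs_mfa": False, "needs_posture": True},
}

CORP_LAN = ip_network("10.0.0.0/8")   # the old "inside" (constructed range)


def perimeter_decide(req: Request) -> bool:
    """The castle-and-moat rule the article contrasts with: inside the LAN means trusted."""
    return ip_address(req.source_ip) in CORP_LAN


def zt_decide(req: Request) -> Tuple[bool, str]:
    """Per-request decision with no implicit trust from location; default deny."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "deny: unknown resource"
    s = req.subject
    if s.kind == "user":
        if rule["needs_mfa"] and not s.mfa:
            return False, "deny: MFA required"
    elif s.kind == "device":
        # Headless devices cannot do MFA; trust rests on a cryptographic identity.
        if s.device_id is None:
            return False, "deny: device has no cryptographic identity"
    else:
        return False, "deny: unknown subject type"
    if rule["needs_posture"] and not s.posture_ok:
        return False, "deny: device posture check failed"
    if not (s.roles & rule["roles"]):
        return False, "deny: role not authorized for resource"
    return True, f"allow: {s.ident} may {req.action} {req.resource}"


# Constructed sample requests.
INSIDER_NO_MFA = Request(
    Subject("alice", "user", frozenset({"finance"}), mfa=False, posture_ok=True),
    "payroll-db", "read", "10.1.2.3")
REMOTE_FINANCE = Request(
    Subject("alice", "user", frozenset({"finance"}), mfa=True, posture_ok=True),
    "payroll-db", "read", "203.0.113.7")
SENSOR = Request(
    Subject("plc-0042", "device", frozenset({"ot-sensor"}), device_id="cert:ab12", posture_ok=True),
    "plc-historian", "write", "10.9.0.42")
ROGUE_SENSOR = Request(
    Subject("plc-9999", "device", frozenset({"ot-sensor"}), posture_ok=True),
    "plc-historian", "write", "10.9.0.99")


def compare(req: Request) -> dict:
    """Show both models side by side for one request."""
    allowed, reason = zt_decide(req)
    return {"perimeter": perimeter_decide(req), "zero_trust": allowed, "reason": reason}


if __name__ == "__main__":
    samples = [("insider, no MFA", INSIDER_NO_MFA), ("remote, MFA + posture", REMOTE_FINANCE),
               ("sensor with cert", SENSOR), ("sensor without cert", ROGUE_SENSOR)]
    for name, req in samples:
        print(f"{name:24} {compare(req)}")
```

The two rules disagree in both directions: the perimeter model lets the on-LAN user without a second factor through and blocks the fully verified remote user, while the Zero Trust rule does the opposite. The sensor case shows the same decision logic applied to a device with no user behind it.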

It’s been around for years, so why now? What has changed?

The Internet of Things (IoT) and Operational Technology (OT) usage of IP protocols has expanded dramatically. These environments can consist of thousands to millions of devices that supply mission-specific real-time data, and most operate with no interactive user behind them, so user-centric controls such as passwords and multi-factor authentication cannot be applied to them directly; trust has to rest on the device’s own identity and posture instead. These systems are often used in physical security (cameras, keypads, etc.) or industrial controls (PLCs, SCADA systems, etc.).

Protecting these systems has become an area of national concern. The US Departments of Homeland Security and Defense (DHS and DoD) are concerned about protecting critical infrastructure. As a result, several Executive Orders have been issued concerning requirements for strengthening security. The US National Institute of Standards and Technology (NIST) developed the Framework for Cyber-Physical Systems (NIST Special Publication 1500-201) in response to these issues. 

In 2018, NIST began working in earnest to develop a formal architectural standard on Zero Trust to support these initiatives. It was published in August 2020 as Zero Trust Architecture (NIST SP 800-207). Rather than mandating specific products, it defines the logical components of a ZTA (a policy engine and policy administrator that make access decisions, and policy enforcement points that apply them to each session), deployment models, and use cases. The ZTA gives enterprises a common vocabulary for comparing vendor offerings and a set of design paradigms for protecting their environments.

What do ZTA Systems provide? 

Forrester has published a series of papers reviewing the emerging offerings and argues that enterprises need to merge their networking and security work or risk falling behind. They describe the previous model as castle and moat: security teams supplied devices to protect the enterprise castle, a perimeter-based view.

Forrester extends ZTA with the concept of a Zero Trust Edge (ZTE). A Zero Trust Edge solution securely connects and transports traffic in and out of remote sites according to Zero Trust architectural principles, leveraging mostly cloud-based security and networking services.

Potential Value to a Business: 

All enterprises are subject to regulatory and privacy oversight, and specific industries (such as utilities) are additionally subject to US Executive Orders on critical infrastructure. The Colonial Pipeline incident, which reportedly began with a legacy VPN account that was not protected by multi-factor authentication, shows the cost of trusting a connection because of where it enters the network; a ZTA approach, which authenticates and authorizes every session regardless of its origin, is designed to remove exactly that implicit trust.

As a result, systems built to the federal guidance in the Zero Trust Architecture and the Framework for Cyber-Physical Systems will provide the necessary protection and establish best practices for enterprises in their industry.

In addition, integrated ZTA/ZTE systems are typically software-defined and can replace significant amounts of existing networking and security hardware and software, so an integrated approach can also simplify management and save money over the long term. The transition still has to account for legacy OT devices that cannot run an agent or present a cryptographic identity; these usually have to be isolated behind an enforcement point rather than treated as first-class Zero Trust participants.

Call to Action: 

Executives should examine their IT, Cybersecurity, Physical Security, Compliance, and Risk teams. This examination should include an analysis of workflows and budgets, any synergies, existing incentives, and restructuring the existing silos to create a more holistic approach. Zero Trust principles should be built into the modified organization, and methods and procedures should be developed to establish a ‘Whole of Enterprise’ approach to protecting critical data. 

BlueAlly consultants have a long history of working with clients in regulated industries such as utilities, healthcare, and the financial sector. We can work with your teams to identify and mitigate the risks your Firm faces in a cost-effective and comprehensive manner. 

To learn more, contact us about the assessments we can perform to address any concerns and improve your security. 
