Coined in 2010 by Forrester Research, the term “zero trust” has long been hijacked by security vendors eager to take advantage of the hype that surrounds the concept. Today, it’s so overused and misused that many see it as a meaningless buzzword—but that’s far from the truth. In fact, its widespread misappropriation demonstrates the power of zero trust security. Why else would countless vendors try to capitalize on it? As they say, imitation is the sincerest form of flattery.

Zero trust is not a mere label. Rather, zero trust is an architecture—though you’ll also hear of a zero trust methodology, framework, paradigm, and infrastructure—and it’s based on the idea of zero implicit trust, meaning no one should be trusted by default. The key zero trust principle of least-privileged access says a user should be given access only to a specific IT resource the user is authorized to access, at the moment that user needs it, and nothing more. Hence the zero trust maxim, “never trust, always verify.”

As a networking and security strategy, zero trust stands in stark contrast to traditional, network-centric, perimeter-based architectures built with firewalls and VPNs, which involve excessive permissions and increase cyber risk. To learn about their weaknesses in more detail, you can read this ebook.

The main point is this: you cannot do zero trust with firewall- and VPN-centric architectures. Those approaches were not designed for today’s world or its sophisticated cyberthreats, and that is why zero trust is now key for cybersecurity.

So, what sets zero trust apart and makes it a good fit for modern organizations?

Key aspects of zero trust

Not all segmentation is equal

Lateral movement is a step in the attack chain that occurs when a threat makes it past an organization’s defenses and onto the network, where it moves across connected apps and expands the reach of the breach. This is an inherent weakness of perimeter-based architectures, which connect users to the network as a whole, giving them wide access to the resources therein.

The solutions to this problem are often assumed to be network segmentation and microsegmentation, whereby the network and its contents are split into smaller segments that are separated by (fire)walls. But this strategy is complex and expensive to set up and maintain, and tries to lessen a symptom of yesterday’s architectures without solving the underlying problems: the architectures themselves.

The actual solution is zero trust segmentation. A zero trust architecture connects users directly to authorized apps in a one-to-one fashion—nobody receives access to the network as a whole. As a result, the potential for lateral threat movement is eliminated, along with complexity and cost.

Secure any entity accessing any resource

Plenty of people hear “zero trust” and assume it’s the same as zero trust network access (ZTNA). But ZTNA is a specific solution, not an architecture. What ZTNA does, despite its inaccurate naming convention, is provide users with zero trust access directly to private apps hosted in data centers and private clouds—it does not give access to the network.

ZTNA is certainly a key part of any platform providing zero trust architecture, but it is not the whole story. Users access more than private applications alone. They also access the web, SaaS apps, and other IT resources across a variety of environments.

Beyond that, it’s not just users that need secure access. There are also workloads, IoT and OT devices, and B2B partners that regularly connect to IT resources. As such, having a complete zero trust architecture means securing any of these entities as they access any IT resource. This is why one will often hear the analogy of an intelligent switchboard that provides secure any-to-any connectivity in a one-to-one fashion.
 

Context, context, context

From the moment we are handed our first devices, we are conditioned to see identity authentication as the standard for cybersecurity. That typically carries through to conversations about identity and access management (IAM), where verifying user identity is seen as the ideal means of determining whether someone should be granted access to a resource. But identity alone is not enough—even if it involves consideration of user group.

There are two reasons for this. First, users’ identities can be stolen, as evinced by countless breaches involving the theft of VPN credentials. Second, users who are who they say they are can still engage in malicious or careless behavior that exposes organizations to cyberattacks and data loss.

Instead of sticking to this risky status quo, zero trust uses context to assess risk and govern access. That does include identity (which is a core part of zero trust architecture), but it goes far beyond it to consider other variables like device posture, destination and content risk, user behavior, and more. As an added point, this contextual analysis typically requires a heavy dose of AI/ML.
 

Cyberthreat and data protection

Zero trust architecture stops cyberattacks in four key ways (some of which we’ve already mentioned):

1. Zero trust eliminates firewalls, VPNs, and their public IP addresses, which are attractive targets for cyberattackers. Instead, apps are hidden behind a zero trust cloud, eliminating the attack surface. In other words, inbound connections are replaced with inside-out connections.
    
2. Zero trust prevents compromise through context-aware policies and, unlike hardware and virtual appliances, a high-performance cloud with the scalability necessary to inspect encrypted traffic (where most threats hide (but more on that below (aren’t parentheses fun?))).
    
3. Zero trust gives direct-to-app connectivity rather than network access, preventing the potential for lateral movement across resources.
    
4. Zero trust stops data loss by, once again, inspecting encrypted traffic (where most data loss occurs), and protecting all modern data leakage paths, including SaaS app sharing, removable storage on endpoints, and a lot more.

In addition to the above, a fully featured zero trust platform should provide cyberthreat protection functionality like cloud sandboxing, DNS security, browser isolation, and more. Similarly, it should provide data protection capabilities like SSPM, out-of-band CASB, EDM, and more.

Special delivery!

To dive a bit deeper into something alluded to above, zero trust is a cloud native architecture. That is, it cannot be achieved merely by deploying another appliance in a data center or private cloud. Rather, it is delivered as a service from a global, multitenant cloud that was built for the purpose of providing zero trust architecture at the edge, meaning as close to end users as possible.

Because this omnipresent cloud provides secure any-to-any connectivity along with all the security functions anyone could ask for, it’s a perfect fit for modern organizations with widely distributed cloud resources, remote workers, and data. These organizations no longer have to backhaul traffic to their data centers or maintain the same complex, inbound, and outbound stacks of security and networking appliances (whether hardware or virtual).

Additionally, unlike appliances, cloud scale means that zero trust has the performance necessary to inspect encrypted traffic. With nearly all web traffic now encrypted and 87% of cyberattacks hiding in encrypted traffic, this inspection is more important than ever.

Zero trust benefits

Reduced risk

The first and most obvious benefit of a zero trust architecture is that it systematically reduces cyber risk. Delivering zero trust segmentation from the cloud, securing every stage of the attack chain, providing comprehensive data and threat protection, and enforcing context- and risk-based policies for every entity accessing any resource ensures airtight defense.

Superior productivity

With zero trust, you can eliminate VPNs and stop backhauling traffic. Instead, you get direct-to-app connectivity through a global cloud with the scalability necessary to handle the traffic surges that appliances cannot. Adding built-in digital experience monitoring (DEM) to the equation further enhances the user experience benefits. The result is more user productivity, and with fewer tickets and managerial headaches for admins, help desk and networking productivity is enhanced, as well.

Reduced cost and complexity

Zero trust eliminates six significant costs of perimeter-based architectures because it:

1. Removes the need to buy a myriad of security and networking point products
    
2. Reduces operational complexity and administrative burden
    
3. Accelerates IT integration during M&A
    
4. Minimizes the risk and, as a result, the cost of data breaches
    
5. Enhances productivity, as mentioned above
    
6. Reduces power consumption and carbon footprint
    

Digital transformation

By transforming security and connectivity with zero trust, organizations the world over can embrace digital transformation both securely and effectively. Rather than force-fitting yesterday’s approach to security and networking onto the modern workplace, organizations can leverage zero trust architecture and seamlessly take advantage of cloud apps, remote work, and whatever else the digital future may hold.

Where to start?

If you’re looking to embrace a comprehensive zero trust architecture that checks all the boxes and connects users and devices directly to applications, data, and workloads using business policy and context, while never accessing the corporate network.

To get started on a zero trust journey a good resource is in this monthly webinar, Zero Trust 101: Start Your Journey Here. In it, zero trust is discussed from an entry-level perspective.