Zero Trust Architecture: In Brief

John Cavanaugh
Vice President, Chief Technology Officer

The Zero Trust security model is a concept that has been around for several decades but was popularized by John Kindervag’s seminal paper Build Security Into Your Network’s DNA: The Zero Trust Network Architecture published by Forrester in 2010.

Essentially, it defines an environment in which there are literally no trusted devices, networks, or users. Earlier models defined a perimeter where devices such as firewalls, IPSs, and the like protected an enterprise (where everything was trusted) from the Internet or business partners (where no trust could exist).

So, what is it?

The Zero Trust security model merges networking and security for a holistic approach that assumes assets, users and resources need protection from each other – not just from the outside.  It is a set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on protecting data.

A Zero Trust Architecture (ZTA) uses these principles to plan industrial and enterprise infrastructure and workflows. It assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both user and device) are discrete functions performed before a session to an enterprise resource is established.

Zero Trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero Trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
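The per-session decision the paragraphs above describe can be made concrete with a small policy decision point. The example below is added here and is not code from the article, from NetCraftsmen, or from NIST SP 800-207; the Subject/Device/AccessRequest types, the POLICY table, the posture flag, and the sample requests are all constructed assumptions. It shows the two properties that matter: user and device are authenticated and authorized as separate steps before a session is granted, and the request's network location is recorded for audit but never consulted for trust, so a request from a private address with no device identity is denied while a fully authenticated remote request is allowed.

```python
"""Illustrative Zero Trust policy decision point (added example, hypothetical names)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    """Authenticated user context. user_id=None means authentication failed or was skipped."""
    user_id: Optional[str]
    mfa_verified: bool
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Device:
    """Authenticated device context. device_id=None means the device presented no identity."""
    device_id: Optional[str]
    managed: bool      # enterprise-enrolled (as opposed to personally owned)
    posture_ok: bool   # hypothetical posture-check result (patch level, disk encryption, ...)


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    resource: str
    source_ip: str     # kept for the audit record only; never consulted for trust


# Constructed resource policy: which roles may reach a resource and whether a
# managed device is required. Any resource absent from this table is denied.
POLICY = {
    "erp":  {"roles": frozenset({"finance"}),          "require_managed": True},
    "wiki": {"roles": frozenset({"staff", "finance"}), "require_managed": False},
}


def evaluate_access(req: AccessRequest) -> Tuple[bool, str]:
    """One per-session decision. Returns (allowed, reason).

    Order: user authentication, device authentication, then authorization.
    Network location is deliberately never a factor.
    """
    if req.subject.user_id is None:
        return False, "user not authenticated"
    if not req.subject.mfa_verified:
        return False, "user lacks verified MFA"
    if req.device.device_id is None:
        return False, "device not authenticated"
    if not req.device.posture_ok:
        return False, "device failed posture check"
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "resource has no policy (default deny)"
    if not (req.subject.roles & rule["roles"]):
        return False, "user role not authorized for resource"
    if rule["require_managed"] and not req.device.managed:
        return False, "resource requires a managed device"
    return True, "user and device authenticated and authorized"


def audit_line(req: AccessRequest, allowed: bool, reason: str) -> str:
    """Single-line audit record so every decision, allow or deny, is observable."""
    return (f"decision={'ALLOW' if allowed else 'DENY'} user={req.subject.user_id} "
            f"device={req.device.device_id} resource={req.resource} "
            f"src={req.source_ip} reason={reason!r}")


# Constructed sample identities and requests (RFC 5737 documentation addresses).
ALICE = Subject("alice", mfa_verified=True, roles=frozenset({"finance"}))
BOB = Subject("bob", mfa_verified=True, roles=frozenset({"staff"}))
MANAGED_LAPTOP = Device("lap-0042", managed=True, posture_ok=True)
UNKNOWN_DEVICE = Device(None, managed=False, posture_ok=False)
BYOD_PHONE = Device("byod-7", managed=False, posture_ok=True)

SAMPLES = {
    # On the LAN but no device identity: denied, location earns nothing.
    "lan_unknown_device": AccessRequest(ALICE, UNKNOWN_DEVICE, "erp", "10.20.30.40"),
    # Remote, fully authenticated user and device: allowed.
    "remote_full_auth":   AccessRequest(ALICE, MANAGED_LAPTOP, "erp", "203.0.113.7"),
    # Right user, personally owned device, resource demands a managed one: denied.
    "byod_to_erp":        AccessRequest(ALICE, BYOD_PHONE, "erp", "198.51.100.9"),
    # Same BYOD device is acceptable for a resource that does not require management.
    "byod_to_wiki":       AccessRequest(ALICE, BYOD_PHONE, "wiki", "198.51.100.9"),
    # Authenticated user and device, but the wrong role for the resource.
    "wrong_role":         AccessRequest(BOB, MANAGED_LAPTOP, "erp", "10.0.0.5"),
    # Resource missing from the policy table falls through to default deny.
    "unknown_resource":   AccessRequest(ALICE, MANAGED_LAPTOP, "hr-db", "10.0.0.5"),
}


def run_samples() -> Dict[str, bool]:
    """Evaluate every sample, print its audit line, and return {name: allowed}."""
    results = {}
    for name, req in SAMPLES.items():
        allowed, reason = evaluate_access(req)
        print(audit_line(req, allowed, reason))
        results[name] = allowed
    return results


if __name__ == "__main__":
    run_samples()
```

The design point is that the checks are ordered and each failure returns its own reason, so the audit trail distinguishes an unauthenticated device from an unauthorized role; a real policy engine would draw the posture and identity inputs from an MDM, an identity provider, and a device certificate rather than from the constructed flags used here.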

It’s been around forever, so why now and what has changed?

There has been a dramatic expansion of Internet of Things (IoT) and Operational Technology (OT) devices that communicate over IP protocols. These environments can consist of thousands to millions of devices that supply mission-specific real-time data, and most have no interactive users at all. These types of systems are often used in physical security (cameras, keypads, etc.) or industrial controls (PLCs, SCADA systems, etc.).

Protecting these systems has become an area of national concern. The U.S. Departments of Homeland Security and Defense (DHS and DoD) have significant concerns about protecting critical infrastructure. As a result, several Executive Orders have been issued concerning requirements for strengthening security. The U.S. National Institute of Standards and Technology (NIST) developed the Framework for Cyber-Physical Systems (NIST Special Publication 1500-201) in response to these issues.

Starting in 2018, NIST began work in earnest to develop a formal architectural standard on Zero Trust to support these initiatives.  This was published in August 2020 as the Zero Trust Architecture (NIST SP 800-207) and formally establishes requirements for products and services in both security and networking.  This provides enterprises with a standard with which to compare vendor offerings and a set of design paradigms that can be used to protect their environments.

What do ZTA Systems provide?

Forrester has developed a series of papers reviewing the emerging offerings and is explicitly arguing that enterprises need to merge their networking and security work or sunset their business altogether. They describe the previous model as moats and castles – where security teams provided kit to protect enterprise castles – a largely perimeter-based view.

Forrester’s view is that ZTA defines a Zero Trust Edge (ZTE).  A Zero Trust Edge solution securely connects and transports traffic, using Zero Trust Architectural principles, in and out of remote sites leveraging mostly cloud-based security and networking services.

Potential Value to a Business

All enterprises are subject to regulatory and privacy oversight. However, specific industries such as utilities are also subject to U.S. executive orders regarding critical infrastructure. One only needs to go as far as the recent headlines regarding Colonial Pipeline to see the impact of inadequate security and the value a ZTA approach would have provided.

As a result, systems developed to support the federal guidelines in the Zero Trust Architecture and the Framework for Cyber-Physical Systems will both provide the protection needed and establish an enterprise as following best practices for its industry.

In addition, integrated ZTA/ZTE systems are typically software-defined and can replace significant amounts of existing networking and security hardware and software.  So, an integrated approach can also simplify management and save money over the long term.

Call to Action

Executives should be examining their IT, cybersecurity, physical security, compliance, and risk teams.  The work should include examining workflow and budgets. This will involve looking for synergies, examining current incentives, and restructuring the existing silos to create a more holistic approach.  Zero Trust principles should be built into the modified organization, and methods and procedures should be developed to establish a “Whole of Enterprise” approach to protecting critical data.

NetCraftsmen consultants have a long history of working with clients in regulated industries such as utilities, healthcare, and the financial sector. We can work with your teams to identify and mitigate the risks your firm faces in a cost-effective and comprehensive manner.