Identity is Essential to Zero Trust

When it comes to network security, traditional IT systems have been far too trusting. They’ve operated on the classic castle and moat paradigm — meaning that it’s all about stopping attackers from getting in to begin with. A castle, surrounded by a deep moat of water, is a good analogy because it’s a type of physical architecture that’s intended to be impenetrable to attackers. Network security based on this model makes sense in theory. Networks should be secure, so it’s understandable that their owners would place plenty of emphasis on stopping bad actors from breaking in.

The problem, of course, is that if they do — and, when it comes to cyberattackers, human error, software vulnerabilities and more, no system is 100% secure — the defenses collapse. According to the analogy, once a person is inside the proverbial castle walls, it’s assumed that they have a right to be there, and that they should be free to move about as they wish. That means that they can cause all kinds of problems without reprisal.

“Zero trust network architecture” architecture changes this calculus. Its name might sound harsh , but it’s a certified game-changer when it comes to network security.

The central concept of zero trust security can be summed up in two words: Identify verification. Wherever a device or user is within (or without) the network perimeter it’s assumed that they may pose a threat. That means that strict verification of identity is the name of the game. While there is no one single technology or principle that makes zero trust possible, it describes an holistic approach that can be applied to network security in a way that keeps networks, their owners, and users, safe from attack. Even if that attack comes from inside the castle walls.

Don’t Trust Anyone
Zero trust is based on providing access to resources on a case-by-case basis, with access decisions based firmly on access controls, defined based upon the principle of least privilege. That means granting a user account or application only the abilities that are strictly needed for them to perform their designated job. For instance, users whose job involves making backups don’t need to be able to install new software.

A typical “identify, protect, detect, and respond” zero trust workflow goes something like this: First of all, a user authenticates their identity via MFA (multi-factor authentication) over a secure channel. Next, it grants access to specific applications and network resources based on that user’s identity. While they are using the system, their session is constantly monitored for possible anomalies or signs of strange behavior. If something is detected, threat response can be initiated in real-time. At no point should zero trust stop the user from carrying out their job correctly. But it will also stop them from potentially overstepping those bounds and behaving in a malicious manner if they turn out to not be a legitimate user.

Identity is Key to Zero Trust Enforcement
This approach to network security is transformative. But it only works if it’s able to be enforced with consistency across an organization’s entire environment. Inconsistent enforcement can lead to loopholes or security workarounds. Access controls and identity management have to apply across the entire environment. Otherwise, it’s difficult to determine if a particular user should have access to a certain resource.

Fortunately, SASE is able to help. Short for Secure Access Service Edge, SASE is next generation network architecture that blends the latest security functionality with WAN capabilities. SASE has come into its own as the world has largely shifted, especially during the pandemic, to working in a geographically dispersed manner, most often physically separated from the corporate office.

One of the elements of SASE — and, specifically, SDP (software-defined perimeter) — is its zero trust network access (ZTNA). This is an essential part of SASE, baked into the technology from the ground-up. SASE makes it possible to route all traffic through a security solution without performance issues. It can also consistently enforce access controls across the enterprise WAN in a consistent, scalable, and sustainable way.

Zero trust network architecture is one of the biggest revolutions in network security in years, if not decades. Along with related innovations like SASE, it promises to transform the way that we work: not only making it more seamless, but more secure and safe as well. That’s a win-win for all involved.

Sure, no user wants to feel like they’re not trusted. But given the potential risks that could be posed by having a malicious actor break into a system and cause chaos, the trade-off is more than worth it.