What is a Zero Trust Network and How Does it Work?

Introduction to Zero Trust Networks

A zero trust network is true to its namesake: zero trust. Zero trust networks provide continuous authentication of users and activities on the network. This is in contrast to what traditional network authorization schemes do: authenticate users once, at the time that they initially sign onto the network.

With a zero-trust network, elements of user authentication, such as ID/password, location, workstation or device ID, etc., are all used to determine if a user should be authorized for network access. The zero trust network performs this authorization continuously, as it re-authenticates each user for security clearance each time the user wishes to access another IT asset on the network.

Definition of Zero Trust Network

Let’s dive deeper into what zero trust networks are and what they do. Zero trust is actually a zero trust network model for security that doesn’t trust or admit anyone to the zero-trust security network or various IT assets on the network without first going through a rigorous user authentication process. What this means is that even though a user is successful in signing onto the zero trust security network, it doesn't mean that they can access every IT system or asset on the network if they are not authorized to do so.

The goal of zero trust networking is only to allow users access to the IT resources that they need to do their jobs. That applies to all users, be they remote workers at home or in a branch office, on-site employees, customers, clients, consultants, and more. The zero trust network monitors every system and IT asset “boundary” that IT has defined in its security scheme for the network. These individually bounded systems and assets are called individual security “segments.” They exist with the zero trust network, and they can be traversed only by those who are authorized to access them.

(Credit: YAY Media AS / Alamy Stock Photo)

Elements of a Zero Trust Approach

The zero trust network concept is a departure from how network security used to be planned and administered. In earlier network security schemes, users only needed to sign onto the network once. At that point, they were assumed to be authorized to use all of the IT systems and assets that were on the network, with no need to go through further security authorizations.

Continuous Verification

A zero trust network never assumes that there is only one network admission point and that, thereafter, users can access any IT resources that they want. Continuous verification of user credentials exists at every security boundary or network edge that is established with the zero trust model. The zero trust network performs this authorization continuously, as it re-authenticates each user for security clearance each time the user wishes to access another IT asset on the network. The network's continuous verification assures that users gain access only to the IT resources that they are authorized to use in order to do their jobs. This reduces the risk of security breaches or unauthorized access to sensitive information.

Limit the Blast Radius

Each time a network security vulnerability is discovered, hackers aggressively launch network attacks to exploit the vulnerability. They strike because they know that IT has limited or “zero day” time to fix the security flaw. The result can be catastrophic for an enterprise network, which can be taken over, locked down, or infected, with the potential of disabling the entire enterprise. Older networks that use monolithic security frameworks, such as user one-time sign-on access without any continuous user verification, are especially vulnerable to these attacks. These networks are vulnerable because there are no internal security boundaries or continuous verifications set up for the different systems and IT assets on the network. Consequently, a zero-day hacker can destroy or impact everything.

Zero trust networks can’t eliminate the likelihood of a zero day attack, but they can limit the blast radius of the attack. They can do this by segmenting the network into individual systems and IT assets that each have their own security boundaries. In this way, a hacker might gain entry into the network, but only as far as the next set of security boundaries around systems and IT assets allow. These additional security boundaries within the network limit the radius of a hacker blast.

Automate Context Collection and Response

A zero trust network and the security verification and automation it uses are applied to each individual user. The network checks each user’s credentials. It also looks at the context in which the user is using the network. For example, if a user is based in California but is now trying to access the network from Europe, that would be a geographical contextual situation that a zero trust network would identify, likely denying the user access. If a user is authorized to access a network asset for read-only information, and the zero trust network detects this same user trying to download information from a workstation onto a thumb device, this would also be a contextual situation where the network would deny the user access.

Such user and use contextual rules are defined in the zero trust network software by IT, and the zero trust network enforces these rules automatically.

Migrate endpoints to a Zero Trust Network

Before you migrate endpoints to a zero trust network, you must define what the entire network’s protect surface is going to be so you know which endpoints will be involved. The next step is migrating and configuring these endpoints so they work with the zero trust security rules that you’ve defined.

Key to this endpoint migration and configuration process is configuring each endpoint device so it can cross-communicate with the central zero trust system’s security ruleset and analytics. The goal of zero trust is to never assume that user access is valid until it is verified. This includes verifications at every network endpoint.

(Credit: Federico Caputo / Alamy Stock Photo)

Implementing Zero Trust Networking

Depending on the corporate environment, there are varying approaches for implementing a zero trust network. However, every approach must include these basic steps:

Step 1: Identify and prioritize critical assets and data

Zero trust networks must have boundaries, so determining what the outermost boundary is for a zero trust network is the first step. Enterprises approach this by identifying which IT systems, assets, endpoints, users, etc., they want to include with each zero trust network. For example, a company might choose to have a zero trust network that solely supports manufacturing in a remote plant. This network might contain a manufacturing and/or ERP system, edge, automation, and robotics for running the plant, but it might not include the corporate risk management system. In other cases, there are some companies that might opt to have a single, all-encompassing zero trust network that attaches to every enterprise IT asset and system.

Whether a company chooses to use one or several zero trust networks, the IT assets and systems that are to be included with each zero trust network must be clearly defined so that IT and users know what the network contains.

Step 2: Map the flow of data

Before a zero trust network architecture with appropriate internal security verification boundaries can be defined, IT needs to understand the traffic patterns for data and user access throughout the IT systems and assets that are to be contained within the network. For instance, the CFO might say that there is no reason why anyone working outside of finance should be able to peruse the risk management system. The general manager of a manufacturing plant might not want anyone to access the plant's internal operations systems except for someone who works at the plant and is authorized to access it.

At the opposite end of the spectrum are the data sharing systems like ERP. Almost everyone within the enterprise uses an ERP system, so the key here is to ensure that each individual user is only authorized for ERP access functions based upon what his or her job requires.

IT must work hand in hand with user managers and also map out the data and business flows that will occur within any new zero trust network. While the goal of zero trust is to trust no one's access to systems and resources without rigorous verification, there must still be enough flexibility to enable employees to do their jobs.

Step 3: Architect your Zero Trust network

After enterprises have identified the systems, IT assets, data, and services they want to include in each zero trust network, and they have mapped all business,data, and user flows that will occur within each network, they are ready to develop a zero trust model and network architecture.

The first question that zero trust network architects must answer is whether they are going to have one monolithic zero trust network for the entire enterprise or a series of smaller zero trust networks that are assigned to different business areas. For each zero trust network, periphery security and a network firewall are set up. The next layer of security under zero trust is to establish security segments or boundaries within the network itself. At each network segment, users must be re-authenticated and verified in order to gain access.

Step 4: Create a corporate Zero Trust policy

Before a zero trust network policy is created, users should have a clear understanding of why the enterprise is moving to zero trust. This can be a political issue for users who are used to accessing any systems that they want and who, under the new scheme, will have more constrained access.

Once user buy-in and understanding are gained, IT can proceed by meeting with user managers and staff to develop user access permissions and policies for the network. User access permissions should answer the questions of who can access specific systems and assets on the network, when and where access should be granted, and what type of access will be allowed (e.g., read-only or update access, for instance). After user permissions are defined, IT can then check the information and packet routing on the network to ensure that all network traffic patterns are aligned with zero trust security standards and policies.

Step 5: Select solutions and services that work for your enterprise

Zero trust networks are still relatively new, and they involve significant work for IT. For these reasons, it makes sense to find an outside business partner with zero trust expertise and solutions that can help you on your journey.

There are a number of zero trust network solution providers to choose from. Price points are always important, but you should also seek out a vendor who will actively listen to you and understand what you want to achieve with zero trust in your company. The vendor should have a comprehensive set of zero trust network software and tools, and it should have a track record of zero trust network implementation success. This vendor must be able to actively assist you in the implementation of zero trust networks, providing both training and ongoing support to IT.

Step 6: Implement and maintain strong identity controls

User identification controls have largely moved to multi-factor authentication that involves an additional element, such as biometric identification, in addition to strong user ids and passwords. Almost all IT networks also require users to change their passwords every 90 days. All of these are traditional “blocking and tackling” techniques for maintaining strong user identity and authentication controls, but there are other considerations as well.

One strategy is to regularly meet with user departments to see if any access permissions need to be changed. As an example, an employee in accounting may have transferred to manufacruring. Should the employee have the same access to financial systems?

Step 7: Monitor network traffic and security

Like traditional networks, zero trust networks have tools that enable you to monitor, observe and intervene with network access attempts and traffic flows. The difference with a zero trust network is that access monitoring becomes more complex because you have multiple security segments or boundaries to manage within a single network. Each of these segments comes with its own access rules and alerts.

Step 8: Regularly evaluate your solution and adapt to new conditions

Zero trust networks are like any other IT asset: they must be able to evolve with the business over time. In the case of zero trust, the likeliest evolution is that you will need to establish more security segments (boundaries) within a single zero trust network or make the decision to break down a larger zero trust network and instead re-implement it as a series of smaller zero trust networks that are assigned to specific company business areas.

No one knows what the next security concern will be, so the key to zero trust network change management is to remain flexible. Flexibility is best achieved by designing your network so it can be easily reconfigured if need be. You should also work with zero trust network vendors that can help with change management and offer flexible solutions that scale with your company.

(Credit: totallyPic / Alamy Stock Photo)

Conclusion: Is Zero Trust Networking Right for Your Business?

Network security is everyone’s concern—but so is cost. Enterprises see zero trust as a way to harden security and prevent painful and financially devastating security breaches that can wipe out sales and company reputations and even bring entire companies down, so implementing zero trust networks is an important corporate directive. Very small companies, on the other hand, also want zero trust networks, but they struggle with fundamental issues like cost and being able to run and maintain these networks themselves when they might only have one person in-house, who is their entire IT department.

Zero trust vendors understand this, and we can expect to see more zero trust solutions that can help small companies as well were large ones. This couldn’t come at a better time, since in 2023, nearly half of C-level executives surveyed expected cyberattacks on businesses to surge, and the year proved them right.

And finally, since many zero trust solutions will likely bring multiple security elements together, keep an eye on interoperability. One of the best ways to ensure success is to keep abreast of emerging zero trust standards, such as those being put forth by MEF.