Zero Trust Architecture: Definition, Key Components, and Functions

If you want to significantly reduce the attack surface and data breach risks for your organization, zero trust architecture may be the answer. This approach is becoming a priority for global organizations and tech giants like Microsoft that seek to reduce cybersecurity risks in their IT environments. It’s no wonder then that 10% of large organizations will have a comprehensive and mature zero trust program in place by 2026, according to Gartner’s predictions.

In this article, we reveal the main components of zero trust network architecture and its practical use cases. You’ll discover the key pros and cons of this cybersecurity approach and learn the most effective ways to implement it.

Zero trust in a nutshell

No one can be trusted by default.

First introduced by the Forrester alum John Kindervag in 2009, the zero trust approach centers on the idea that trust is a vulnerability and you should “never trust, always verify”. Zero trust assumes that you need to treat all users as “untrusted” by default and only grant access to your valuable assets to authenticated and verified users — and only to the extent needed to perform their particular tasks.

“Zero trust is a security paradigm that explicitly identifies users and devices and grants them just the right amount of access so the business can operate with minimal friction while risks are reduced.”

Gartner

Zero trust is intended to stop both external attacks and insider threats, thus, limiting the potential damage to your organization. 

How does zero trust work?

Zero trust is an architectural approach that requires all users, whether inside or outside your organization’s network, to be authenticated and authorized. You can follow this approach by 

implementing the principle of least privilege, microsegmentation, user activity monitoring, and a few other technologies and principles.

The National Cyber Security Centre, for example, offers the following principles for establishing a zero trust architecture:

• Know your architecture, including users, devices, services, and data
• Assess user behavior, devices, and services health
• Use policies to authorize requests
• Authenticate and authorize everywhere
• Monitor users, devices, and services
• Never trust any network, including your own
• Choose services and software designed for zero trust.

Implementing zero trust requires a comprehensive approach, and below, we offer the best practices for building a robust zero trust model.

What is zero trust architecture?

Implementing a zero trust model: take it one step at a time.

In Special Publication (SP) 800-207, the National Institute of Standards and Technology (NIST)  describes the areas to focus on when building a zero trust architecture (ZTA) and the principles on which to base such an architecture.

“A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows.”

NIST SP 800-207

NIST suggests that organizations build a zero trust architecture on seven pillars:

According to NIST, your organization can establish a ZTA in several ways: 

• By focusing on user access privileges and context-based identity verification
• By splitting the network into separate segments protected with different policies and access rules
• By using software-defined perimeter approaches

The following zero trust architecture components form its core:

• A policy engine grants, revokes, or denies a particular user access to requested enterprise resources
• A policy enforcement point (PEP) enables, terminates, and monitors connections between a user and an organization’s resources
• A policy administrator sends commands to a PEP based on the decision of the policy engine to allow or deny a user’s connection to a requested resource

These components don’t need to be separate, unique systems. Depending on their needs, an organization may choose to deploy a single asset responsible for performing the tasks of all three components. Alternatively, an organization may combine several tools and systems to implement a single component.

Another example of zero trust architecture is provided by Microsoft. It’s based on the following tenets:

• Validating and securing identities with multi-factor authentication (MFA) everywhere
• Managing devices and validating their health 
• Establishing robust and standardized auditing, monitoring, and telemetry capabilities
• Enforcing the least privileged access approach.

Both of these models are based on the core zero trust architecture principles: strong identity verification prior to granting access, ensuring least privileged access to required resources, and continuous monitoring. 

Building zero trust architecture: core pillars 

It’s all about seven tenets.

Any organization that adopts a zero trust architecture needs to determine what approach best suits its unique environment. You need to balance your risk profiles with access methods and define the scope of zero trust implementation in your environment. For the best protection, NIST in its Special Publication (SP) 800-207 [PDF] recommends building a mature zero trust architecture model that rests upon these seven pillars:

1. Resources — treat all of your data, computing services, and devices as resources that need to be protected. If network users can access your organization’s resources from personal devices, those devices should also be treated as enterprise resources.

2. Communication — treat all communication, both within and outside your network, the same and protect it with the most secure method available.

3. Per-session access — establish each connection to your critical resources on a per-session basis only.

4. Dynamic policy — grant access to your resources according to your policy rules and the principle of dynamic least privilege. Such a policy will determine your organization’s resources, users, and access privileges for these users.

5. Monitoring — monitor all corporate resources and all actions taken with them to ensure proper data protection and security.

6. Authentication and authorization — enforce dynamic authentication and authorization before granting access to any of your corporate resources.

7. Continuous improvement — gather information about the current state of your network assets, infrastructure, and connections to improve the security posture of the network.

Note that you don’t necessarily need to apply all of these tenets at once. You can limit your efforts to implementing several principles that fit your needs the most.

“ZT is not a single architecture but a set of guiding principles for workflow, system design and operations that can be used to improve the security posture of any classification or sensitivity level.”

NIST SP 800-207

Furthermore, the zero trust approach to cybersecurity doesn’t demand a complete replacement of a traditional perimeter-based network architecture. Instead, it suggests augmenting the existing network by adding network segments secured with gateways, improving access policies and rules, and enhancing user activity monitoring measures.

Even if you only implement some of these tenets, you can enhance your security to a significant extent. 

Use cases of zero trust

Explore real-life applications of zero trust.

Organizations can benefit from zero trust in different ways depending on their needs. Here are the most common and effective examples of how zero trust can bolster your security posture.

Reduce the risk of data breaches

According to research by Forrester Consulting, a zero trust strategy can help you reduce the chances of a data breach by 50%. By implementing zero trust, you get the opportunity to inspect every access request, authenticate every user and device, and assess all permissions before granting access. The zero trust model can both help you stop external attackers that manage to enter your network from moving deeper into it and prevent malicious insiders from privilege escalation. 

The 2022 Cost of a Data Breach report by IBM Security [PDF] reveals that organizations with a zero trust architecture pay nearly $1 million less than those without zero trust strategies.

Save on cybersecurity

The adoption of zero trust can transform your entire approach to security and reduce maintenance costs. Microsoft reports that calls to their help desk analysts decreased by 50% and the mean time to resolve an inquiry decreased by 15% over a three-year period after adopting zero trust. 

Zero trust eliminates the need for legacy systems, thus automating cybersecurity processes and saving costs across the entire organization.  

Support regulatory compliance

Zero trust helps you maintain and demonstrate compliance with PCI DSS, HIPAA, ISO 27001, and other regulatory requirements, laws, and standards. Since the zero trust model involves visibility into access requests to your corporate resources, it can contribute to regulatory compliance by enhancing data protection, privacy, and overall security posture. 

Manage third-party risks

Vendor access to your corporate network introduces the risk of supply chain attacks. With zero trust security in place, you can limit third-party access to the bare minimum necessary to perform their duties. Thus, you decrease the potential risk of a supply chain attack and malicious activity caused by your subcontractors.

Secure remote work 

Remote and hybrid work models pose increased cybersecurity risks to your organization. Since remote employees may lack the same protection as on-premise users working on company devices, they can open the door to malware infections or account takeover attacks. Zero trust minimizes the risks of credential compromise and malware. 

Enhance cloud security

While moving data and applications to the cloud has many benefits, it also introduces additional cybersecurity risks. One of the main challenges is managing access within cloud environments. By enforcing zero trust, you can enhance and standardize cloud access management policies.

Contain security incidents

Since zero trust relies on dividing your network into smaller, isolated segments (microsegmentation), you can prevent lateral movement and limit potential damage in the event of a breach. The 2022 Cost of a Data Breach report by IBM Security [PDF] reveals that organizations that implement zero trust minimize the cost of a data breach by 20%.

Pros and cons of implementing zero trust

Consider these benefits and limitations before building a zero trust architecture.

As with any promising approach, zero trust has its benefits and drawbacks. Let’s take a closer look at the key advantages and challenges you should consider before switching to zero trust security architecture.

The main benefits of a zero trust approach include:

• Increased resource access visibility — The zero trust security approach requires you to determine and classify all network resources. This enables organizations to better see who accesses what resources for which reasons and determine what measures to apply in order to secure resources.
• Decreased attack surface — By shifting their focus to securing individual resources, organizations that enforce zero trust principles face reduced risks of hacker attacks targeting the network perimeter.
• Improved monitoring — Implementing a zero trust security strategy is associated with deploying a solution for continuous monitoring and logging of asset states and user activity, like keylogger software. This enables organizations to better detect potential threats and respond to them promptly.

However, we can’t ignore some of the disadvantages of zero trust:

• Configuration challenges — As ZTA can’t be established with a single solution, organizations may struggle with properly configuring the tools they already use. For instance, not all applications provide means for deploying the principle of least privilege, which is the core of the zero trust philosophy.
• Insider threats — While ZTA significantly enhances protection against outside attacks, it isn’t completely immune to insider attacks. If an attacker gets hold of a legitimate user’s credentials or a malicious insider misuses their privilege, an organization’s critical resources may be put at risk of compromise. However, this issue can be partially addressed with a just-in-time approach to PAM administration, multi-factor authentication (MFA), manual approval of access requests, and user activity monitoring.
• Dependence on the policy decision point — ZTA strongly relies on policy engines and administrators. Without their approval, no connection to enterprise resources can be established. As a result, the performance of the entire network will depend on the proper configuration and maintenance of these two components.

Nonetheless, the implementation of ZTA can significantly enhance your cybersecurity posture. The good news is that you can build zero trust architecture step by step, and Ekran System can help you with this.

Implementing zero trust principles with Ekran System

Dedicated software is the key.

The Ekran System platform simplifies the implementation of core zero trust principles while helping you effectively detect and mitigate insider threats.

Ekran System provides robust functionalities for adopting a zero trust security model:

• Identity management helps you verify users within your network. Two-factor authentication allows you to authorize users and make sure that the people accessing your critical assets are indeed who they claim to be, whereas secondary authentication allows you to identify users of shared and built-in accounts.
• Granular access management lets you grant role-based access permissions, generate one-time passwords for temporary access rights, and manually approve access by request.
• User activity monitoring and logging functionality enable you to clearly see who does what with your sensitive data and critical systems. You can view user sessions in real time or review recorded ones. 

Ekran System is a cross-platform solution that can be deployed in all kinds of environments, from on-premises and hybrid systems to the cloud. Thanks to that, you can gain full visibility over all your critical assets.

Conclusion

Building a zero trust architecture is a must for organizations striving to achieve maximum protection of their IT environment. The good news is that you don’t have to apply all of the zero trust principles at once. You can take small steps toward implementing a zero trust architecture: define and classify all of your organization’s sensitive resources, deploy strong user verification mechanisms, and grant users only the privileges they need to perform their duties. 

Ekran System can assist you on your zero trust journey. With robust authentication tools, rich access management capabilities, and real-time monitoring functionalities, it helps build a comprehensive zero trust architecture and prevent insider threats.