Zero Trust Security: Definition and Architecture

There are only two types of companies: Those that have been hacked and those that will be hacked

Robert Mueller

Former FBI Director

Legacy cybersecurity systems rely on identifying every possible angle of attack against your environment and employ preemptive measures against them. The flaw in such systems is that you will be spreading yourself too thin. The avenues that cybercriminals utilize are endless.

Think of your system as a castle; everything outside of it is deemed malicious. Once they gain access and use the proper protocols to enter the castle they are automatically considered “trustworthy”.

However, if someone gains access to your system, that does not mean that they should be trusted. That’s a slippery slope.  Zero trust security eliminates “trust” from the equation and does not focus on the “attack surface” but rather on a “protect surface.”

What Is Zero Trust Security?

Zero Trust is a cybersecurity strategy that maintains access points and controls them strictly through verification. Even if a user is inside your security perimeter they would still be required to authenticate themselves regularly, which prevents unrestricted access even if a cybercriminal were to break through your initial defenses. 

Zero Trust protects your systems by employing network segmentation, lateral movement prevention, and providing Layer 7 threat prevention.

  • Network segmentation: Divides your network into specific parts granting access to a particular part only to users who need it.
  • Lateral movement: Refers to a cybercriminal’s efforts to further penetrate your system after the initial breach.
  • Layer 7: Application-human interaction.

Zero Trust Security Architecture Breakdown

Instead of focusing on an attack surface, with zero trust security, you identify a protect surface. The protect surface is compiled from your network’s core data, assets, applications, and services abbreviated to DAAS. Since the core DAAS varies from company to company, your protect surface will be unique.

  • Data: payment card information (PCI), protected health information (PHI), personally identifiable information (PII), and intellectual property (IP) 
  • Applications: off-the-shelf or custom software
  • Assets: SCADA controls, point-of-sale terminals, medical equipment, manufacturing assets, and internet of things (IoT) devices
  • Services: DNS, DHCP, and Active Directory

The main advantage of identifying a protect surface over an attack surface is that it is much smaller in terms of magnitude since it only contains your DAAS, and it’s always visible to you.

After identifying a protect surface, you can pinpoint how traffic moves around and across the protect surface. The only way to effectively enforce secure access to your core data is to understand what, who, and how users gain access to said data. Once the latter is understood, access point controls are installed as close to the protect surface as possible, essentially creating a microperimiter around it. This perimeter moves simultaneously with the protect surface no matter where it might reside. 

To create a microperimiter around the protect surface, a segmentation gateway is utilized. Zero trust answers two questions when it comes to segmenting.

  • Why are you segmenting? With Zero Trust, segmentation is done from the inside out. As said beforehand, you first determine what you are protecting (DAAS), which defines your protect surface.  The reason you are segmenting is to secure your protect zone and to reduce the attack surface as much as possible. 

  • How are you enforcing your segmentation? Every cybercriminal who knows what they are doing can get past Layer 3 controls. Zero trust enforces your segmentation in Layer 7. Accessing Layer 7 traffic allows you to create more secure and granular controls which are enforced in real-time by the Segmented Gateway.

Why Zero Trust Security?

Zero Trust might seem complex however the security associated with it is the lucrative factor that pushes many large and small businesses alike to adapt it.

Furthermore, Zero Trust improves business agility and continuity. On the occasion that you are breached, only a small portion of your network, and not all of it, will be compromised due to the microperimiter’s parameters.

Additionally, Zero Trust increases your organization’s cloud network efficiency, making processes more navigable and user-friendly. 

With proven experience, HybridValley will be able to guide you through Zero Trust’s implementation and architecture. So reach out to us if your security is of any concern.