Zero Trust is a term that is often misunderstood and misused, which is why I wrote an article not long ago entitled Zero Trust: What These Overused Cybersecurity Buzz Words Actually Mean – And Do Not Mean.
But even those who have a decent grasp of the meaning of Zero Trust frequently confuse the term with Zero Trust Network Architecture (ZTNA). While both terms may seem relatively simple and straightforward, I can tell you with certainty that both are regularly misused – including in many of the pitches sent to me every day by cybersecurity product and services vendors who are seeking to have me write about them.
So, let’s push aside the marketing fluff, and define clearly, concisely, and precisely what the terms Zero Trust and Zero Trust Network Architecture mean, what they share in common, and how they are different.
The term Zero Trust refers to a concept, an approach to information security that dramatically deviates from the common approach of yesteryear; Zero Trust states that no request for service is trusted, even if it is issued by a device owned by the resource’s owner, and is made from an internal, private network belonging to the same party.
Simply put, in a Zero Trust model no inherent trust is assigned based on the location from which a request was made: every single request for a resource must be properly authorized, whether the request is made by a human using a device or by an electronic device on its own. All requests for access to a resource are denied unless the requesting party proves, at the time of the request, that it is authorized to access that resource. In this way the Zero Trust approach accounts for the fact that organizational networks may be breached at any time. To minimize exposure, no resource should ever be provided to any person or device unless the party asking for it proves that he/she/it is authorized to receive access, is authorized to do so from the device and network from which the request is being made, and actually needs such access.
Zero Trust Network Architecture, on the other hand, is not conceptual; it refers to an actual information technology architecture – including hardware, software, data, and workflow – that employs the principles of Zero Trust in its design so as to enforce a Zero Trust model.
In a Zero Trust Network Architecture, for example, all systems behave as if there is an attacker present on their network:
Because the attacker may be making requests, all connections must be authenticated, and
Because the attacker may be listening to the data moving across the network, all traffic must be encrypted.
Likewise, no users or processes are inherently trusted – security must be checked every time a request is made.
Contrast such an approach with widely-used earlier models in which, in order to improve performance, internal network traffic was transmitted without encryption, and resource requests were automatically granted if they came from internal machines and networks.
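The following Python example, added here as an illustration and not code from the article or from any vendor product, places the older "internal address equals trusted" rule beside a deny-by-default Zero Trust decision. The Zero Trust function checks, in order, everything the text names: encrypted transport, an authenticated principal, an identified and compliant device, an entitlement that establishes need, and whether that entitlement covers the requesting device and network. All names, fields, address ranges and sample requests are constructed for the example.

```python
"""Deny-by-default access decisions in the spirit of the Zero Trust model.

Added illustration only: the Request/Entitlement types, the entitlement table
and the sample requests are constructed and do not come from the article or
from any product.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed: the address range the legacy model treated as "inside".
INTERNAL_NET = ip_network("10.0.0.0/8")
ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Request:
    user: Optional[str]       # authenticated principal; None if unauthenticated
    device_id: Optional[str]  # identifier presented by the device or workload
    device_compliant: bool    # outcome of a posture / attestation check
    source_ip: str
    encrypted: bool           # whether the transport was encrypted (e.g. TLS)
    resource: str
    action: str


@dataclass(frozen=True)
class Entitlement:
    devices: FrozenSet[str]     # devices this principal may use for this access
    networks: List[IPv4Network]  # networks from which this access is permitted


# Constructed entitlement table. The presence of an entry is what establishes
# "need": a principal with no entry for (resource, action) is denied outright.
ENTITLEMENTS: Dict[Tuple[str, str, str], Entitlement] = {
    ("alice", "payroll-db", "read"): Entitlement(
        devices=frozenset({"laptop-7"}), networks=[ANY_NET]),
    ("svc-backup", "payroll-db", "read"): Entitlement(
        devices=frozenset({"backup-node-1"}),
        networks=[ip_network("10.20.0.0/16")]),
}


def legacy_decision(req: Request) -> Tuple[bool, str]:
    """The earlier model the article contrasts: location is the credential."""
    if ip_address(req.source_ip) in INTERNAL_NET:
        return True, "internal source address, implicitly trusted"
    return False, "external source address"


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Every check must pass; the first failing check denies the request.

    Note that the source network never grants access by itself; it is only
    compared against what the entitlement explicitly permits.
    """
    if not req.encrypted:
        return False, "traffic must be encrypted"
    if req.user is None:
        return False, "request not authenticated"
    if req.device_id is None:
        return False, "device not identified"
    if not req.device_compliant:
        return False, "device failed posture check"
    ent = ENTITLEMENTS.get((req.user, req.resource, req.action))
    if ent is None:
        return False, "no entitlement for this resource and action"
    if req.device_id not in ent.devices:
        return False, "not authorized from this device"
    src = ip_address(req.source_ip)
    if not any(src in net for net in ent.networks):
        return False, "not authorized from this network"
    return True, "all checks passed"


# Constructed sample requests.
INTERNAL_UNAUTHENTICATED = Request(
    user=None, device_id=None, device_compliant=False,
    source_ip="10.0.5.5", encrypted=False,
    resource="payroll-db", action="read")
REMOTE_ALICE = Request(
    user="alice", device_id="laptop-7", device_compliant=True,
    source_ip="203.0.113.9", encrypted=True,
    resource="payroll-db", action="read")
INTERNAL_ALICE_WRONG_DEVICE = Request(
    user="alice", device_id="laptop-9", device_compliant=True,
    source_ip="10.0.5.5", encrypted=True,
    resource="payroll-db", action="read")
BACKUP_SERVICE = Request(
    user="svc-backup", device_id="backup-node-1", device_compliant=True,
    source_ip="10.20.3.4", encrypted=True,
    resource="payroll-db", action="read")


if __name__ == "__main__":
    for name, req in [("internal, unauthenticated", INTERNAL_UNAUTHENTICATED),
                      ("remote alice, right device", REMOTE_ALICE),
                      ("internal alice, wrong device", INTERNAL_ALICE_WRONG_DEVICE),
                      ("backup service", BACKUP_SERVICE)]:
        print(f"{name:30} legacy={legacy_decision(req)} "
              f"zero_trust={zero_trust_decision(req)}")
```

The two models disagree on the first sample in both directions of interest: the unauthenticated request from an internal address is granted by the legacy rule and denied by the Zero Trust rule, while the fully authenticated remote request is refused by the legacy rule and allowed by the Zero Trust rule. The ordering of the checks is deliberate: transport and identity are established before any authorization data is consulted, so an unauthenticated caller learns nothing about which entitlements exist.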
In the post-COVID-19 world, the need for organizations, large and small, to implement a ZTNA has grown dramatically. Numerous people regularly work from home, using networks that they share with children and others. Employers have no control over those networks, and many such networks may have suffered breaches at some point. As such, all connection requests and requests for services made by remote users deserve to be treated with significant suspicion: there is a real chance that responses to user requests are being monitored by hostile parties who have gained access to users’ routers, or to systems on users’ networks that have since been set into “promiscuous mode” in order to capture all local network traffic.
In short, Zero Trust is an approach. Zero Trust Network Architecture is an architecture of systems, data, and workflow that implements a Zero Trust model.
This post is sponsored by Perimeter 81. To learn more about Zero Trust, and why you should explore it in 2023, please watch the fireside chat with cybersecurity experts Magda Chelly and Joseph Steinberg, viewable here: Why Make Zero Trust a New Year’s Resolution