Never Trust, Always Verify - What Matters In Zero Trust



Murugavel Muthu | January 23, 2023



Zero Trust (ZT) Architecture, also referred to as ZT Security (ZTS), has been widely accepted across industries and nations as a better approach to protecting against and responding to increasingly sophisticated cyberattacks that have the potential to paralyze economies and affect the common man’s life.

ZT Architecture (ZTA) is neither a standalone product nor a turnkey solution. It is a set of principles and a cybersecurity model (and processes) that must be applied across all digital assets and the entire value chain to be effective. At its core, as per the NIST ZTA publication:


Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty by enforcing accurate, least privilege per-request access decisions in information systems and services


Overall, most security professionals understand its importance and how it can help their organizations. Aiding the cause, numerous good resources, including recommendations and specifications, are available from leading standards organizations such as NIST, CISA and DoD, and from industry forums such as the Cloud Security Alliance (CSA) and DSCI.

Despite this, there have been significant discussions and arguments in the industry and the cybersecurity community, with significantly different viewpoints on the core architectural models. Added to this mix, the use of solution names and keywords such as SDP, ZTNA, ZT Security and Micro-segmentation for overlapping concepts is unsettling for cybersecurity practitioners, who are delaying their ZTA implementation plans while they wait for better clarity.


[Figure: Our view of ZT Architecture (Zero Trust Network Access Architecture)]



Here, we've attempted to look at ZTA from a customer and use-case point of view and tried to connect a few dots across existing recommendations.

Zero Trust Architecture Pillars

In simple terms, ZTA is a superior approach to securing and protecting the five digital pillars. While all the pillars are important, a few pillars play a critical and sensitive role depending on the organizational context. Reference diagrams from the CISA and DoD ZT frameworks are given below:

[Figure: Zero Trust framework pillars]


Key Use Cases and Deployment Scenarios

Use cases are the key starting point for arriving at what works best for the organization. Here are a few well-documented use cases for reference:

[Figure: Key use cases]


ZTA Challenges

Organizational hurdles in adopting ZTA have already been reported, including:

  • Rethinking the overall IT design, especially where legacy systems are involved
  • Continuous monitoring and management, given that least privilege access is likely to disturb regular operations
  • Technical debt, given ZTA’s larger scope and complexity.

Given the above challenges, the wide variety of ZTA use cases and the scope of each ZTA pillar, navigating the ZTA journey is a daunting task for a CIO/CISO and cybersecurity teams, especially as product and solution providers bring out products with varying architectural and deployment models. The challenges are:

  • Mapping the scope of the ZTA implementations, pillar-wise and phase-wise.
  • Choosing an architectural approach that fits the organization’s use cases and security context
  • Selecting suitable Product/Solution Deployment models

Zero Trust Architecture Approaches

Below is our understanding of how the use cases, architecture and deployment models can be mapped to an organization’s security context and priorities, and thus assist in choosing ZTA implementation plans and a roadmap. The comparison below is in no way comprehensive (and has a lot of overlaps too), but it serves as a point of departure.

[Figure: Architecture approaches]


While Enhanced Identity Governance and Micro-segmentation have been around for a long time, SDP is a relatively new architecture. The SDP reference architecture from CSA’s SDP 2.0 specification is given below.



ZTA Deployment Models

The key deployment reference models as per the NIST ZTA framework are given below.

[Figure: Architecture]

Zero Trust Maturity Model

The US CISA has defined a Zero Trust Maturity Model to aid organizations' gradual transition to a ZTA implementation, where progress can be made over time. This maturity model is one of many paths to support the transition to zero trust.

CISA's Zero Trust Maturity Model, given below, represents a gradient of implementation across five distinct pillars.

[Figure: Maturity approaches]

Way ahead

Organizations can start by mapping the scope of the pillars (Identity, Network, Data, etc.) against their use cases. For each deployment, such as Cloud, SaaS, Data Center, branch office and WFH staff:

  • Map each pillar to the required CISA maturity level (either Advanced or Optimal) that will meet your risk management needs
  • Then choose the appropriate architectural approach (Enhanced Identity, Micro-segmentation, SDP)
  • Finally, choose the deployment model for each use case.

Cybersecurity has always been a highly dynamic domain, with many new threats bubbling up and new solutions unveiled month by month. It’s not going to be simple. There will be no single bullet, or handful of bullets, that solves the new-age cybersecurity problem. Everything starts with use cases, cybersecurity goals and digital pillars, and that is even more critical for an all-encompassing ZTA. Starting the Zero Trust journey today will enable cyber-secure organizations tomorrow.


About Author

Murugavel Muthu

Founder & CEO of COSGrid Networks with 24 years of experience in Product Development and Product & Business Management in leading technology companies, telcos and startups.



Copyright 2023 © COSGrid Systems Pvt. Ltd., All Rights Reserved