Never Trust, Always Verify - What Matters In Zero Trust
![](https://cdn.cosgrid.com/website/strapi/zerotrust_1_b02db45751.webp)
Zero Trust (ZT) Architecture, also referred to as ZT Security (ZTS), has been widely accepted across industries and nations as a better approach to protecting against and responding to increasingly sophisticated cyberattacks, attacks that have the potential to paralyze economies and disrupt everyday life.
ZT Architecture (ZTA) is neither a standalone product nor a turnkey solution. It is a set of principles and a cybersecurity model (with accompanying processes) that must be applied across the entire digital estate and value chain to be effective. At its core, as the NIST ZTA publication puts it:
"Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty by enforcing accurate, least privilege per-request access decisions in information systems and services."
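As an added illustration (not from the original post or from the NIST publication), the toy policy decision point below shows what "accurate, least privilege per-request access decisions" means in practice: every request is evaluated on identity, device posture and the resource's policy, and nothing is inherited from network location or from an earlier decision for the same subject. A legacy perimeter check is included only for contrast. The policy table, resource names and sample requests are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Request:
    subject: str            # identity already authenticated by the IdP (assumed)
    roles: FrozenSet[str]   # roles asserted for that identity
    device_compliant: bool  # posture signal from a device agent (assumed)
    mfa_age_s: int          # seconds since the last MFA
    source_network: str     # recorded for audit only, never used for trust
    resource: str
    action: str             # "read" or "write"


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


# Constructed per-resource policy. Least privilege means the allowed role set is
# scoped per action, and the more sensitive resource sets a stricter posture bar.
POLICY: Dict[str, dict] = {
    "payroll-db": {"read": {"hr", "finance"}, "write": {"finance"},
                   "max_mfa_age_s": 900, "require_compliant_device": True},
    "wiki":       {"read": {"employee", "hr", "finance"},
                   "write": {"employee", "hr", "finance"},
                   "max_mfa_age_s": 8 * 3600, "require_compliant_device": False},
}


def perimeter_decide(req: Request) -> bool:
    """Legacy perimeter model, for contrast: being on the corporate LAN means trusted."""
    return req.source_network == "corp-lan"


def zero_trust_decide(req: Request) -> Decision:
    """Evaluate one request against identity, device posture and resource policy.

    Every check runs on every request. Network location is ignored, and no
    result is cached or carried over from a previous request by the same subject.
    """
    policy = POLICY.get(req.resource)
    if policy is None:
        return Decision(False, ["unknown resource: default deny"])  # fail closed
    decision = Decision(allow=True)
    if not (req.roles & policy.get(req.action, set())):
        decision.allow = False
        decision.reasons.append(f"no role permits '{req.action}' on {req.resource}")
    if policy["require_compliant_device"] and not req.device_compliant:
        decision.allow = False
        decision.reasons.append("device posture not compliant")
    if req.mfa_age_s > policy["max_mfa_age_s"]:
        decision.allow = False
        decision.reasons.append("MFA too old for this resource; step-up required")
    return decision


# Constructed sample requests.
HR_READS_PAYROLL = Request("alice", frozenset({"hr"}), True, 120, "home-wifi", "payroll-db", "read")
HR_WRITES_PAYROLL = Request("alice", frozenset({"hr"}), True, 120, "home-wifi", "payroll-db", "write")
LAN_STALE_DEVICE = Request("bob", frozenset({"finance"}), False, 5000, "corp-lan", "payroll-db", "read")

if __name__ == "__main__":
    for req in (HR_READS_PAYROLL, HR_WRITES_PAYROLL, LAN_STALE_DEVICE):
        zt = zero_trust_decide(req)
        print(f"{req.subject:6} {req.action:5} {req.resource:10} "
              f"perimeter={perimeter_decide(req)!s:5} zero_trust={zt.allow!s:5} "
              f"{'; '.join(zt.reasons)}")
```

Running the block shows the two models diverging in both directions: the HR user working from home is allowed to read payroll (identity, posture and fresh MFA all check out) even though the perimeter model would reject the off-LAN source, while the finance user on the corporate LAN with a non-compliant device and stale MFA is denied despite the perimeter model waving them through. The second request from the same HR user is denied on its own merits, not allowed because the first one was.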
Overall, most security professionals understand the importance of ZTA and how it can help their organizations. Aiding the cause, numerous good resources, including recommendations and specifications, are available from leading standards bodies such as NIST, CISA and the DoD, and from industry forums such as the Cloud Security Alliance (CSA) and DSCI.
Despite this, there has been significant discussion and argument in the industry and the cybersecurity community, with markedly different viewpoints on the core architectural models. Adding to the mix, solution names and keywords such as SDP, ZTNA, ZT Security and micro-segmentation are used for overlapping concepts, which unsettles cybersecurity practitioners and delays their ZTA implementation plans while they wait for better clarity.
![our view of ZT Architecture](https://cdn.cosgrid.com/website/assets/blog_images/MicroZAccess.png)
Zero Trust Network Access Architecture
Here, we have attempted to look at ZTA from a customer and use-case point of view and to connect a few dots across the existing recommendations.
Zero Trust Architecture Pillars
In simple terms, ZTA is a superior approach to securing and protecting the five digital pillars. While all the pillars are important, a few play a more critical and sensitive role depending on the organizational context. Reference diagrams from CISA and the DoD ZT strategy are given below:
![zero pillar](https://cdn.cosgrid.com/website/assets/blog_images/pillar%20zero%20trust.png)
![zero trust framework](https://cdn.cosgrid.com/website/assets/blog_images/Untitled-1%20(1).jpg)
Key Use Cases and Deployment Scenarios
Use cases are the key starting point for arriving at what works best for the organization. Here are a few well-documented use cases for reference:
![key use cases](https://cdn.cosgrid.com/website/assets/blog_images/2.jpg)
ZTA Challenges
It has already been reported that organizations face hurdles in adopting ZTA, considering:
- Rethinking the overall IT design, especially around legacy systems
- Continuous monitoring and management, given that least-privilege access is likely to disrupt regular operations
- Technical debt, given ZTA's larger scope and complexity
Given these challenges, the wide variety of ZTA use cases and the scope of each ZTA pillar, navigating the ZTA journey is a daunting task for a CIO/CISO and their cybersecurity teams, particularly as product and solution providers are bringing out products with varying architectural and deployment models. The challenges are:
- Mapping the scope of the ZTA implementation, pillar by pillar and phase by phase
- Choosing an architectural approach that fits the organization's use cases and security context
- Selecting suitable product/solution deployment models
Zero Trust Architecture Approaches
Below is our understanding of how use cases, architectures and deployment models can be mapped to an organization's security context and priorities, and so assist in choosing ZTA implementation plans and a roadmap. The comparison below is by no means comprehensive (there is considerable overlap too) but serves as a point of departure.
![architecture approaches](https://cdn.cosgrid.com/website/assets/blog_images/1.jpg)
While Enhanced Identity Governance and Micro-segmentation have been around for a long time, SDP is a relatively new architecture. The SDP reference architecture from CSA's SDP 2.0 specification is given below.
![](https://cdn.cosgrid.com/website/assets/blog_images/SDP%20Architecture%20-%20Copy.jpg)
ZTA Deployment Models
Given below are the key deployment reference models as per the NIST ZTA framework:
![architecture](https://cdn.cosgrid.com/website/assets/blog_images/Architecture.jpg)
Zero Trust Maturity Model
The US CISA has defined a Zero Trust Maturity Model to aid organizations' gradual transition to ZTA, where progress can be made over time. This maturity model is one of many paths to support the transition to zero trust.
CISA's Zero Trust Maturity Model, given below, represents a gradient of implementation across five distinct pillars.
![maturity approaches](https://cdn.cosgrid.com/website/assets/blog_images/Router%20(1).jpg)
Way ahead
Organizations can start by mapping the scope of the pillars (Identity, Network, Data, etc.) against their use cases. For each deployment, such as cloud, SaaS, data center, branch office and WFH staff:
- Map each pillar to the required CISA maturity level (either Advanced or Optimal) that will meet your risk management requirements
- Then choose the appropriate architectural approach (Enhanced Identity, Micro-segmentation, SDP)
- Finally, choose the deployment models for each use case
Cybersecurity has always been a highly dynamic domain, with new threats bubbling up and new solutions unveiled month after month. It is not going to be simple. No single silver bullet, or even a few, will solve the new-age cybersecurity problem. Everything starts with use cases, cybersecurity goals and the digital pillars, and this is even more critical for an all-encompassing ZTA. Starting the zero trust journey today will enable cyber-secure organizations tomorrow.