Making the Case for Zero Trust Network Architecture

It used to be that the strength of your security depended on the strength of your firewall. But today’s cloud platforms and SaaS solutions have obliterated the ability to rely on firewalls and VPNs. The security perimeter has expanded with cloud-based solutions and remote workforces, requiring changes to the traditional security model. Identity-centric security based on the Zero Trust model (where no one receives automatic trust) secures the expanded perimeter. 

As you might expect, network design evolved to meet the challenges of this new perimeter. Today’s organizations need a Zero Trust network architecture that facilitates zero standing privilege. Here’s what that network architecture looks like and how an identity-based perimeter functions with it.

Additionally, the VPN doesn’t prevent insider attacks, and it doesn’t allow simple and secure access for contractors and partners. Companies no longer need to know where people are and what device they’re using, but rather if the user, device, or application seeking access is actually an authorized identity. Gartner predicts that by 2023, 60% of enterprises will phase out most of their VPNs in favor of Zero Trust network access.

Zero Trust network architecture consists of the entirety of an organization’s valuable data, assets, and applications. To implement Zero Trust, it’s crucial to identify what these resources are, who your users are, what each user needs to access and how, and the frequency with which they need to access each element. With this information, you can then establish policies, set up automation, and employ AI tools that evaluate identity and make risk-based access decisions.

Establishing Identity as Perimeter

Because security now hinges on identity, let’s explore how identity works within the Zero Trust framework.

Zero Trust Access according to NIST SP 800-207

Never Assume Access

The foundational premise of Zero Trust is that access is never assumed. Standing privilege no longer exists. Privileged access is evaluated (and reevaluated) whenever a user (or device or application) seeks access. Each time an access request is made, the privileged access management (PAM) system evaluates contextual information such as job role, peer permissions, request history, and other identifiers to determine whether or not to grant access. If activity is deemed questionable, an alert goes out to an admin for further scrutiny. 

Eliminate the VPN 

VPNs are quite vulnerable to compromised credentials and insider attacks, whereas security based on identity, by nature, are significantly less vulnerable and the impact is minimized. Because Zero Trust assumes all traffic is dangerous, no one is given the metaphorical key to keep for use whenever desired. Instead, access is granted only if the identifying information checks out. Ditching the VPN in favor of identity-based security allows organizations to limit the damage from insider attacks, reduce the risk presented by compromised credentials, and facilitate secure access for employees working from home. 

Protect Hard-to-Secure Items

Traditional security strategies do a poor job of protecting access to web servers, cloud services, and other publicly-available items. Because Zero Trust doesn’t depend on firewalls, each of these cloud-based items can be kept secure from anyone and anything that doesn’t pass the identity evaluation. Additionally, access is granted only for the amount of time necessary for the user to complete the task at hand (which could be a matter of hours, weeks, or months). Because access is time-limited, employees who leave for another organization will no longer be able to access the CRM, PM tool, etc. after they’ve left. And if an attacker uncovers access credentials without being caught by the security system, they won’t have access for long.

With the right security solution, monitoring applications and devices can be automated to flag possible attacks. Learn more about stopping attacks cold.

Zero Trust Network Architecture is the Future, Today

While VPNs and traditional network architecture will soon be things of the past, the reality is that the future is already here. Today’s remote work revolution and cloud-based platforms and tools require an overhaul in the way we think about security and build for it. 

Access based on identity is the surest way to prevent a breach, either external or internal. But to implement identity-based security, you must have a thorough knowledge of all your assets, data, and applications. You must also be able to analyze activity and continually monitor for out-of-the-ordinary requests. A Zero Trust network architecture and a powerful security solution based on automation and AI will allow you to implement Zero Trust with less risk.

Start Your Zero Trust Journey  

Find out how Saviynt facilitates Zero Trust and learn how you can reimagine security for your entire workforce at a time when identity is the only security perimeter left. Watch this on-demand webinar, Securing Your Remote Workforce with  Microsoft, Saviynt, & Avanade.