What Is Zero Trust? Architecture, Principles, and Technology

Zero trust is a security model that assumes no connection can be trusted, even if the user or account was previously authenticated. It protects the network by enforcing strict authentication and authorization mechanisms, and by applying microsegmentation to ensure threats are contained in case of a breach.

Unlike traditional network security, which distrusts external entities but trusts entities within the perimeter, zero trust security evaluates all components—including those within the network—in real time. This makes it much more difficult for attackers to gain unauthorized access to sensitive information and disrupt critical business processes.

A zero trust model does not trust the underlying network fabric, requiring input and output validation for all microservices and network devices. It involves building and implementing a defense-in-depth architecture that is resilient to compromised microservices, identities, or individual components.

The zero trust model has been adopted by some of the world’s largest and most technologically advanced organizations, including Google, Microsoft, and the US government. According to Statista, a recent global survey found that 72% of organizations are either implementing zero trust or planning to adopt it soon.

This is part of an extensive series of guides about observability.

Why Is a Zero Trust Strategy Important?

Advances in networking and the advent of cloud computing have created complex enterprise architectures with multiple security layers, including network segmentation, application security, cloud security, and container security. This complexity makes it difficult for security and IT teams to provide secure access to employees, both in the office and remotely. The shift to remote work makes it even more important to provide instant, secure connectivity to employees working from anywhere, on both managed and unmanaged devices.

A perimeter-based approach to security cannot meet the needs of modern organizations. Modern networks have many entry points, which cannot be sufficiently secured, due to a lack of security controls, poor integration between existing controls, and the shortcomings of virtual private networks (VPNs).

VPNs have been the primary method of providing remote access to organizational resources, but they are not sufficient on their own: once a user has authenticated, a VPN typically grants broad, network-level access rather than access to specific applications. This makes the VPN itself an attractive entry point for attackers. Once attackers have a foothold on the network, they can move laterally, escalate privileges, and dwell undetected for months or years.

Zero trust is a solution to this problem. The zero trust model blocks attackers both inside and outside the network, facilitates monitoring and management of security policies in one place, provides fine-grained service segmentation, and provides visibility and auditing at a level that was not possible with traditional security tools.

What Is Zero Trust Architecture?

The concept of zero trust architecture (ZTA) is that implicit trust should never be granted to accounts and devices based on the fact that a device, network, or application is located inside the network perimeter. When anyone creates a connection on a corporate network, the user or device must be properly authorized and authenticated in accordance with zero trust principles.

At the heart of any zero trust architecture is the idea of eliminating pre-authorized access and enforcing specific user access controls at a highly granular level.

According to the US National Institute of Standards and Technology (NIST) guide to zero trust architecture (NIST Special Publication 800-207), zero trust solutions must be designed according to the following principles:

  • Any access to resources should be governed by company policies, which should take into account multiple factors including the user; operational attributes such as IP address and operating system; work schedules; and locations.
  • Access to corporate resources or networks must be on a per-request basis and must require secure user authentication.
  • Authentication of a user or device should not automatically provide access to other resources.
  • All communications with or between corporate resources and networks must be encrypted and authenticated to provide secure access. Systems must apply the appropriate security level depending on the user’s context—for example, whether a request comes from within the network or a remote access point.
  • All devices and data must be defined as corporate resources and secured using zero trust principles. This includes servers, workstations, mobile devices, and any device with access to corporate networks or data.

Learn more in our detailed guide to zero trust architecture

What Is Zero Trust Network Access (ZTNA)?

Zero Trust Network Access (ZTNA) is a key component of the zero trust model. It uses identity-based authentication to establish trust, providing access to authorized entities while hiding information about physical networks (such as IP addresses).

ZTNA provides centralized management and flexibility for IT and security teams. It grants access to each entity for specific applications or data depending on the current time, their location, device, or other criteria.

As organizations add more remote users, move workloads to the cloud and deploy internet of things (IoT) devices, ZTNA protects these distributed environments, identifying anomalous behaviors such as attempts to access restricted system functions or abnormal data flows.

Learn more in our detailed guide to zero trust network

What Are the Principles of a Zero Trust Security Model?

Zero trust is an abstract security model, not a formal model of controlled access. Most zero trust definitions created by industry groups or standards bodies recognize the following set of components:

  • One source of identity for users and non-person entities (NPEs), collectively known as principals.
  • User and machine authentication.
  • Additional context such as policy compliance and device health.
  • Authorization policies for application or resource access.
  • In-application access control policies.

All these components support identity-based access control mechanisms that “deny all” by default and allow access by exception.

To comply with the zero trust principle, trust boundaries should be as small as possible. Within a trust boundary a principal is trusted by definition, so access controls inside it are relaxed or absent; the boundary should therefore cover only the business functions that genuinely need that level of trust. If a boundary encloses additional business functions, it should be narrowed.

Some security boundaries in a system architecture might not fit the criteria of zero trust. For example, systems that filter unwanted IP addresses, allow network access only using specific protocols, or restrict social media use, can work in parallel to zero trust. However, in a zero trust architecture, those traditional boundaries should not be used to evaluate trust. Only boundaries that meet zero trust principles should be used to determine whether a principal is trusted or not.

Zero trust should always maintain separation between individual entities. There is always a trust boundary between two principals, and every interaction across it requires strong authentication (multi-factor authentication for human users, a verifiable workload identity for services) and explicit authorization. Even if two entities are on the same network, in the same physical location, or part of the same line of business, there should be no implicit trust between them.

The zero trust security model works by enforcing these trust boundaries. This is usually done by creating an enforcement point before any interaction with any resource. As these interactions change over time, system identities, resource health, and other aspects also change. This requires continuous re-evaluation of identities and resources, as well as continuous enforcement of authentication and authorization.
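The following is an added example, not code from the original page or from any product it describes. It implements a minimal policy decision point that puts the NIST principles listed earlier and the "deny all by default, allow by exception" model of this section into working code: every request is evaluated on its own against the principal's groups, MFA recency, device posture freshness, time of day and source network, and nothing is carried forward from an earlier decision. The resources, groups, rules, posture-age limit and sample requests are all invented for the illustration.

```python
"""Zero-trust policy decision point (PDP), added illustration.
All names, rules and sample requests are invented for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

MAX_POSTURE_AGE = timedelta(minutes=5)   # assumed freshness limit for device posture reports


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset
    mfa_age: Optional[timedelta]          # time since the last MFA challenge; None = never


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    posture_age: timedelta               # time since the posture report was collected


@dataclass(frozen=True)
class Request:
    principal: Principal
    device: Device
    resource: str
    action: str
    source_ip: str
    when: datetime                       # timezone-aware


@dataclass(frozen=True)
class Rule:
    """One allow rule; anything that no rule allows is denied."""
    resource: str
    actions: frozenset
    groups: frozenset
    max_mfa_age: timedelta = timedelta(hours=8)
    require_managed_device: bool = True
    allowed_hours_utc: range = range(0, 24)
    allowed_networks: tuple = ("0.0.0.0/0",)


# Assumed policy: engineers may read during working hours; on-call staff may
# write, but only with a fresh MFA step-up and only from the corporate network.
POLICY = (
    Rule("payments-db", frozenset({"read"}), frozenset({"payments-engineers"}),
         allowed_hours_utc=range(7, 20)),
    Rule("payments-db", frozenset({"read", "write"}), frozenset({"payments-oncall"}),
         max_mfa_age=timedelta(minutes=15), allowed_networks=("10.0.0.0/8",)),
    Rule("wiki", frozenset({"read"}), frozenset({"employees"}),
         require_managed_device=False),
)


def failed_condition(rule: Rule, req: Request) -> Optional[str]:
    """Return None when the request satisfies every context check of the rule."""
    p, d = req.principal, req.device
    if p.mfa_age is None or p.mfa_age > rule.max_mfa_age:
        return "mfa missing or too old"
    if d.posture_age > MAX_POSTURE_AGE:
        return "device posture report stale"
    if rule.require_managed_device and not (d.managed and d.disk_encrypted and d.edr_healthy):
        return "device not managed or unhealthy"
    if req.when.astimezone(timezone.utc).hour not in rule.allowed_hours_utc:
        return "outside allowed hours"
    if not any(ip_address(req.source_ip) in ip_network(n) for n in rule.allowed_networks):
        return "source network not allowed"
    return None


def decide(req: Request, policy=POLICY) -> Tuple[bool, str]:
    """Per-request decision: (allowed, reason). Deny unless some rule allows."""
    reasons = []
    for rule in policy:
        if rule.resource != req.resource or req.action not in rule.actions:
            continue
        if not (req.principal.groups & rule.groups):
            continue
        failed = failed_condition(rule, req)
        if failed is None:
            return True, f"allowed: {req.action} on {req.resource} via {sorted(rule.groups)}"
        reasons.append(failed)
    return False, "denied: " + ("; ".join(reasons) or "no matching rule (default deny)")


def demo() -> dict:
    """Constructed requests: access is decided per request, never per session."""
    now = datetime(2024, 3, 12, 9, 30, tzinfo=timezone.utc)
    alice = Principal("alice", frozenset({"employees", "payments-engineers"}), timedelta(hours=1))
    bob = Principal("bob", frozenset({"employees", "payments-oncall"}), timedelta(minutes=2))
    fresh = Device("lt-001", True, True, True, timedelta(minutes=1))
    stale = Device("lt-001", True, True, True, timedelta(minutes=30))  # same laptop, old posture
    return {
        "alice_read": decide(Request(alice, fresh, "payments-db", "read", "203.0.113.7", now)),
        "alice_write": decide(Request(alice, fresh, "payments-db", "write", "203.0.113.7", now)),
        "alice_read_stale": decide(Request(alice, stale, "payments-db", "read", "203.0.113.7", now)),
        "bob_write_offnet": decide(Request(bob, fresh, "payments-db", "write", "203.0.113.7", now)),
        "bob_write_onnet": decide(Request(bob, fresh, "payments-db", "write", "10.1.2.3", now)),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} {'ALLOW' if ok else 'DENY ':5} {why}")
```

Two points of the design matter in practice: a request that matches a rule's resource, action and group but fails a context check is not allowed by some other, weaker path, and the same laptop that was allowed a moment ago is refused once its posture report is older than the limit, which is what "continuous re-evaluation" means at the enforcement point.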

Learn more in our detailed guide to zero trust security

Zero Trust Solutions: Technologies and Techniques

Microsegmentation

Microsegmentation is a technology that divides networks into logical units, securing them by applying policies that guide how data and applications are accessed and controlled.

By segmenting the network and limiting traffic between segments, businesses can dramatically improve security. Network microsegmentation can be applied both to on-premises data centers and to cloud environments. It allows security teams to determine which applications may exchange data, where data can be transferred to, and whether authentication or other controls are required for specific interactions.
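To make the segmentation semantics concrete, here is an added example (not code from the page, from Calico, or from Kubernetes) that simulates the subset of Kubernetes NetworkPolicy ingress behaviour that Kubernetes-native microsegmentation, including the Calico policies described later on this page, is built on. It models the rule practitioners most often get wrong: a pod that no policy selects is not isolated at all, so a default-deny policy must be present before any allow rule means anything; once the pod is isolated, allow policies are additive and only the explicitly listed sources and ports get through. The namespaces, pods, labels and policies are invented for the illustration.

```python
"""Kubernetes NetworkPolicy ingress semantics, simulated. Added illustration,
not Calico or Kubernetes code; pods, namespaces and policies are invented."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every key/value must be present; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.items())


@dataclass
class Pod:
    name: str
    namespace: str
    labels: Dict[str, str]


@dataclass
class IngressRule:
    """One 'from' peer plus optional ports. Both selectors None = any source."""
    pod_selector: Optional[Dict[str, str]] = None   # same namespace unless ns_selector is set
    ns_selector: Optional[Dict[str, str]] = None    # matched against the source namespace's labels
    ports: Optional[List[int]] = None               # None = all ports


@dataclass
class NetworkPolicy:
    name: str
    namespace: str
    pod_selector: Dict[str, str]                               # {} = every pod in the namespace
    ingress: List[IngressRule] = field(default_factory=list)   # [] = isolate, allow no ingress


# Assumed namespace labels (what a namespaceSelector is matched against).
NAMESPACE_LABELS = {"payments": {"team": "payments"}, "monitoring": {"team": "sre"}}


def rule_allows(rule: IngressRule, src: Pod, dst: Pod, port: int) -> bool:
    if rule.ports is not None and port not in rule.ports:
        return False
    if rule.ns_selector is not None:                 # namespaceSelector (+ optional podSelector)
        ns_ok = selector_matches(rule.ns_selector, NAMESPACE_LABELS.get(src.namespace, {}))
        pod_ok = rule.pod_selector is None or selector_matches(rule.pod_selector, src.labels)
        return ns_ok and pod_ok
    if rule.pod_selector is not None:                # podSelector alone: same namespace only
        return src.namespace == dst.namespace and selector_matches(rule.pod_selector, src.labels)
    return True                                      # rule without 'from': any source


def ingress_allowed(src: Pod, dst: Pod, port: int, policies: List[NetworkPolicy]) -> Tuple[bool, str]:
    """Union of every policy selecting dst; a pod that no policy selects is wide open."""
    selecting = [p for p in policies
                 if p.namespace == dst.namespace and selector_matches(p.pod_selector, dst.labels)]
    if not selecting:
        return True, "no policy selects the destination: non-isolated, all ingress allowed"
    for pol in selecting:
        for rule in pol.ingress:
            if rule_allows(rule, src, dst, port):
                return True, f"allowed by {pol.namespace}/{pol.name}"
    return False, "destination is isolated and no rule matches: denied"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed cluster: an API and a database in 'payments', Prometheus in 'monitoring'."""
    api = Pod("api-0", "payments", {"app": "api"})
    db = Pod("db-0", "payments", {"app": "db"})
    prom = Pod("prometheus-0", "monitoring", {"app": "prometheus"})
    deny_all = NetworkPolicy("default-deny", "payments", {})
    allow_api = NetworkPolicy("allow-api-to-db", "payments", {"app": "db"},
                              [IngressRule(pod_selector={"app": "api"}, ports=[5432])])
    allow_mon = NetworkPolicy("allow-monitoring", "payments", {"app": "db"},
                              [IngressRule(ns_selector={"team": "sre"}, ports=[9187])])
    return {
        # The common mistake: with no policy at all, everything can reach the database.
        "nopolicy_api_db": ingress_allowed(api, db, 5432, []),
        "denyall_api_db": ingress_allowed(api, db, 5432, [deny_all]),
        "allow_api_db": ingress_allowed(api, db, 5432, [deny_all, allow_api]),
        "allow_api_ssh": ingress_allowed(api, db, 22, [deny_all, allow_api]),
        "prom_db_pg": ingress_allowed(prom, db, 5432, [deny_all, allow_api, allow_mon]),
        "prom_db_metrics": ingress_allowed(prom, db, 9187, [deny_all, allow_api, allow_mon]),
    }


if __name__ == "__main__":
    for k, (ok, why) in demo().items():
        print(f"{k:16} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The simulation covers only ingress with matchLabels selectors and a single peer per rule; real policies also have egress rules, ipBlock peers, matchExpressions and per-protocol ports, and Calico's own policy types add ordering and explicit deny actions on top. The point it demonstrates still holds for all of them: first isolate with a default-deny policy, then allow by exception.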

Learn more in our detailed guide to microsegmentation

Identity and Access Management

Identity and Access Management (IAM) is a business process and technical framework that makes it possible to manage digital identities.

IAM lets administrators control user access to sensitive information within their organizations. It securely stores identity and profile data, and enables governance to ensure that users only gain access to applications and data that are necessary for their roles. IAM is the basis for mechanisms like single sign-on (SSO), multi-factor authentication (MFA), and privileged access management (PAM).

Next-Generation Firewall (NGFW)

NGFW is a third-generation firewall technology, which provides all the capabilities of traditional enterprise firewalls, with additional security features. It can be deployed as hardware or software. An NGFW detects and blocks advanced attacks by applying security policies at the application, port, and protocol level.

Most NGFWs provide advanced security features including application control, integrated Intrusion Prevention System (IPS), identity awareness, malware prevention, and the ability to access and use threat intelligence data.

These features allow an NGFW to add context to the firewall decision process. An NGFW understands the application-layer details of the traffic passing through it, and takes action to block potentially malicious traffic.

Secure Access Service Edge (SASE)

SASE is a cloud-based framework that bundles networking and security functions into one integrated cloud service. Its goal is to provide simple security and networking tools that allow employees to securely access corporate resources, regardless of an employee’s location or the location of the accessed resource.

SASE consolidates multiple technologies, including software-defined wide area networking (SD-WAN), firewall as a service (FWaaS), cloud access security brokers (CASB), secure web gateways (SWG), and zero trust network access (ZTNA), into one platform with a single management console. It provides a convenient, agile, and scalable SaaS model for deploying networking and security in modern IT environments.

How to Implement a Zero Trust Model

Here are some useful concepts for implementing a zero trust model.

Protecting the Workforce, Workplace and Workloads

The three Ws are a handy slogan for remembering what an organization needs to protect.

The workforce
Organizations must protect users and personal devices against phishing, stolen credentials, and other attacks that exploit legitimate user identities. This protection is achievable using tools like multi-factor authentication that help prevent unauthorized users and devices from accessing the network. Authentication tools verify the identity of each user or entity and provide visibility into each user device. They help enforce dynamic security policies controlling access to all applications. Users must pass two or more authentication challenges. When the system grants them access, it allows security teams to view who is accessing each application, what devices they use, and the actions they perform.

The workplace
Protecting the corporate network at the central or branch office gives IT and security teams insight into the devices and users accessing applications. Controlling the network’s connections with a software-defined access approach helps teams identify and block threats, and lets them vet requests that originate inside the corporate network, whether from local users or from connected IoT devices.

The workload
Protecting the information flows across a corporate network requires end-to-end workload security, encompassing the data center, cloud, and connected endpoints. Organizations may use tools to protect their application workloads across multiple clouds and data centers by restricting lateral movement, identifying and analyzing anomalous workload behavior, and minimizing the overall attack surface.

Incorporating New Architectures and Tooling

An organization’s existing security architecture and tools rarely meet the needs of an effective, enterprise-wide zero trust model. Administrators must add new tools to provide additional layers of protection and fill in the security gaps they identify when implementing a zero trust security model. Many advanced security tools can perform the functions that legacy tools might not cover.

For example, IT departments often implement tools like secure remote access control and microsegmentation to support zero trust requirements. These may use SSO and MFA techniques. Advanced cyber threat protection tools can detect threats, prioritize security incidents, and enforce security policies by intercepting connections to specific, protected assets within the network.

Implementing Detailed Security Policies

With all the necessary tools in place, administrators must know how to use them to build a zero trust security framework. An effective zero trust strategy relies on creating and implementing a detailed zero trust policy that administrators can apply to various tools.

A zero trust policy is a set of rules that details who can access specific resources and what they can do with them. Each policy should conform to strict standards, defining the users, applications, and devices allowed to access the relevant service or data. Zero trust policies should also specify the context in which a permission applies (for example, device health, location, or time of day), so that only the access actually required is granted.

After building high-level security policies, administrators can configure security tools to enforce the permissions based on an allowlist of users and actions, denying all other access by default.

Setting Up Monitoring and Alerts

The final core concept of zero trust is to monitor the network and set up alerting tools. These tools are important for providing visibility into the system, ensuring the implementation of zero trust policies, and evaluating whether these policies are sufficient. Continuous monitoring and alerts allow security teams to identify gaps in the zero trust framework, including exploited vulnerabilities.

Nothing is 100% secure, even in a zero trust environment. Security and IT teams must use tools to identify malicious activity and respond quickly. It is also important to perform a regular root cause analysis to find security flaws and keep the zero trust policies up to date.

Zero Trust Security with Calico

Calico Enterprise and Calico Cloud enable a zero trust environment built on three core capabilities: encryption, least privilege access controls, and identity-aware microsegmentation.

  • Encryption – Calico uses WireGuard to encrypt data in transit. WireGuard runs as a module inside the Linux kernel and offers better performance and lower CPU utilization than IPsec or OpenVPN tunnels. Calico supports WireGuard both for self-managed environments such as AWS, Azure, and OpenShift, and for managed services such as EKS and AKS.
  • Least privilege access controls – Calico implements least privilege access controls by denying all network traffic by default and allowing only connections that have been explicitly authorized. This applies to traffic between microservices as well as to ingress and egress traffic outside the cluster. Calico also integrates with native Kubernetes RBAC, so that managing policy is itself authorized per user and team.
  • Identity-aware microsegmentation – Calico leverages its cloud-native model to divide workloads into smaller security segments and then applies security policies for these segments. This prevents lateral movement of threats by reducing and minimizing the attack surface.
