Zero Trust Architecture: The Basic Building Blocks
What is Zero Trust Architecture (ZTA)?
A zero trust architecture (ZTA) helps plan access control in a distributed environment to better secure assets and resources. The zero trust paradigm shifts from static perimeter-based security to dynamic, asset-based security.
Zero trust architectures aim to provide strong security coverage for enterprise networks allowing remote access, bring your own device (BYOD), and cloud-based assets connecting to the corporate network.
Key zero trust practices include never granting implicit trust to assets and users regardless of location or ownership of an asset, and performing authentication and authorization for all subjects and devices before establishing a session to any enterprise resource.
Benefits of a Zero Trust Architecture
A zero trust architecture helps control access to networks, applications, and data, achieving a greater level of visibility. This visibility is crucial to ensure various devices can request access to services and resources in a secure manner. It provides insights into device and service activity across the network.
Unlike traditional perimeter security, a zero trust architecture denies access by default. It employs advanced security techniques and tools to verify user identity and grant access according to behavior, device risk posture, and user risk. As a result, it helps reduce the risk and minimize the attack surface.
A zero trust architecture also helps contain threats. It breaks the network down into microsegments according to functions, groups, and identities, granularly controlling access, privileges, and traffic flow. If intruders breach one segment, the breach is contained in this area and cannot spread across the network.
Technologies Behind Zero Trust Architectures
Zero trust security incorporates the following stages:
- User authentication – A ZTA requires strong user identity verification that ties role-based access controls (RBAC) to user identity.
- Access management – After verifying user identity, the ZTA must ensure this user is authorized to access the requested resource. It requires ensuring access controls cannot be bypassed to prevent unauthorized access to resources.
Here are key technologies needed to support a ZTA. These are the basic building blocks of a zero trust architecture:
- Identity and access management (IAM) – Helps define and manage user permissions within an enterprise network. A ZTA employs IAM solutions to allow or deny access requests.
- Multi-factor authentication (MFA) – Password-based authentication exposes users to credential compromise due to insecure practices like weak and reused passwords. A ZTA employs MFA to validate user identity and protect against credential compromise.
- Endpoint protection – Compromised endpoints can serve as an entry point, allowing attackers to use an authorized user’s session to access resources. A ZTA employs strong endpoint security to protect against compromised endpoints.
- Zero-trust network access (ZTNA) – ZTNA technology enables continuous monitoring and securing of remote connections according to zero trust principles.
- Microsegmentation – This technique moves beyond perimeter-based network firewalls. It involves creating internal network segmentation to enforce zero trust policies within the enterprise network.
- Visibility and analytics – A ZTA includes components that continuously correlate, monitor, and analyze logs for signs of compromise such as phishing and compromised credentials.
Building a Zero Trust Architecture: 4 Best Practices
1. Know your Architecture Including Users, Devices, and Services
A zero trust architecture treats all components on the network with suspicion. It requires comprehensive knowledge of the existing architecture to identify the individual components and assign the appropriate security mechanism.
The goal is to identify all users, devices, services, and the various data flowing into and out of the network, and to implement the appropriate protection regardless of location. Each component is treated as untrusted whether it connects from the local network or from public Wi-Fi.
2. Create Strong Device Identities
Device identity enables clear visibility into and management of devices accessing services and data on the network. It involves maintaining a single device directory that records every device, plus policies that manage those devices through compliance and health checks, which serve as the basis for granting or restricting access and privileges. Strong device identity helps ensure these checks are authenticated.
The confidence level of each device’s identity depends on the hardware, platform, and device type. Here is the confidence level for each type:
- Hardware co-processors – Offer the highest confidence level. For example, a trusted platform module (TPM).
- A managed device – Must work with a software-based key store. Less secure than hardware, but still offers visibility because it’s managed.
- A software-based key store – Offers a lower confidence level.
- BYOD – The lowest confidence level. However, it should still be linked to an identity.
- Devices from another organization – Involves establishing a trust relationship between two organizations. The other organization effectively becomes part of the supply chain, so a high level of governance and security controls must apply.
3. Focus Your Monitoring on Devices and Services
A zero trust architecture implements monitoring not only at the network level, but also for services and devices. Here is how to implement zero trust monitoring:
- Device and service monitoring – Involves monitoring the requests devices make to services, including the actions performed and the data accessed. Monitoring should be tied to predetermined policies to verify that those standards are enforced.
- Network monitoring – Required for good cyber hygiene. It works on local networks to identify rogue devices and malicious activity, and to improve correlation and visibility. For example, it can help trace network connections to a specific device process.
4. Don’t Trust the Network, Including the Local Network
Removing trust from the network helps build trust into services and devices. It involves configuring devices to prevent DNS spoofing and protecting against unsolicited inbound connections and Man-in-the-Middle (MITM) attacks. Authenticated and encrypted protocols like TLS can help prevent DNS attacks.
Zero Trust Security with Calico
Calico Enterprise and Calico Cloud enable a zero trust environment built on three core capabilities: encryption, least privilege access controls, and identity-aware microsegmentation.
- Encryption – Calico utilizes WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than the IPsec and OpenVPN tunneling protocols. Calico supports WireGuard for self-managed environments such as AWS, Azure, and OpenShift, and for managed services such as EKS and AKS.
- Least privilege access controls – Calico implements least privilege access controls by denying all network traffic by default and only allowing connections that have been authorized. This applies to traffic between microservices as well as ingress and egress outside the cluster. Calico also integrates with native Kubernetes RBAC to provide authorization and authentication for various users and teams.
- Identity-aware microsegmentation – Calico leverages its cloud-native model to divide workloads into smaller security segments and then applies security policies for these segments. This prevents lateral movement of threats by reducing and minimizing the attack surface.
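As an added example (not code from this article or from the Calico project), the Calico policies below show how the microsegmentation, default-deny least-privilege, and identity-aware segmentation points above fit together in practice: a cluster-wide deny, a narrow re-admission of DNS, and a label-based rule that lets only one tier reach another. The `payments` namespace and the `app`/`tier` labels are assumptions for illustration.

```yaml
# Added example (not from the article or the Calico project). Namespace
# "payments" and the labels app/tier are assumptions for illustration.
# 1. Default deny: types set but no rules, so any flow not allowed by a
#    lower-order policy is dropped. Calico's own namespaces are excluded.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata: {name: default-deny}
spec:
  order: 1000
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system", "calico-apiserver"}
  types: [Ingress, Egress]
---
# 2. Re-admit DNS egress to kube-dns, or the default deny breaks discovery.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata: {name: allow-dns-egress}
spec:
  order: 100
  selector: all()
  types: [Egress]
  egress:
  - action: Allow
    protocol: UDP
    destination:
      namespaceSelector: kubernetes.io/metadata.name == "kube-system"
      selector: k8s-app == "kube-dns"
      ports: [53]
---
# 3. Segment by identity: payments API pods may reach DB pods on TCP/5432
#    only. Egress is checked at the source, ingress at the destination,
#    so both directions need an explicit Allow.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata: {name: payments-api-to-db, namespace: payments}
spec:
  order: 200
  selector: app == "payments"
  types: [Ingress, Egress]
  ingress:
  - action: Allow
    protocol: TCP
    source: {selector: tier == "api"}
    destination: {selector: tier == "db", ports: [5432]}
  egress:
  - action: Allow
    protocol: TCP
    source: {selector: tier == "api"}
    destination: {selector: tier == "db", ports: [5432]}
```

Lower `order` values are evaluated first, so the two Allow policies are consulted before the catch-all deny; anything they do not match (for example, the API pods' ingress from outside the namespace) is dropped until a further explicit policy admits it.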