In this world of mobile users, billions of connected things, and public cloud applications everywhere -- not to mention the growing sophistication of hackers and malware -- the Zero Trust movement is the new reality. As the name suggests, Zero Trust means no trusted perimeter -- everything is untrusted and, even after authentication and authorization, a device or user receives only least-privileged access. This is what is needed to stop the potential security breaches such an environment invites.
Identity and access management (IAM) is the foundation of great IT security and key to providing zero trust.
Zero Trust networking (ZTN) is the application of Zero Trust principles to enterprise and government agency IP networks. Among other things, ZTN integrates IAM into IP routing and prohibits the establishment of any TCP/UDP session without prior authentication and authorization. Once a session is established, ZTN ensures all traffic in motion is encrypted.
To put this in context of a common analogy, think of our road systems as a network and the cars and trucks on it as IP packets. Today, anyone can leave his or her house and drive to your home and come up your driveway. That driver may not have a key to get into your home, but he or she can case it and wait for an opportunity to enter. In a Zero Trust world, no one can leave his or her house to travel over the roads to your home without prior authentication and authorization. This is what's required in the digital, virtual world to ensure security.
In the voice world, we use signaling to establish the authentication and authorization prior to connecting the call. In the data world, this can be done with TCP/UDP sessions, and in many cases, in conjunction with Transport Layer Security, or TLS. The problem is that IP routing hasn't evolved since the mid-'90s. IP routing protocols such as Border Gateway Protocol are standalone; they don't integrate with directories. Network admission control (NAC) is an earlier attempt to add IAM to networking, but it requires a client and assumes a trusted perimeter. NAC is IP address-based, not TCP/UDP session state-based.
The solution is to make IP routing more intelligent and bring it up the OSI stack to Layer 5, where security and session state reside. The next generation of software-defined networks is taking a more intelligent approach to networking by adding Layer 5 security and performance functions.
Figure: OSI model with Layer 5 security services
Organizations over time have added firewalls, session border controllers, WAN optimizers, and load balancers to networks for their ability to manage session state and provide the intelligent performance and security controls required in today's networks. For instance, firewalls stop malicious traffic in the middle of a network and do nothing within a Layer 2 broadcast domain.
Every organization has directory services based on IAM that define who is allowed access to what. ZTN takes this further by embedding this information into the network and enabling malicious traffic to be stopped at the source.
Another great feature of ZTN is anomaly detection. When a device starts trying to communicate with other devices, services, or applications it has no permission to reach, an alert can be generated. Hackers use a process of discovery, identification, and targeting to break into systems; with Zero Trust, you can prevent them from starting the initial discovery.
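To make the two ZTN behaviors above concrete, here is an added example (not code from the original article or from any product it mentions) of a session-admission gate: every TCP/UDP session request is checked against an identity-based policy before it is allowed, unauthenticated requests are refused outright, and a principal that keeps probing services it is not entitled to triggers an alert. The POLICY table, hostnames and addresses are constructed sample data standing in for a real directory lookup.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Service = Tuple[str, str, int]  # (destination host, protocol, port)

# Constructed sample policy, standing in for what a directory/IAM lookup would
# return: each identity maps to the set of services it may open sessions to.
POLICY: Dict[str, Set[Service]] = {
    "alice@example.org": {("crm.internal", "tcp", 443), ("dns.internal", "udp", 53)},
    "printer-07": {("print-spool.internal", "tcp", 631)},
}


@dataclass
class SessionRequest:
    identity: Optional[str]  # None means no prior authentication took place
    src_ip: str
    dst_host: str
    proto: str
    dst_port: int


@dataclass
class ZtnGate:
    """Admits or denies each TCP/UDP session at the source based on identity
    rather than IP address, and raises an alert once a principal has probed
    several services it is not entitled to (the discovery phase)."""
    policy: Dict[str, Set[Service]]
    alert_threshold: int = 3
    denied: Dict[str, Set[Service]] = field(default_factory=lambda: defaultdict(set))
    alerts: List[str] = field(default_factory=list)

    def admit(self, req: SessionRequest) -> bool:
        if req.identity is None:  # no authentication -> no session at all
            return self._deny(req, "unauthenticated")
        wanted = (req.dst_host, req.proto, req.dst_port)
        if wanted in self.policy.get(req.identity, set()):
            return True  # authorized; the session is then established encrypted
        return self._deny(req, "unauthorized")

    def _deny(self, req: SessionRequest, reason: str) -> bool:
        key = req.identity or req.src_ip  # unauthenticated sources tracked by address
        self.denied[key].add((req.dst_host, req.proto, req.dst_port))
        if len(self.denied[key]) == self.alert_threshold:  # fire once per principal
            self.alerts.append(f"{key} probed {self.alert_threshold} denied services ({reason})")
        return False
```

The denied-destination counter is keyed by identity, so a device that walks a list of services it was never granted is flagged after its third distinct refusal, before any session is established.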