Zero Trust: How Does It Work?


Ernie Regalado - Product Marketing Director

The Zero Trust model was introduced in 2010 by Forrester Research. The approach can be summed up in a few words: never trust, always verify, and that includes employees and devices already inside the network. Over the next decade, new cloud applications emerged and cloud adoption accelerated. Salesforce, ServiceNow, Shopify, Workday, Atlassian, Square, DocuSign, Slack, Box and other must-have apps became part of the corporate digital toolset.

These tools improved employee productivity, required no upfront capital, and scaled to support users anywhere. Unfortunately, they also wreaked havoc on the traditional security model, which was defined by protecting the corporate perimeter. Traditional security could not protect a remote workforce accessing apps from home or the road. The arrival of COVID only magnified the problem by significantly expanding the remote workforce, bringing the urgency of adopting zero-trust security to the forefront.

Zero Trust Philosophy

There’s a famous line in an old horror film that, even if you’ve never seen the movie, you’ll recognize instantly: the call is coming from inside the house. The chilling implication of the phrase made it almost an instant horror cliché. It perfectly articulates the terrifying prospect that, even in the most secure of locations, our assumption of safety could be an illusion. And the more you rely on that assumption, the more vulnerable you are to the threats already lurking beside you.

The old model of corporate security was built on the faulty idea that once a secure corporate perimeter is in place, trust can be extended widely to anyone or anything inside it. In reality, even trusted users can behave in untrustworthy ways, and trusted accounts and devices can be compromised. If users are given access to the entire network every time they log in, a single client with a weak password, or one employee who opens a suspicious email attachment, can expose the entire network and its applications to attack. In other words, security protocols that place unlimited trust in anyone with network access are essentially granting anyone inside the network permission to do unlimited damage.

Zero trust limits the damage bad actors can do by removing automatic access from everyone and everything, inside and outside the network. Rather than granting wide, standing permissions to certain users, programs, and entities, it insists that verification is ongoing and that access is granted on a case-by-case basis, with each request receiving only the minimum permissions needed to perform a specific action on a specific resource. Finally, each session is monitored for suspicious or risky activity, with protocols in place that respond to threats in real time.

In recent years, evolving technology has made the assumption of trust not only problematic but untenable. Even before the pandemic made remote work the norm for most businesses, the widespread adoption of mobile devices, cloud-based computing, and other technological advances had already expanded the business beyond the corporate perimeter. To fix the problems of legacy security and adapt to the new digital landscape, companies had to embrace a new security philosophy: zero trust.

Evolution of Security Architecture

Legacy security products were built for a world where determining which users, devices, and programs to trust was a relatively straightforward matter, at least in theory. Rather than exposing services on the public Internet, where bad actors could reach them, companies built private networks at a centralized location. Physical firewall boxes and DDoS appliances were used to keep this private network safe. Employees could only reach the Internet through gateways connected to physical hardware at that location, allowing security teams to tightly control traffic. It was a bit like building a safe house or a bunker with a single point of entry: ensuring the safety of that bunker was essentially a matter of reinforcing the entry point and keeping a careful watch any time someone entered or exited.

But as technology evolved and Internet usage became ubiquitous, this process became more challenging. Storing data in a centralized location means that anyone accessing it from outside that location must wait for data to travel to and from that single point of origin. This could create long wait times for faraway clients or employees located at different branches of the company, or lead to bottlenecks when many users attempt to reach that origin point at the same time. To address this problem, companies had to purchase expensive MPLS links and deploy their own IT teams to manage routing between branches, VPN hardware, and clients. Data was no longer stored on a private network in a centralized location, but distributed across data centers. This is less like barricading oneself inside a bunker with a single reinforced entry point and more like living in a house with multiple doors and windows that need to be guarded at all times. And with more and more people going in and out of those entries all the time, it becomes nearly impossible to carefully monitor who’s inside the house, let alone predict what they’ll do once they get inside.

Today, protecting digital property isn’t akin to building a bunker or even defending a house with multiple entry points; it’s like wandering through an open range while wearing a blindfold. Workers are no longer stationed in office branches: they are remote and mobile, making their behavior harder to predict and their identity harder to verify. With the advent of cloud computing, data no longer lives on premises in a corporate headquarters or protected data centers. Companies subscribe to SaaS applications rather than maintaining their own servers, infrastructure, and in-house support staff. Monolithic architecture is increasingly replaced by microservices composed of small, loosely coupled, independently deployable components. Modern security must adapt to these changes, extending protection to cloud-based and edge-native apps, containers, microservices, and workers everywhere.

Implementing Zero Trust with Azion

In today’s complex digital landscape, detecting and preventing malicious traffic has never been more difficult. That’s why trust must not only be established once, but again and again, across multiple vectors. Modern security solutions must not only ensure networks, users, and workloads are secure but provide ongoing visibility and orchestration so that malicious traffic can be detected and automatically dealt with. Azion provides companies with the tools needed to control, monitor, and deploy security solutions in today’s networks—at the edge, in the cloud, or on premises.

[Image: Azion security stack]

Zero Trust Networks - Network segmentation is a key component of zero-trust architecture. Yesterday’s monolithic corporate perimeters are not suited to today’s widely dispersed networks. Instead, networks must be divided into microperimeters: segments that are isolated from each other to contain attacks and allow for more granular control, so that a compromised host in one segment cannot reach resources in another. Azion’s Network Layer Protection lets you create lists based on the network, users’ locations, or your own rule system, so that you can implement this crucial component of modern security.

Zero Trust Users - It’s no longer enough to enforce strict user access; permissions should be scoped not only to authenticated users, but to the specific functions they need to execute. Azion’s Real-Time Manager is a control panel that lets you build and assign permissions to specific users, implementing authentication and authorization both for your development team and within the applications hosted on our platform.
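The two components above, segmentation and per-user, per-action permissions, come together in the policy decision a zero-trust gateway makes on every request. The following is an added illustration written for this page, not Azion code: the segments, roles, resources and thresholds are hypothetical, and a real deployment would source the identity claims from a verified token and the device posture from an endpoint agent rather than from fields on the request object.

```python
"""
Added example (not Azion's code): a minimal zero-trust policy decision point.

Every request is evaluated on its own: who is calling (identity claims), from
where (which microperimeter the source address falls in), on what kind of
device, and which specific action on which specific resource. The default is
deny; access is granted only when every check passes. All names, network
ranges, roles and the policy tables below are hypothetical.
"""
from dataclasses import dataclass, field
import ipaddress
import time

# Hypothetical microperimeters: named network segments.
SEGMENTS = {
    "corp-wired": ipaddress.ip_network("10.10.0.0/16"),
    "vpn-users": ipaddress.ip_network("10.20.0.0/16"),
    "admin-jump": ipaddress.ip_network("10.99.0.0/24"),
}

# Segmentation layer: which segments may reach which resource at all.
RESOURCE_SEGMENTS = {
    "billing-api": {"corp-wired", "vpn-users"},
    "edge-config": {"admin-jump"},
}

# Least privilege: role -> permitted (resource, action) pairs, not "the network".
ROLE_PERMISSIONS = {
    "analyst": {("billing-api", "read")},
    "billing-admin": {("billing-api", "read"), ("billing-api", "write")},
    "edge-operator": {("edge-config", "read"), ("edge-config", "write")},
}

MAX_TOKEN_AGE = 900  # seconds; forces re-verification every 15 minutes (hypothetical)


@dataclass
class Request:
    subject: str
    roles: set
    token_issued_at: float
    mfa: bool
    device_compliant: bool
    src_ip: str
    resource: str
    action: str
    now: float = field(default_factory=time.time)


def segment_for(ip):
    """Map a source address to its microperimeter, or None if it is in no known segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def decide(req):
    """Return (allowed, reason). Deny by default; every check must pass."""
    # 1. Identity: token freshness and MFA are checked on every request, not once at login.
    if req.now - req.token_issued_at > MAX_TOKEN_AGE:
        return False, "token expired; re-authenticate"
    if not req.mfa:
        return False, "mfa required"
    # 2. Device posture: an unmanaged or non-compliant device gets nothing.
    if not req.device_compliant:
        return False, "device not compliant"
    # 3. Microperimeter: the source segment must be one allowed to reach this resource.
    seg = segment_for(req.src_ip)
    if seg is None or seg not in RESOURCE_SEGMENTS.get(req.resource, set()):
        return False, f"segment {seg} may not reach {req.resource}"
    # 4. Least privilege: this exact action on this exact resource must be granted to a role held.
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if (req.resource, req.action) not in granted:
        return False, f"{req.action} on {req.resource} not permitted for roles {sorted(req.roles)}"
    return True, "allowed"


if __name__ == "__main__":
    now = 1700000000.0
    base = dict(token_issued_at=now - 60, mfa=True, device_compliant=True, now=now)
    print(decide(Request("alice", {"analyst"}, src_ip="10.10.5.5", resource="billing-api", action="read", **base)))
    print(decide(Request("alice", {"analyst"}, src_ip="10.10.5.5", resource="billing-api", action="write", **base)))
    print(decide(Request("dave", {"edge-operator"}, src_ip="10.20.1.1", resource="edge-config", action="write", **base)))
```

Note that the analyst is refused a write even though she is authenticated and on an allowed segment, and the edge operator is refused the edge configuration from the VPN segment even though his role would permit the action from the jump segment: each check is independent and none of them confers trust on the others.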

Zero Trust Workloads - Workloads encompass the entire application stack, from the application layer down to the processing components such as containers and VMs. Each of these components presents a different attack surface, and each must be secured under the same zero-trust assumptions. Azion helps customers implement zero trust workloads by providing serverless management, which lets them focus on application and client-side security while we handle the security of the edge infrastructure.

[Image: Azion serverless security]

Visibility and Analytics - Rather than stopping at authentication, zero trust demands constant monitoring to catch threats from compromised users or risky behavior, and to ensure that any breach is found as quickly as possible. Azion’s Data Stream provides that visibility. Real-time, encrypted data can be fed from sources such as your edge applications or firewall into your own SIEM or big data analytics system. This gives your security team the means to analyze threats as they occur and adjust their defenses accordingly.

Automation and Orchestration - Research from Forrester has shown that handling security threats manually is almost impossible in the age of IoT and edge computing. With Edge Orchestration, you can create complex queries to track how effectively you are blocking attacks and view real-time metrics about your applications’ security. Moreover, you can act immediately on these data and metrics, as we support zero-touch provisioning: our control panel lets you configure, stop, and start services as needed.
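To make the monitoring and response components above concrete, here is an added example, written for this page and not drawn from Azion’s Data Stream or Edge Orchestration, of the kind of detection logic a SIEM would run over streamed access-decision events, followed by the automated response a zero-trust control plane would take. The event records, field names, thresholds and response actions are all constructed for the illustration.

```python
"""
Added example (not Azion code): two session-level detections run over
constructed edge access-decision events, plus an automated response step.

  session_ip_change - one session token seen from a second source address
                      shortly after the first (token theft / hijack indicator)
  deny_burst        - several policy denials for one user inside a short window
                      (privilege probing or a compromised account)

Event format, thresholds and response actions are hypothetical.
"""
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line, as a SIEM would receive them.
SAMPLE_EVENTS = """
{"ts": 1700000000, "session": "s1", "user": "alice", "src_ip": "10.10.5.5",   "resource": "billing-api", "action": "read",  "decision": "allow"}
{"ts": 1700000030, "session": "s1", "user": "alice", "src_ip": "203.0.113.9", "resource": "billing-api", "action": "read",  "decision": "allow"}
{"ts": 1700000040, "session": "s2", "user": "bob",   "src_ip": "10.20.1.7",   "resource": "edge-config", "action": "write", "decision": "deny"}
{"ts": 1700000050, "session": "s2", "user": "bob",   "src_ip": "10.20.1.7",   "resource": "edge-config", "action": "read",  "decision": "deny"}
{"ts": 1700000055, "session": "s2", "user": "bob",   "src_ip": "10.20.1.7",   "resource": "billing-api", "action": "write", "decision": "deny"}
{"ts": 1700000090, "session": "s3", "user": "carol", "src_ip": "10.10.7.7",   "resource": "billing-api", "action": "read",  "decision": "allow"}
"""

DENY_THRESHOLD = 3   # denials ...
DENY_WINDOW = 60     # ... within this many seconds trigger an alert (hypothetical)


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def detect(events):
    """Return a list of alert dicts for the two detections described above."""
    alerts = []

    # Detection 1: a session token reused from a new source address.
    seen_ips = defaultdict(set)
    for e in sorted(events, key=lambda e: e["ts"]):
        ips = seen_ips[e["session"]]
        if ips and e["src_ip"] not in ips:
            alerts.append({
                "type": "session_ip_change",
                "session": e["session"],
                "user": e["user"],
                "ips": sorted(ips | {e["src_ip"]}),
            })
        ips.add(e["src_ip"])

    # Detection 2: a burst of denials for one user (sliding time window).
    denies = defaultdict(list)
    for e in events:
        if e["decision"] == "deny":
            denies[e["user"]].append(e["ts"])
    for user, stamps in denies.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > DENY_WINDOW:
                start += 1
            if end - start + 1 >= DENY_THRESHOLD:
                alerts.append({"type": "deny_burst", "user": user, "count": end - start + 1})
                break  # one alert per user is enough

    return alerts


def respond(alerts):
    """Map alerts to automated control-plane actions (hypothetical action names)."""
    actions = []
    for a in alerts:
        if a["type"] == "session_ip_change":
            actions.append(("revoke_session", a["session"]))   # kill the suspect session
        elif a["type"] == "deny_burst":
            actions.append(("require_reauth", a["user"]))      # force fresh MFA before more access
    return actions


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(a)
    print(respond(found))
```

The point of the pairing is that neither detection needs the attacker to have done anything that the per-request policy would refuse: alice’s second request was allowed, and bob’s denials are each individually uninteresting. Only the stream as a whole reveals the problem, which is why zero trust treats monitoring after authentication as part of the control, not an afterthought.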

Conclusion

Unlike legacy architecture, today’s networks and applications are complex, interconnected ecosystems. These systems can be hard to visualize, let alone defend. Achieving comprehensive security in today’s digital world requires zero trust combined with multilayered security. In the next post, we’ll examine security for edge applications further and go into detail about each component in the security stack.
