Most IT managers have heard of Zero Trust, but few companies have implemented this security strategy so far. We explore what Zero Trust means and how it is connected to security concepts such as SASE, ZTNA and SSE.
Network security today is mostly based on the question of who gets access to the network. Once a machine gets access to the network, it is usually also possible to access all the resources in it including data, applications or servers. Users or devices are considered as “trusted” once they are connected.
Zero Trust questions this approach and true to its name, assumes that users and devices are not to be trusted by default. The Zero Trust principle is often stated as “Never Trust, Always Verify”.
Development of the Zero Trust concept
Zero Trust isn’t entirely new. It took almost 20 years, however, for the concept to really pick up speed. Initially the ideas behind it were formulated within the Jericho Forum. This group was formed in 2004 under the leadership of David Lacey, the former Director of Information Security of the British Royal Mail Group. Ten years later, the Jericho Forum was merged with the Open Group, a globally active organization with a Unix background focused on developing new standards.
At first, however, there was no fixed term for the ideas proposed by Lacey. In 2010, analyst John Kindervag from Forrester Research coined the catchy term Zero Trust. The year 2010 is therefore often referred to as the birth of Zero Trust.
Fundamental principles of Zero Trust
Zero Trust does not automatically trust data from the network just because it comes from the protected zone. Instead, it pursues a four-stage model for verifying data, users and machines:
- Access is blocked by default.
- Users, applications, and devices need to authenticate to prove that they are who they claim to be.
- Each individual access is then authorized on the basis of defined security policies.
- In addition, any changes that may have an impact on the session are monitored continuously. If an irregularity is detected, access is terminated immediately.
Zero Trust is therefore not a product from a specific provider but a fundamental security approach. Users or devices are only granted access to the data they actually need for their current tasks. Zero Trust thus follows the “Least Privilege” principle.
Even successful cyber attacks when hackers are able to gain access to the company network can now be stopped in their tracks. In classic networks, an attacker can, for example, connect to another server and cause further damage there. With Zero Trust, the attack cannot succeed because the attacker will not pass security checks.
There are now a number of other security concepts such as SASE, ZTNA and SSE that have been developed on the basis of Zero Trust. In the following, we will explain the most important differences.
How SASE and Zero Trust differ from each other
As we have discussed, Zero Trust is more of a basic concept that describes how authentication and authorization should be carried out. However, there is no definition of how these objectives can be achieved in practice.
Secure Access Service Edge (SASE), on the other hand, is a cloud-based network and security service that goes far beyond mere protection. The concept was presented in 2019 by the market research company Gartner. SASE connects network architectures such as VPN (Virtual Private Network) and SD-WAN (Software-defined Wide Area Networks) with security functions from the cloud such as web gateways, cloud access security brokers (CASB), firewall services and the Zero Trust concept. It is easy to manage thanks to a central management console.
However, SASE cannot be introduced overnight. SASE is rightly regarded as very complex and time-consuming to implement. For example, in a survey by market research company Techconsult, 36 percent of respondents said that Zero Trust and SASE were too complex for them to introduce. 33 percent reported a lack of expertise in the company and 26 percent said that costs were too high. This is why, two years after SASE, Gartner has presented another concept, Security Service Edge (SSE).
What is the difference between SASE, SSE and ZTNA?
SSE is in principle part of SASE, the part that focuses on security. Other aspects of SASE that relate to optimizing the bandwidth in the network or the WAN have been removed from SSE. This makes it easier to implement.
The most important components of SSE are zero-trust-based access to the network, also known as zero trust network access or ZTNA for short. ZTNA does not release the entire network, but only certain defined resources. Relevant questions include:
- Who wants to access the resource?
- Where does the request originate from?
- What policies are implemented for the situation?
- Did the access attempt lead to suspicious behavior?
ZTNA is usually supplemented with a Cloud Access Security Broker, which is intended to protect access to cloud applications and remote processes, as well as by Secure Web Gateways (SWGs) for filtering and monitoring content and firewall-as-a-service solutions (FwaaS).
How companies can gradually implement Zero Trust
How can you get started with Zero Trust? The software-based security solutions from NCP already meet the essential criteria of Zero Trust. With the NCP Secure Enterprise Management Server, access rights of user groups and individual users can be configured granularly. In addition, the solution supports modern methods for verifying the identity of users and end devices such as multi-factor authentication, machine certificates and endpoint policy checks.
This allows you to check, for example, whether the operating systems, virus scanners and certificates on the end devices are up to date. You can also manage applications and updates centrally and securely. Further, you can specify in detail which users, groups and applications are allowed to access which resources. This protects far more than just the classic perimeter.
Learn more about Zero Trust security from NCP now.