As cyberattacks become more sophisticated, traditional security models become outdated. Older models, in which internal devices and users are trusted by default, are increasingly inadequate given the growth of cloud apps, services and hybrid work environments. Zero-trust architecture (ZTA) is a security framework in which no user or device, internal or external, is trusted by default. It works on a “never trust, always verify” approach. It is a comprehensive model that leverages multifactor authentication, continuous access evaluation, identity and access management, network isolation and real-time monitoring. This model helps protect remote and hybrid environments where users connect from various locations, networks and devices. In addition, it increases cloud security because every request is verified, helps enterprises comply with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) by restricting data access, aids in mitigating internal user threats and uses real-time monitoring and artificial intelligence (AI) to detect anomalies. While this type of architecture has many benefits, it can be challenging for companies because of a static mindset, increased costs and continuous maintenance.
The National Institute of Standards and Technology (NIST) defines the tenets of ZTA and provides a simple overview of the benefits in section 2.1 of NIST-SP 800-207. These benefits include: “all data sources and computing services are considered resources, all communication is secured regardless of network location, access to individual enterprise resources is granted on a per-session basis, and access to resources is determined by dynamic policy and may include other behavioral and environmental attributes.”
These tenets illustrate the versatility and value of the architecture and link to several key concepts in contemporary IT and security landscapes. A core concept of ZTA is the logical division of assets into a control plane and a data plane. The policy administrator (PA) and the policy engine (PE) sit in the control plane and interface with the data plane through policy enforcement points (PEPs). The benefit is that each resource access is verified on a per-session basis. The dynamic aspect of the policy is that the PE is not simply one access policy or firewall but a robust suite of tools, policies and protocols that act as a trust algorithm (TA) and can be changed as the threat landscape evolves. This model is therefore scalable and can be localized to the needs of different resources. It supplants perimeter-based approaches to defense and instead focuses on leveraging data assets to verify trust and user behavior.
With one in five employees working remotely in 2023, access from public networks, multiple devices and changing locations is now the norm, and each of these is a standard remote-work security concern. These sprawling needs have made perimeter- and permission-based trust systems increasingly vulnerable to exploitation. As seen in Techcrunch’s yearly list of the most significant breaches, many are attributable to outdated security models, legacy infrastructure and poor data management. These realities necessitate a shift in cybersecurity. ZTA uses continuous monitoring through the PE and the PA to “never trust, always verify” each resource access request. TAs provide analytical tools to weigh user behavior and determine how trustworthy a request is. This added reporting and data collection layer, together with the PE’s unique role as an adaptable aggregation of policies and tools, is what lets a ZTA adapt to new threats.
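As an added illustration of the PE, PA and PEP roles described above (this is example code written for this page, not part of the article or of any NIST publication), the following toy policy engine scores each request from identity, device, network and behavioral attributes and enforces a per-resource threshold on every session. The attribute weights, thresholds, subjects and resources are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field

@dataclass
class AccessRequest:
    subject: str
    resource: str
    session_id: str
    mfa_passed: bool
    device_compliant: bool
    network: str      # "corp", "vpn" or "public"
    location: str     # coarse location label, e.g. a country code

@dataclass
class PolicyEngine:
    """Hypothetical trust algorithm: additive attribute scoring against a
    per-resource threshold. Thresholds and baselines are mutable so the policy
    can be tightened at runtime without touching the enforcement points."""
    baselines: dict = field(default_factory=dict)   # subject -> usual locations
    thresholds: dict = field(default_factory=dict)  # resource -> required score
    default_threshold: int = 50

    def score(self, req: AccessRequest) -> int:
        s = 40 if req.mfa_passed else 0
        s += 30 if req.device_compliant else 0
        s += {"corp": 20, "vpn": 15}.get(req.network, 0)  # public network adds nothing
        # Behavioral attribute: does this subject normally connect from here?
        if req.location in self.baselines.get(req.subject, set()):
            s += 10
        return s

    def decide(self, req: AccessRequest) -> tuple[bool, int]:
        needed = self.thresholds.get(req.resource, self.default_threshold)
        s = self.score(req)
        return s >= needed, s

class PolicyEnforcementPoint:
    """Sits in front of a resource; asks the engine on every session and never
    caches a decision, so a policy change takes effect on the next request."""
    def __init__(self, engine: PolicyEngine):
        self.engine = engine
        self.audit = []   # the record the PA feeds back to continuous monitoring

    def enforce(self, req: AccessRequest) -> bool:
        allowed, s = self.engine.decide(req)
        self.audit.append((req.session_id, req.subject, req.resource, s, allowed))
        return allowed

# Constructed sample data, not taken from any real deployment.
ENGINE = PolicyEngine(baselines={"alice": {"US"}, "bob": {"US"}}, thresholds={"hr-db": 80})
PEP = PolicyEnforcementPoint(ENGINE)
HEALTHY = AccessRequest("alice", "hr-db", "s1", True, True, "vpn", "US")
RISKY = AccessRequest("alice", "hr-db", "s2", True, False, "public", "RU")
```

Raising `ENGINE.default_threshold` at runtime is the "dynamic policy" tenet in miniature: the same subject on the same device is re-evaluated on the next session and may be denied without any change at the PEP.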
The dual pressures of current business function needs and existing security solutions in cybersecurity create precarious risk scenarios. With some incident responses resulting in patchwork solutions or uneven rollouts of security updates across network and asset infrastructure, technical debt accumulates significant risk to security. As global market pressures and the sophistication of cybercrime continue to mount, the price of technical debt and the severity of breaches are primed to increase.
Ideal implementations of ZTA are ground-up implementations that build assets with control planes, data governance and policy in mind from the start; in reality, most enterprises work with what they have and go from there. The NIST-SP 1800-35 series provides examples of integrating ZTA into existing infrastructure. The emphasis on continuous monitoring and data integrity is necessary for ZTA solutions and pairs well with master data management (MDM), data governance and incremental development models. These continuous development practices integrate with the record-of-truth concepts in MDM and complement data governance needs. The complementarity of MDM, data governance and ZTA cannot be overstated. Both ISACA and NIST identify the synergy between data integrity, governance and security.
As social engineering and sophisticated syndicate cybercrime continue to leverage new technologies, ZTA and MDM offer some level of protection through data integrity. By leveraging continuous monitoring and having a flexible policy engine that can adapt trust algorithms to unique business needs, threats can be more quickly mapped as deviations from the norm, supporting and protecting data plane governance efforts. While continuous monitoring is a tenet of ZTA, it differs from other threat detection solutions in that it reinforces data integrity. In this way, ZTA complements the maintenance of business processes rather than being just another layer of technical debt. Investing in data management is the first step in investing in ZTA, opening the door to a suite of emerging technologies, including AI and machine learning (ML) solutions whose performance relies on data integrity.
In an increasingly integrated future, adaptation to new technologies and security configurations is part and parcel of contemporary business practices. As the scope and scale of cybersecurity breaches continue to escalate, a shift in mindset and architecture is required. The arms race for security can cool down by adopting ZTAs. Their segmented networks allow cybersecurity professionals to contain breaches and limit damage while learning from attackers. Applying and harnessing innovative technologies requires good governance and expertise. Zero-trust solutions provide tools to remain flexible while mitigating the risk and extent of breaches. The future of cybersecurity is least-privilege, never-trust and multifactor. To adopt the “always verify” mindset is to embrace architectures that secure assets, build user confidence and trust, and reinforce good governance practices. ZTA for technology leads the way to a more trusted future for society.