The ZT architecture approach assumes that no connection, user, or asset is trustworthy until verified. Conversely, the traditional perimeter security paradigm trusts connections once authenticated and grants them access to the entire network, leaving enterprise assets potentially open to cybercriminals. Transformative and time intensive, ZT projects build upon and rework existing architecture.
ZT architecture is an evolving concept that at present has no certifications or practical standards. Many enterprises rely on certifications such as International Organization for Standardization (ISO) compliance, and the absence of well-defined parameters in the case of ZT creates a measure of confusion.
Adding to the confusion, some vendors label a product or a service as a complete ZT solution, ignoring the basic premise that ZT is an approach that utilizes existing and new products and services but does not reside in a particular set of products or services. Worse, many will apply this practice of “zero trust washing” to legacy products despite missing core properties.
Various ZT frameworks and approaches are available. ZT is a concept, but the basics of a ZT framework have been defined by the National Institute of Standards and Technology (NIST) and by analyst firms such as Gartner, Forrester, IDC, and ESG.
Analyst firms are beginning to offer roadmaps along with valuable guidance, and organizations can find excellent information from those sources to start their ZT journey.
ZT starts with a set of principles that each enterprise implements according to its business and security needs.
A ZT deployment comprises different components. Some may be in-house services, and others may be cloud based. Recognize that any ZT architecture you implement will roll out over time. During this period, it's critical to educate stakeholders on all the moving pieces and convey that ZT is a continued effort without clearly defined start and finish. Stay mindful that as changes in your IT and business needs disrupt your progress, you can maximize the impact of your ZT approach by continually reassessing your architecture.
Experts emphasize there is no one-size-fits-all ZT infrastructure. Every enterprise, and thus every ZT deployment, will be different. Additionally, ZT infrastructure is typically implemented over time in a series of smaller infrastructure modernization projects. The ideal ZT model rarely, if ever, exists.
One of the attributes of the ZT model is its dynamic nature, so today’s ideal ZT model may not be ideal tomorrow.
Example diagram from the NIST document, page 18. Zero trust model components.
A number of data sources provide input to assist the policy engine in making access decisions.
Other critical considerations include prioritizing components within your existing architecture that are outdated and those that have a significant impact. Another key factor is focusing on one of the most often neglected aspects in early ZT projects - visibility. As early adopters of ZT have remarked almost universally, you can only trust what you see.
Micro-segmentation is a viable technique, but without a strong ZT identity component, extra investment in segmentation has diminishing ZT returns.