In the past, all employees worked at the office. It made sense to surround the office with a tall wall of security to stop malicious actors. The security perimeter was well defined. Anything inside the corporate network was OK. Anything outside the corporate network was not OK.
But times are changing. It is no longer possible to hide every single employee behind a corporate firewall. Nowadays, the workforce is distributed. People no longer work in a well-protected office environment; instead, employees have switched to remote work. Remote workers use remote devices and a VPN to access the company’s network. A typical company’s infrastructure combines on-premises applications, cloud services, remote users, mobile users, and more. This raises questions about security. With a hybrid work model, it is impossible to define the security perimeter because employees can now log in from all around the world. This creates the need for a robust security strategy.
What is Zero Trust Architecture?
Zero Trust is a security strategy that says you cannot trust any application, user, or device by default, regardless of their location, status, or any other property.
Zero Trust is not a single solution. Rather, Zero Trust is a set of principles that you can adopt to improve your company’s security posture. The most important principle of Zero Trust is “never trust, always verify”. All other principles stem from the idea of not granting implicit trust before thorough and continuous verification (authentication, authorization, and security control).
While a complex topic, Zero Trust can be summed up in these three principles:

- Always Verify – Even if somebody gains access to your network, it does not necessarily mean that they are who they say they are or that they are accessing the network in good faith. For example, a malicious actor might hack into the company’s network posing as Mr. Bob Smith while in fact being somebody else. A fired employee who still has access to the network might want to retaliate by conducting a malicious attack on their company.
- Always Grant Minimum Privilege – Always grant users, devices, and applications the minimum amount of access that they need to perform an action. For example, if all the user needs to do is read a file, do not permit them to edit the file. Also, if a user wants to access a given application, do not give them access to any other application except for that one.
- Always Assume Breach – Prepare an incident response plan that will have you covered even in the case of the worst possible security incident scenario. If you do, then even if a serious attack occurs, you will be able to utilize a well-prepared response in a short time.
Standard Network Infrastructure
The following diagram depicts a simplified version of standard network infrastructure:

Before the distributed workforce became the norm, an average company’s infrastructure was mainly based on on-premises applications. Unfortunately, this old infrastructure model was found to have security issues. Namely, an attacker who gains access to a company’s network can move laterally to other systems with no hindrance. Users are authenticated only once, when authenticating to the VPN, and can then move around the network at will.
In such a standard network infrastructure, users most often connect to a company’s network using a VPN. A VPN can be secured with Two-Factor Authentication (2FA), but this is not always the case. Once the user connects to the VPN, an IP address is assigned to them. Then, the user can move around the network, accessing all on-premises applications at will. Even if they are connected to one particular application or service, they can move laterally to another service within the network. This poses a big threat because a malicious actor who manages to connect to a VPN gains access to all services inside the network.
Another issue with this standard infrastructure is that if users want to use cloud applications, they must have a separate set of credentials for each of them. In addition, each cloud application has its own security options and policies, which makes it very hard for a company to administer all its applications and get good visibility into what is happening in them.
Standard Infrastructure Drawbacks
The standard network infrastructure has few pros and many cons.

- Scattered Cloud Apps – Cloud apps are not centralized; a different set of policies and credentials for every cloud app introduces chaos to the company.
- Lenient Verification – Users are authenticated before they access the company’s network; once inside the corporate network, users are trusted.
- Binary Approach to Security – Users inside the corporate network are trusted. Users outside the corporate network are not trusted. Once inside the network, users do not have to be revalidated and can freely move from one application to another, which poses a great security threat.
- Little to No Infrastructure Coherence – Apps and services are not centralized; login differs for each application, which hurts the user experience.
- Security Risks – The lack of modern security measures, together with the model’s trust assumptions, deepens security vulnerabilities and increases compromise risk.
- Outdated and Non-Compliant – The standard infrastructure model is obsolete in the contemporary world and does not comply with regulations and industry requirements.
Zero-Trust Network Infrastructure
The following image portrays a simplified version of the zero-trust network infrastructure:

In a zero-trust network infrastructure, users who want to access an application must first connect to the so-called Policy Enforcement Point (PEP). Thanks to the Policy Enforcement Point, the company gains control over the security policies and can determine what policies are applied to access each application. The same set of policies can be applied to both cloud and on-premises applications, which significantly increases both security and coherence.
The Policy Enforcement Point is directly connected to the Access Gateway. To authenticate the user, the Access Gateway checks the user’s credentials by connecting to an authentication source (e.g., Active Directory, FreeRADIUS). If the application is hosted in the cloud, then after successful identity verification, the Access Gateway sends the user back to the cloud application. If the application is hosted on-premises, the Access Gateway sends the user back to the on-premises application they are signing in to.
With Zero Trust, instead of gaining access to the entire network, the user is redirected to each on-premises app for individual access. Users cannot tell the difference between authenticating to cloud and to on-premises applications, as the authentication process looks the same to them. Zero Trust makes both the user experience and the behind-the-scenes flow better and more coherent.
Along with coherence and convenience, Zero Trust also increases security. Applications in the Zero Trust model do not accept any connections that did not come through the Policy Enforcement Point. As a result, even if a user is authorized to access a particular on-premises application, they cannot move to any other application without going through the Policy Enforcement Point again. In the Zero Trust architecture, every component of your system is designed so that an attacker who compromises one component is unable to access any other component. In other words, even if a security incident occurs and somebody gains access to one application, they cannot expand the attack and move around your network. Thanks to the Policy Enforcement Point, you can now verify not only the user and their device but also the individual actions they are allowed to take.
Zero Trust Benefits
The Zero Trust architecture model comes with a wide range of benefits.

- Centralized Access to Cloud Apps – Zero Trust provides access control over cloud apps.
- Continuous Verification – Authenticate the user and revalidate policies on each connection to a new application.
- Microsegmentation – Every login attempt goes back through the Policy Enforcement Point; users cannot move laterally from one application to another within the network.
- Increased Infrastructure Coherence – The Policy Enforcement Point allows the same policies to be applied to cloud and on-premises applications; PAP adds a centralized identity provider for all apps.
- Reduced Security Risks – Thanks to higher security achieved via MFA, SSO, Access Policies, continuous verification, as well as its core principles, Zero Trust considerably mitigates security risks.
- Support for Regulatory Compliance – Depending on your industry, you may be required to comply with one or more regulations, such as GDPR, HIPAA, PCI DSS, NIST. Adopting Zero Trust can help you conform to these regulations.
How Can Rublon Help Me Adopt Zero Trust?
Rublon is a comprehensive security solution that can help you in implementing and complying with the Zero Trust architecture model in your organization.
The most important ways in which Rublon can help you adopt the Zero Trust model are:

- Rublon Multi-Factor Authentication (MFA) enables strong authentication on all your cloud application, RDP, and VPN logins, and allows you to deploy modern MFA on all services your users sign in to. Rublon MFA uses a set of robust authentication methods and the Rublon Authenticator mobile app to provide you with top protection while ensuring a streamlined user experience.
- Single Sign-On (SSO) facilitates access to cloud applications by requiring users to undergo primary and secondary authentication (password + second factor) only once, while logging in to the so-called SSO Portal. Then, users can use the SSO Portal to access each cloud application. However, to log in to a particular cloud application, a user must re-authenticate with a strong second factor. Lateral movement across applications is not possible without passing the second factor every time the user wants to log in to another application. Users do not have to type their password every time, but they must confirm their identity with an authentication method such as Mobile Push. A second authentication factor makes it difficult for an attacker to gain initial access to an account, and the requirement to re-authenticate every time you want to log in to another application further improves security. For the user, this additional security check is negligible, as Mobile Push is a seamless, fast, and comfortable way of confirming your identity. At the same time, it is very secure and helps you thwart most attack attempts on your account.
- Access Policies allow you to create and assign security policies to one or more applications, regardless of the application’s type. You can assign the same Access Policy to a set of cloud and on-premises applications. Rublon’s Custom Policies allow you to increase the security of your user logins by deactivating less secure authentication methods and preventing users from remembering their devices. After a quick and easy configuration of policies in the Rublon Admin Console, you can significantly increase your compliance with Zero Trust principles and strengthen your overall workforce security.
Get Rublon Now
Get Rublon now to enjoy secure Multi-Factor Authentication (MFA), convenient Single Sign-On, and powerful Access Policies. Let us help you adopt Zero Trust principles to improve the security posture of your company.
To check if Rublon fits your needs, start a Free 30-Day Trial.