Zero Trust: A Complete Guide to Remote Access Security
If there were any doubts that Zero Trust Network Access is more than a buzzword, they were erased by the US government’s decision to adopt Zero Trust across all federal agencies. This 21st Century approach to remote access security promises to fix many of the cybersecurity and network management challenges faced by organizations of all sizes.
Traditional access control technologies have an inherent design flaw: they require an assumption of trust. Major security breaches happen because cybercriminals can leverage this assumption to penetrate supposedly “secure” perimeters and exfiltrate company data.
As its name implies, Zero Trust removes trust from the equation to solve modern challenges in cybersecurity and network management. IT leaders recognize the need to replace their old remote access security systems with modern systems. Yet many IT professionals are just starting on their Zero Trust journey. It is more than a buzzword, but how do you cut through the hype to understand what Zero Trust could mean for your organization?
Twingate’s guide to Zero Trust will introduce this modern approach to remote access security and explain how Zero Trust:
- Requires a different way of thinking about network access.
- Fixes problems inherent to traditional access control technologies.
- Delivers benefits beyond secure remote access.
We will give you some tips for evaluating Zero Trust providers and dispel the myths holding back Zero Trust adoption. Despite its early reputation, Zero Trust can be simple enough to deploy without re-architecting your entire network.
Zero Trust (ZT) is an approach to network security and access control that meets the challenges of 21st Century cybersecurity. Also called Zero Trust Network Access (ZTNA), this new framework is based on one fundamental assumption:
Trust does not exist.
Under Zero Trust, you never assume that an on-premises network is any safer than the public internet. You never assume that a user’s laptop is any more secure than anything rack-mounted in your server room. You never assume that the incoming access request from your CEO is actually coming from your CEO.
ZTNA’s assumption that nothing can be inherently trusted overturns decades of network security practice. Traditional systems rely on the creation of a secure perimeter around trusted, managed networks and devices. VPN, RDP, and other remote access technologies open secure, encrypted portals through this perimeter so traveling employees can access company resources.
Often compared to the way moats and walls protected medieval castles, the layered defenses of the secure perimeter supplied a safe haven for an organization’s most critical systems. Of course, medieval defenses eventually fell as cultures changed and military technologies breached walls with ease. Our traditional network defenses share a similar fate.
In the 20th Century, network perimeters existed neatly within the office walls. The distinction between those who could be trusted and everyone else was easy. Most users were employees working at their desks and a relative few traveling employees who needed remote access.
21st Century computing is completely different. Companies today rely on blended workforces of employees, on-demand freelancers, short-term and long-term contractors, as well as third-party service providers.
While hybrid workforces existed before 2020, the COVID pandemic forced all businesses to adopt work-from-home policies. As the pandemic eased, employees and employers alike questioned the need to go back to the office.
Modern remote access security systems must be able to handle this varied nature of today’s workforce and the near-universal need for remote access.
Security was much easier when on-premises managed devices were the only things accessing the network. This began to change as company-owned laptops and then smartphones made employees more mobile. But then bring-your-own-device (BYOD) policies gained traction. The sudden shift to work-from-home during pandemic shortages made BYOD essential.
Whether financially motivated or out of necessity, BYOD adoption requires IT departments to deal with a constellation of devices and operating systems over which they have little direct control.
Internet technologies have obliterated our concept of the perimeter. While many companies still use on-premises systems, the cloud is making this less common. Company-owned applications are now cloud-hosted by third-party services. In many cases, the applications themselves are sourced as third-party services.
The cloud’s business case may be compelling, but it stretches defensive perimeters beyond company property and beyond security administrators’ full control. As a result, a company’s perimeter is only as secure as the partner systems it integrates with.
Cybercrime is big business with a sophisticated ecosystem of developers, ransomware service providers, and dark web marketplaces. Criminal syndicates give low-level hackers access to automated malware distribution tools for their high-volume phishing campaigns.
More advanced cybercriminals leverage the trust built into secure perimeters to target networks at scale. Unpatched security systems, third-party networks, vulnerable user credentials, unsecure devices, and the changing workforce give cybercriminals a broad surface to launch their attacks.
Traditional technologies are not up to this challenge which is why the industry has sought new approaches to remote access security.
A particularly sophisticated state-sponsored attack on Google’s network in 2009 was a wake-up call for the search giant. Its forensic review of Operation Aurora concluded that traditional security methods were failing. A few years later, Google unveiled its BeyondCorp initiative.
Using Zero Trust principles, BeyondCorp eliminated the internal network and put all resources behind internet-facing proxies. Strict verification, control over company-issued devices, and role-based authorizations reduce the company’s exposure to attack. Although pioneering, the Google-centric nature of BeyondCorp’s approach to Zero Trust makes it unsuitable for some.
- Cloud-first model - Google’s cloud-centric systems made migrating to an internet-facing architecture easier.
- Internet visibility - While Google may be confident with its public-facing proxies, companies in more regulated industries will prefer less visible options.
- Legacy systems - Companies cannot rewrite legacy systems for Zero Trust compatibility as Google did with its internally-developed systems.
- Google Chrome dependence - BeyondCorp was designed for Google’s Chrome operating system and browser which many companies do not use.
- Google Cloud dependence - Since most companies use AWS or Azure, adopting BeyondCorp adds complexity through integration with Google Cloud.
Over the past ten years, trends in computing and cybercrime have driven a consensus that the secure perimeter’s day has passed. Forrester Research analyst John Kindervag popularized Zero Trust Network Access around the time Google began developing BeyondCorp. Research was already underway, not surprisingly, at the US Department of Defense and the Defense Information Systems Agency. The National Institute of Standards and Technology issued several guidelines for implementing Zero Trust at federal agencies. Finally, a May 2021 executive order required all federal agencies to adopt Zero Trust.
The concept of “zero” trust has nothing to do with the emotional, social, and psychological nature of human trust. In the machine-to-machine context, trust is an algorithmically-generated evaluation of an incoming connection. Based on many factors, the value of that evaluation will fall somewhere between complete trust (+1) and complete distrust (-1). “Zero” trust is simply the case when the system knows nothing about the incoming connection.
Zero Trust Network Access builds upon this algorithmic concept of trust to form three guiding principles: assume breach, verify explicitly, and least privilege access. Combined, these three principles provide the framework for 21st Century security and access control.
Zero Trust assumes nothing is safe. Cybercriminals may be roaming freely on the network. Every user device may be hacked. Every user credential may be stolen. Every protected resource may have backdoors or 0-day flaws.
By contrast, traditional approaches assume that everything within a secure perimeter is safe: trusted employees using secure devices on an uncompromised network. If these old approaches are wrong just once, then the perimeter fails.
With Zero Trust, the principle of assume breach requires defenses around every resource and assumes any access request is a threat. The only correct response is to lock everything down and deny access by default. If the system is wrong, there is no security breach. A user simply will not get the access they need. Help desks get a phone call, but company resources remain safe.
Of course, users need to access protected resources to get their jobs done. But can you trust that they are who they say they are? The Zero Trust principle of verify explicitly requires verification of the user’s identity with every access request — without exception.
Traditional approaches to access control grant access permissions too broadly. VPN gateways, for example, only control access to a network. The user can have full access to any resources attached to that network for as long as they are connected to the VPN gateway.
Verify explicitly requires authentication with every request to access any resource. In addition, identity verification cannot be a one-time check. Assume breach implies that a user’s credentials could be compromised at any time. One click on an email attachment is all it takes for their identity credentials to fall in the wrong hands.
The user could be at the office or working remotely. They could be using a company-managed laptop or their home computer. They could be the CEO or a contractor. Every access request they make requires explicit verification.
Even when you verify explicitly, assume breach makes that verification suspect. Least privilege access uses context-sensitive, role-based rules to give users the least amount of access they need to get their jobs done. This approach reduces the impact of the most common security threats. Here are three recent examples of compromised user credentials enabling cyberattacks:
Verizon’s budget cellular service, Visible, recently suffered a credential stuffing attack that gave criminals access to customer credit card information. Criminal marketplaces with compromised user passwords let the criminals take over the user accounts.
The Cybersecurity and Infrastructure Security Agency recently warned of a new ransomware campaign against critical infrastructure companies. The BlackMatter extortion group uses already-compromised credentials to penetrate networks and encrypt essential data.
Compromised credentials helped hackers launch an attack through a popular enterprise network management tool. Since SolarWinds Orion requires global administrative access privileges, the cyberattack may have penetrated 18,000 organizations including US government agencies and defense contractors.
Privileged credentials are cybercriminals’ preferred target since they give the hackers direct access to higher-value systems and let them penetrate deeper into networks. A 2021 survey found half of all organizations surveyed had privileged credentials compromised. Network administrators were the most common targets of these attacks.
Least privilege access mitigates spear-phishing and other targeted attacks by making compromised credentials less useful for cybercriminals. Rather than giving administrators a single credential for multiple systems, least privilege access requires the use of multiple credentials: one set of general permissions for email and productivity apps plus additional credentials for each system. Every attempt to access a resource requires explicit verification. Furthermore, least privilege access ends the use of shared passwords and other bad habits that open security holes.
Of the three Zero Trust principles, least privilege access is the most important to get right. You can learn more in our article, “Principle of Least Privilege: How to Stop Hackers in Their Tracks”.
Combining least privilege access, verify explicitly, and assume breach in a Zero Trust framework addresses the security weaknesses of legacy technologies. But the benefits of Zero Trust go much further.
ZTNA also improves a company’s network performance and user experience. Traditional remote access solutions such as VPN channel all remote traffic through a limited number of gateways. This approach works for a few remote users, but not when everyone works from home. In addition, remote users’ traffic passes through the gateway even when they access cloud resources. The resulting backhaul reduces network performance and increases the latency of the user’s connection.
By establishing direct, encrypted tunnels between the user’s device and the resource, Zero Trust systems route user traffic through the most efficient, performant path. Traffic to cloud-based resources passes securely across the internet, freeing private networks to handle traffic for on-premises resources.
Managing traditional security technologies is resource-intensive. Gateways, firewalls, and other hardware appliances must be maintained, patched, and replaced on a regular basis. Furthermore, administrators must maintain multiple security systems. Access for remote users requires a separate system from that used for office users. Each cloud service has its own security system that may not integrate with the system protecting on-premises resources.
Zero Trust replaces this patchwork with a single security and access control system. Zero Trust solutions protect resources no matter where resources or users are located. And with detailed, granular activity logs, Zero Trust systems let administrators optimize the performance of their network architectures.
By cutting capital-intensive infrastructure such as VPN access control systems, companies can reduce the cost of building and maintaining their networks. With software-based Zero Trust systems, security and access can scale dynamically without expensive investments.
Still, the most significant savings are the costs companies avoid by preventing the theft of customers’ personal information or their own proprietary data.
Zero Trust systems are much harder to breach due to their smaller attack surfaces. Unlike BeyondCorp, most Zero Trust systems hide resources from view on internal and external networks. Rather than using gateways that publish their presence on the internet, Zero Trust systems create direct, ephemeral, and encrypted connections between devices and resources.
Because they assume breaches have already occurred, Zero Trust systems reduce the damage hackers can cause. Explicit verification and least privilege authorizations limit hackers’ access to the compromised resource. Micro-segmentation prevents hackers from moving laterally to other resources. Extensive logging lets administrators spot unusual activity sooner so they can take action before the hacker penetrates deeper into the company’s systems.
The need for Zero Trust is driven by the failure of traditional access control technologies to keep pace with the way organizations work today. When Network Access Control (NAC), Virtual Private Networks (VPNs), Remote Desktop Protocol (RDP), and similar technologies were developed, the corporate computing landscape was much different.
All users were employees who worked within the walls of a company facility. They used company-owned and managed desktop computers to access resources located in on-premises server rooms or company-owned data centers. The castle-and-moat paradigm works in this context. With direct control over their networks, resources, and devices, administrators could build a layered defensive perimeter to keep threats at bay.
Only a relative handful of employees needed to cross that perimeter and access internal resources. NAC, VPN, and RDP solutions provided that access while preserving the perimeter’s integrity.
In the face of today’s more complex computing environment and the threat of modern cybercriminals, these approaches have become security risks. In addition, these technologies undermine network performance and business productivity.
What started out as a series of whitepapers a decade ago has become a dynamic, rapidly-evolving Zero Trust ecosystem. Choosing the right solution will deliver all the benefits we discussed earlier. Choosing the wrong approach to Zero Trust leads to wasted money on projects that are ultimately abandoned. Asking the right questions about potential Zero Trust providers can make the difference between success and failure.
Google’s BeyondCorp initiative kept things simple by issuing company-managed Chromebooks to its employees and requiring the Chrome browser on other devices. Companies that keep a similar level of control will need to find Zero Trust providers that support their unique combination of devices and operating systems.
At the other extreme, companies that have embraced BYOD and blended workforces need Zero Trust systems with more universal cross-platform device support.
Companies with purely cloud-based network architectures tend to be younger and limited to certain industries. Most companies rely on a mix of internally-developed applications, legacy third-party resources, and cloud-hosted services.
Before choosing a Zero Trust provider, security administrators must understand how the provider’s solution protects resources. Those solutions that work at the application layer, for example, will have a much more limited range than those that work at the transport layer. A related question is whether the Zero Trust provider offers APIs that let the company integrate policy enforcement and activity logging into its proprietary systems.
Unlike a user’s identity, device posture is a constantly-moving target. The device’s operating system status, network connection, geolocation, and other factors can change at any time with a resulting impact on the user’s least privilege access.
Some Zero Trust solutions handle this by building walled gardens around applications and data on the device. Besides increasing friction for the user, this approach can be administratively intensive. In a BYOD environment, the provider must support every combination of client device and operating system.
Other Zero Trust providers take a cross-platform approach that collects factors such as the type of network connection and the device’s state. Combining this posture assessment with the type of network request being made, these systems can enforce policies on the device and terminate connections the instant device posture changes.
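As an added illustration (not Twingate's code or any vendor's API), the per-request evaluation described above expressed as a small policy decision point: deny by default, explicit verification of every request, role-based least privilege, and tearing down a connection the instant device posture changes. The resource names, roles, and posture fields are constructed for the example.

```python
"""
Added example, not code from the original page or from any Zero Trust vendor.
Models one policy decision point: every request is re-evaluated from scratch,
and an open connection is re-checked whenever device posture changes.
All resource names, roles and posture fields are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Identity:
    user: str
    roles: frozenset
    mfa_verified: bool          # "verify explicitly": IdP asserted MFA for this request


@dataclass(frozen=True)
class DevicePosture:
    os_patched: bool
    disk_encrypted: bool
    network: str                # constructed values: "corp", "home", "public-wifi"


@dataclass(frozen=True)
class AccessRequest:
    identity: Identity
    posture: DevicePosture
    resource: str
    action: str


# Least privilege: each resource lists the (role, action) pairs it allows.
# Anything not listed is denied ("assume breach": deny by default).
POLICY = {
    "crm-db":      {("sales", "read"), ("dba", "read"), ("dba", "write")},
    "payroll-app": {("hr", "read"), ("hr", "write")},
    "git-server":  {("engineer", "read"), ("engineer", "write")},
}

# Constructed rule: these resources additionally require a healthy device.
POSTURE_SENSITIVE = {"crm-db", "payroll-app"}


def posture_ok(p: DevicePosture) -> bool:
    # Constructed posture check: patched, encrypted, and not on public Wi-Fi.
    return p.os_patched and p.disk_encrypted and p.network != "public-wifi"


def evaluate(req: AccessRequest) -> tuple:
    """Decide one request. Nothing is cached from earlier requests."""
    if not req.identity.mfa_verified:
        return Decision.DENY, "identity not explicitly verified"
    allowed = POLICY.get(req.resource, set())
    if not any((role, req.action) in allowed for role in req.identity.roles):
        return Decision.DENY, "no role grants this action (least privilege)"
    if req.resource in POSTURE_SENSITIVE and not posture_ok(req.posture):
        return Decision.DENY, "device posture below policy"
    return Decision.ALLOW, "ok"


@dataclass
class Connection:
    """A per-resource tunnel; there is no network-wide grant to inherit."""
    request: AccessRequest
    open: bool = False

    def on_posture_change(self, new_posture: DevicePosture) -> Decision:
        """Re-run the policy with the new posture; close the tunnel if it fails."""
        self.request = AccessRequest(self.request.identity, new_posture,
                                     self.request.resource, self.request.action)
        decision, _ = evaluate(self.request)
        self.open = decision is Decision.ALLOW
        return decision


def connect(req: AccessRequest) -> Connection:
    """Open a tunnel to exactly one resource, only if the request passes."""
    conn = Connection(req)
    conn.open = evaluate(req)[0] is Decision.ALLOW
    return conn
```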
Providers that claim “complete” Zero Trust solutions pitch the efficiencies of an end-to-end integrated system. But implementing such a system requires more time, planning, and resources to replace the company’s substantial investment in its existing security stack.
When a company uses a third-party identity provider (IdP), for example, the fees paid to the IdP represent a fraction of the total investment. The identity verification system contains detailed user information, role definitions, and policy rules that required substantial effort to create and refine.
Zero Trust providers that integrate with IdPs and other security systems let companies take a phased approach to Zero Trust deployment. They can leverage their substantial security infrastructure without having to reinvent the wheel.
Deploying a Zero Trust solution can be a mega-project on the scale of Google’s BeyondCorp that requires:
- Installation of new hardware.
- Changes to existing network infrastructure.
- Changes to each protected resource.
- Changes to each user device.
The more people are needed to plan, execute, and troubleshoot the deployment, the more expensive and time-consuming the deployment will be.
Zero Trust solutions that use software-defined perimeters (SDPs) to protect resources are much simpler to deploy. A few commands can protect a resource without changing the resource’s settings or reconfiguring network hardware.
To simplify user-side deployment, Zero Trust client apps should require no changes to operating system or software settings. Ideally, users should be able to install the app themselves without help desk support.
The user experience plays a role in the manageability of Zero Trust solutions. Client apps can run seamlessly in the background and “just work” regardless of what resources users access. These solutions will generate fewer help desk calls and improve security compliance. Client apps with more rigid approaches to access control may require multiple logins and could be sensitive to system changes.
On the back end, administrative consoles and seamless integrations with IdPs and other security systems can make Zero Trust much simpler to manage. Another consideration is the extent and granularity of the Zero Trust system’s activity logs. The more visibility administrators have across all devices and resources, the easier it will be to optimize network performance, adjust least privilege access policies, and spot potential security breaches.
As an alternative to the traditional pricing models established by network hardware vendors, many Zero Trust solutions offer subscription-based services. This Zero Trust-as-a-Service approach converts network security spending from a capital expense to an operational expense. Budgets become easier to forecast and justify. Security budgets also become more flexible and responsive to business needs.
Google broke new ground by being the first Zero Trust implementation by a major enterprise. Unfortunately, the BeyondCorp initiative also set expectations that Zero Trust implementations are complicated, time-consuming, and expensive.
That was the only way it could have been at the time. Zero Trust only existed in academic research papers. No vendors offered Zero Trust solutions. Google had to start from scratch by re-engineering its entire network architecture. The company had to rewrite its internal applications. Methods to support Zero Trust had to be developed for the Chrome operating system and browser. As a result, Google’s effort was complicated, time-consuming, and expensive.
Google’s pioneering case does not reflect the reality of Zero Trust today. Still, that and other concerns have slowed the adoption of Zero Trust Network Access.
Ten years ago, Zero Trust did not exist beyond academia and consulting firms. The principles and concepts that define the framework were easy to understand. But that did not make Zero Trust a plug-and-play solution. It took Google nearly a decade to develop and fully deploy BeyondCorp. Few other companies have its resources.
It took time for vendors to respond to interest in Zero Trust. Some simply reworked and rebranded their existing technologies. Newer companies are Zero Trust-native and offer solutions designed from the ground up to support this modern approach to security.
Few companies want to follow Google’s path by developing their own Zero Trust system. If a complete end-to-end solution did exist, however, many companies would hesitate before locking themselves into a single vendor. But stitching together a complete system using elements from multiple vendors requires internal expertise. That expertise must be developed as the migration happens.
Simple, easily deployed Zero Trust solutions can accelerate this learning process. IT staff can run initial pilot projects and use the lessons learned to inform later phases of the Zero Trust migration.
Zero Trust solutions that require changes to resources make that migration more difficult. As discussed earlier, few companies have the luxury Google did when migrating to Zero Trust. They have legacy third-party systems and internally-developed applications that are not — and may never be — Zero Trust aware.
Deploying solutions based on software-defined perimeters avoids the need to change legacy systems. Zero Trust protections can be applied to existing resources without the expense of reprogramming existing systems.
Zero Trust was not the only trend shaping corporate computing over the past decade. The Industrial Internet of Things (IIoT) and other digital transformation technologies have transformed manufacturing, logistics, and other business processes.
When these technologies have security systems, however, they are designed using the old trust-based paradigm. The same is true of the network technologies they run on. This can make IIoT systems vectors for cyberattacks unless covered by Zero Trust protections.
Migrating to Zero Trust, as with many security initiatives, competes with other business priorities for funding and executive commitment. The past few years of pandemic-generated disruption make the perceived cost and difficulty even harder to justify.
Yet, those same disruptions are also forcing business leaders to recognize the need for new approaches to security and access control. The myth that Zero Trust migration is complicated, time-consuming, and expensive is already fading. As more companies focus on cybersecurity, ZTNA implementations will become more common.
Twingate simplifies ZTNA adoption by offering a Zero Trust solution that organizations can deploy in minutes. Using software-defined perimeters, Twingate hides your critical resources not only from the public internet but from your private networks as well.
The Twingate system evaluates identity, device posture, and connection context to authenticate the user and inform role-based authorization processes. Only then will a direct, encrypted tunnel connect the user’s device to the requested resource.
Twingate’s software-based solution scales to meet the needs of small businesses and globe-spanning enterprises alike while providing a range of business benefits.
Twingate integrates with major IdPs including Okta and Azure AD to work with your existing security stack. Compatible with multi-factor authentication systems, Twingate explicitly verifies every access request and lets you apply role-based, least privilege access policies.
As a software-only solution, Twingate lets you deploy a Zero Trust Network Access pilot project within minutes. You do not need to change resource settings or modify your network. And your existing VPN solution can stay in place as you expand ZTNA further.
Twingate’s Zero Trust solution frees bandwidth and reduces latency by eliminating bottlenecks and efficiently routing user traffic. Creating secure, direct connections between users and protected resources does away with traditional VPN gateways. At the same time, split tunneling automatically routes non-essential traffic away from your network to the user’s ISP.
Users get a more responsive experience. A simple app store-like process lets users install the Twingate client themselves without changing operating system settings. Once installed, the client app runs seamlessly without the need for further user interaction.
The simple user experience reduces help desk calls and ensures user compliance with security policies. A single console lets administrators onboard and offboard both remote and office users in the same system. Extensive identity-indexed logs give network administrators detailed insights into user and device activity.
The modern computing environment has become too complex for traditional remote access security tools. The user space and device space have expanded dramatically. Cloud adoption and X-as-a-Service business models have stretched the network perimeter beyond administrators’ control. On top of these network management challenges, the sophistication of modern cybercrime makes the next big security breach inevitable.
Rather than patching 20th Century technologies and hoping for the best, organizations everywhere are turning to Zero Trust Network Access. Assuming your systems have already been breached, explicitly verifying every access request, and only granting least privilege access provides a 21st Century framework for protecting your company’s critical resources.
Unlike early attempts, migrating to Zero Trust does not have to be complicated, time-consuming, and expensive. Twingate’s Zero Trust solution, based on software-defined perimeters, can get your project up and running in minutes. No need to change your existing network. No need to modify protected resources.