Palo Alto Networks offers this Zero Trust explanation:
“Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture. Rooted in the principle of “never trust, always verify,” Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control.”
Zero Trust was created by John Kindervag while he was a VP and principal analyst at Forrester Research. The basic point is that the old model of trusting everything behind the firewall is no longer a good model. If a user's identity is compromised or a system has malware on it, then you are letting the compromised user or system go anywhere they want, because the system is 'trusted' simply for being behind the firewall.
The diagram above shows some principles of a zero trust network in open, hybrid, and closed form.
Here is a diagram of a normal network:
Image is from techbast.com
Some people have taken zero trust in many different directions, such as claiming you no longer need a firewall and should just put everything in the cloud. That is not the point of Zero Trust. Zero Trust simply means you cannot implicitly trust everything that is in your network.
The basic idea is that you assume attackers are already on machines inside the network. Do not assume all your systems are unhackable and are therefore trusted to do whatever the user on them wishes to do.
So you build a zero trust architecture by adding more checks than a username and password. A big part of Zero Trust is verifying and reviewing what is on the network, which means you may need a next-generation firewall (one that can do more than just block unwanted traffic from the Internet). Adding MFA (multi-factor authentication) is a good start on authentication management.
To me it does not make sense to put all of your devices on the Internet without a firewall, since the attacks the firewall currently blocks would then have to be handled by your desktops and servers on their own. Every firewall manufacturer has its own approach to Zero Trust architecture, and it depends on the additional safeguards the firewall can provide for your now-untrusted local network.
So my diagram is designed to make you think about what exactly should be created. It all depends on what you are defending: an email and web server, a database server, and possibly an ecommerce server. Every application that has an Internet profile (has to face the Internet) can still be partially protected by the firewall, but ultimately the application will have to be out on the Internet. What does 'out on the Internet' mean? It means that anyone on the Internet can reach the system, so anyone in China, Iran or North Korea will have access to the server. An email server is an example: to accept email, it must be reachable from the Internet.
So to recap, zero trust architecture in my opinion should be used to create an 'untrusted' environment behind the firewall. This means that one does not implicitly trust everything behind the firewall. One must create better methods of establishing trust between systems and applications.
There are ways to create better trust even with attackers already in your network: set up direct authentication between client and server applications, specific to the applications and the users using them. For example, if a database has to feed data to a webserver (as a user runs queries of an ecommerce nature), the webserver and the ecommerce database can have their own authentication set up between them. That way an attacker who is merely on the same network cannot connect to the database and read or modify it.
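The webserver-to-database authentication described above, as an added example that is not from the original post: mutual TLS between the two workloads, using the Go standard library and a throwaway in-memory CA that stands in for the organisation's PKI. The CA, the names "ecommerce-db" and "webserver", and the loopback listener are assumptions made for the demo. The point is that the database refuses any host on the network that cannot present a certificate chained to the internal CA, however "inside" that host is.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign generates a P-256 key for tmpl and signs it with parentKey (nil: self-signed).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// internalCA is a throwaway in-memory CA standing in for the real PKI (hypothetical name).
type internalCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool // the one trust anchor both workloads use
}

func newCA() (*internalCA, error) {
	cert, key, err := sign(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "example-internal-ca"}}, nil, nil)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &internalCA{cert: cert, key: key, pool: pool}, nil
}

// issue signs a leaf for one workload; name is the identity its peer will see.
func (ca *internalCA) issue(serial int64, name string, usage x509.ExtKeyUsage) (tls.Certificate, error) {
	cert, key, err := sign(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage}}, ca.cert, ca.key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}, nil
}

// connect dials an in-process "database" listener that enforces mutual TLS and returns the
// client identity the database verified, or the rejection error. Pass no clientCerts to play
// a rogue host that sits on the same network but holds no issued identity.
func connect(ca *internalCA, dbCert tls.Certificate, clientCerts ...tls.Certificate) (string, error) {
	// Database side: present its own cert and refuse any client without one chained to the CA.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{dbCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: ca.pool})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	cn, errc := "", make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			if err = c.(*tls.Conn).Handshake(); err == nil { // the client-cert check happens here
				cn = c.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		errc <- err
	}()
	// Webserver side: verify the database against the same CA and offer its own identity.
	cc, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: clientCerts,
		RootCAs: ca.pool, ServerName: "ecommerce-db"})
	if err != nil {
		return "", err // under TLS 1.2 the rejection lands inside the client's handshake
	}
	defer cc.Close()
	err = <-errc // under TLS 1.3 it surfaces on the server side instead
	return cn, err
}

func main() {
	ca, err := newCA()
	if err != nil {
		panic(err)
	}
	db, _ := ca.issue(2, "ecommerce-db", x509.ExtKeyUsageServerAuth)
	web, _ := ca.issue(3, "webserver", x509.ExtKeyUsageClientAuth)
	fmt.Println(connect(ca, db, web)) // the database sees "webserver"
	fmt.Println(connect(ca, db))      // no issued identity: rejected
}
```

The first call returns the identity "webserver" with no error; the second is rejected, as is a certificate for "webserver" issued by any other CA. Under TLS 1.3 the rejection is reported on the database side rather than inside the client's Dial, which is why connect waits for the listener's verdict before answering. A real deployment would additionally decide which verified names may talk to which service and rotate the short-lived certificates.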
Open network                                    | Hybrid network                              | Closed network
VPN not needed                                  | VPN gateway could be used                   | VPN gateway used
Critical app is in the cloud                    | Firewall used to protect some systems       | Critical app behind firewall
Desktop connected with minimal firewall defense | Servers and desktops may be behind firewall | Desktop is filtered and behind firewall
The end result is that even in a zero trust architecture a firewall is useful. So don't assume that a firewall and VPN gateway are unnecessary; they are just set up in a different manner.