The previous part of the blog talked about the concept of Zero Trust security, its relevance, and how it is catching traction in today’s time. This part talks about the different models to implement Zero Trust security in organizations. There are three different ways in which organizations can choose to implement Zero Trust security.
1. Software Defined Perimeter (SDP)
Software Defined Perimeter is an approach in network security that safeguards user access to applications and information irrespective of the location, time, and nature of the device used. Software Defined Perimeter follows a zero trust approach, wherein the network security posture is that of default deny. Access is granted upon authenticating and authorizing both user and device.
By making the applications and resources invisible and preauthorizing users and devices, SDP protects enterprise applications from a range of attacks like- denial of service, credential theft, server exploitation, connection hijacking, and APT/Lateral movement. Unlike the previous security models that worked till the network layer, SDP works right up to the application layer. It provides granular control on applications as users are allowed access only on authorized applications and not others.
2. Network Micro-Segmentation
Micro-segmentation or network Micro-segmentation is slicing the network into small logical segments and controlling access to applications and data on those segments. Diving the network into smaller segments reduces the attack surface for malicious attackers. Micro-segmentation policies are based on logical attributes or resource identity versus the user’s identity or IP addresses. Micro-segmentation creates an intelligent grouping of workloads based on their characteristics. It provides centralized dynamic policy management across networks, independent of the infrastructure.
3. Identity Aware Proxy (IAP)
IAP architecture offers access to applications through a cloud-based proxy. It follows the principle of least privileged access like SDP, but applications are accessed through standard HTTPS protocols at the application layer. Unlike SDP, which uses a direct tunnel for data transfer, IAP architecture provides authenticated and authorized secured access to particular applications using a proxy layer.
Google was the first one to implement zero-trust security architecture in their business using BeyondCorp, through an Identity Aware Proxy model. BeyondCorp is their internal network and access security platform designed for employees to access internal resources. BeyondCorp is a web proxy-based solution that supports HTTP, HTTPS, and SSH protocols. Following BeyondCorp, Google also launched Cloud Identity Aware Proxy for access control and protecting data in the cloud. Cloud IAP shifts access controls from the network perimeter to individual users.
Irrespective of whichever zero trust model companies choose to implement; it should be able to integrate with the company’s existing security infrastructure seamlessly.
(This is Part 2 of the blog and it explains the various models to implement Zero Trust security in organizations. To read on the concept of Zero Trust security refer HERE)