Page 148 - Cyber Defense eMagazine August 2024

Demystifying Zero Trust



By Ashish Arora, AVP - Network Security, Chubb


1. What is Zero Trust

It was 2010 when the term “Zero Trust” was coined by John Kindervag, a thought leader in the cyber security industry, with the motto “never trust, always verify”. Many high-tech organizations, such as Google, analyzed the benefits of Zero Trust security and announced its adoption a few years later.

Zero Trust is a security framework that eliminates implicit trust from entities, whether inside or outside the organization’s environment, by authenticating, authorizing, and continuously validating them for security at each stage, in order to grant and keep access to applications and data.

Zero Trust security includes several implementation models, including Zero Trust Architecture (ZTA), Zero Trust Network Access (ZTNA), and Zero Trust Edge (ZTE), which are described briefly below. All of these models, however, are built around the same core concepts of Zero Trust security.
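To make those shared core concepts concrete, here is an added example (not code from the article or from any product it mentions): a small policy decision function that grants access per application only when identity, MFA and device posture all satisfy an explicit policy, denies everything else by default, and re-evaluates a granted session when the context changes. The application names, groups and policy fields are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """What the policy engine knows about one access attempt (constructed sample fields)."""
    user: str
    groups: frozenset
    mfa: bool
    device_managed: bool


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True


# Constructed sample policies; a real deployment would load these from a policy store.
POLICIES = {
    "hr-portal": AppPolicy(frozenset({"hr"})),
    "wiki": AppPolicy(frozenset({"staff", "hr"}), require_managed_device=False),
}


def ztna_decide(app: str, ctx: Context, policies=POLICIES):
    """Per-application decision: nothing is reachable unless a policy explicitly allows it."""
    policy = policies.get(app)
    if policy is None:
        return False, "no policy for application (default deny)"
    if not (ctx.groups & policy.allowed_groups):
        return False, "identity not entitled to application"
    if policy.require_mfa and not ctx.mfa:
        return False, "MFA not satisfied"
    if policy.require_managed_device and not ctx.device_managed:
        return False, "device posture not satisfied"
    return True, "allowed"


def vpn_decide(app: str, tunnel_up: bool):
    """Perimeter model for contrast: once the tunnel is up, every application is reachable."""
    return (True, "reachable via tunnel") if tunnel_up else (False, "tunnel down")


def revalidate(app: str, ctx: Context, prior_allowed: bool):
    """Continuous validation: a changed context is re-evaluated and can revoke a granted session."""
    allowed, reason = ztna_decide(app, ctx)
    if prior_allowed and not allowed:
        return False, "session revoked: " + reason
    return allowed, reason
```

Note that `vpn_decide` never looks at the application or the requester's context, which is exactly the implicit trust the Zero Trust models remove.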

Zero Trust Architecture (ZTA): ZTA is the most popular security model for implementing Zero Trust. It provides security by eliminating implicit trust for all users, whether inside or outside the organization’s network, and by continuously validating every stage of communication. In 2020, Zero Trust Architecture (ZTA) gained further prominence with the release of NIST publication 800 – 27 on the topic [1]. The publication describes various approaches that can be adopted for ZTA, based on identity governance, micro-segmentation, and software-defined networking. Furthermore, it describes ZTA use cases, associated threats, and a migration approach for ZTA.

Zero Trust Network Access (ZTNA): Leveraging the ZTNA model, organizations can provide secure remote access to applications by creating identity- and context-based logical access boundaries driven by access control policies. Unlike a VPN, which grants access to the entire corporate network, ZTNA defaults to deny and




Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.