How Zero Trust Security Frameworks Work

Mike Engle

In 2010, Forrester analyst John Kindervag coined the term “Zero Trust” in his research – emphasizing that all network traffic is untrusted and that any request to access any resource must be done securely.

Embracing the concepts of Zero Trust can bring your organization’s security to the next level. It is a concept that you need to know.

What is Zero Trust? From an identity perspective, Zero Trust is designed to keep private data secure by requiring every user, whether customer, employee, or otherwise, to authenticate and be authorized before accessing the data. It follows the premise to “never trust, always verify.”

What Is Zero-Trust Security?

In May 2021, the president issued Executive Order 14028, “Improving the Nation’s Cybersecurity” in response to several high-profile data breaches. One action the order has dictated is the deployment of zero-trust architectures in government and associated IT systems.

Zero-trust security assumes that no user, device, or application has inherent trust within a system. In many security architectures, there are several ways for users and devices to authenticate within a system and navigate through several different resources without undergoing additional pre-authorization protocols.

Under zero-trust architecture, however, there are no such practices. Previous forms of identity and access management typically focused on concepts of perimeters and network edges. Once a user or device authenticated their identity, they were considered trustworthy within specific areas of an infrastructure (including accessing data or running applications).

According to the National Institute of Standards and Technology (NIST) Special Publication 800-207, “Zero Trust Architecture,” zero-trust architecture focuses authorization at the level of users, devices, and ownership. To accomplish this, NIST SP 800-207 established the following tenets of ZTA:

  • All data and computing services are considered resources: Data servers, applications, back-end servers—all are considered resources that must be protected through robust authentication and authorization mechanisms.
  • All communications must be secured regardless of network location: No network location is considered secure for communications by default, wherever the data resides or is transmitted.
  • Access to resources is granted on a per-session basis: A session is an individual event where a user or device seeks authentication for access to resources. No additional access or authorization is granted beyond the initial session, and access granted during an authentication session is done so according to principles of least privilege access.
  • Access is determined through dynamic policies: This includes combinations of user credentials, resource ownership, and individual user needs based on role.
  • Organizations must monitor and measure system integrity: According to the NIST publication, “no asset is inherently trusted.” This simply means that no system is considered secure by default, and it is up to the organization to continually scan and test these systems to maintain integrity.

What Is a Zero-Trust Security Framework?

A zero-trust security framework, also referred to as a zero-trust security model, is an infrastructure that implements the strict verification controls called for under the definition of ZTA defined in NIST 800-207. This implementation is simplified into the following practices:

  1. Never Trust, Always Identify: This means that no user, device, or resource is considered secure by default and must be authenticated, monitored and controlled.
  2. Least Privilege Access: All accounts and devices should only have access to system resources as minimally needed to accomplish their tasks or complete their jobs.
  3. Full Visibility and Monitoring: All systems must have their data, permissions, and access controls visible and available for monitoring at all times.
  4. Centralized Security Policies: Permissions and access controls should be centrally managed so that policy is applied correctly across an entire system.

Such a framework doesn’t operate through conceptual perimeters but through “control planes,” where policy administrators manage identity and access management across different enforcement points or any location where authorization or authentication should occur. The control plane includes the control mechanisms where network components receive and process requests to access resources.

The control plane includes the following components:

  • The Policy Enforcement Point: At this point, a user or device interacts with the system and requests access to resources. At this juncture, ZTA policies and practices are executed to protect these resources.
  • The Policy Administrator: This component controls connections between resources and users. The administrator can release authentication tokens or refuse interaction with outside users based on credentials and system policies.
  • The Policy Engine: This engine controls how the system makes and logs authentication and authorization decisions based on credentials, contextual information, resource ownership, and user behavior.
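To make the NIST tenets listed earlier (per-session access, dynamic policy, least privilege, continuous monitoring) and the three control-plane components concrete, here is an added example that is not code from this post, from NIST, or from 1Kosmos. It models a Policy Engine that evaluates every request from scratch (MFA, identity assurance level, device posture, role-based permissions), a Policy Administrator that turns an allow decision into a short-lived, HMAC-signed grant bound to one user, device, resource and action, and a Policy Enforcement Point that checks that grant on every request. All names, roles, assurance numbers, the policy table and the signing key are constructed for illustration.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# --- Constructed sample model (illustrative names, not a real deployment) ---

@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    mfa_verified: bool      # this login completed MFA (e.g. a FIDO2 authenticator)
    assurance_level: int    # identity assurance level, IAL-style (1..3)

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # enrolled in device management
    patched: bool           # meets the patch baseline
    disk_encrypted: bool

@dataclass(frozen=True)
class Resource:
    name: str
    min_assurance: int      # minimum IAL-style level required to touch it

# Centralized, dynamic policy: role -> resource -> permitted actions.
# Least privilege: anything not listed here is denied.
POLICY = {
    "analyst": {"reports-db": {"read"}},
    "dba":     {"reports-db": {"read", "write"}},
}

@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str

class PolicyEngine:
    """Decides one request. Nothing is cached between sessions and the
    network location of the caller is never consulted."""

    def __init__(self, audit_log: list):
        self.audit_log = audit_log   # full visibility: every decision is recorded

    def evaluate(self, subject: Subject, device: Device, resource: Resource, action: str) -> Decision:
        if not subject.mfa_verified:
            d = Decision(False, "mfa required")
        elif subject.assurance_level < resource.min_assurance:
            d = Decision(False, "identity assurance below resource minimum")
        elif not (device.managed and device.patched and device.disk_encrypted):
            d = Decision(False, "device posture check failed")
        elif action not in POLICY.get(subject.role, {}).get(resource.name, set()):
            d = Decision(False, "action not permitted for role")
        else:
            d = Decision(True, "allow")
        self.audit_log.append({"user": subject.user, "device": device.device_id,
                               "resource": resource.name, "action": action,
                               "allow": d.allow, "reason": d.reason, "ts": time.time()})
        return d

class PolicyAdministrator:
    """Turns an allow decision into a short-lived grant bound to exactly one
    subject, device, resource and action (per-session access)."""

    def __init__(self, engine: PolicyEngine, key: bytes, ttl_seconds: int = 300):
        self.engine, self.key, self.ttl = engine, key, ttl_seconds

    def request_grant(self, subject, device, resource, action, now=None):
        if not self.engine.evaluate(subject, device, resource, action).allow:
            return None
        now = time.time() if now is None else now
        claims = {"sub": subject.user, "dev": device.device_id,
                  "res": resource.name, "act": action, "exp": now + self.ttl}
        body = json.dumps(claims, sort_keys=True)
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + mac

class PolicyEnforcementPoint:
    """Sits in front of one resource and re-checks the grant on every request."""

    def __init__(self, key: bytes, resource: Resource):
        self.key, self.resource = key, resource

    def check(self, grant, device: Device, action: str, now=None) -> bool:
        if not grant or "." not in grant:
            return False
        body, mac = grant.rsplit(".", 1)          # the hex MAC never contains a dot
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False                          # forged or tampered grant
        claims = json.loads(body)
        now = time.time() if now is None else now
        return (claims["exp"] > now                       # still inside the session window
                and claims["res"] == self.resource.name   # issued for this resource only
                and claims["dev"] == device.device_id     # and this device only
                and claims["act"] == action)              # and this action only

def demo():
    """Runs constructed requests through the control plane; returns the outcomes and the audit log."""
    key = b"constructed-demo-key"   # placeholder; a real deployment uses a managed secret
    log, reports = [], Resource("reports-db", min_assurance=2)
    pa = PolicyAdministrator(PolicyEngine(log), key)
    pep = PolicyEnforcementPoint(key, reports)
    good_dev = Device("laptop-01", managed=True, patched=True, disk_encrypted=True)
    stale_dev = Device("laptop-02", managed=True, patched=False, disk_encrypted=True)
    alice = Subject("alice", "analyst", mfa_verified=True, assurance_level=2)
    now = 1_000_000
    read_grant = pa.request_grant(alice, good_dev, reports, "read", now)
    tampered = read_grant[:-1] + ("0" if read_grant[-1] != "0" else "1")
    return {
        "read_allowed": pep.check(read_grant, good_dev, "read", now),
        "write_denied": pa.request_grant(alice, good_dev, reports, "write", now) is None,
        "unpatched_denied": pa.request_grant(alice, stale_dev, reports, "read", now) is None,
        "grant_reused_for_write": pep.check(read_grant, good_dev, "write", now),
        "grant_reused_on_other_device": pep.check(read_grant, stale_dev, "read", now),
        "grant_after_expiry": pep.check(read_grant, good_dev, "read", now + 301),
        "tampered_grant": pep.check(tampered, good_dev, "read", now),
    }, log

if __name__ == "__main__":
    outcomes, audit = demo()
    print(json.dumps(outcomes, indent=2))
    print(f"{len(audit)} decisions logged")
```

The point to notice is where each tenet lives: the engine denies on the first failed check and writes every decision, allowed or not, to the audit log; the administrator never issues a grant wider than the single action requested; and the enforcement point treats the grant as worthless once the device, resource, action or time window no longer match, so a token stolen mid-session cannot be replayed elsewhere.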

What Are the Challenges of Implementing Zero-Trust Frameworks?

While ZTA is a powerful form of security, implementing such a framework can prove a challenge for some organizations. These challenges can include the following:

  • Secure Applications: Different applications may have old or incompatible internal authentication measures. At the same time, while the network may use ZTA principles, an app that doesn’t do so may provide hackers with a weak point to attack.
  • Network Complexity: While the conceptualization of ZTA seems relatively simple, complex network environments can make such implementations difficult. Furthermore, new interactions between new or updated resources can produce new vulnerabilities that must be addressed to maintain ZTA.
  • Planning ZTA to Protect Assets: A solid zero-trust framework requires an organization to understand resources, assets, users, and permissions to create a plan of action. To implement successful ZTA controls, an organization must therefore take a long, comprehensive look at their own infrastructure—something that many haven’t even done before.
  • Culture and Mindset: Users and developers accustomed to trust-based systems might not initially be happy with ZTA, especially if that requires them to practice more strict security measures. It’s up to organizations to train their teams and create a culture that understands that threats may already exist within their IT system.
  • Zero-Trust Identity: Many platforms provide solid authentication like multi-factor authentication and biometrics. While these are helpful, they often aren’t enough in the face of strict compliance standards and device-oriented security. That’s why modern solutions with advanced biometrics and compliance (with standards like FIDO2 and IAL2) can significantly contribute to ZTA implementation.

1Kosmos: Advanced Identity Management That Can Contribute to Zero-Trust Frameworks

Zero-trust systems call for strict authentication controls at the point of access. This means technologies that can ensure that users and devices are who they say they are. With identity proofing and passwordless authentication, 1Kosmos BlockID offers just that.

With BlockID, organizations get several critical identity tools to support identity proofing and advanced authentication. These features include the following:

  • Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
  • Identity-Based Authentication Orchestration: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
  • Integration with Secure MFA: BlockID readily integrates through a standards-based API with operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
  • Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.

To discover what 1Kosmos brings to a solid zero-trust framework, read the whitepaper on how to Go beyond Passwordless Solutions. Also, make sure to sign up for the 1Kosmos newsletter for updates on products and services.

Meet the Author

Mike Engle

Co-Founder and CSO

Mike is a proven information technology executive, company builder, and entrepreneur. He is an expert in information security, business development, authentication, biometric authentication, and product design/development. His career includes the head of information security at Lehman Brothers and co-founder of Bastille Networks.