Zero Trust is a new way of thinking about access control. The goal is to stop IT teams from managing every user and device individually while not trusting everything that comes through the door. In other words, users authenticate against a centralized identity provider (IDP). They are then authorized by policies enforced at the network edge by something like an IPS or firewall appliance.
What is your definition of Zero Trust?
What is zero Trust? According to Micro Focus experts, “Zero Trust is a security concept that takes the proactive approach of continually verifying devices, services, and individuals, rather than trusting them. The zero trust model operates on a company’s assumption that everything connected to its system needs to be verified, whether it’s coming from someone, or something, inside or outside of the organization.” This differs from traditional security models where users are granted access based on their identity or role, such as allowing employees into the network with their Active Directory credentials.
Zero Trust also differs from other Zero Trust models like Federated Authentication (FIDO), OpenID Connect and OAuth 2.0, which commonly use token exchanges as part of their authentication process.
Do you provide both authentication and authorization?
Authentication is proving that an entity is who they claim to be. Authorization, however, assigns access rights to users or devices. By combining these two functions into one system, you can ensure that only authorized users access your systems—no more rogue users getting in with stolen credentials or weak passwords.
Zero Trust requires both authentication and authorization to function correctly. So when selecting a Zero Trust provider for your organization, make sure it offers both of these features as part of its solution.
How do you manage access to applications outside the firewall – and what about internal applications?
How do you manage access to applications outside the firewall – and what about internal applications?
Your Zero Trust provider should have a software-as-a-service (SaaS) portal that manages access to all resources. You can configure your security policies and quickly add accounts or groups of users. This portal is accessible from anywhere using any device. You can also use this portal to manage access to internal applications, even if they’re in a hybrid cloud environment.
Is your solution hardened against DDoS and other threats?
It’s impossible to know when and where your next DDoS attack will come from. But as the attacks grow in volume and sophistication, you must arm yourself with the right tools to combat them—and not get caught off guard.
To that end, ask your zero trust provider about its DDoS mitigation capabilities. For example:
- Does the solution block or absorb malicious traffic?
- Are there geographic limitations on where you can deploy?
- How often does the solution need to be updated?
Do you support hybrid cloud environments?
You may have heard of the hybrid cloud, but you may not know precisely what it means. A hybrid cloud environment combines public and private cloud services that allow you to use the best features of both types of clouds to build your custom solution.
Now that you’ve covered some of the key considerations around zero trust security and how to select a provider, hope you feel more equipped to make an informed decision.
