Zero trust architecture (ZTA)
Zero trust architecture (ZTA) is a security framework focused on protecting infrastructure and data. The central idea behind ZTA is that subjects in a system should not be trusted by default. This includes applications, users and devices. If ZTA had a motto, it would be, "never trust; always verify".
In a traditional cyber security framework, systems can remember users and grant them continued access without additional verification. This might mean that a user could sign in on one platform and be granted access to other, more sensitive data without being re-verified. While this is convenient for the user, it greatly increases the risk and potential impact of cyber threats.
In a ZTA model, a user isn't trusted by default. In the above example, the ZTA system would not automatically remember a given user. Instead, it would assess the need for re-authentication whenever the subject needed access to a new resource (such as data or another tool). Instead of focusing on protecting the system perimeter (in other words, the initial login or access point), ZTA builds protection throughout the network.
ZTA also replaces dated ideas of security based on physical location. The framework moves to a dynamic policy model driven by users, devices and context.
ZTA is built on an array of different, integrated capabilities that work together to create more secure IT environments. Some of these capabilities include:
- multi-factor authentication (MFA)
- contextual access control based on the principle of least privilege, which gives the minimum amount of access required for a user to complete their tasks
- network segmentation
- continuous monitoring and risk assessment
- end-to-end encryption
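The per-resource decision described above, where a subject's identity, device and context are re-checked for every request instead of being trusted from an earlier login, can be shown as a small policy engine. The following is an added example written for this page; it is not SSC code or any GC system, and the resource names, roles, risk weights and thresholds are constructed for illustration.

```python
"""Per-request access decision in the style of a zero trust policy engine.

Every request is evaluated on its own: identity (MFA freshness), device
posture, context and least privilege are checked again for each resource,
so access to one tool never carries over to another. All names, weights and
sample data are constructed for this example.
"""
from dataclasses import dataclass

# Constructed resource catalogue: higher number = more sensitive data.
RESOURCE_SENSITIVITY = {"team-wiki": 1, "hr-records": 3, "finance-ledger": 3}

# Constructed least-privilege mapping: each role gets only what its tasks need.
ROLE_ALLOWED = {
    "analyst": {"team-wiki"},
    "hr": {"team-wiki", "hr-records"},
    "finance": {"team-wiki", "finance-ledger"},
}

# How recent the last MFA challenge must be (minutes), keyed by sensitivity.
MFA_MAX_AGE_MIN = {1: 480, 2: 60, 3: 15}
RISK_STEP_UP = 40   # at or above this score, require re-verification
RISK_DENY = 70      # at or above this score, refuse outright


@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    mfa_verified: bool
    mfa_age_min: int       # minutes since the last MFA challenge


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in device management
    disk_encrypted: bool
    patched: bool


@dataclass(frozen=True)
class Context:
    network: str           # "corp" or "internet"
    failed_logins_1h: int  # recent failed sign-ins for this account
    new_location: bool     # first sign-in seen from this location


@dataclass(frozen=True)
class Decision:
    action: str            # "allow", "step_up" or "deny"
    reason: str


def risk_score(device: Device, context: Context) -> int:
    """Continuous risk assessment: additive score from posture and context signals."""
    score = 0
    if not device.managed:
        score += 30
    if not device.disk_encrypted:
        score += 20
    if not device.patched:
        score += 15
    if context.network != "corp":
        score += 10
    if context.new_location:
        score += 20
    score += min(context.failed_logins_1h, 5) * 10
    return score


def decide(subject: Subject, device: Device, context: Context, resource: str) -> Decision:
    """Evaluate one request; nothing from earlier requests is assumed."""
    sensitivity = RESOURCE_SENSITIVITY.get(resource)
    if sensitivity is None:
        return Decision("deny", "unknown resource")
    # Least privilege: the role must explicitly cover this resource.
    if resource not in ROLE_ALLOWED.get(subject.role, set()):
        return Decision("deny", f"role {subject.role} not permitted on {resource}")
    # Device posture gate for sensitive data, regardless of who is asking.
    if sensitivity >= 2 and not (device.managed and device.disk_encrypted):
        return Decision("deny", "sensitive resource requires a managed, encrypted device")
    risk = risk_score(device, context)
    if risk >= RISK_DENY:
        return Decision("deny", f"risk score {risk} too high")
    # MFA freshness is checked per resource; it is never inherited from a session.
    if not subject.mfa_verified or subject.mfa_age_min > MFA_MAX_AGE_MIN[sensitivity]:
        return Decision("step_up", "multi-factor re-verification required")
    if risk >= RISK_STEP_UP:
        return Decision("step_up", f"risk score {risk} requires re-verification")
    return Decision("allow", f"verified; risk score {risk}")


if __name__ == "__main__":
    # Constructed walkthrough: same user, same session, different resources.
    alice = Subject("alice", "hr", mfa_verified=True, mfa_age_min=30)
    laptop = Device(managed=True, disk_encrypted=True, patched=True)
    office = Context(network="corp", failed_logins_1h=0, new_location=False)
    for res in ("team-wiki", "hr-records", "finance-ledger"):
        d = decide(alice, laptop, office, res)
        print(f"{res:15} -> {d.action:8} ({d.reason})")
```

Run as a script, the walkthrough shows the three outcomes the text describes: the wiki is allowed, the HR records prompt a step-up because the 30-minute-old MFA is too stale for a sensitivity-3 resource, and the finance ledger is denied by least privilege even though the same person was just allowed elsewhere.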
In the journey towards ZTA, some inherent challenges will also need to be addressed, including:
- organizational commitment to shifting to a new security model
- investment in legacy technologies and processes
- legacy security standards and guidelines
- resource constraints
How are we approaching ZTA at SSC?
ZTA is a core principle of the Cyber Security Services Roadmap, as part of Delivering Digital Solutions Together for Canada. This roadmap is focused on an approach to security that is based on continuous verification, where users can seamlessly and securely access the tools they need through a single secure digital identity. Because zero trust principles are being built into SSC's future planning, ZTA will continue to feature heavily in the department's overall security approach.
Presently, SSC is transitioning the current GC cyber security approach towards more modern cyber security concepts like ZTA. In the future, the roadmap will support strengthened cyber security resilience across the GC to better prevent, prepare for, respond to and recover from cyber incidents.
Want to read more examples of ZTA at work in SSC? Read about zero trust in science, Innovation story: Zero trust architecture for scientists.