
WHITE PAPER

An Introduction to Zero Trust


A Compelling Cybersecurity Strategy for
Defending the Enterprise
Notice

Infoblox publications and research are made available solely for general information purposes. The information
contained in this publication is provided on an “as is” basis. Infoblox accepts no liability for the use of this data.
Any additional developments or research since the date of publication will not be reflected in this report.
Table of Contents

Executive Summary
The History and Evolution of Zero Trust
Zero Trust: A Response to Digital Transformation
Zero Trust: Basic Capabilities
Implementing Zero Trust
Important Zero Trust Technologies
    Microsegmentation
    Identity and Access Management (IAM)
    Two-Factor Authentication (2FA)
    Security Information and Event Management (SIEM)
    Security Orchestration, Automation and Response (SOAR)
    Cloud Access Security Brokers (CASB) with Encryption, DLP and DRM
    Deception Technology
    Network Detection and Response (NDR)
    User and Entity Behavior Analytics (UEBA)
    Adaptive Access Control (AAC)
Foundational Security Using DNS Is a Core Component of Zero Trust
Introduction to BloxOne Threat Defense
Summary
Executive Summary
Zero Trust architectures have become a compelling means for modern enterprise and government institutions
to secure sensitive data in the face of digital transformation and the loss of the traditional network perimeter.
The paper describes a Zero Trust architecture’s essential components, its core capabilities and some important
use cases that support it. In addition, it explains the critical roles that Domain Name System (DNS) and
foundational security can play in your deployment of Zero Trust architectures.

The History and Evolution of Zero Trust


Nearly a decade ago, Forrester Research introduced the concept of Zero Trust. One of its leading analysts,
John Kindervag, is credited with designing the original Zero Trust framework [1]. Zero Trust posits that the
concept of a trusted internal network zone and an untrusted external network zone should be eliminated. In
essence, no data traffic can be trusted. As data flows through your network, it is essential that all parties
involved undergo restriction, reauthentication and validation at every point.

Zero Trust declares that all network traffic inside and outside the perimeter
and the users and processes that create it should not be trusted at any
time. “Security professionals must stop trusting packets as if they were
people.” [1]
John Kindervag, Forrester Research

At its very core, Zero Trust is both platform and technology agnostic. It enables you to build additional layers of
security for your networks by using a wide variety of vendor tools and technologies.

Kindervag defined five basic tenets of Zero Trust that are still applicable today:

1. Data is the central element that must be protected. Access to this data, at any time, must be continually
and carefully revalidated.
2. To best protect your data, you must understand the flows of your data, both to be able to validate it later
and to build out what he called micronetworks.
3. With an understanding of the critical data that must be protected, you can then create the
micronetworks that map best to the flow of the data.
4. Visibility and monitoring are key. You must have visibility into all activity within your network, log it and
be able to analyze it comprehensively to determine if any malicious behavior is present.
5. You should wrap Zero Trust best practices into your security automation strategies and use
orchestration tools to support your efforts.

Forrester recently expanded and clarified its original notion of Zero Trust [2]. Its goal was to draw a road map to
implementing a Zero Trust architecture: the Zero Trust eXtended (ZTX) ecosystem. Forrester identifies key
vendors that support its view of the Zero Trust ecosystem and turns Zero Trust from the basic concepts of 10
years ago into a concrete framework and architecture for building out cybersecurity resilience across all of your
networks.

[1] http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf
[2] https://www.forrester.com/report/The+Zero+Trust+eXtended+ZTX+Ecosystem/-/E-RES137210

An Introduction to Zero Trust – December 2019

Zero Trust: A Response to Digital Transformation


The rise of digital transformation has made Zero Trust compelling. The prevalence of Internet- and
cloud-connected transactions has led to growing numbers of security breaches and the failure of legacy,
perimeter-based cybersecurity architectures.

Initially, the key to this legacy defense was the firewall, which protected trusted network systems within the
perimeter. Systems outside of the perimeter were, correspondingly, untrusted, and communications with them
were often automatically blocked. This architecture and the accompanying cybersecurity strategy remain
dependent on defending a perimeter, primarily by identifying known threats that attempt to move through the
perimeter.

To achieve this defense, data centers were typically divided into large network zones with perhaps a few
firewalls between these zones. This approach can indeed restrict traffic between zones. However, the rule
sets for the various firewalls are often complex, in many cases unmanageably so, with the result that the
zones cannot adequately protect the enterprise. Moreover, finer granularity adds considerable expense, both
for hardware and for setup and administration.

To augment firewalls, organizations turned to signature-based security, which identified threats by looking for
their telltale patterns. This strategy initially proved to be highly effective. That’s because at the time, virus and
malware threats had distinctive patterns in their code and files that made identification relatively simple. One of
the shortfalls of signature-based security is that it is reactive in nature. You can respond to threats only after
they’ve been detected. However, once the first infection point in the cyber kill chain has been documented, it
can be used to identify the presence of additional attacks. Signature recognition is a key part of that process.

In the wake of digital transformation and the rapid transition to the cloud, legacy cybersecurity strategies are
increasingly dated and ineffective. Areas where security requirements have changed include:

• Mixed infrastructures. Today you likely have multiple cloud deployments, perhaps a mix of private and
public cloud, along with custom applications and several legacy on-premises data centers. You may
have more than one cloud vendor, so your administration of basic capabilities likely varies from cloud to
cloud. You may also have third-party clouds managed and administered for you for major applications,
such as CRM, finance and marketing operations. All of these may be patched together with varying
security controls that move between on-premises and the cloud as well as between the platforms of
different cloud providers.

• SD-WAN deployments. In the past you might have had one or more enterprise data centers, likely
connected by dedicated or leased lines to your branch offices. In this architecture, it was reasonable to
expect that your perimeter defenses were more viable than not. The Internet has continued to deliver
more cost-effective capabilities to scale connectivity and communications. Today, your branch offices
and distant facilities are likely connected by SD-WAN to leverage the cost benefits of the Internet.

• Internet of things. The explosion in Internet of things (IoT) devices has created many endpoints that
cannot be easily protected using standard endpoint detection and response (EDR) software. In the
health-care industry, for instance, many medical devices are network connected as IoT devices. The
U.S. Food and Drug Administration requires certification of medical devices, and this requirement, in
effect, makes them closed devices. For reasons of both potential liability and maintenance of valid FDA
certification, you cannot install any third-party cybersecurity software on these medical devices.

• Industry-specific factors. In the manufacturing industry, old embedded operating systems in IoT
manufacturing control points are also highly vulnerable and often out of date, presenting attackers with a
multitude of known vulnerabilities to exploit. In the banking industry, ATM networks with embedded
board operating systems have continually, and often spectacularly, been breached over the past few
years. In retail, point-of-sale systems provide additional points of compromise within the card reader
electronics and inadvertently provide attackers with immediate connectivity into sensitive networks.
In many industries, heating, ventilation and air-conditioning systems are centrally controlled through the
Internet. The same is true for large-scale enterprise access control (EAC) systems that lock and unlock
doors using keycard technology, as well as the security systems that may manage hundreds of security
cameras within your facilities. All of these IoT devices have presented a multitude of opportunities for
sophisticated malware tools to find safe harbor and establish command and control (C&C)
communications. Once undetected attackers infiltrate, they can reach out to load additional tools and
exfiltrate sensitive data.

• Mobility. Ten years ago, connectivity through mobile devices was new, and the threats leveraging them
were just starting to develop. Today, the situation has changed. Mobile devices have greatly increased
the porosity of corporate networks. Accommodating the soaring demand for BYOD access has become
an essential and increasingly unmanageable part of business operations. The explosion in the number of
mobile devices has greatly expanded the attack surface and provided cybercriminals with a multitude of
ways to bypass traditional defenses to spread malware and gain access to internal network data and
resources.

To most security operations and information technology teams, the conclusion is obvious: The enterprise
network has become a patchwork quilt of siloed security controls that unfortunately present abundant
opportunities for cybersecurity breaches.

“Attackers will successfully and regularly penetrate your networks. A Zero Trust architecture enables you to
minimize their successful reconnaissance of your network, minimize their access to your protected data and
intellectual property, slow their progress and detect them early in the execution of their cyber kill chain. When
you can identify and stop them before they can exfiltrate targeted data and/or funds, your cyberdefense
strategy will have prevailed.”

Anthony James, Vice President, Product Marketing, Infoblox, Inc.

Attackers remanufacture and repackage existing malware on a real-time basis. This continuous threat evolution
significantly reduces your ability to stop attacks relying solely on a hardened perimeter and signature-oriented
malware security tools. Cybercriminals are adept at using evasive techniques, such as malware-laced memory
sticks, compromised websites, malware-hijacked advertising networks and socially engineered emails to
achieve their mission.

The bottom line is that given the limitations of traditional security measures, attackers will repeatedly penetrate
your network. Once inside, if your strategy is to allow any permission and activity to those already within your
networks as trusted, it is a near certainty that they will access and compromise key assets, and even potentially
devastate your network and computing resources.

Zero Trust: Basic Capabilities
Historically, access to the network implied trust and access to all of the data it contained. Zero Trust turns the
paradigm upside down with a critical focus on the data. The essential Zero Trust strategy is to deny access to
all data by default, without exception, wherever it resides.

Encryption is an essential component of Zero Trust. And yet it is important to acknowledge the many recent
examples of cyber breaches that involved the theft and use of data encryption keys. At no time should your
data encryption keys be stored on or near the data they protect (for example, a database encryption key in a
configuration file on the same host); keep them in a dedicated key-management service or hardware security
module, and never give your data encryption keys to a third party. Beyond the basic data protection principles
of Zero Trust, sharing encryption keys with third parties can expose your organization to unknown risks.

Figure 1 (“Zero Trust Architecture”): Key capabilities of a Zero Trust architecture

Zero Trust promotes the idea that enhanced visibility is key to success. Visibility covers authenticated traffic,
access and attempted access to data, and user behavior: information that can reveal the presence of
malicious and threatening behavior. Zero Trust also entails verbose logging (which captures more data than
standard logging). Data from those logs is then integrated with other systems so that it can be analyzed by
machine learning and analytics tools. With this data, your security teams can flag cyberattacks early in their
life cycles, shut them down sooner and prevent their spread.

Zero Trust architectures generally offer many of the same basic capabilities (Figure 1). They should:

• Enable access to data resources and key applications based upon the continuously authenticated user,
the permissioned and properly protected computing device and, where policy requires it, the physical
location.
• Provide minimum access to other than the smallest “microsegments” of the network, and then only when
necessary to complete the requirements of related tasks.
• Allow access only to specifically designated applications.
• Enable monitoring of user behavior with analytics and machine learning to identify potentially dangerous
behavior, noting that not all anomalous behavior is malicious, nor is all malicious behavior anomalous.
• Support complete end-to-end encryption of data at rest and in motion through APIs and the network.
• Enable high visibility of data traffic to identify unusual movements of sensitive data.
• Supply high visibility of the movement of known attackers, malware tools and other malicious activity.
• Enable a consistent user experience for application access and utilization, regardless of the additional
security mandated by Zero Trust security controls and policies.
• Provide high visibility to outside destinations by address and use threat intelligence to reject new
untrusted domains and those that have been identified as malicious and high risk.

Implementing Zero Trust


First, identify and classify the sensitive data you must protect and determine where it resides. Next,
determine the roles for every employee within your organization and consider carefully the absolute minimum
of privileges and access these roles require. A role must be thought through carefully; it defines an
employee’s strategic identity and purpose at work based on a close look at the key components of the job.
Roles include accountability, areas of ownership and decision rights, among others. Roles should grant the
employee the bare minimum of access necessary for success but no further. Then map the workflow of each
role against the sensitive data, networks, systems and applications required to perform its tasks.

It is essential to this implementation that you integrate security controls and techniques that maximize visibility.
Best practices include extensive logging of data at all times and continual analysis by inspection and through
the use of machine learning.

Once you have completed the basic identification and analysis of critical sensitive data and roles, you can
begin to lay out the architecture for your Zero Trust network.

Important Zero Trust Technologies


At its core, the primary tenets of Zero Trust assume that all networks are hostile and dangerous environments
at all times. This includes your internal corporate network and any other network. Based upon the
establishment and maintenance of a trusted identity, you get access to the data, networks, systems and
applications that you need to do your job and nothing more. This trust must be continuously revalidated to
provide certainty about the security and privileges granted.

The Zero Trust approach segments the allocation of trust into slices that provide broader protection against the
breach of sensitive data. If a user's credentials are compromised, Zero Trust does not automatically grant the
attacker access to the additional systems and network resources needed to obtain and exfiltrate sensitive
data.

Currently available security controls that can be an essential part of your Zero Trust strategy include SIEM,
SOAR, UEBA, CASB, deception technology, foundational security using DNS, microsegmentation and identity
and access management. Let’s take a closer look at some of these key technology sets.

Microsegmentation
Microsegmentation is a critical architectural component of a Zero Trust deployment and is available through
software and/or specialized hardware appliances. Vendor controls that implement microsegmentation may
interoperate with other vendors' controls or, in some cases, require that the entire Zero Trust deployment use
security controls from a single vendor.

Microsegmentation implements the concept of a Software-Defined Perimeter (SDP) to segment the network
into more granular pieces, organized around the critical data that must be protected. The use of SDP prevents
and limits access, both into and out of each segment. Microsegmentation focuses on security and provides
the automation and agility security teams need to rapidly implement configuration changes.

Microsegmentation can lock down and highly restrict lateral (“east-west”) movement within a network at
almost any level of granularity required. In addition, microsegmentation enables administrators to express
security policy in terms of application-oriented constructs, such as web tiers and databases, instead of
IP addresses, subnets and virtual local area networks. Applications are workloads that address very specific
business needs, and workloads are operating system instances that run various software services,
containers and the like.

In a legacy architecture that does not use Zero Trust microsegmentation, the procedure to provide basic
network segmentation can be slow and cumbersome. The business analyst defines application requirements,
which are, in turn, reviewed by the security analyst and described as connectivity or access policies. These
policies are then reviewed and translated by the network administrator into specific firewall rules and IP
addresses. All of these steps are limited by analyst time, firewall costs, compatibility and other factors. It rapidly
becomes untenable to meet the challenges of digital transformation at scale using this approach.

In sharp contrast, microsegmentation can be set up fast. Microsegmentation offers the ability to rapidly
automate the deployment of revised security policy to key logging and restriction points. It should be noted that
these restriction points do not have to be firewalls. That flexibility enables microsegmentation to meet
economies of scale. Once policies are set up, their implementation and subsequent changes can be highly
automated. The entire setup is a simpler and more collaborative effort by business, security and network
analysts.

Depending on the vendors you use, microsegmentation can bring a variety of strong defensive benefits. For
example, microsegmentation might be configured to automatically quarantine certain network segments with
automated policy change. Because microsegments are often smaller and defined around very specific business
operations, they can be implemented using a “white list” approach, where connections are explicitly enabled by
administrators, as opposed to a much larger—and almost immediately out-of-date— “black list,” of the sort
traditional firewall configurations typically use.
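As an added illustration (example code, not Infoblox code or any vendor's product), the following Python script evaluates east-west flows against an allow list written in application roles rather than IP addresses, denies everything not explicitly permitted, and shows the automated quarantine of a segment by policy change. The address ranges, roles, rules and flow records are constructed for this example.

```python
"""Microsegmentation allow-list check (added example; not Infoblox code).

Workloads are labelled by application role ("web", "app", "db", ...) rather than
by IP address, and policy is an allow list: a flow passes only when an explicit
rule matches; everything else, including east-west traffic between peers in the
same tier, is denied by default.  Labels, rules and flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Workload inventory: the role each address range plays (assumed labels).
WORKLOAD_LABELS = {
    ip_network("10.1.0.0/24"): "web",
    ip_network("10.2.0.0/24"): "app",
    ip_network("10.3.0.0/24"): "db",
    ip_network("10.9.0.0/24"): "jump",
}


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    proto: str
    port: int


# The whole allow list, written in application terms; nothing else is permitted.
ALLOW_RULES = [
    Rule("web", "app", "tcp", 8080),
    Rule("app", "db", "tcp", 5432),
    Rule("jump", "db", "tcp", 22),
]


def role_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    for net, role in WORKLOAD_LABELS.items():
        if ip in net:
            return role
    return None  # unlabelled workloads can match no rule and are therefore denied


def evaluate(src: str, dst: str, proto: str, port: int,
             rules: List[Rule] = ALLOW_RULES) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow; default-deny when no rule matches."""
    s, d = role_of(src), role_of(dst)
    if s is None or d is None:
        return "deny", "unlabelled workload"
    for r in rules:
        if (r.src_role, r.dst_role, r.proto, r.port) == (s, d, proto.lower(), port):
            return "allow", f"rule {s}->{d} {proto}/{port}"
    return "deny", f"no rule for {s}->{d} {proto}/{port}"


def quarantine(role: str, rules: List[Rule]) -> List[Rule]:
    """Automated policy change: drop every rule that lets traffic into or out of a role,
    which isolates that segment without touching any firewall configuration."""
    return [r for r in rules if role not in (r.src_role, r.dst_role)]


# Constructed flow records: "src dst proto port".
SAMPLE_FLOWS = """\
10.1.0.5 10.2.0.7 tcp 8080
10.2.0.7 10.3.0.9 tcp 5432
10.1.0.5 10.3.0.9 tcp 5432
10.1.0.5 10.1.0.6 tcp 22
10.9.0.2 10.3.0.9 tcp 22
192.168.50.4 10.3.0.9 tcp 5432
"""


def evaluate_flows(text: str, rules: List[Rule] = ALLOW_RULES) -> List[Tuple[str, str, str]]:
    """Evaluate every flow line and return (line, verdict, reason) triples."""
    results = []
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, port = line.split()
            verdict, reason = evaluate(src, dst, proto, int(port), rules)
            results.append((line, verdict, reason))
    return results


if __name__ == "__main__":
    for line, verdict, reason in evaluate_flows(SAMPLE_FLOWS):
        print(f"{verdict:5s} {line:32s} {reason}")
    print("-- after quarantining the app tier --")
    for line, verdict, reason in evaluate_flows(SAMPLE_FLOWS, quarantine("app", ALLOW_RULES)):
        print(f"{verdict:5s} {line:32s} {reason}")
```

The point to notice is what the policy does not say: web servers talking to each other on port 22 and a web server reaching the database directly are both denied without any rule mentioning them, and isolating the app tier is a one-line policy edit rather than a firewall change request.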

Identity and Access Management (IAM)


Identity and access management (IAM) defines and manages the roles and, correspondingly, grants access
privileges for authorized users. The source of truth used in IAM can be an integration of data contained in
human resources and other systems.

Two-Factor Authentication (2FA)


Two-factor authentication has rapidly become an essential best-practice security control for building out any
Zero Trust architecture. Two-factor authentication federated with single sign-on makes stolen passwords far
less useful on their own. Federated to cover all applications across an enterprise, it presents a highly effective
front end for access to any protected application, system or data repository.

Typically, two-factor authentication pairs the password with a second factor: a constantly changing,
algorithmically generated one-time code from a hardware token or authenticator application, a hardware
security key such as a YubiKey, or, at a bare minimum, a code sent by SMS to a mobile device. SMS is the
weakest of these because the code can be intercepted or the phone number hijacked through SIM swapping,
and one-time codes of any kind can still be phished in real time; dedicated mobile authenticator applications
are more secure than SMS, and hardware security keys that bind the authentication to the site's origin resist
phishing outright.

Security Information and Event Management (SIEM)
A SIEM will integrate with and aggregate all of your data sources and alerts from across your IT infrastructure,
analyze this activity and escalate priority events and notifications. It will include special analytics algorithms and
often will have machine learning capability.

Security Orchestration, Automation and Response (SOAR)


SOAR collects alert data and is in some ways similar to a SIEM, but it goes further by automating the
investigation of that data. SOAR integration enables automated incident response and execution of related
workflows when dangerous indicators of compromise are identified. This automated response happens much
faster than a process gated by human intervention. SOAR integration is often structured into “playbooks”
that define the response to various threats, the steps to be taken and the key integrations with critical
security controls. One vendor can provide SIEM and SOAR technology in a single integrated platform.

Cloud Access Security Brokers (CASB) with Encryption, DLP and DRM
CASB is a security control that is placed between the consumers of cloud services and cloud service providers.
CASB is a “single wrapper” around cloud applications that provides extended visibility into cloud access and
use, encryption or tokenization of cloud-based data, policy creation and implementation, data loss prevention,
digital rights management and more. CASB can extend protection to a wide variety of cloud-based third-party
software as a service (SaaS) applications and applications developed in-house that are deployed to cloud
platforms.

Deception Technology
Deception technology is a security control category that deploys lures (such as fake credential files or
password lists) and “honeypots” (decoy endpoints and network devices that expose a few apparent
vulnerabilities) within a network. No legitimate workflow touches these assets, so unauthorized east-west
traffic and attacker reconnaissance that reaches them, if only with a ping, generates a high-fidelity alert and
indicator of compromise.

Network Detection and Response (NDR)


Network detection and response provides enhanced visibility, threat detection and detailed forensic analysis of
anomalous activity within the network. This security control uses machine learning to identify potentially
dangerous actors within secured internal networks.

User and Entity Behavior Analytics (UEBA)


UEBA is a software control category that analyzes user activity from log files, network traffic and other sources
to identify malicious or highly unusual user behavior. Malicious user behavior is typically associated with
excessive file downloads, access to sensitive data in unusual activity patterns, activity during unusual periods
for that user and other suspicious actions.

Adaptive Access Control (AAC)


Adaptive access control evaluates each access request against established policy using its context:
platform, location and time. AAC is context-aware and balances the level of trust against the access
requested. Seemingly valid user authentication data may be rejected because of the platform (a specific
endpoint, such as a personal device not authorized by policy) or the geographic location (for instance, an
otherwise valid login attempt from Shanghai, China, when policy permits no access from there). A user with
valid authentication data might also be rejected on the basis of time and distance: for example, a login from
a city in the United States followed by an attempted and seemingly valid login from a city in Australia perhaps
only two hours later, a pattern commonly called impossible travel.
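An added example (not Infoblox code) of the checks just described, in Python: it compares a new login attempt with the user's previous login and returns allow, step-up or deny based on the platform signal and on whether the travel speed implied by the two locations and timestamps is physically plausible. City coordinates, the speed ceiling and the login events are constructed for the example; geolocating the source IP is assumed to have happened upstream.

```python
"""Adaptive access control check (added example; not Infoblox code).

Evaluates a login attempt against the user's previous successful login using the
three context signals from the text: platform (is the device one policy permits),
location and time.  The location/time test is the "impossible travel" rule: the
great-circle distance between the two logins divided by the elapsed time must not
exceed a speed a traveller could achieve.  Coordinates, the speed ceiling and the
events are constructed; IP-to-location mapping is assumed to happen upstream."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling: faster than this is not a commercial flight


@dataclass(frozen=True)
class Login:
    user: str
    city: str
    lat: float
    lon: float
    when: datetime
    managed_device: bool   # platform signal: True if the endpoint is enrolled and policy-compliant


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(prev: Login, new: Login) -> float:
    """Speed the user would have needed to travel between the two login locations."""
    hours = (new.when - prev.when).total_seconds() / 3600.0
    distance = haversine_km(prev.lat, prev.lon, new.lat, new.lon)
    if hours <= 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def decide(prev: Login, new: Login, max_kmh: float = MAX_PLAUSIBLE_KMH) -> str:
    """Return 'allow', 'step-up' or 'deny' for an attempt whose credentials already verified.

    Valid credentials are necessary but not sufficient: impossible travel denies outright,
    an unmanaged platform demands additional verification, and only a managed device at a
    plausible location is allowed through without friction."""
    if prev.user != new.user:
        raise ValueError("compare logins for the same user only")
    if required_speed_kmh(prev, new) > max_kmh:
        return "deny"
    if not new.managed_device:
        return "step-up"
    return "allow"


# Constructed events: a Denver login, then attempts from Los Angeles (managed and
# unmanaged device, three hours later) and from Sydney (two hours later).
T0 = datetime(2019, 12, 2, 9, 0, tzinfo=timezone.utc)
PREVIOUS = Login("alice", "Denver", 39.74, -104.99, T0, True)
FROM_LA = Login("alice", "Los Angeles", 34.05, -118.24, T0 + timedelta(hours=3), True)
FROM_LA_BYOD = Login("alice", "Los Angeles", 34.05, -118.24, T0 + timedelta(hours=3), False)
FROM_SYDNEY = Login("alice", "Sydney", -33.87, 151.21, T0 + timedelta(hours=2), True)

if __name__ == "__main__":
    for attempt in (FROM_LA, FROM_LA_BYOD, FROM_SYDNEY):
        print(f"{attempt.city:12s} managed={attempt.managed_device!s:5s} "
              f"{required_speed_kmh(PREVIOUS, attempt):8.0f} km/h -> {decide(PREVIOUS, attempt)}")
```

The speed ceiling is the tunable that matters: set it too low and every frequent flyer is denied; set it too high and the rule never fires. In practice the location comes from an IP geolocation database, which is coarse for mobile carriers and wrong for VPN egress, so the impossible-travel signal is usually combined with the other context signals rather than used alone.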

Foundational Security Using DNS Is a Core Component of Zero Trust


DNS is a central component of your current information technology and network architecture. DNS translates
human-readable names such as www.example.com into the numeric Internet Protocol (IP) addresses (for
example, 192.0.2.10) that clients use to reach the desired server.

During the rapid deployment of the changes necessary to support digital transformation, many enterprises have
failed to include DNS controls, administration and management within their cybersecurity strategy. Often these
capabilities have defaulted to a mix of ISPs, on- and off-premises hardware and multiple, disparate cloud-based
services. These diverse and separate DNS deployments generally have no integration with modern
cybersecurity threat intelligence, web filtering or other important defensive capabilities. Most can neither
detect nor block the most common DNS-borne threats or withstand distributed denial of service (DDoS)
attacks; they also lack the centralized visibility essential to making DNS and foundational security a
cornerstone of Zero Trust for the enterprise.

Network management teams in most enterprises are now partnering more closely with their cybersecurity
counterparts. One of the key areas for collaboration has been to position DNS and foundational security as a
core component of Zero Trust. In this scenario, the basic foundational core network services you rely on to run
your business (e.g., DNS and related services) become your most valuable security controls and threat
intelligence assets.

These foundational security services, including DNS, DHCP and IP address management (DDI), are essential
to all IP-based communications. Foundational security using DNS further offers an ideal opportunity to gain
centralized visibility and control over all of your computing resources, per the tenets of Zero Trust. DNS can be
a source of telemetry, helping to detect anomalous behavior (e.g., a device going to a server it usually doesn’t
go to) and to analyze east-west traffic. DNS can also continuously check for, detect and block C&C
connections. For every cloud and on-premises data center that your enterprise uses, DNS can be a centralized
point of visibility and risk reduction.
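To make the telemetry role concrete, the following Python script is an added example (not Infoblox or BloxOne code) that runs three detections over constructed resolver query logs: a threat-intelligence match, a first-seen destination per device measured against a baseline (the "device going to a server it usually doesn't go to" case), and DNS-tunnelling heuristics (a burst of unique subdomains under one parent, high-entropy labels). The log format, blocklist and thresholds are assumptions made for the example.

```python
"""DNS query logs as Zero Trust telemetry (added example; not Infoblox or BloxOne code).

Runs three checks over constructed resolver log lines "<epoch> <client_ip> <qtype> <qname>":
  1. threat intelligence: the name, or a parent of it, is on a blocklist;
  2. first-seen destination: a device resolves a domain it never resolved in the baseline;
  3. tunnelling/C&C heuristics: many unique subdomains under one parent from one client,
     or a long high-entropy label, both typical of DNS-based exfiltration.
The log format, blocklist and thresholds are assumptions made for this example."""
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, Iterator, Set, Tuple

THREAT_INTEL = {"evil-c2.example", "malware-drop.example"}  # assumed blocklist feed
TUNNEL_UNIQUE_SUBDOMAINS = 10   # assumed: unique names under one parent from one client
HIGH_ENTROPY_BITS = 3.5         # assumed: Shannon entropy per character of a single label
LONG_LABEL = 20                 # assumed: only labels at least this long are entropy-scored


def _line(ts: int, client: str, qtype: str, qname: str) -> str:
    return f"{ts} {client} {qtype} {qname}"


# Constructed baseline (what each device normally resolves).
BASELINE_LOG = "\n".join([
    _line(1700000000, "10.1.0.5", "A", "www.example.com"),
    _line(1700000010, "10.1.0.5", "A", "api.example.com"),
    _line(1700000020, "10.1.0.6", "A", "updates.vendor.example"),
    _line(1700000030, "10.1.0.7", "A", "www.example.com"),
])

# Constructed "today": a blocklisted name from 10.1.0.5, a never-seen destination
# for 10.1.0.6 and a burst of hash-like TXT lookups from 10.1.0.7.
TODAY_LOG = "\n".join(
    [
        _line(1700086400, "10.1.0.5", "A", "cdn.example.com"),
        _line(1700086410, "10.1.0.5", "A", "evil-c2.example"),
        _line(1700086420, "10.1.0.6", "A", "updates.vendor.example"),
        _line(1700086430, "10.1.0.6", "A", "login.payroll.example"),
    ] + [
        _line(1700086440 + i, "10.1.0.7", "TXT",
              hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40] + ".tunnel.example")
        for i in range(12)
    ]
)


def parse(text: str) -> Iterator[Tuple[int, str, str, str]]:
    for line in text.splitlines():
        if line.strip():
            ts, client, qtype, qname = line.split()
            yield int(ts), client, qtype.upper(), qname.lower().rstrip(".")


def registered_domain(qname: str) -> str:
    # Simplification: last two labels.  Real code should consult the Public Suffix
    # List so that names such as example.co.uk are grouped correctly.
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character: hex payloads approach 4, base32 approaches 5, words score far lower."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def matches_threat_intel(qname: str) -> bool:
    labels = qname.split(".")
    return any(".".join(labels[i:]) in THREAT_INTEL for i in range(len(labels)))


def analyze(baseline_text: str, today_text: str) -> Dict[Tuple[str, str], Set[str]]:
    """Map (client, registered domain) to the set of reasons it was flagged today."""
    seen = {(client, registered_domain(q)) for _, client, _, q in parse(baseline_text)}
    findings: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    names_per_parent: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for _, client, _, qname in parse(today_text):
        key = (client, registered_domain(qname))
        if matches_threat_intel(qname):
            findings[key].add("threat-intel")
        if key not in seen:
            findings[key].add("first-seen")
            seen.add(key)
        first_label = qname.split(".")[0]
        if len(first_label) >= LONG_LABEL and shannon_entropy(first_label) >= HIGH_ENTROPY_BITS:
            findings[key].add("high-entropy-label")
        names_per_parent[key].add(qname)
        if len(names_per_parent[key]) >= TUNNEL_UNIQUE_SUBDOMAINS:
            findings[key].add("many-unique-subdomains")
    return dict(findings)


if __name__ == "__main__":
    for (client, parent), reasons in sorted(analyze(BASELINE_LOG, TODAY_LOG).items()):
        print(f"{client:10s} {parent:20s} {', '.join(sorted(reasons))}")
```

Two caveats a practitioner would add. The first-seen rule is only as good as its baseline: a baseline of a few hours floods the SOC, so it is normally built over weeks and keyed by registered domain, as here, rather than by full name. And a device that sends its queries to an outside resolver over DNS over HTTPS or DNS over TLS never appears in these logs, so egress policy has to force resolution through the enterprise resolver for the telemetry to be complete.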

Introduction to BloxOne Threat Defense

“Infoblox BloxOne Threat Defense brings all of your DNS controls, administration,
and management into one hybrid architecture that gives all of the control back to
you. This provides one single point of control for DNS management for all of your
on-premises and cloud-based resources. Once you assert this control, you have
very effectively enabled the defensive weaponization and build-out of DNS as part
of what is called foundational security.”

Anthony James, Vice President, Product Marketing, Infoblox, Inc.

DNS can become a powerful control point where every name a client attempts to resolve is checked against
integrated threat intelligence for potentially malicious destinations. DNS can also supplement your internal
resources for web and content filtering to reduce your costs and enhance performance. Finally, DNS
integrates with your DDI strategy to provide comprehensive data that can be used to identify and resolve
cyberthreats that are already present within your network. Using DNS in this fashion provides critical
visibility into security events by location, physical device, session and user, a key aspect of a Zero Trust
deployment.

BloxOne™ Threat Defense from Infoblox provides the foundational security that gives you one architecturally
efficient, centralized point of control and visibility to any traffic requiring resolution of a domain name with DNS
services (see Figure 2). BloxOne Threat Defense also enables you to detect and block data exfiltration and
malware C&C communications via DNS. It maximizes brand protection by securing traditional networks, as well
as digital imperatives like SD-WAN, IoT, the cloud and mobility. It powers SOAR solutions, substantially
reduces the time to investigate and remediate cyberthreats, optimizes the performance of the entire security
ecosystem and reduces the total cost of enterprise threat defense.

Figure 2: BloxOne Threat Defense provides foundational security and supports key aspects of Zero Trust deployments

Summary
Digital transformation has all but eliminated the traditional perimeter-based security model and has made it
imperative to move to a more comprehensive security strategy such as Zero Trust. Zero Trust brings with it the
philosophy that you cannot trust any user or any activity, whether inside or outside of your network. The
perimeter has moved from enterprise networks, where it has been compromised, to instead surround the key
data elements you want to protect. Zero Trust shines a spotlight on those who would access that data and
makes certain that their identity is authenticated before allowing access. Foundational security, leveraging the
visibility and protection offered by DNS services, should be a core part of your Zero Trust strategy.
Foundational security enables you to reduce cyber incidents, further minimize risk and substantially strengthen
your compliance and governance initiatives.

Infoblox enables next-level network experiences with its Secure Cloud-Managed Network Services. As the pioneer in providing the
world’s most reliable, secure and automated networks, we are relentless in our pursuit of network simplicity. A recognized industry
leader, Infoblox has 50 percent market share comprised of 8,000 customers, including 350 of the Fortune 500.

Corporate Headquarters | 3111 Coronado Dr. | Santa Clara, CA | 95054


+1.408.986.4000 | 1.866.463.6256 (toll-free, U.S. and Canada) | info@infoblox.com | www.infoblox.com

© 2019 Infoblox, Inc. All rights reserved. Infoblox logo, and other marks appearing herein are property of Infoblox, Inc. All
other marks are the property of their respective owner(s).
