„Zero Trust Network” – various implementation concepts

Home / News / „Zero Trust Network” – various implementation concepts

At one point, it was realized that the current approach to security, assuming a certain “edge” of the network – the division into “us” and “them” – is not working. Furthermore – users, systems or services running within our network should not be automatically trusted.


This happened for 2 reasons:

  • There data breaches when hackers who passed through edge firewalls were able to pass through internal systems without much resistance are widespread

  • The “edge” itself – understood as a border, is no longer clearly defined. Applications and data stores reside locally and in the cloud, and users can access them from multiple devices and locations. Often bypassing the central point of security.


The terms Zero Trust, Zero Trust Network or Zero Trust Architecture, coined by a security analyst at Forrester Research, refer to the concept of network security based on 3 principles:

  • Never trust.

  • Always verify.

  • Constantly monitor.


The terms Zero Trust, Zero Trust Network or Zero Trust Architecture, coined by a security analyst at Forrester Research, refer to the concept of network security based on 3 principles:


The assumption is that you should verify everyone and everything trying to connect to your systems before granting access. There are several main ways to implement a zero-trust approach in a corporate network to allow internal and external users to access services and applications – with several layers of security.


By the way … defense-in-depth again.

  • Traditional VPNs – they remain the illusion of a zero-trust approach, but only provide one level of access – authenticate – can user access or not? They lack the necessary levels of authorization. Older VPNs can also cause scalability and bandwidth issues with too many mobile users. Always active – always-on-VPN, which requires device and user authentication, provides results similar to ZTNA.

  • Providing web applications via Web Application Firewall (WAF) – reverse-proxy application layer firewall. WAF allows you to apply different levels of user verification depending on the type of application and access level. In addition, it provides API protocol protection and support with constantly updated exploit database. Since protected services are still visible to attackers on the public Internet, the security level is equal to the effectiveness of WAF.

  • Virtual Desktop Infrastructure (VDI) – providing users on unmanaged devices with access to a selected set of applications. By providing a projection of the work desktop, we ‘project’ the corporate desktop policy at everyone. Currently, locally hosted VDI is giving way to Desktop-as-a-Service, which is offered by large cloud providers such as Amazon Web Services (AWS) and Microsoft Azure. They provide a set of security mechanisms for applications and data stored inside.

  • Remote Browser Isolation (RBI) – Browser isolation provides a security layer for accessing applications over the Internet. In this case, the browser session itself is rendered from the end user’s device and from the cloud service providing isolation on both sides. The user sees the projection of the application and website, and any risk of an attack on the end device is neutralized at the browser level in the cloud service.

  • DMZ – Demilitarized Zones – displaying digital business applications in traditional demilitarized zones remains an alternative. The key advantage is the need to “exit” the DMZ after the application is infected. However, demilitarized zones provide limited isolation from modern attacks – usually as effective as the level of WAF protecting it. In addition, DMZs still leave the application discoverable to all attackers.

  • Content Delivery Network (CDN) – this is another substitute for ZT. CDNs can absorb DDoS attacks, reduce noise and threats associated with bot attacks, and protect your site from deleting assets from it. They usually also have WAF built into them. However, they do not provide adequate protection at the application level or anonymity.

  • API Gateway – Applications that do not require full, interactive connectivity to the Internet, but instead only provide APIs to the public Internet, can be protected by the API Gateway. API gateways enforce authentication, verify authorization, and mediate the correct use of application APIs. This is especially useful if the application does not have API security mechanisms. Most API gateways also provide logs of all activity via a native monitoring tool or integration with popular security information and event management (SIEM) tools. The best API Gateway are those that integrate with directory services and Single Sign On solutions.




We started with the authentication of the user – he confirmed his identity in one place and had access to all resources. Later, authorization was added – the user had the ability to access designated resources. Zero Trust is a call to leverage microsegmentation and inner authentication and authorization based on user roles, locations, and other data to answer one question.


Whether or not to trust a user, machine, or application seeking access to a specific part of the enterprise?

Please be advised that our website is using cookies for marketing, statistical and functional reasons. In order to optimize the content on our website and to adapt them to your individual needs, we use informations saved using cookies on users’ end devices. Cookies can be controlled by the user through the settings of their web browser. By contiuning to use our website without changing your web browser settings, you are accepting the use of cookies.