A Zero Trust Network (ZTN) is a network that operates according to the zero trust security model. This model requires strong authentication for every user and device that requests access to resources, whether the request originates inside or outside the private network.
Traditional network security is based on the concept of a protected network perimeter, which is difficult to access from the outside but implicitly trusts everything inside. The problem with this approach is that once an attacker gains access to the network, they can move freely within the network and elevate privileges to gain access to sensitive assets.
In today’s IT environment, with data and systems distributed between on-premises data centers and public clouds, and employees often working from remote locations, traditional network security models are no longer relevant. A network perimeter approach cannot achieve consistent security controls in a modern IT environment.
Moving to a zero trust security model means that no one inside or outside the network is implicitly trusted. ZTN solutions continuously ensure that each user and device has access only to the specific resources they need. When authorizing requests, these solutions take into account the time, location, and nature of the requested activity. They can immediately detect unusual access attempts, block them, and alert security teams.
Zero trust networking is an important part of the modern security puzzle, focusing on securing internal application traffic. It rejects the traditional assumption that traffic behind a firewall can be implicitly trusted, replacing it with the assertion that no connection should be trusted until it has been proven safe.
Traditionally, network administrators trusted every entity within the internal network—applications, servers, network software or hardware. Many applications did not require client authentication and did not encrypt their traffic, even for sensitive services. Many systems relied on static shared credentials. For example, database passwords were often trivial to guess and shared freely within the corporate network—under the assumption that attackers were outside the secure network perimeter.
Many corporate networks still follow this pattern. However, it is now understood that threat actors can readily gain a foothold in a network environment, whether by compromising the credentials of trusted entities, infecting the network with malware that deploys a Trojan or backdoor, or exploiting vulnerabilities in software or hardware. Through these and other attack vectors, threat actors can sniff unencrypted network traffic to capture application passwords, and then compromise databases, servers, and network devices, leading to catastrophic data breaches.
The zero trust model enables a production infrastructure that is secure by default. ZTN systems go beyond not trusting client connections—they also verify that the network fabric itself is secure from compromise.
The zero trust network model is not a standard network implementation—it describes a set of principles and goals and leaves the specific technical details of implementation to each organization or solution provider. However, all ZTN solutions have these common features:
Organizations can apply zero trust principles to containerized environments by building on their traditional network security strategy and adding internal security mechanisms inside the network perimeter. A combination of firewalls and client-based zero trust security measures can help secure internal network communication between microservices and containers.
In this context, implementing zero trust involves the following principles:
Together, these zero trust principles and control measures allow organizations to secure their containerized applications in the cloud. They restrict communication between microservices and containers so that any transaction not explicitly authorized is denied.
As a popular container orchestration solution, Kubernetes offers flexibility, scalability, and automation, helping organizations manage their secrets. However, using Kubernetes does not automatically imply a zero trust security model.
Implementing a zero trust approach in Kubernetes requires special configurations and practices. For example:
Organizations can apply these practices to all users, programs, and access requests, ensuring a robust Kubernetes security posture. Controlling access to each Kubernetes pod also helps prevent internal or external attacks.
Calico Enterprise and Calico Cloud enable a zero trust environment built on three core capabilities: encryption, least privilege access controls, and identity-aware microsegmentation.