2022 IEEE 19th International Conference on Smart Communities: Improving Quality of Life Using ICT, IoT and AI (HONET) | 978-1-6654-6197-9/22/$31.00 ©2022 IEEE | DOI: 10.1109/HONET56683.2022.10019186

Study of Zero Trust Architecture for Applications and Network Security

Farhan A Qazi
Department of Cybersecurity, Capitol Technology University
Laurel, MD USA 20708
E-mail: [email protected]

Abstract: As a result of globalization, the COVID-19 pandemic and the migration of data to the cloud, the traditional security measures where an organization relies on a security perimeter and firewalls do not work. There is a shift to a concept whereby resources are not trusted, and a zero-trust architecture (ZTA) based on a zero-trust principle is needed. Adapting zero trust principles to networks ensures that a single insecure Application Programming Interface (API) does not become the weakest link comprising Critical Data, Assets, Applications and Services (DAAS). The purpose of this paper is to review the use of zero trust in the security of a network architecture instead of a traditional perimeter. Different software solutions for implementing secure access to applications and services for remote users using zero trust network access (ZTNA) are also summarized. A summary of the author's research on the qualitative study of "Insecure Application Programming Interface in Zero Trust Networks" is also discussed. The study showed that there is an increased usage of zero trust in securing networks and protecting organizations from malicious cyber-attacks. The research also indicates that APIs are insecure in zero trust environments and most organizations are not aware of their presence.

Keywords—Zero trust architecture, Network security, Application programming interface, cybersecurity

I. INTRODUCTION

According to a recent report by Check Point Research [1], weekly cyberattacks on corporate networks increased 50 percent in 2021 compared with 2020. The highest number of these attacks per week was experienced by the education and research sectors, which were up 75% from 2020, followed by government/military, up 47% from 2020. The communication industry experienced the smallest increase in cyberattacks per week from 2020. This upward trend in cyberattacks continues with the increase in teleworking due to the global pandemic. This is coupled with the increased usage of the internet of things (IoT), the industrial internet of things (IIoT), and digital transformation, where workers and their devices are located outside the traditional network perimeter.

The traditional security method applies when an organization has a security perimeter and firewalls contained within it [2]. When no resources can be considered safe or secure, a zero-trust architecture (ZTA) based on the zero trust principle is required in the process of planning an enterprise network consisting of thousands of microservices. ZTA is a broad framework that promises effective protection of an organization's most valuable assets by assuming that every connection and endpoint is a threat. The term "Zero trust" was coined by Stephen Paul in 1994 in his doctoral thesis, and the concept of zero trust was developed by John Kindervag of Forrester Research in 2010 [3]. In August 2020, NIST (National Institute of Standards) published the document NIST SP 800-207 for its implementation [4]. Zero trust networks have continued to protect enterprise systems and the data involved since the concept's development in 2010 [5]. The global zero trust security market is projected to grow from $10.6 billion in 2020 to $51.6 billion by 2026 [6].

In May 2021, the White House recommended the use of zero trust architecture for improving the Nation's cybersecurity. In January 2022, President Biden's administration, in a national security memorandum, directed all U.S. Federal agencies to develop a plan for ZTA adoption based on NIST SP 800-207 by the end of fiscal year 2024 [7].

This paper is divided into six sections, discussing how the concept of Zero Trust relates to Application Programming Interfaces (APIs) in securing networks that do not use a traditional security perimeter; the final version of NIST SP 800-207 discusses the implementation of Zero Trust Architecture (ZTA). Zero Trust Network Access (ZTNA), an approach that enables organizations to implement a zero-trust security model, along with a summary of software solutions for large, mid-sized and small businesses, is also discussed. Finally, an overview of the author's research on the qualitative study of "Insecure Application Programming Interface in Zero Trust Networks" is also included.

II. ZERO TRUST AND APPLICATION PROGRAMMING INTERFACE

Applying zero trust only for network access would not protect enterprise applications. The increased teleworking has led many organizations to adopt various digital applications and cloud-based services. These services can be divided into microservices, for which the client must deal with various endpoints and collect data from different microservices. A new service layer, called an API gateway, is added every time a different API is given to each client. This is shown in the figure below [8].
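To make the gateway layer concrete, the following is an added example (not code from the paper, nor from any product it cites) of a small gateway that applies to every call the zero-trust controls this paper discusses for APIs: token-based authentication, least-privilege scopes per backend microservice, a per-client rate limit, and default deny for any route it does not know. The route table, scopes, signing key, token format and limits are assumptions made for the example.

```python
"""Added example, not from the paper or from any product it cites: a toy API
gateway that applies zero-trust controls to every call it fronts: token-based
authentication (HMAC-signed bearer token), least-privilege scopes per backend
microservice, a per-client rate limit, and default deny for unknown routes.
The routes, scopes, signing key, token format and limits are assumptions."""

import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"example-gateway-key"  # assumption: secret held only by the gateway

# Least privilege: each route maps to one backend and the one scope it needs.
ROUTES = {
    ("GET", "/orders"): ("orders-svc", "orders:read"),
    ("POST", "/orders"): ("orders-svc", "orders:write"),
    ("GET", "/invoices"): ("billing-svc", "billing:read"),
}
RATE_LIMIT = 3      # requests per client ...
RATE_WINDOW = 60.0  # ... per fixed window of this many seconds


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id, scopes, exp, key=SIGNING_KEY) -> str:
    """Issuer side: claims are encoded, then signed with HMAC-SHA256."""
    claims = json.dumps({"sub": client_id, "scopes": scopes, "exp": exp}, sort_keys=True)
    body = _b64(claims.encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def verify_token(token, now, key=SIGNING_KEY):
    """Returns the claims dict, or None if the signature or expiry check fails."""
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        claims = json.loads(_unb64(body))
        return None if claims["exp"] <= now else claims
    except (ValueError, KeyError):
        return None


class Gateway:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.windows = {}  # client_id -> (window_start, count)
        self.log = []      # (method, path, status): evidence for monitoring

    def _over_limit(self, client_id) -> bool:
        now = self.clock()
        start, count = self.windows.get(client_id, (now, 0))
        if now - start >= RATE_WINDOW:
            start, count = now, 0
        self.windows[client_id] = (start, count + 1)
        return count + 1 > RATE_LIMIT

    def handle(self, method, path, token):
        route = ROUTES.get((method, path))
        if route is None:
            status = (404, "unknown route: default deny")
        else:
            claims = verify_token(token, self.clock())
            if claims is None:
                status = (401, "invalid or expired token")
            elif self._over_limit(claims["sub"]):
                status = (429, "rate limit exceeded")
            elif route[1] not in claims["scopes"]:
                status = (403, "scope " + route[1] + " required")
            else:
                status = (200, "forwarded to " + route[0])
        self.log.append((method, path, status[0]))
        return status


def run_scenario(now: list):
    """Constructed walkthrough; `now` is a one-element list used as a fake clock."""
    gw = Gateway(clock=lambda: now[0])
    token = issue_token("mobile-app", ["orders:read"], exp=now[0] + 300)
    # Same client, broader scopes, but signed with the wrong key: must be rejected.
    tampered = issue_token("mobile-app", ["orders:read", "billing:read"],
                           exp=now[0] + 300, key=b"wrong-key")
    codes = [
        gw.handle("GET", "/orders", token)[0],    # 200
        gw.handle("POST", "/orders", token)[0],   # 403: no orders:write scope
        gw.handle("GET", "/invoices", token)[0],  # 403: no billing:read scope
        gw.handle("GET", "/orders", token)[0],    # 429: fourth call in the window
    ]
    now[0] += RATE_WINDOW                                      # new rate window
    codes.append(gw.handle("GET", "/invoices", tampered)[0])   # 401: bad signature
    codes.append(gw.handle("DELETE", "/orders", token)[0])     # 404: no such route
    now[0] += 300                                              # token has expired
    codes.append(gw.handle("GET", "/orders", token)[0])        # 401
    return codes
```

The order of checks is deliberate: an unknown route is refused before any token work, a bad signature is refused before the request counts against a rate window, and the scope check is done per route rather than per client so that a token for one microservice cannot reach another. The `log` list is the data a monitoring tenet would consume.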

Fig. 1. Application Programming Interface Gateway based architecture.

APIs, being invisible to users, are the most vulnerable points of attack, and most computer professionals are not aware of their weaknesses. All these services depend on APIs, and because of their power organizations were able to implement in a short time changes that would otherwise have taken years. There was a 56% increase in the demand for API requests between October 2020 and October 2021 [9]. API-driven services can have thousands of microservices, making them difficult for security teams to track, and they have become fast-growing threats to API security. Approaching it from the zero trust security paradigm ensures that each microservice communicates with least privilege, preventing the use of open ports and enabling authentication across each API. Zero trust for applications would ensure a behavioral analysis of each application, where the application performs appropriate functions and interacts only with needed data. The goal of adopting the zero trust principle is to safeguard that one insecure API does not become the weakest link comprising the critical data, assets, applications and services (DAAS) of the user [10].

III. IMPLEMENTATION OF ZERO TRUST ARCHITECTURE

Zero Trust Architecture (ZTA) is a token-based architecture based on the principles of zero trust access, or on the concept that nothing can be trusted. ZTA is a set of guidelines that strengthens the security of the design of systems and operations to protect the assets of an enterprise. Authentication is implemented at every step of access, internal or external. Multi-factor authentication (MFA) is popular among vital assets, with an increasing trend towards two-factor authentication (2FA) among consumer applications. Token-based authentication is also used for API security and access control of microservices.

In the implementation of zero trust networks, a policy of zero trust and continuous verification of the authentication of users and devices is important. Visibility of networks is required, as segmentation and access to the most sensitive parts of the network should be performed under the zero-trust policy. Complexity among applications arises since organizations are not only required to implement a policy over all service and privileged accounts, but compliance requirements must also be met for transactions to occur. Applications that are critical to the network, physical assets and sensitive data must be identified, and policies must be determined that include asking who, what, when, where, why, and how for every user, device, and network that wants to gain access. Monitoring the network is the last step in the design of the architecture [11].

In 2020 NIST released the final version of Zero Trust Architecture, which discusses the core logical components that make up a zero-trust architecture [4]. It also includes elements from industry organizations such as Forrester's ZTX and Gartner's CATA. According to CrowdStrike [12], it is the most comprehensive set of standards not only for government entities but also for any organization. In addition, NIST standards ensure compatibility and protection against modern attacks for the cloud-first, work-from-anywhere model most enterprises need to achieve. NIST specifically mentions seven tenets in the SP 800-207 publication of 2020. A zero-trust architecture is designed and deployed in accordance with the following zero trust basic tenets [4]:

• All data sources and computing services are considered resources.
• All communication is secured regardless of network location.
• Access to individual enterprise resources is granted on a per-session basis.
• Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
• The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
• All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
• The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

The above tenets enforce zero trust policies including: identities of users and type of credential, credential privileges for each device, behavior patterns for normal connections of devices, geolocations, endpoint hardware type and function, firmware versions, authentication protocols, operating system versions and attack recognition.
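The tenets above, and the policy engine, policy administrator and policy enforcement point components that SP 800-207 defines (section III goes on to describe them), can be modelled in a few lines. The following is an added example, not code from the paper or from NIST: a policy engine that decides from identity, MFA state, device posture and geolocation; a policy administrator that turns an allow into a time-bounded session and records every decision; and an enforcement point that forwards only while a session is live. The resource names, roles, regions, device attributes and the 600-second session lifetime are assumptions made for this example.

```python
"""Added example, not from the paper or from NIST SP 800-207: a minimal model of
the policy decision point (policy engine + policy administrator) and a policy
enforcement point, evaluating each access request against dynamic attributes.
Resource names, roles, regions, device attributes and the session lifetime are
assumptions made for this example."""

from dataclasses import dataclass, field
import time


@dataclass
class Subject:
    user: str
    role: str
    mfa_verified: bool


@dataclass
class Device:
    device_id: str
    managed: bool     # enterprise-managed endpoint
    os_patched: bool  # posture signal reported by the endpoint agent
    geo: str          # country code the request arrives from


@dataclass
class AccessRequest:
    subject: Subject
    device: Device
    resource: str
    action: str


# Tenet 1: every data source and service is a resource with its own policy (assumed table).
RESOURCE_POLICY = {
    "orders-api": {"roles": {"analyst", "admin"}, "mfa": True, "regions": {"US", "CA"}},
    "hr-records": {"roles": {"hr", "admin"}, "mfa": True, "regions": {"US"}},
}
SESSION_TTL_SECONDS = 600  # Tenet 3: a grant covers one session, then is re-evaluated


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)


class PolicyEngine:
    """Tenet 4: decide from the observable state of identity, requesting asset and
    target resource, never from the caller's network location."""

    def evaluate(self, req: AccessRequest) -> Decision:
        policy = RESOURCE_POLICY.get(req.resource)
        if policy is None:
            return Decision(False, ["unknown resource: default deny"])
        reasons = []
        if req.subject.role not in policy["roles"]:
            reasons.append("role not permitted for resource")
        if policy["mfa"] and not req.subject.mfa_verified:
            reasons.append("MFA required")
        if not (req.device.managed and req.device.os_patched):  # Tenet 5: posture
            reasons.append("device posture not compliant")
        if policy["regions"] is not None and req.device.geo not in policy["regions"]:
            reasons.append("geolocation outside policy")
        return Decision(not reasons, reasons or ["all checks passed"])


class PolicyAdministrator:
    """Turns engine decisions into time-bounded sessions and keeps an audit trail
    (Tenet 7: collect state information to improve posture)."""

    def __init__(self, engine: PolicyEngine, clock=time.time):
        self.engine, self.clock = engine, clock
        self.sessions = {}  # (user, device_id, resource) -> expiry timestamp
        self.audit = []     # (key, action, allowed, reasons)

    def _key(self, req):
        return (req.subject.user, req.device.device_id, req.resource)

    def request_session(self, req: AccessRequest) -> Decision:
        decision = self.engine.evaluate(req)
        self.audit.append((self._key(req), req.action, decision.allow, tuple(decision.reasons)))
        if decision.allow:
            self.sessions[self._key(req)] = self.clock() + SESSION_TTL_SECONDS
        return decision

    def session_valid(self, req: AccessRequest) -> bool:
        expiry = self.sessions.get(self._key(req))
        return expiry is not None and self.clock() < expiry


class PolicyEnforcementPoint:
    """In the data path: forwards only with a live grant, otherwise asks the
    administrator (Tenet 6: authorization enforced before access)."""

    def __init__(self, admin: PolicyAdministrator):
        self.admin = admin

    def handle(self, req: AccessRequest) -> str:
        if not self.admin.session_valid(req):
            decision = self.admin.request_session(req)
            if not decision.allow:
                return "deny: " + "; ".join(decision.reasons)
        return f"forward {req.action} {req.resource} for {req.subject.user}"


def run_scenario(now: list):
    """Constructed walkthrough; `now` is a one-element list used as a fake clock."""
    admin = PolicyAdministrator(PolicyEngine(), clock=lambda: now[0])
    pep = PolicyEnforcementPoint(admin)
    alice = Subject("alice", role="analyst", mfa_verified=True)
    laptop = Device("lt-01", managed=True, os_patched=True, geo="US")
    tablet = Device("tb-09", managed=False, os_patched=True, geo="US")
    results = [
        pep.handle(AccessRequest(alice, laptop, "orders-api", "read")),  # granted, session opened
        pep.handle(AccessRequest(alice, laptop, "orders-api", "read")),  # reuses the live session
        pep.handle(AccessRequest(alice, laptop, "hr-records", "read")),  # wrong role
        pep.handle(AccessRequest(alice, tablet, "orders-api", "read")),  # unmanaged device
    ]
    now[0] += SESSION_TTL_SECONDS + 1  # session expired: the same request is re-evaluated
    results.append(pep.handle(AccessRequest(alice, laptop, "orders-api", "read")))
    return results, admin.audit
```

Two points worth noticing when running it: the second request never reaches the engine because a session is live, which is what "per-session" buys over "per-request" evaluation; and the same request after expiry is evaluated again from scratch, so any change in device posture or role between the two evaluations would change the answer. The audit list has one entry per evaluation, not per request, so it is cheap enough to keep in full.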

The following NIST diagram illustrates the basic building blocks and their interactions in a Zero Trust Architecture (ZTA). These blocks or components can be controlled via a cloud-based service or locally within the architecture. As defined below, the policy decision point is comprised of the policy engine and the policy administrator. Various planes are used to communicate in the ZTA: control planes for the logical components and a data plane for application data.

Fig 2. Zero trust architecture given by NIST.

The Zero Trust Architecture can be effective when the following core components are employed [4]:

1. Policy Engine. The Policy Engine is the basic component of the Zero Trust Architecture. This engine is the decision maker or gatekeeper, deciding which resource gets access to the network by enforcing policies generated by the organization's internal and external security procedures. Access is consequently granted, denied, or revoked based on the security parameters defined by the policies. The final decision is then passed on to the policy administrator to execute the decision.

2. Policy Administrator. As mentioned above, the policy administrator implements access decisions communicated from the policy engine while also having the ability to grant or deny the communication between a subject and a resource. The policy enforcement point is used by the policy administrator to grant or deny a session.

3. Policy Enforcement Point. The Policy Enforcement Point (PEP) is the police-cop for managing connections between resources. Even though the PEP is a single entity of the zero-trust architecture, it controls access to the client side (the source) and the resource, acting as a gateway to control access.

IV. ZERO TRUST NETWORK ACCESS

Currently, there is a shift from traditional network security, where everything inside an organization's network can be trusted, to zero-trust network access (ZTNA), where no one, internal or external, can be trusted unless validated. ZTNA is a set of technologies that enable secure access to zero trust architecture, cloud-based networks, and the increasing number of mobile users. ZTNA allows a secure one-to-one encrypted connection between users and the resources they need, with verification and recreation of the connection taking place periodically. Although the resources being used are connected to other networks, applications, servers, and other resources, the users are not aware of them. This mode of access is like the software defined perimeter (SDP), where the rest of the cloud is shrouded in dark and the users are connected only to the resources which they need and are allowed to access, whereas VPNs give users encrypted access to an entire interior network all at once. Access control is granted on a need-to-know, least-privileged basis defined by minutely detailed policies [13,14].

Fig. 3. Zero Trust Network Access taken from Cloudflare.

Zero trust network access is implemented by using appropriate zero trust networking software. This implementation will allow organizations to ensure the proper user's identity through authentication and attribute verification before allowing access to network resources, at a reduced cost and security risk compared with the traditional security approach. There are many software tools that exist and are emerging in the zero-trust security market [15].

V. SOFTWARE TOOLS FOR IMPLEMENTING ZTNA

According to Kime [16], these software tools for implementing ZTNA have been divided into 80 products


with the following six categories to differentiate between the products' specifications.

The first category, Comprehensive Zero Trust Solutions, is the comprehensive networking solution developed by the well-known brands in the software applications market. These software applications tend to require multiple licenses among users and are expensive. The top six software applications within this category are Check Point, Cisco Zero Trust/Duo, IBM, Ivanti, Microsoft Azure, and Palo Alto Networks. The remaining six software applications that further provide a suite of zero trust services from discovery to identity and verification management are Broadcom / Carbon Black / Symantec / VMware, Forcepoint, Fortinet, Google, SkyHigh Security, and Tanium.

The other five categories below focus on different aspects of Zero Trust Solutions, such as access verification, device verification, ZTNA and network segmentation, data security, levels of access, visibility, and logging:

• Zero Trust Identity Solutions
• Zero Trust Endpoint Solutions
• Zero Trust Network Solutions
• Zero Trust Data and Application Solutions
• Zero Trust Visibility, Automation, Logging and Record Keeping.

Chad [17] has also suggested the following software for low-cost and easy-to-implement zero trust security solutions for small and mid-sized businesses:

• Appaegis
• Banyan Security
• Cloudflare
• GoodAccess
• NordLayer
• OpenVPN
• Perimeter 81
• Sentry Sentry

Two example software applications for ZTNA are given below:

The first example is based on Microsoft's adoption of zero trust technology via multi-factor authentication with conditional access depending on user account risk and device status. Appropriate security is essential in configuring identities, devices, data, applications and networks, and in monitoring and controlling user activities. Some Microsoft customers like Siemens, Johnson Controls, Brunswick and Heineken have started using zero trust networks [18].

The second example is called BeyondCorp, which is Google's solution to implementing the zero-trust network. Applications in the cloud or on premises can be accessed securely by users, corporations and employees. Google has created an access control policy, an access proxy, and user- and device-based authentication and authorization so that the Google global network can be reached from any untrusted network [19].

VI. AUTHOR'S RESEARCH

Part of this paper is based on the author's research on the qualitative study of "Insecure Application Programming Interfaces (APIs) in Zero Trust Networks" [20]. A zero-trust environment, unlike traditional models of network security, is based on a never-trust concept that uses various credentials to verify the authentication of a user or system. In these zero-trust environments, data breaches still occur because of the insecurity of APIs [22]. This survey-based study was performed to investigate why the insecurity of APIs in zero trust networks is being overlooked and to find ways to mitigate the vulnerabilities. The goals of this study were to research the phenomenon of the insecurity of APIs in zero trust networks.

Qualitative purposeful sampling of the population was used for this research because information-rich cases must be identified and selected [23]. The population sample group for this study consisted of developers, users, and technical personnel of various organizations. Some of the respondents work in cyber security while others have software engineering experience, but all of them are either users or developers of various APIs. Three levels of analysis were performed in this study, based on thematic analysis [24]. The first level of coding, or axial coding, was used to analyze the respondents' data from the survey to organize the data into codewords and categories, to eventually identify themes from codewords and categories, as shown below.

Fig. 4. Themes from author's research.

The themes are as follows:

Theme 1: To increase awareness of insecurity of APIs and use existing security technology capabilities to secure APIs.

Theme 2: Vulnerability of APIs; Mitigate the vulnerabilities of APIs by the proper usage

of authentication and authorization by managing keys, rate limiting, and securing the access to the end points of APIs.

Theme 3: False Sense of Security; Introduce and track security infrastructure locally for the APIs separate from the central security of an organization.

Theme 4: Improvements in security of APIs; Implement improvements in the security of APIs.

This study verified that APIs are insecure in zero trust networks, organizations lack resources and training to educate users about APIs, and users depend on the overall security of the network instead of standalone API security. The study also showed that most users and organizations are unaware of the APIs they use and rely on third-party providers to control their APIs. This can be dangerous in that the user or organization does not have any control over their APIs, which can lead to third-party providers misusing their customers' APIs, leading to non-transparency in API design. Given the increasing number of APIs in organizations over the years, it is crucial to ensure that API security protocols are followed at every step of the process to safeguard the security of zero trust networks [21].

VII. CONCLUSION

Zero Trust Architecture is a popular concept based on zero trust concepts, which is different from the concept of variable trust in traditional networks. This new architecture is considered normal in these current times and will become permanent as time progresses. Instead of a security perimeter, ZTA is comprised of policy-implemented components which interact with each other. These components define, administer, and enforce network traffic based on authentication and authorization techniques. For zero trust applications, APIs are used to communicate between different servers in microservice networks. In the current environment, where hacking is prevalent and attack surfaces are increasing, it is imperative to strengthen APIs. The results of a qualitative study showed that data vulnerabilities can arise from using insecure APIs in a secure environment, and the ways of mitigating attacks from insecure APIs. Better training and security protocols must be implemented at each step of the design process. Secure APIs within ZTAs will contribute to a more robust network and can help deter data breaches. In addition, organizations must implement zero-trust networks and their applications quickly to avoid data breaches and security risks.

ACKNOWLEDGMENT

I would like to thank Dr. Sondria Miller and Capitol Technology University for helping me to finish my research. Thanks are due to my family for their patience and support.

REFERENCES

[1] Check Point Research, "Cyber Attacks Increased 50% Year over Year," corporate blog. [online]. Available: https://blog.checkpoint.com/2022/01/10/check-point-research-cyber-attacks-increased-50-year-over-year
[2] M. K. Pratt, "What is zero trust? A model for more effective security," CSO from IDG, January 2018. [online]. Available: https://www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-security.html
[3] "History of Zero Trust Security," Infraon Blog. [online]. Available: https://infraon.io/blog/history-of-zero-trust-security/
[4] S. Rose, O. Borchert, S. Mitchell and S. Connelly, "SP 800-207 Zero Trust Architecture," National Institute of Standards (NIST) document NIST SP 800-207, August 2020. [online]. Available: https://csrc.nist.gov/publications/detail/sp/800-207/final
[5] N. Fisher, "A brief history of zero trust security," August 2018. [online]. Available: https://www.okta.com/blog/2018/08/a-brief-history-of-zero-trust-security/
[6] B. Violino, "Why companies are moving to a 'zero trust' model of cyber security," August 2020. [online]. Available: https://www.cnbc.com/2022/03/01/why-companies-are-moving-to-a-zero-trust-model-of-cyber-security-.html
[7] White House, "Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems," January 2020. [online].
[8] G. Levin, "The role of API gateways in API security," DZone Integration, August 2020. [online]. Available: https://dzone.com/articles/the-role-of-api-gateways-in-api-security
[9] S. Campbell, "Postman's 2021 State of API Report Finds APIs Key to Sparking Innovation During Pandemic, Ushering in API-First World," Business Wire, January 2020. [online]. Available: https://www.businesswire.com/news/home/20211028005033/en/Postman%E2%80%99s-2021-State-of-API-Report-Finds-APIs-Key-to-Sparking-Innovation-During-Pandemic-Ushering-in-API-First-World
[10] J. Bansal, "Why Zero Trust Must Be Extended To APIs," Forbes Technology Council, January 2021. [online]. Available: https://www.forbes.com/sites/forbestechcouncil/2021/11/02/why-zero-trust-must-be-extended-to-apis/?sh=14be865e8da3
[11] Curity.io, "Zero Trust Architecture is a Token-Based Architecture," Curity, 2022. [online]. Available: https://curity.io/resources/learn/zero-trust-overview/
[12] Paloaltonetworks.com, "Implementing Zero Trust Using the Five-Step Methodology," Palo Alto Cybersecurity, 2022. [online]. Available: https://www.paloaltonetworks.com/cyberpedia/zero-trust-5-step-methodology
[13] K. Raina, "Zero Trust Security Explained: Principles of the Zero Trust Model," May 2021. [online]. Available: https://www.crowdstrike.com/cybersecurity-101/zero-trustsecurity/
[14] Zscaler, "What is ZTNA," 2022. [online]. Available: https://www.zscaler.com/resources/security-terms-glossary/what-is-zero-trust-network-access
[15] A. Welekwe, "9 Best Zero Trust Networking Software for 2022," Comparitech, August 2022. [online]. Available: https://www.comparitech.com/net-admin/zero-trust-networking-software/
[16] C. Kime, "Best Zero Trust Security Solutions for 2022," eSecurity Planet, July 2020. [online]. Available: https://www.esecurityplanet.com/products/zero-trust-security-solutions/
[17] C. Kime, "Top 8 Zero Trust Network Access Products for Small Businesses," IT Business Edge, June 2022. [online]. Available: https://www.itbusinessedge.com/security/smb-zero-trust-solutions/

[18] Microsoft.com, "Implementing a Zero Trust security model at Microsoft," June 2022. [online]. Available: https://www.microsoft.com/enus/insidetrack/implementing-a-zero-trust-security-model-at-microsoft
[19] D. Son, "Google Zero Trust: Ultimate Guide to BeyondCorp | Google Cloud," November 2021. [online]. Available: https://securityonline.info/google-zero-trust-ultimate-guide-to-beyondcorp-google-cloud/
[20] F. Qazi, "A Qualitative Study of Security in Application Programming Interfaces (APIs)," 20th International Conference on Security Management (SAM'21), USA, July 2021.
[21] F. Qazi, "Insecure Application Programming Interfaces (APIs) in Zero-Trust Networks," Capitol Technology University, ProQuest Dissertations Publishing, 28966153, 2022.
[22] J. P. Mello, "Toward zero-trust: 8 steps to boost app sec," TechBeacon, 2019. [online]. Available: https://techbeacon.com/security/toward-zero-trust-8-steps-boost-app-sec
[23] J. Gerring, Case Study Research: Principles and Practices. Cambridge, England: Cambridge University Press, 2007.
[24] M. Q. Patton, Qualitative Research & Evaluation Methods: Integrating Theory and Practice, 4th ed. Thousand Oaks, CA: Sage Publications, 2014.
