Redefining Security Through the Layers of Zero Trust
Trust is a luxury of yesteryear. Traditional measures of security, whether locking a home or securing data, are revealing their vulnerabilities. People and businesses often find themselves struggling to keep pace with the threats and cybercriminals that are gaining effectiveness and presence.
Zero Trust is a groundbreaking approach that challenges the age-old notion of trust and redefines the way we safeguard our networks. A concept that is gaining momentum rapidly in the realm of cybersecurity, Zero Trust is transforming the way organizations approach data protection, access control, and threat mitigation.
When considering the concept of Zero Trust, the perspective that is adopted is one that regards each person as an external entity. They are treated as a stranger until they effectively ‘prove’ that they belong.
The Intent Behind the Strategy
Zero Trust is a security strategy characterized by the strict enforcement of security policies, prioritizing the most restrictive measures. This approach mandates rigorous system hardening, operating under the assumption that a compromise or breach has occurred and that every request is untrusted and requires verification before granting access to the network. The Zero Trust model is adaptive to any organizational environment and embodies the philosophy of perimeter-less security, also known as deperimeterization in system design and implementation. The idea behind deperimeterization is to deconstruct the traditional barriers between cloud, remote work, mobile services, Wi-Fi, and outsourced contracting.
Zero Trust follows the principle of “trust but verify”. It echoes the approach taken by President Reagan during his negotiations with the INF and START 1 treaties with the Soviet Union, regarding nuclear disarmament in the late 1980’s and early 1990’s. This concept underscores the importance of prioritizing trust verification over maintaining a cordial partnership, emphasizing that the end result holds greater significance than the business relationship - a crucial mindset for security professionals.
Recognizing user behavior is a fundamental aspect of Zero Trust, enabling administrators to understand the interactive relationship between users and the objects they access. Security devices, such as adaptive security appliances are configured to identify patterns and observe deviations in behavior and asset states. If regular users attempt to access an executable file outside of normalcy, such actions are flagged for scrutiny. Even when users are working remotely outside the enterprise and are connected to public Wi-Fi, the connection isn’t trusted, and a VPN tunnel needs to be employed. Enterprises may opt to classify personally owned devices as resources if they require access to company-owned assets. Communication must adhere to the most secure methods available, without trust being automatically granted, even for devices within the enterprise network infrastructure.
Access and Authentication
It is important to distinguish between access and privileges. Access pertains to the capability granted to users, such as reading, writing, or executing a file. Access allows users to interact with intangible network assets. In contrast, privileges encompass specific actions that users can perform on data items such as an executable or opening an Excel sheet. The combination of these two elements forms permissions, which dictate how a user can interact with an object or data items. In essence, it signifies the consent of the administrator or the system for individuals or groups to carry out specific actions.
The adoption of centric micro-services and segmentation supports the strategic principle of least privilege within Zero Trust. The foundational principles of Zero Trust encompass an entire security strategy focused on the development of access policies, rigorous user and machine authentication, and a centralized, trusted source for verifying user identities. At the heart of Zero Trust lies the concept of necessitating secure and authenticated access from each resource when a user is prompted to log in or utilize any form of asset. The use of tools such as PKI, MFA, or Authentication and Access control are essential on each endpoint device.
In the realm of Zero Trust, authentication hinges on both identity and context. Users must undergo continuous verification throughout their interactions, gaining access only to the precise resources needed. The Principle of Least Privilege goes beyond rigorous authentication and authorization through augmentation of the Principle of Least Functionality. Administrators must also yield to the Zero Trust principles through stringent verification and authorization for specific actions.
Zero Trust principles can be extended to encompass alternative policy-based access control methods like Attribute-Based Access Control (ABAC) which relies on attributes for user authentication instead of the traditional discretionary access control. ABAC primarily focuses on characteristics derived from the environment and the nature of the object a user is attempting to access. It offers a highly adaptable approach by providing access-based context to the evaluation of attribute requests regarding the subject, the object being accessed, and the environmental conditions.
Environmental controls examined in ABAC encompass factors such as the timeframes during which users seek access to system resources, the type of device in use, and even the communication and encryption protocols employed to secure network traffic. Timeframe-based access controls allow device connectivity actions to be active during specific hours of the day, typically determined by administrators. For instance, administrators can specify that each employee has access to company resources only during regular work hours, such as 9am to 5pm Monday through Friday, taking into account the designated time zone for device operation. If a login attempt occurs outside the specified timeframe, the system refuses to trust the device, resulting in authentication failure.
NAC or Network Access Control is a good stepping stool that can be used to achieve Zero Trust. When devices log into the company’s captive portal, they undergo authentication against the AAA server to verify their presence on the authorized company device whitelist. A server with ‘triple A’ capabilities is able to authenticate, authorize, and account for all users trying to log into the network. This verification may involve inspecting the device’s MAC address or IP address for identification purposes.
Furthermore, location-based access control (LBAC) is another control mechanism in play. LBAC hinges on determining the geographical location or geolocation of a person or device to regulate access based on an authorized list or range of IP addresses. IP addresses falling outside of this predefined range are deemed untrusted devices. Location also serves as an authentication method for identity verification.
Types and Principles
Multifactor Authentication (MFA) plays a crucial role in enhancing security and aligning with a Zero Trust security policy by adding an extra layer of verification to the authentication process. There are four types of MFAs that combine to form a formidable front.
- Type 1 is the most common primary mechanism where users provide information they know.
- Type 2 involves a physical object such as a smart phone, keys, or USB drive that aligns with the primary authentication mechanism, using either asymmetric or symmetric tokens (such as a PIN number).
- Type 3 is considered the strongest, as it incorporates biometrics that require users to provide fingerprinting, facial recognition, eye, palm (hand geometry), or retinal data to authenticate devices for access.
- Type 4 uses LBAC which, as described previously, leans on location-based authentication.
Employing these types of MFAs collectively aligns with Zero Trust principles, and numerous third parties adopt these methods to remain compliant with Zero Trust practices.
Zero Trust Architecture (ZTA) operates within three primary principles that guide companies in aligning their business practices. These principles emphasize safeguarding, enhancing visibility, and maintaining control over network access for networks, data, workloads, individuals, and devices. ZTA is a strategic concept that shifts away from relying on trust within a network, and instead has a primary aim of proactively defending against potential data breaches. In this approach, security practitioners adopt a perspective where they assume that an attacker has already compromised a host, prompting them to proactively segment the network. This segmentation isolates compromised hosts within specific logical areas, creating a barrier that hinders the ability of the attacker to move laterally between hosts or network enclaves.
When implementing a Zero Trust Architecture, it is imperative to consistently re-evaluate trust. Users must adhere to system policies that strictly enforce authorization and authentication before granting access to enterprise resources. According to NIST 800-207 guidelines, a dynamic policy requires the asset management system to continually monitor the client’s identity, application, and the specific type of request made by the user, through evaluation of behavioral and environmental attributes.
In the realm of Zero Trust, the guiding principle is to treat everything as a potential threat, acknowledging that nothing can be entirely secure. Therefore, entities that interact with the network must undergo a thorough verification process. For example, Public Key Infrastructures (PKIs) often employ a hierarchical structure where a root Certificate Authority (CA) issues certificates to subordinate CAs, facilitating efficient communication among computer systems.
This system is meticulously crafted to identify and authenticate users seeking access to shared resources. Even within a closed network, individuals are required to possess authorized certificates before engaging in communication activities over the network. This highlights the critical importance of periodically updating certificates to prevent the establishment of repetitive patterns that could be exploited by attackers for unauthorized system access.
At this point of the ZTA, practitioners must look at everything as an external entity, whether they are internal or external users, and assume that a breach has been committed. This, in turn, will enforce authentication, authorization, and encryption of each user making a request to connect from an internal network entity. The request needs to be explicitly evaluated and validated before proceeding. Much like the Army motto “We train as we fight”, security operators at each level must treat even a simulated Zero Trust scenario as a real security breach.
The Certificate Revocation List (CRL) serves the purpose of invalidating certificates deemed untrusted. This can happen for various reasons, including certificate compromise, expiration, or a policy violation by an administrator or user. Even if the violation was accidental, the Zero Trust approach dictates that the system isn’t permitted to operate on the network using that certificate. The asset management device assumes a compromise of some sort, thus withholding trust until an updated certificate is issued. As long as certificates are kept up to date, the network infrastructure can maintain secure communication without impeding the performance or availability of network services.
Things to Consider
ZTA does have its drawbacks. By implementing numerous authentication and authorization mechanisms, we limit the expedited trust process, potentially impeding fast network performance. Security practitioners are now required to prioritize continuous monitoring, availability, and dynamic scaling to address both security concerns and network throughput.
It is essential to keep in mind that organizations may need to scale their systems both vertically, such as through software upgrades and increasing memory/RAM, and horizontally, involving segmentation and the addition of more devices. Doing so may entail adopting additional external systems to manage credentials and authentication systems. Consequently, organizations might have to invest in additional mechanisms to maintain network performance, whether through micro segmentation to enhance isolation, or the installation of load balancers to offset network connection activity.
By adopting a Zero Trust security model, businesses can fortify their defenses against evolving threats, both from external sources and insider risks. It compels them to focus on verifying identities, reducing trust perimeters, and continuously monitoring and adapting access controls. In an era where data breaches and cyberattacks have become much too common, embracing Zero Trust is more than just a best practice, it is a necessity.
As ZTA transitions cybersecurity from a static, network-centric perimeter approach, it shifts the perspective to consider everything and everyone as existing beyond the protective boundaries. The focus now centers on safeguarding user assets and network resources. It is important to remember that Zero Trust goes beyond a one-time implementation. It is an ongoing strategy that encompasses technology, policies, and user awareness. As technology evolves and threats become more sophisticated, so too must our perseverance.
Through the principles of Zero Trust, your organization will be better equipped to face the challenges of security while safeguarding your valuable information in a world where trust is a precious commodity.