Trust is a vulnerability. Protecting the network perimeter and trusting authenticated users is replaced with a new paradigm in which you trust nothing and verify everything. Welcome to Zero Trust.
Castles and moats
The traditional model of cybersecurity has been compared to a castle and a moat. You bring all your precious possessions inside the fortified walls and you regulate access with a portcullis, a drawbridge and a moat.
If anyone wants to enter the castle, they must have a conversation with the guards at the gatehouse. If the individual is recognized as someone who should be allowed in, the drawbridge is lowered, the portcullis is raised and they are let in. If they are not recognized but carry a token attesting to their identity, such as a parchment bearing the signature and official seal of a trusted nobleman, they will be allowed entry. A stranger with no way of identifying himself is left outside.
With a network, you have your precious network assets inside your firewalls and other digital fortifications. Network connections are only allowed after a conversation between the device that wants to connect and the network authentication services. A username and password pass between them. If the credentials are accepted, access is granted and the device is allowed within the perimeter. Obviously, today, your scope has expanded to include your cloud assets.
The person you just admitted may have bona fide credentials, but they can still have malicious intent. And they now have the run of the castle. Or the network.
With Zero Trust, you don’t authenticate once and then trust for the duration of the connection. Zero Trust’s refined maxim is “Never trust, always verify”. And you keep checking even when the visitor – regardless of how often they visit – has been cleared into your perimeter.
The basic concept of Zero Trust is that organizations should never automatically trust anything inside or outside the network. In other words, don’t automatically trust someone trying to get inside, and don’t trust anyone just because they’re on the inside. Zero Trust is built on technology, topology and governance. Many of the technologies have been around for a long time.
The first consideration is user identification and authentication. It goes beyond a username and a strong password. Multifactor authentication (MFA) is the standard. Passwordless authentication using standards such as FIDO2 can also be used. And the identification also includes the device from which the user is accessing the network. Is this their usual corporate device, connecting from inside the network? Is this a corporate laptop connecting from outside the perimeter? Or is it a personal device? Is it connecting from an IP address that has been seen before?
IT governance comes into play here. You define the behavior that you are going to allow. Can someone use a personal device from outside the network, or only inside the network, or neither? Or maybe staff can use them inside the network, but they are limited to read-only access.
Together the user and the device are given a value, something like a security score. It dictates what that user session is capable of, based on the user’s role and privileges and the company’s knowledge, experience, and trust in the device. If the device is a well-known computing device listed in the IT asset registry, the operating system is updated and endpoint protection has the latest signatures, it will be treated very differently from an unrecognized personal tablet connecting from an unknown IP address.
The second consideration is the design of the network. A flat network topology is like an open-plan office: anyone can wander anywhere. A flat network is too easy to navigate and explore laterally. Network segmentation, even down to micro-segmentation, using next-generation switches and firewalls will provide granular access controls to restrict access to sensitive or valuable data or assets. Only users with legitimate access rights – and a verified device – will be able to access the different segments of the network.
The third consideration is control at the application level. Who can access the various software and services you have on your network? Depending on the network segment in which the app is hosted and the score of the user and the device, you can grant or remove permission for users to run or use particular software packages.
With Zero Trust, you provide controls and protections as close as possible to the item you are protecting. You design your network and its segmentation and protection requirements from the inside out, not from the outside in.
Commercial software is available to help achieve this level of granular control and authentication of users and devices. These products provide invaluable reporting, monitoring and alerting that can be customized to respond to different events and triggers such as device hardware type, firmware level, operating system version, patch level, and the detection of security incidents.
Implement Zero Trust
Implementing a Zero Trust Architecture (ZTA) on an existing corporate network is best achieved by phasing it in as part of your overall digital transformation strategy. Trying to adapt an entire ZTA to an existing corporate network big-bang style won’t end well.
An ideal opportunity is when you are planning a migration to the cloud. You can think of the cloud as a blank slate and implement the ZTA layers before you move your business to the cloud.
Understand your network, assets and data flows
Carefully map your network. This includes the current topology and all devices connected to the network. This will require an asset discovery phase. There are software tools that can help, but it usually also involves walking the floor, climbing into server rooms and cabinets, and crawling under desks. Don’t forget the assets that are in staff homes.
You should also understand the data, apps, and services that users of the devices access.
You are now in a position where you can perform risk analysis. If the risks cannot be mitigated using a ZTA, you may need to keep some of your existing security controls until you can rearrange your workflows or topology to allow the ZTA to provide sufficient protection when the subsequent phases of your digital transformation are implemented.
Building identity outward
They say that with Zero Trust, identity is the new perimeter. Identity must therefore be managed and controlled securely. The principle of least privilege should be followed so that a user has the permissions they need to fulfill their role and nothing more. Users should never share account credentials.
An identity and access management (IAM) system compatible with internal and external services will provide a single, central and secure source of identity verification. You may benefit from having an IAM system that can federate with external systems used by third parties that may need periodic access to your network.
Applications and devices, including Internet of Things devices, should be assigned their own identity with the minimum privileges necessary for them to function. Applications and services can use certificate-based authentication to enable connections to other software platforms, for example.
Leveraging health information
Device identity will be used in challenge and response conversations regarding the security state of the device – including the patch status of applications and operating system and the presence and status of endpoint protection – together with the identity of the user, to decide what the device is allowed to do. Deeper checks can be made of the device, such as the firmware version and the device’s boot process.
The user associated with the device may also be assigned a health score. Are they connecting from an unknown IP address that suggests a geographic anomaly? Are they trying to log in at three in the morning?
The rules and policies that you create in your Zero Trust management platform will determine what the user can do.
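As an added illustration (not code from the original article) of the scoring described earlier and of the rules and policies just mentioned, the following constructed Python policy check scores a user session and device from the signals the text lists, then decides per network segment whether to allow, require step-up authentication, limit to read-only, or deny. The signal weights, thresholds, segment names and roles are assumptions chosen for the example.

```python
from dataclasses import dataclass
# Constructed, added example: a minimal Zero Trust policy check. Weights,
# thresholds, segment names and roles are assumptions for illustration only.
@dataclass
class Device:
    in_asset_registry: bool       # listed in the IT asset registry
    os_patched: bool              # operating system fully patched
    edr_signatures_current: bool  # endpoint protection signatures current
    corporate: bool               # corporate-managed rather than personal

@dataclass
class Session:
    mfa_passed: bool
    role: str
    known_ip: bool                # source IP previously seen for this user
    hour_local: int               # local hour of the login attempt (0-23)

# Micro-segments: minimum score, whether step-up auth is always demanded, roles allowed
SEGMENTS = {
    "public-docs": {"min_score": 20, "step_up": False, "roles": None},
    "hr-records":  {"min_score": 60, "step_up": True,  "roles": {"hr"}},
    "finance-db":  {"min_score": 80, "step_up": True,  "roles": {"finance"}},
}

def trust_score(dev: Device, sess: Session) -> int:
    """Combine device posture and user context into a 0-100 score."""
    score = 20 if dev.in_asset_registry else 0
    score += 15 if dev.os_patched else 0
    score += 15 if dev.edr_signatures_current else 0
    score += 10 if dev.corporate else 0
    score += 25 if sess.mfa_passed else 0
    score += 10 if sess.known_ip else 0
    if sess.hour_local < 6:       # the "three in the morning" anomaly
        score -= 20
    return max(0, min(100, score))

def decide(segment: str, dev: Device, sess: Session) -> str:
    """Return 'allow', 'step_up', 'read_only' or 'deny' for one request."""
    pol = SEGMENTS[segment]
    if not sess.mfa_passed:
        return "deny"             # never trust a session without MFA
    if pol["roles"] is not None and sess.role not in pol["roles"]:
        return "deny"             # least privilege: role must match
    if trust_score(dev, sess) < pol["min_score"]:
        return "deny"
    if not dev.corporate:
        return "read_only"        # governance rule: personal devices read-only
    return "step_up" if pol["step_up"] else "allow"
```

Every decision is re-evaluated per request, so a session that was allowed earlier is denied as soon as its score or role no longer satisfies the segment's policy.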
Trust is a vulnerability
In zero trust networks, everything is considered hostile and all connections that access data or services must be authenticated. User access is controlled using multi-factor authentication or key-based passwordless systems and an identity and access management system.
Additional authentication will be required when the user wishes to access sensitive or valuable data or other assets. But that doesn’t mean the user experience has to be bad. In fact, with a physical security key or key-fob based system, it can actually improve.
Services and applications can authenticate through API calls or using a public key infrastructure.
Protect devices, users and services
Zero Trust means not trusting anything, not even your own network. Your devices must be protected against threats that may exist within your own network. You will still need endpoint protection software to guard against viruses and other malware, and authenticated and encrypted protocols such as Transport Layer Security (TLS) should be used to access basic network services such as the Domain Name System (DNS).
Basic cyber hygiene, such as monitoring the network for unauthorized devices or inexplicable behavior, must continue, and patch regimes must be maintained.
Because you’ve invested some effort in mapping your network and determining which devices, applications, and services users will need to access, your Zero Trust monitoring can use this information to detect any attempts to violate the policies you have put in place.
Use commercial offers and standards
Use software, services, platforms, and vendors that already support Zero Trust. You should avoid trying to build your own support infrastructure due to the cost, complexity, and potential for error.
The standard cybersecurity mantra of using tools, products and services designed and developed by specialist professionals holds true here.
Whenever possible, use standards-based solutions. You’ll benefit from easier interoperability between devices and services, and it simplifies federation between the external systems you want to connect and interact with, such as those provided by your cloud provider.