Beginner's guide to zero trust security

Zero trust promotes a proactive defense strategy. It forces you to think "what if the trusted user, system, or network is already compromised?"


1. Prologue: the pre zero trust era.


Cybersecurity has historically been modeled around a virtual perimeter of trust. Trusted users, trusted user devices (endpoints), trusted suppliers, and trusted network infrastructure are the fundamental entities considered trustworthy and safe. Though it was instrumental in earlier days, this model has long been exploited by hackers for the following three reasons:

  1. Flawed security model: In the castle model, most security screening is performed at the perimeter of the building. If a hacker or malware can circumvent that perimeter, there is nothing to stop them inside. History tells us that the Achaeans effectively exploited this flaw in the Trojan War.
  2. Dated access control solutions: Most organizations implement access control with a network firewall. These solutions have zero visibility into and zero control over users' applications and services (web, email, SSH, RDP). If the network is compromised, there is nothing to stop hackers from accessing unauthorized applications. If an internal or trusted 3rd party user has malicious intent, there is no visibility into their malicious actions.
  3. Evolving enterprise workflow: With an ever-growing teleworking culture and remote workforce, IT has blurred visibility into and weak (if any) control over these workflows. The only tool organizations use to protect remote access is a VPN. While a VPN is an excellent technology for protecting the privacy and secrecy of data communication, it was not designed for authentication and authorization.

These shortcomings and the evolving landscape mean that hackers or malware only have to find a single flaw to breach the perimeter of trust. Once they achieve this, IT can do very little to stop them from spreading and pivoting to compromise further systems. There is no stopping them.


2. Defining zero trust security.

Zero trust is a security paradigm that forces you to think, "what if the trusted user, system, or network is already compromised?". Once the breach is assumed, it prepares the IT team to design their infrastructure and deploy security systems that survive malicious attacks.

Following, I present three fundamental elements (or strategies) that will help achieve the zero trust security model.

2.1.1. Explicit and extended authentication.

This is primarily used for access control.

Explicit verification - Zero trust mandates that verification (authentication) for access be performed every time. Internal employees? Internal office network? Senior executives? Suppliers? No one gets a special privilege, and everyone is authenticated every time.

Device trust - The legitimacy of access should not be based only on valid credentials and two-factor authentication. The cyber hygiene of the devices (mobile, laptop, PC) used to access is equally important. After all, data is stored on user devices. A zero trust system should verify, in real time, the cyber hygiene of the user device before allowing access.

2.1.2. Risk and context aware verification

This can be applied to access control, data protection, and infrastructure design.

Who is making the access, why, how, at what time, and with which device? A zero trust system should take the context of access into account before granting access. Once access is granted, it should also be able to monitor all authenticated activities for malicious intent.

A zero trust system should also be able to ingest threat intelligence to identify the risk of an access.
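The two elements above (explicit and extended authentication, and risk and context aware verification) can be combined into a single per-request decision. The following is an added example written for this guide, not code from Seknox's TRASA project or from any other vendor; the office address space, the threat intelligence list, the re-authentication window and the per-sensitivity risk limits are all constructed assumptions, chosen only to make the decisions visible.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed office address space and threat-intelligence feed (assumptions).
# A real deployment would ingest the TI list from a provider.
OFFICE_NETWORKS = [ip_network("10.0.0.0/8")]
THREAT_INTEL_BAD_NETWORKS = [ip_network("203.0.113.0/24")]  # RFC 5737 range

REAUTH_WINDOW_MIN = 60                                           # assumed
MAX_RISK = {"public": 60, "internal": 40, "confidential": 20}    # assumed

@dataclass
class Device:
    managed: bool          # enrolled in device management
    disk_encrypted: bool
    os_patched: bool
    edr_running: bool

@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool     # MFA completed for this session
    session_age_min: int   # minutes since that verification
    device: Device
    source_ip: str
    resource: str
    sensitivity: str       # key of MAX_RISK
    hour_utc: int

@dataclass
class Decision:
    allowed: bool
    risk: int
    reasons: list

def posture_failures(device: Device) -> list:
    """Device trust: every hygiene check the device currently fails."""
    checks = {
        "unmanaged device": not device.managed,
        "disk not encrypted": not device.disk_encrypted,
        "os not patched": not device.os_patched,
        "edr not running": not device.edr_running,
    }
    return [name for name, failed in checks.items() if failed]

def risk_score(req: AccessRequest) -> tuple:
    """Context-aware risk: where and when, plus threat intelligence."""
    score, reasons = 0, []
    src = ip_address(req.source_ip)
    if any(src in net for net in THREAT_INTEL_BAD_NETWORKS):
        score += 50
        reasons.append("source flagged by threat intel")
    if not any(src in net for net in OFFICE_NETWORKS):
        score += 15
        reasons.append("request from outside office network")
    if req.hour_utc < 6 or req.hour_utc > 21:
        score += 15
        reasons.append("off-hours access")
    return score, reasons

def evaluate(req: AccessRequest) -> Decision:
    """Default deny: each control must pass on every single request."""
    # 1. Explicit verification: no standing trust, no privileged exceptions.
    if not req.mfa_verified:
        return Decision(False, 0, ["mfa not verified"])
    if req.session_age_min > REAUTH_WINDOW_MIN:
        return Decision(False, 0, ["verification expired, re-authenticate"])
    # 2. Device trust: hygiene is checked at request time, not at enrolment.
    failures = posture_failures(req.device)
    if failures:
        return Decision(False, 0, failures)
    # 3. Risk and context: the same user may be allowed from the office at
    #    10:00 and denied from a flagged network or late at night.
    score, reasons = risk_score(req)
    limit = MAX_RISK.get(req.sensitivity, 0)
    if score > limit:
        reasons.append(f"risk {score} exceeds limit {limit} for {req.sensitivity}")
        return Decision(False, score, reasons)
    return Decision(True, score, reasons or ["all checks passed"])

HEALTHY = Device(managed=True, disk_encrypted=True, os_patched=True, edr_running=True)
UNPATCHED = Device(managed=True, disk_encrypted=True, os_patched=False, edr_running=True)

# Constructed sample requests, all for the same user.
SAMPLES = {
    "office_daytime": AccessRequest("alice", True, 5, HEALTHY, "10.1.2.3", "hr-db", "confidential", 10),
    "home_internal": AccessRequest("alice", True, 5, HEALTHY, "198.51.100.9", "wiki", "internal", 10),
    "home_night_confidential": AccessRequest("alice", True, 5, HEALTHY, "198.51.100.9", "hr-db", "confidential", 23),
    "flagged_network": AccessRequest("alice", True, 5, HEALTHY, "203.0.113.7", "wiki", "internal", 10),
    "unpatched_device": AccessRequest("alice", True, 5, UNPATCHED, "10.1.2.3", "wiki", "internal", 10),
    "stale_session": AccessRequest("alice", True, 120, HEALTHY, "10.1.2.3", "wiki", "internal", 10),
}

def run_samples() -> dict:
    """Evaluate every constructed sample; returns name -> Decision."""
    return {name: evaluate(req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, d in run_samples().items():
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{name:24s} {verdict:5s} risk={d.risk:<3d} {', '.join(d.reasons)}")
```

Running it shows the point of the section: the same user with valid MFA is allowed to the wiki from home during the day, denied the confidential HR database from home at night, denied everything from a network on the threat intelligence list, and denied from an unpatched device regardless of where the request comes from. The decision is recomputed on every request, so none of these outcomes depends on what was decided at login.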

2.1.3. Security breach and impact containment.

This is primarily used for data protection and infrastructure design.

Despite deep security controls, let's say an attacker still manages (they will always find a way) to compromise an account, a server, or a network segment. What now? Zero trust ensures that the compromise of one entity or element does not mean the end of the world.

This can be achieved by technologies such as

  • Micro network segmentation (so that one compromised network does not let the attacker or malware pivot to every connected network),
  • Application sandboxing.
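To make the containment idea concrete, here is an added example (written for this guide, not Seknox code) that models micro segmentation as a default-deny allow-list between network segments and then measures how far a foothold in one segment can pivot. The segment address ranges, the allowed flows and the flow-log records are all constructed for illustration.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed segments (assumption): one /16 for workstations, one /24 per tier.
SEGMENTS = {
    "workstations": ip_network("10.10.0.0/16"),
    "web": ip_network("10.20.0.0/24"),
    "app": ip_network("10.30.0.0/24"),
    "db": ip_network("10.40.0.0/24"),
}

# Allow-list of (source segment, destination segment, destination port).
# Anything not listed is dropped; there is no implicit trust between segments.
ALLOWED_FLOWS = {
    ("workstations", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
}

def segment_of(ip: str):
    """Return the segment name an address belongs to, or None if unknown."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def flow_allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """Default deny: a flow passes only if an explicit rule covers it."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    return (src, dst, port) in ALLOWED_FLOWS

def blast_radius(segment: str) -> set:
    """Segments an attacker could eventually reach from a foothold in
    `segment`, following only the allowed rules hop by hop."""
    seen, queue = set(), deque([segment])
    while queue:
        cur = queue.popleft()
        for src, dst, _port in ALLOWED_FLOWS:
            if src == cur and dst not in seen and dst != segment:
                seen.add(dst)
                queue.append(dst)
    return seen

def flat_network_radius() -> set:
    """For comparison: in a flat network every segment is reachable."""
    return set(SEGMENTS)

# Constructed flow records ("src dst port"), as a flow log might record them.
SAMPLE_FLOWS = [
    "10.10.5.5 10.20.0.10 443",    # user browsing the web tier
    "10.20.0.10 10.30.0.10 8080",  # web tier calling the app tier
    "10.10.5.5 10.40.0.10 5432",   # workstation straight to the database
    "10.20.0.10 10.30.0.10 22",    # web host trying ssh into the app tier
    "10.40.0.10 10.10.5.5 445",    # database host reaching back to a workstation
]

def audit(records) -> list:
    """Return the records segmentation would drop. In a flat network these
    would have succeeded silently; here each one is a detection signal."""
    dropped = []
    for rec in records:
        src, dst, port = rec.split()
        if not flow_allowed(src, dst, int(port)):
            dropped.append(rec)
    return dropped

if __name__ == "__main__":
    for seg in SEGMENTS:
        print(f"foothold in {seg:12s} can reach {sorted(blast_radius(seg))}")
    print("flat network reaches", sorted(flat_network_radius()))
    for rec in audit(SAMPLE_FLOWS):
        print("DROPPED:", rec)
```

Two things are worth noticing in the output. A foothold in the database segment reaches nothing, and a foothold in the web tier can only move "forward" through the specific ports the application needs, whereas the flat network lets every segment reach every other. The audit of the flow records also shows why segmentation is a detection control as well as a containment one: a workstation talking directly to the database, or a database host reaching back to a workstation, is exactly the pivot the section describes, and with default deny those attempts are dropped and logged rather than succeeding quietly.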

2.2. Relating zero trust model to COVID-19 screening.

Amid Covid-19, all trusted employees are screened for temperature and are subject to contact tracing. Not because employees are malicious, but because the virus may already have compromised them, unbeknownst to the employee.

2.3. Understanding market jargon

Though zero trust is the current security market hype, the concept has been discussed since as early as 2004. The Jericho Forum popularized the concept of de-perimeterisation and security without borders. The term "zero trust" was first coined by John Kindervag at Forrester Research in 2010 and picked up hype when Google released a research paper on BeyondCorp, Google's implementation of the zero trust model. In fact, Google was one of the first organizations to implement zero trust at a large scale and showed how it could be done practically.

Following, I'll try to describe a few other jargon terms you might hear related to zero trust security.

Zero Trust Network Access (ZTNA) - An umbrella term popularized by Gartner that refers to zero trust based access control solutions.

Zero Trust eXtended - An umbrella term popularized by Forrester that refers to solution providers with zero trust capabilities.

BeyondCorp - Project name for the zero trust access control solution developed and implemented by Google to protect all access to Google's internal infrastructure and services.

Zero Trust Service Access - Used by Seknox (shameless plug :P). It refers to our open source zero trust based service access platform.

Secure Access Service Edge (SASE) framework - Gartner's recommended security strategy, which promotes zero trust as the core technology of the framework.


3. The zero trust advantage.

Zero trust is an essential strategy for cyber resilience. With proper zero trust adoption in the organization's workflow, there are many possibilities for business success, including:

3.1. Data protection

The whole premise of zero trust is to secure data. Since security is modeled around data, your business will have a data protection strategy and guardrails by default.

3.2. Protection from insider threats

Explicit and extended authentication ensures every access to servers, applications, and data is equally monitored and verified, so that no insider can misuse their privilege.

3.3. Protection from compromised users and endpoints

Risk and context aware verification ensures compromised users, endpoints, and credentials are detected and stopped before they cause a further data breach.

3.4. Protection from compromised networks

Security breach and impact containment ensures that one compromised network, or one compromised service in a network, cannot be used to pivot and compromise adjacent networks.

3.5. Secure remote working (work from home, teleworking)

Remote working has become an essential requirement post Covid-19. Zero trust, especially zero trust access control solutions, is a must-have security solution that will allow organizations to embrace remote working while keeping hackers at bay.


4. Planning for zero trust implementation.

The core principles of zero trust security can be applied in any context of security modeling.

Note: there is no such thing as a "zero trust product" but rather products or tools that help achieve zero trust!

Step 1) Know and classify data

Knowing and classifying data (business data, customer data) is the first step in implementing zero trust. When you classify data, you will be able to plan and prioritize what needs to be secured first.

Step 2) Identify and build an inventory of all organization resources (users, endpoints, software)

The next step is to create a catalog of every resource that has access to this data. Identify the stakeholders (users who have direct or indirect access to data) and how they interact with the data (user devices and applications).

Step 3) Assuming any resource or workflow identified in the previous steps can or will be compromised, implement guardrails.

Once you know your data and who has access to it through which medium, plan for the cases in which

  1. A malicious insider tries to exfiltrate data,
  2. A compromised user or user device tries to exfiltrate data,
  3. Network malware tries to exfiltrate data.

Assuming breach by the above methods, implement explicit and extended authentication, risk and context aware verification, and security breach and impact containment, so that a compromised or malicious entity does not lead to a security breach.


5. How Seknox can help in your zero trust journey.

Our zero trust service access solution (the TRASA project) protects remote access to internal servers and services by internal teams (DevOps, Marketing, Support, Finance, etc.), 3rd party vendors (MSPs, suppliers), and machine access that calls internal APIs. It satisfies explicit and extended authentication and risk and context aware verification.

Reach out to our team for more information at [email protected]