A few years ago I wrote a blog article about the zero-trust network security model and why I thought it was something every organization should be thinking about implementing.

While I still believe that to be true—probably more true than ever, in fact—the landscape since then has changed a great deal, particularly because of the increase in cloud-based services, and zero-trust is now an extremely achievable goal.

What is zero-trust?

Networks are built with zones of trust. In the simplest version, you have “inside” and “outside,” representing your network and the public internet (or any other external networks you might connect to). You put a firewall in between the zones and control access between them in both directions.
Everything on the inside is said to be “trusted.” Any computer in your network can connect to any server, or printer, or any other device. Everything on the outside is “untrusted.”

Untrusted doesn’t mean there’s no access between the two domains. It means the access is controlled. Ideally, this control should involve some sort of authentication and authorization mechanism that determines exactly which resources you can access and forces you to prove who you are.
So the key aspects of a good zero-trust model are access control, authentication, and authorization.

Zero-trust means those controls are applied to everything, all the time. Nothing is trusted automatically just by virtue of being connected to the network in a particular way.

Why would you want zero-trust?

The desire for zero-trust comes from the fact that you really can’t assume any system is completely trustworthy. An attacker could compromise one system and then use that access to compromise other systems.

If everything on the internal network of a large corporation is trusted to access the accounting system, then all an attacker needs to do is to compromise one system. In network architectures where the entire internal network is designated as “trusted,” an attacker may not have login credentials for a sensitive resource, but they could look for other ways to attack it. Perhaps it has a security vulnerability, or maybe it has a default system administrator password that’s ignored because it can only be used from the internal network.

There are many easily compromised systems on any such corporate network, such as printers, cameras, smart TVs, or legacy appliances of various types. Nobody ever patches these systems, and they’re all encrusted with security vulnerabilities. If an attacker can set up camp on one of these systems, they can operate with impunity from the trusted network.

But if that printer is segregated onto a different network that’s isolated by a firewall except for specifically authorized printing functions, then there’s almost nothing dangerous a compromised printer can do.

The idea is to isolate everything. So if one device is compromised, whether it’s a user workstation or an insecure camera, there’s very little an attacker can do to damage the rest of the organization.
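As an added illustration of the segmentation described above (example code, not from the original article), the following Python models a default-deny zone policy: a flow is permitted only when an explicit allow rule matches it, so a compromised printer that tries to reach the file server or a workstation is refused, while a workstation sending a print job is not. Zone names, address ranges, ports and the connection attempts are all constructed for the example.

```python
"""Default-deny zone policy evaluator (added example; all values constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zones: each trust zone is one address range.
ZONES = {
    "workstations": ip_network("10.10.0.0/16"),
    "printers": ip_network("10.20.0.0/24"),
    "servers": ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int


# Allow-list: only the specific print functions are permitted, and only in the
# workstation -> printer direction. Anything not listed, including any
# printer-initiated connection, falls through to the default deny.
RULES = [
    Rule("workstations", "printers", "tcp", 9100),  # raw (JetDirect-style) printing
    Rule("workstations", "printers", "tcp", 631),   # IPP
    Rule("workstations", "servers", "tcp", 445),    # file shares
]


def zone_of(addr: str) -> Optional[str]:
    """Map an address to its zone, or None if it is in no known zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(src: str, dst: str, proto: str, port: int) -> bool:
    """Return True only when an explicit rule permits the flow."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return False  # unknown address: nothing is trusted by default
    return any(
        r.src_zone == s and r.dst_zone == d and r.proto == proto and r.port == port
        for r in RULES
    )


# Constructed connection attempts, including what a compromised printer would try.
ATTEMPTS = [
    ("10.10.4.7", "10.20.0.9", "tcp", 9100),   # workstation prints: allowed
    ("10.20.0.9", "10.30.0.5", "tcp", 445),    # printer -> file server: denied
    ("10.20.0.9", "10.10.4.7", "tcp", 22),     # printer -> workstation: denied
    ("203.0.113.8", "10.30.0.5", "tcp", 445),  # outside address: denied
]


def audit(attempts=ATTEMPTS) -> List[Tuple[str, str, int, bool]]:
    """Evaluate each attempt and return (src, dst, port, allowed) for review."""
    return [(src, dst, port, evaluate(src, dst, proto, port))
            for src, dst, proto, port in attempts]


if __name__ == "__main__":
    for src, dst, port, allowed in audit():
        print(f"{src:>12} -> {dst}:{port}  {'ALLOW' if allowed else 'DENY'}")
```

The point of the structure is that the printer zone has no outbound rules at all: the firewall does not need to know what a compromised printer might try, because every flow it did not explicitly anticipate is already refused.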

Improving the trust model

In theory, you could apply zero-trust to anything. But the typical uses involve the most common applications like email, file storage, and core applications.

The big change over the past few years that has facilitated zero-trust is moving everything to cloud services. If your email, file storage, and office automation suite are at Microsoft Office 365 or Google Office, then you’re already most of the way there.

If your accounting system is a cloud-based software-as-a-service offering, or your core business applications run in cloud services that require users to sign in through a secure web browser session, that’s already a form of zero-trust. The systems are already separated from the users by firewalls. Every user already needs to authenticate everything they do. And the authorization models in these services already restrict who can access what.

The question, at that point, is what you can do to improve the trust model. And the single best thing would be to move from single-factor authentication to multi-factor authentication.

Multi-factor authentication requires you to have some secondary way of proving your identity beyond merely having a user ID and password. The trouble with having everything on the internet is that an attacker can gain access to it by simply stealing (or guessing) a password.

This is an extremely serious issue for anything that’s generally accessible over the public internet. Hackers carry out brute-force attacks on all publicly exposed interfaces on a constant basis. Eventually they will get in. Multi-factor authentication helps to prevent this.

There are many multi-factor authentication systems available, ranging from physical tokens to smartphone apps. The best ones force you to identify yourself in real-time using a method that doesn’t go over the same network as the application itself.

For example, some multi-factor systems ask you to enter a number displayed on an app or on a physical fob. Some will send you a challenge of some kind to your smartphone and require that you respond appropriately. The idea is that, if somebody knows your password, they won’t have access to your fob or your smartphone, so they can’t supply the second authentication factor and they can’t get access.
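To make the “number displayed on an app” concrete, here is an added example (not code from the article) of what the server side does to verify a time-based one-time code as specified in RFC 6238: it derives the expected code from the shared secret and the current 30-second time step, tolerates one step of clock drift in either direction, and refuses to accept a time step twice, so a code that an attacker managed to observe once cannot be replayed. The secret below is the public test secret from RFC 6238, not a real credential, and the timestamps are constructed.

```python
"""RFC 6238 TOTP verification with drift window and replay protection (added example)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # what most authenticator apps display
DRIFT_STEPS = 1     # accept one step of clock skew in either direction

# Public test secret from RFC 6238 (ASCII "12345678901234567890"), base32-encoded
# the way an enrolment QR code would carry it. Not a real credential.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """The code an authenticator app would display at Unix time `at`."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check: drift window plus refusal to accept any time step twice."""

    def __init__(self, secret_b32: str, digits: int = DIGITS,
                 step: int = STEP_SECONDS, drift: int = DRIFT_STEPS) -> None:
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.digits, self.step, self.drift = digits, step, drift
        self.last_accepted = -1  # highest time-step counter already consumed

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_accepted:
                continue  # this step (or an earlier one) was already used: replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC6238_SECRET_B32, digits=8)
    code = totp(RFC6238_SECRET_B32, 59, digits=8)   # RFC 6238 vector: 94287082
    print("first use :", verifier.verify(code, now=59))    # True
    print("replayed  :", verifier.verify(code, now=59))    # False
```

The replay check matters because a code is only as secret as the channel it crosses: if it is phished or shoulder-surfed, the attacker has at most one time step in which to use it, and not at all once the legitimate user has. In a real deployment the `last_accepted` counter is stored per user rather than in memory.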

Note that, while it’s often useful to have a smartphone app as part of the multi-factor authentication process, it’s important that the communication method with that smartphone is secure. Text messages, in particular, aren’t secure and should be avoided as an authentication method.
You might need to work with your cloud service providers to find a multi-factor authentication system that’s common to all of your systems. This will make life much easier for your users.

One final consideration to note on multi-factor authentication: some smartphone app-based authentication models send an alert to the phone and ask the user to acknowledge that the access being requested is legitimate. If you use this model, make sure the alert states specifically what access has been requested and from where. This way the user can hopefully avoid being tricked into confirming access for an unknown external person who has guessed their primary password.

Zero-trust doesn’t solve everything

Zero-trust is a good thing and a good idea, but it doesn’t solve all of your security problems. You can still get malware. Your software-as-a-service provider can still be compromised by a clever attacker who’s aware of flaws in the system. And there’s also the possibility of a denial-of-service attack that simply makes you unable to reach your systems or your data.

The most prevalent example from the last several years is ransomware. A tiny piece of malware runs on a user’s computer and automatically assumes all of that user’s access rights, including the ability to modify files. If those files are on the central corporate file server, it can cause extensive damage.

We shouldn’t be trusting the user’s computer; we should only be trusting the user. But there really isn’t an easy way to tell the difference between malware running under a user’s account and legitimate software running under that same user’s account. Imposing a finer-grained authentication model in which the user has to authenticate every individual action is unworkable because they’d have to constantly authenticate themselves. (Yes, I really meant to do that. Click. And again. Click.) And then a piece of malware could sneak itself into the endless series of authentication requests and trick the user into supplying authentication credentials for a malicious action.

So zero-trust is not able to solve all of the world’s security problems. You still need to have backups to restore the encrypted files. And you need to have ways to detect malware on the endpoint. And you need to have ways to intercept command and control traffic. And so forth.
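The paragraph above says you still need ways to detect malware on the endpoint. As an added example (not from the article or from any product), here is a simple detection heuristic in Python run over constructed file-activity log lines: it flags a process that touches many distinct files within a short window when at least half of them end up with an extension outside the organisation’s known set, which is the trail a mass-encrypting process leaves and ordinary document editing does not. The log format, process names, paths and thresholds are all constructed for the example.

```python
"""Endpoint heuristic for ransomware-like mass file modification (added example)."""
import re
from collections import defaultdict, deque
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Constructed log format: "<epoch> <pid> <process> <WRITE|RENAME|CREATE> <path>"
LINE_RE = re.compile(r"^(\d+) (\d+) (\S+) (WRITE|RENAME|CREATE) (.+)$")

WINDOW_SECONDS = 60   # sliding window per process
MIN_FILES = 20        # distinct files touched in the window before we care
# Extensions the organisation expects to see edited; anything else is "odd".
KNOWN_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png"}


def parse(line: str) -> Dict:
    """Parse one constructed log line; returns {} for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    ts, pid, proc, action, path = m.groups()
    return {"ts": int(ts), "pid": int(pid), "proc": proc, "action": action, "path": path}


def odd_extension(path: str) -> bool:
    """True when the file now carries an extension outside the known set."""
    ext = PureWindowsPath(path).suffix.lower()
    return ext != "" and ext not in KNOWN_EXTS


def detect(lines: Iterable[str], window: int = WINDOW_SECONDS,
           min_files: int = MIN_FILES) -> List[Dict]:
    """Return one alert per process whose recent activity looks like mass encryption."""
    by_pid = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_pid[ev["pid"]].append(ev)

    alerts = []
    for pid, events in by_pid.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()
        for ev in events:
            recent.append(ev)
            while recent[0]["ts"] < ev["ts"] - window:   # drop events outside the window
                recent.popleft()
            files = {e["path"] for e in recent}
            odd = [p for p in files if odd_extension(p)]
            if len(files) >= min_files and len(odd) * 2 >= len(files):
                alerts.append({"pid": pid, "proc": ev["proc"], "at": ev["ts"],
                               "files": len(files), "odd_ext": len(odd)})
                break   # one alert per process is enough to trigger isolation
    return alerts


# Constructed sample: normal editing by one process, then a burst from another
# process renaming every document to a new extension within a few seconds.
BENIGN_LOG = [
    "1700000000 4120 winword.exe WRITE C:\\Users\\ana\\Documents\\report.docx",
    "1700000002 4120 winword.exe WRITE C:\\Users\\ana\\Documents\\report.docx",
    "1700000004 4120 winword.exe CREATE C:\\Users\\ana\\Documents\\~$report.docx",
]
BURST_LOG = [
    f"{1700000010 + i} 5931 update.exe RENAME C:\\Users\\ana\\Documents\\file{i}.docx.locked"
    for i in range(25)
]
SAMPLE_LOG = BENIGN_LOG + BURST_LOG

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"ALERT pid={alert['pid']} {alert['proc']}: {alert['odd_ext']}/{alert['files']} "
              f"files renamed to unknown extensions within {WINDOW_SECONDS}s")
```

The thresholds are deliberately simple and would need tuning in practice: a backup or archiving tool also touches many files quickly, which is why the rule requires the extension change as well as the volume, and why a real deployment pairs a heuristic like this with an allow-list of known bulk-processing binaries and with the backups the paragraph above calls for.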

But the good news is that many of the cloud services will also help to solve some of these other problems. If you’re using Microsoft Office 365 or Google Office, then ransomware is largely defeated by the fact that these services keep extensive backups. Once you disconnect the system corrupting your data, the service can quickly restore all of your files. And these services are also extremely responsive to patching security vulnerabilities and detecting and defeating direct attacks.