Zero trust is a security model thatโ€™s actually quite simple in theory. At its heart is the idea is that no device or individual can be trusted without verification. No matter if you are already connected to a corporate network, have been verified previously, or even have elevated administrator status. Everyone and every device must prove who they are and that they permitted to be where they are at any time.

In reality, however, the concept of a zero trust network runs contrary to years of network design thinking. Networks have always been built with zones of trust. In the simplest versions, you have an โ€œinsideโ€ and an โ€œoutside,โ€ representing your network and the public internet (or any other external networks you might connect to). You put a firewall in between the zones and control access between them in both directions.

Everything on the inside is said to be trusted. Any computer inside your network can connect to any server, or printer, or any other device. Everything on the outside, though, is untrusted. Now, untrusted doesnโ€™t mean thereโ€™s no access between the two, but rather the access is controlled. Ideally, this control should involve some sort of authentication and authorization mechanism that determines what resources you can access and forces you to prove who you are.

Zero trust means those controls are applied to everything, all the time. Nothing is trusted automatically just by virtue of being connected to the network in a particular way.

Where does the zero trust model come from?

The idea of employing zero trust security to networks is nothing new, the term being first coined in 1994. As networks and the internet continued to grow, it became increasingly difficult to define the โ€œperimeterโ€ or edge of a network. By 2009, Google had begun its transition to a zero trust architecture, one of the first global networks to do so.

Today, zero trust architecture has become the prevalent security posture for most networks, driven largely by the rise in mobile BYOD (bring your own devices) and a shift towards cloud-based services and applications. Several national organizations, including NCSC (National Cyber Security Center UK) and NIST (National Institute of Standards and Technology in the US), are working together to create a set of zero trust model standards.

The benefits of a zero trust network

The trouble with having everything on the internet is an attacker can easily gain access to it by simply stealing (or guessing) a password. An attacker can compromise one system and then use this access to compromise other ones. For example: If everything on the internal network of a large corporation is trusted to access the accounting system, then all an attacker needs to do is compromise the accounting systemโ€”and work backwards. All it takes is a simple security vulnerability that was never patched, or maybe a default system administrator password thatโ€™s ignored because it can only be used from the internal network.

There are also many easily compromised devices on any corporate network, like printers, video conferencing cameras, smart TVs, and legacy appliances. Nobody ever patches these systems, and theyโ€™re all encrusted with security vulnerabilities. If an attacker can set up camp on one of these systems, they can operate with impunity from the trusted network.

A zero trust network focuses on protecting resources (assets, services, workflows, network accounts, etc.), rather than network segments, as the network location is no longer seen as the prime component to the security posture of the resource.

What is โ€œAAAโ€?

The key aspects to good zero trust security is the โ€œAAAโ€ model: access control, authentication, and authorization. For example, the NCSC outlines 6 such principles for zero trust models:

  1. Single strong source of user identity: Single Sign On (SSO) authentication that allows access to several related but separate applications of systems.
  2. User authentication: Identify the person behind the keyboard. Usernames, PINs, key fobs, and even fingerprint scans can all be factors.
  3. Machine authentication: Identify the machine (device) trying to access the network. Certificates, 802.1x, and Active Directory are examples.
  4. Additional context requests, such as policy compliance and device health.
  5. Authorization policies to access an application set by an administrator.
  6. Access control policies within an application set by an administrator.

The intent: isolate everything. If one device is compromised, whether itโ€™s a user workstation or an insecure camera, thereโ€™s very little an attacker can do to damage the rest of the organization. If a compromised printer is segregated onto a different network thatโ€™s isolated by a firewall, except for specifically authorized printing functions, thereโ€™s almost nothing dangerous a compromised printer can do.

Zero trust security isnโ€™t perfect

Zero trust is a good thing and a good idea, but it doesnโ€™t solve all of your security problems. You can still get malware. Your software-as-a-service provider can still be compromised by a clever attacker whoโ€™s aware of flaws in their system. And thereโ€™s also the possibility of a denial of service attack that simply makes you unable to reach your systems or your data.

The most prevalent example from the last several years is ransomware. A tiny piece of malware runs on a userโ€™s computer and automatically assumes all of that userโ€™s access rights, including the ability to modify files. If those files are on the central corporate file server, they could cause extensive damage.

With a zero trust security posture, we arenโ€™t trusting the userโ€™s computer, only the user (the resource). But unfortunately, there really isnโ€™t an easy way to tell the difference between malware running under a userโ€™s account and legitimate software running under that same userโ€™s account. Office Space meme

Imposing a more granular authentication model in which the user has to authenticate every individual action is also unworkable because theyโ€™d have to constantly re-authenticate themselves. (Yes, I really meant to do that. Click. And again. Click.) And this still wouldnโ€™t eliminate the threat completely: a piece of malware could sneak itself into the endless series of authentication requests and trick the user into supplying authentication credentials for a malicious action.

And just because youโ€™ve instituted a new zero trust model, that doesnโ€™t mean other vital processes, like config backups, device and network health monitoring, and alerts can be ignored. Every process is a component in your over ability to protect, diagnose and troubleshoot potential issues before they become critical.

How can you include zero trust in your network?

A big change over the past few years that has facilitated the general move towards zero trust networks is the widespread adoption of cloud services and applications. Today, if your email, file storage, and office automation suite are at Microsoft Office 365 or Google Workplace, then youโ€™re already partway there.

If, say, your accounting system is a cloud-based software-as-a-service model, or if your core business applications are running in cloud services that requires users to sign in using a secure web browser session, thatโ€™s already two forms of zero trust youโ€™re employing. The systems are already separated from the users by firewalls, every user already needs to authenticate everything they do, and the authorization models in these services already restrict who can access what.

What else should you consider to help enforce a zero trust network across all your resources?

Increase your cloud-based services

Many cloud-based applications have, by their nature, a form of zero trust security included in their design. The need to authenticate both the user and the device requesting access, as well as the access restrictions placed on end users by admins, gets you most of the way there.

Separate authentication across devices or networks

Forcing users to authenticate using more than one device is another strong security component to zero trust models. For example, employing a Google Authentication app via a userโ€™s mobile device, on top of a user authentication and a machine authentication on their laptop.

Separate application access and network access

Again, using separate login and authentication procedures for both access to applications and network resources helps to ensure that no one can use one compromised access point to wander around your network.

One step at a time

Achieving a zero trust design for your network is not an overnight process. Like any changes you bring to your network, it takes a lot of iterative steps: observing, evaluating, planning, testing, deploying, and optimizing.

Take Akamai. It took the company over nine years to fully implement a zero-trust model. After lots of review of the original infrastructure, they realized they had what they referred to as a โ€œSecurity Twinkieโ€ โ€” seemingly tough from the outside, but soft and mushy if you got in. Their solution exemplifies all the points weโ€™ve mentioned above:

โ€œUsers access applications and services at Akamai on a case-by-case basis via a web interface after theyโ€”and the devices used for accessโ€”have been fully authenticated and authorized. Broad network-level permissions have been replaced with a narrowly tailored zero-trust model where every application access request is verified and vetted. No applications are visible from the internet and therefore cannot be directly accessed from it. There is no VPN access eitherโ€ฆ In Akamai’s model, an attacker with access to a user’s account would only have access to the specific tools and services available to that particular user and nothing else.โ€

Leave a Reply

Your email address will not be published. Required fields are marked *