Back in January, I blogged about some emerging trends in networking. One of the ideas I wrote about was zero-trust network architecture. Zero-trust has been in the news again recently with Google’s announcement that it’s rebuilding its internal corporate infrastructure around a zero-trust model.
Google’s initiative is called BeyondCorp, and it’s explained more fully in this white paper if you’re interested in the details. You’ll notice the document is dated December 2014, so I’m not claiming any credit for influencing them. But I’m glad the idea is gaining some momentum.
Zero-trust is not about killing firewalls
To be clear, contrary to some of what you’ll read in the popular press around Google’s architectural direction, nobody in their right mind is eliminating firewalls. That’s silly. Firewalls are a critical first line of defense in your network security architecture.
Instead, the zero-trust idea simply says you can’t consider the network regions separated by firewalls to be trust zones. The zero-trust model assumes untrusted and even hostile entities can reside in any zone.
Zero-trust encrypts everything
Zero-trust requires implementing additional controls over your data and applications. To start, everything sensitive should be encrypted. Even on the inside of your corporate network, your web-based applications should be running over encrypted HTTPS sessions.
And all of your sensitive data should be encrypted at rest as well. Here’s where things get tricky: encrypting a database at the cell level or even the table level tends to cause performance problems, but encrypting the entire database only helps if your perceived threat is somebody stealing a disk. Encrypting normal files, by contrast, is straightforward.
Zero-trust applies granular authentication
The other important control in zero-trust architecture is granular authentication. Traditionally, network security has assumed that once a user is logged into his workstation, everything run from his workstation is associated with him.
This assumption is why malware that encrypts file shares is so effective—the malware isn’t being run by the user, but it runs with his credentials and consequently has all of the same access rights.
The zero-trust approach authenticates the applications separately from the users running them. So if an authenticated user on an authenticated workstation attempts to use an unknown application to access a piece of sensitive data, the request should be rejected.
But zero-trust isn’t bulletproof
One of my clients recently implemented a simple zero-trust model. The client was more concerned about data leakage than about malware corrupting the data, so their solution was to use an application called Vormetric to encrypt everything. A central server brokers decryption requests based on a combination of a user’s personal authentication, the system she’s accessing data from, and the application making the request.
This solution isn’t a full zero-trust architecture because it doesn’t have any way of ensuring that a legitimate application being run under an authenticated user’s identity is actually authorized by the user. Some of those legitimate applications are extremely broad, such as file sharing.
Further, there are risks that can’t be mitigated with encryption. For example, even if I can’t decrypt the data, I might still be able to delete or corrupt it so that it can’t be decrypted by a properly authorized user either.
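As an added example (not code from the original post or from Vormetric), here is a small Python model of the brokered decryption decision described above, with every user, workstation, application and data class constructed for illustration: the user, workstation and application are each checked independently, a broad legitimate application such as file sharing passes just as the post warns, and a delete or overwrite of the ciphertext never reaches the broker at all.

```python
from dataclasses import dataclass

# Constructed sample inventory (not from the post): what the broker knows.
AUTHENTICATED_USERS = {"alice"}
ATTESTED_WORKSTATIONS = {"ws-finance-01"}
# Approved applications mapped to the data classes each may decrypt.
# "smb-fileshare" is the broad, legitimate application the post warns about.
APPROVED_APPS = {
    "payroll.exe": {"payroll"},
    "smb-fileshare": {"payroll", "hr", "engineering"},
}

@dataclass(frozen=True)
class Request:
    user: str
    workstation: str
    application: str
    data_class: str
    operation: str  # "read" needs the key; "delete" and "overwrite" do not

@dataclass(frozen=True)
class Decision:
    key_released: bool  # did the broker hand out the decryption key?
    governed: bool      # did the broker even get to decide?
    reason: str

def broker(req: Request) -> Decision:
    """Evaluate a request as the central decryption broker would: user,
    workstation and application are authenticated independently, and all
    three must pass before the key is released."""
    if req.operation != "read":
        # Deleting or corrupting ciphertext never asks for a key, so the
        # encryption control cannot stop it. This is the gap the post describes.
        return Decision(False, False, "no decryption requested; broker not consulted")
    if req.user not in AUTHENTICATED_USERS:
        return Decision(False, True, "user not authenticated")
    if req.workstation not in ATTESTED_WORKSTATIONS:
        return Decision(False, True, "workstation not authenticated")
    allowed = APPROVED_APPS.get(req.application)
    if allowed is None:
        return Decision(False, True, "unknown application")
    if req.data_class not in allowed:
        return Decision(False, True, "application not approved for this data class")
    return Decision(True, True, "key released")

if __name__ == "__main__":
    for app, op in (("payroll.exe", "read"), ("unsigned-tool.exe", "read"),
                    ("smb-fileshare", "read"), ("unsigned-tool.exe", "delete")):
        r = Request("alice", "ws-finance-01", app, "payroll", op)
        print(f"{app:18} {op:6} -> {broker(r).reason}")
```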
Even a full zero-trust architecture can’t mitigate a lot of risks. If an attacker can get a piece of malware onto a workstation that will allow them to passively read the screen, they can still steal information. And no trust model will ever be able to guard against denial of service attacks, particularly if they’re launched from inside a network.
Where network security is headed
As the Google announcement shows, the zero-trust model is gaining traction in the industry. Of course, Google has resources the rest of us can only dream of. When the company encounters gaps in current technology, it can invent solutions. But with any luck, Google’s move will translate into more useful security products down the road for the rest of us.
For example, I don’t see an easy or cost-effective way for a small or mid-sized business to implement an effective zero-trust network today. Even in the long term, zero-trust infrastructure will probably be easiest to operate in stable enterprise networks where relatively few applications are used and the allowed interactions are easily modelled.
Some types of organizations, such as software development firms, have applications and data flows that change rapidly. They’ll probably only be able to implement a sort of hybrid model in which the zero-trust zones are carefully firewalled away from the more volatile environments. (I mention this to underscore that the zero-trust architecture doesn’t replace firewalls.)
But overall, zero-trust represents a good next step in secure enterprise network architecture.