Decoding Zero Trust in your Cybersecurity Strategy

Anandadip Mandal
7 min read · Dec 18, 2020

Zero Trust is a mighty prevention strategy to protect your endpoints and network. With the Zero Trust approach, you can turn detection strategies of your EDR & NDR solutions into prevention.

The demanding nature of threat intelligence gathering and analysis stems from the endless hunt for zero-day threats and known exploits of existing vulnerabilities. Adoption of machine-based analytics such as deep packet inspection and AI/ML techniques has significantly reduced the effort of threat detection and the hunt for indicators of compromise (IOCs). However, there is no assurance of a fully satisfactory outcome. Moreover, the discovery of a threat or compromise also means there is a patient zero in your systems & network, no matter how lightning-fast the response of your EDR and NDR solutions is. The Zero Trust model aims to lessen these and many other uncertainties in your systems & network.

Why is Zero Trust relevant today?

Traditional perimeter-focused security models assumed that everything inside an organization’s network can be trusted. In this “castle and moat” approach, prime importance was given to building the moat using NACs, VPNs, and similar technologies. However, this approach is insufficient in today’s heterogeneous environment, where the data center perimeter has all but dissipated. The contemporary digital workspace consists of a heterogeneous mix of applications, devices, and locations. Modern application workloads span multiple data centers hosted on-prem, in the cloud, hybrid, or as SaaS. Users access these applications from different devices (mobile, desktop, IoT, etc.) and places. Care must also be taken so that only the correct set of users can access the applications and data. This calls for a new security model that can protect your data & applications across user, device, and location with continuous evaluation of trust & compliance. Zero Trust provides exactly that.

The Zero Trust model treats trust as a vulnerability and works on the principle of “never trust, always verify”. It eliminates the concept of trust from the network, thereby preventing malicious actors from creeping into your network through seemingly trusted but actually compromised devices. The Zero Trust model prevents unauthorized access to data, services, or any other resource by enforcing granular access control to the extent possible.

[Figure: Abstract Model for Zero Trust Architecture (Zero Trust Access)]

The above abstract model depicts “Zero Trust Access”, which focuses on two basic areas: authentication and authorization. There are three actors in this model — subject, PDP/PEP, and resource.

The subject is a user, application, service, or device that needs access to an enterprise resource.

The PDP/PEP authenticates the subject’s identity and authorizes access. However, Zero Trust does not rely on implied trustworthiness, where a subject that has met a base authentication level (e.g., logging into an asset) has all subsequent resource requests assumed to be equally valid. Thus, before authorizing access, the PDP/PEP evaluates the subject’s trust level for each individual access request in its current context, asking questions such as:

  1. What is the level of confidence about the subject’s identity for this unique request?
  2. Is access to the resource allowable given the level of confidence in the subject’s identity?
  3. Does the device used for the request have the proper security posture?
  4. Are there other factors that should be considered and that change the confidence level (e.g., time, location of the subject, subject’s security posture)?

The “implicit trust zone” represents an area where all the entities are trusted to at least the level of the last PDP/PEP gateway. Since the PDP/PEP cannot apply additional policies beyond its location in the flow of traffic, the implicit trust zone must be shrunk to the extent possible, so that the PDP/PEP can be specific to the trust requirement. By doing so, it becomes possible to lessen the uncertainty in the network and systems: within a reduced, well-defined implicit trust zone, malicious actors find it much more difficult to move laterally.
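The per-request evaluation described above, as an added example that is not part of the original post or of NIST SP 800-207: the same authenticated subject is scored separately for each request, and a weak device posture that is good enough for a low-sensitivity resource is not good enough for a sensitive one. Attribute names, weights and thresholds are illustrative assumptions.

```python
"""Per-request trust evaluation in the style of a Zero Trust PDP/PEP.
Added example; the scoring weights, attribute names and thresholds are
illustrative assumptions, not a standard or the post's own algorithm."""
from dataclasses import dataclass

@dataclass
class AccessRequest:
    subject: str
    resource: str
    mfa_verified: bool          # strength of the identity proof behind THIS request
    device_managed: bool        # device posture as reported by the CDM system / agent
    device_patched: bool
    known_vulns: int
    from_corporate_net: bool    # environmental attributes
    hour_utc: int
    behavior_deviation: float   # 0.0 (matches usual pattern) .. 1.0 (highly anomalous)

# Assumed protect-surface sensitivity: minimum confidence required per resource
RESOURCE_THRESHOLD = {"wiki": 0.4, "payroll-db": 0.8}

def confidence(req: AccessRequest) -> float:
    """Combine identity, device, environment and behaviour into one score in [0, 1]."""
    score = 0.5 if req.mfa_verified else 0.2        # identity confidence
    if req.device_managed and req.device_patched:
        score += 0.3                                 # device security posture
    score -= 0.1 * min(req.known_vulns, 3)           # known vulnerabilities on the asset
    if req.from_corporate_net and 7 <= req.hour_utc <= 19:
        score += 0.2                                 # location / time of request
    score -= 0.4 * req.behavior_deviation            # deviation from observed usage
    return max(0.0, min(1.0, round(score, 2)))

def decide(req: AccessRequest) -> tuple[str, float]:
    """PDP decision for ONE request; nothing carries over from earlier requests."""
    if req.resource not in RESOURCE_THRESHOLD:
        return "deny", 0.0                           # unknown resource: no implicit trust
    c = confidence(req)
    return ("allow" if c >= RESOURCE_THRESHOLD[req.resource] else "deny"), c

if __name__ == "__main__":
    # Constructed subject: MFA done, managed but unpatched device, on the corporate net
    base = dict(subject="alice", mfa_verified=True, device_managed=True,
                device_patched=False, known_vulns=1, from_corporate_net=True,
                hour_utc=10, behavior_deviation=0.0)
    print(decide(AccessRequest(resource="wiki", **base)))        # ('allow', 0.6)
    print(decide(AccessRequest(resource="payroll-db", **base)))  # ('deny', 0.6)
```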

How to Build a Zero Trust Architecture?

  1. All communication should be done in the most secure manner available such as authenticating all connections and encrypting all traffic.
  2. Access to individual enterprise resources should be granted on a per-session basis, with the least privileges needed to complete the task. Least privilege principles are applied to restrict both visibility and accessibility.
  3. Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture.
  4. You need to have a strong trust algorithm in ZTA’s policy engine to evaluate the trust of each individual access request in the current context which includes the identity of the requestor, privileges granted to the requestor, integrity & security posture of requesting asset, and the requested asset’s security posture.
  5. Requestor identity can be a user account, a service identity, or any other associated attributes that your organization uses. The requesting asset’s state includes device characteristics (OS version, patch level, software version, installed credentials, the integrity of enterprise-approved software components or presence of non-approved components, whether the asset has any known vulnerabilities, etc.), environmental attributes (network location, time/date of request, reported active attacks, etc.), and previously observed behavior, which includes (but is not limited to) subject/device analytics and measured deviations from observed usage patterns.
  6. You need visibility for all traffic across user, device, location, and application to provide a trust algorithm with relevant context of the access request. For that, you need to understand traffic movement in relation to valuable assets that need protection in your enterprise. Identify protect surfaces that include sensitive data, applications, assets, and services such as DNS, DHCP which can be exploited to disrupt normal IT operations.
  7. Place each protect surface (which comprises a group of resources with similar security requirements) on a unique network segment.
  8. Each segment can be protected by gateway devices such as intelligent switches /routers or next-generation firewalls (NGFWs) which should have the capacity to react & adapt in response to the threats and changes in the workflow.
  9. Alternatively (or additionally), host-based micro-segmentation can be implemented using software agents on the endpoint assets. It leverages the native firewall functionality built into the host. Software agents can overlay a software-defined segmented network across data centers, cloud, bare metal, and hybrid environments.
  10. The two main functions of micro-segmentation are a) grouping resources with similar security requirements on a unique network segment and b) creating firewall rules to block or allow communication with each group or segment. With an understanding of who the users are, which applications they are using, and how they are connecting, appropriate firewall rules can be applied to ensure that only known, allowed traffic or legitimate applications have access. This process is iterative: policy rules are updated based on the associated risks with every iteration.
  11. The Zero Trust policy determines who can transit the perimeter of each micro-segment at any point in time, preventing access to your protect surface by unauthorized users and preventing the exfiltration of sensitive data. Segmentation gateways (or software agents) monitor traffic, stop threats, and enforce granular access across north-south and east-west traffic within your on-premises data center and multi-cloud environments.
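Steps 7 through 11 as an added example (not from the original post or any vendor product): resources are grouped into protect surfaces, segment-level allowed flows are expanded into host-level allow rules with a trailing default deny, and a PEP-style check refuses any flow that has no explicit rule, including flows from hosts missing from the inventory. The inventory, segment names, addresses and rule syntax are constructed for illustration.

```python
"""Micro-segmentation policy: group resources into protect surfaces and derive a
default-deny allow-list of flows between segments.
Added example; hosts, segments, ports and the rule format are constructed."""
from collections import defaultdict

# Constructed inventory: resource name -> (protect surface / segment, IP address)
INVENTORY = {
    "web-1": ("web",     "10.0.1.10"),
    "web-2": ("web",     "10.0.1.11"),
    "app-1": ("app",     "10.0.2.10"),
    "db-1":  ("payroll", "10.0.3.10"),
    "dns-1": ("infra",   "10.0.9.53"),
}

# Allowed flows between segments: (src_segment, dst_segment, proto, dst_port).
# Anything not listed here is denied, so web servers never reach the database directly.
ALLOWED_FLOWS = [
    ("web", "app",     "tcp", 8443),
    ("app", "payroll", "tcp", 5432),
    ("web", "infra",   "udp", 53),
    ("app", "infra",   "udp", 53),
]

def segments(inventory):
    """Group host addresses by the protect surface they belong to."""
    groups = defaultdict(list)
    for _name, (seg, ip) in inventory.items():
        groups[seg].append(ip)
    return dict(groups)

def render_rules(inventory, flows):
    """Expand segment-level flows into host-level allow rules plus a final default deny."""
    groups = segments(inventory)
    rules = []
    for src, dst, proto, port in flows:
        for s in groups.get(src, []):
            for d in groups.get(dst, []):
                rules.append(f"allow {proto} {s} -> {d}:{port}")
    rules.append("deny any any -> any")      # default deny closes the implicit trust zone
    return rules

def is_permitted(inventory, flows, src_ip, dst_ip, proto, port):
    """PEP check: a flow passes only if both hosts are known and their segments have an explicit rule."""
    ip_to_seg = {ip: seg for seg, ip in inventory.values()}
    src_seg, dst_seg = ip_to_seg.get(src_ip), ip_to_seg.get(dst_ip)
    if src_seg is None or dst_seg is None:
        return False                          # unknown host: no implicit trust
    return (src_seg, dst_seg, proto, port) in flows
```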

Zero Trust and Existing Technology

It is very important to know that Zero Trust is not a product but a security model. There are products that work well in Zero Trust environments and those that don’t. Zero Trust does not require you to tear apart and replace existing technology. You can very well use your existing technology to function as the logical components of Zero Trust Architecture.

  1. Policy engine (PE): This component is responsible for the ultimate decision to grant access to a resource for a given subject.
  2. Policy administrator (PA): This is the management part of the policy engine. Based on the PE’s decision, PA allows or blocks the communication between a subject and a resource (via commands to relevant PEPs).
  3. Policy enforcement point (PEP): This system is responsible for enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource. The PEP takes commands from the PA.
  4. Continuous diagnostics and mitigation (CDM) system: This gathers information about the enterprise asset’s current state and applies updates to configuration and software components.
  5. Industry compliance system: This ensures that the enterprise remains compliant with any regulatory regime that it may fall under (e.g., FISMA, healthcare, or financial industry information security requirements).
  6. Threat intelligence feed(s): This provides information about newly discovered attacks or vulnerabilities, newly discovered flaws in software, newly identified malware, and reported attacks to other assets.
  7. Network and system activity logs: This enterprise system aggregates asset logs, network traffic, resource access actions, and other events that provide real-time (or near-real-time) feedback on the security posture of enterprise information systems.
  8. Data access policies: These are the attributes, rules, and policies about access to enterprise resources.
  9. Enterprise public key infrastructure (PKI): This system is responsible for generating and logging certificates issued by the enterprise to resources, subjects, services, and applications.
  10. ID management system: This is responsible for creating, storing, and managing enterprise user accounts and identity records.
  11. Security information and event management (SIEM) system: This collects security-centric information for later analysis.

Summary

Zero Trust is a paradigm shift from traditional perimeter-based security strategies. It is highly effective in countering the challenges of today’s heterogeneous, borderless digital workspaces. But Zero Trust has its own challenges. Continuous authentication brings friction to the user experience and injects temporal delays into authentication mechanisms. Also, in a Zero Trust implementation, network access is initially granted to all assets, but access to resources is restricted to identities with the appropriate privileges. The downside is that malicious actors could still attempt network reconnaissance and use the network to launch denial of service attacks.

References

NIST Special Publication 800-207, Zero Trust Architecture: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
