Increases in the number and complexity in cyberattacks are forcing governments and enterprises to adapt their approach to cybersecurity, to stay ahead of potential threats. A direct outcome of this increased concern is the concept of zero trust. Zero trust is a term first defined by an analyst at Forrester, but one that has made its way to mainstream discussions and even president Biden’s Cybersecurity Executive Order. But what is zero trust, and how does it improve security?
What is Zero Trust
First, let’s talk about what we mean when we say zero trust, and some common misconceptions and challenges specific to zero trust, and more generally to cybersecurity.
In order to understand zero trust and its relevance, it’s helpful to compare it to its predecessor. The traditional approach to network security involves securing the perimeter of a network to mitigate threats from entering the system, a sort of castle and moat approach. However, with organizations’ networks getting increasingly larger and more complex, clearly defining this perimeter has become a challenge. A modern enterprise might have several internal networks, remote and mobile users, and cloud services, making it impossible to identify a clearly defined perimeter. Once a bad actor has breached the perimeter, they are able to move within the network, affecting other systems and increasing the scale of the attack. To take our ‘castle and moat’ metaphor further, this approach only holds as long as our castle wall holds. But if someone breaches the wall, they have access to the treasures contained within the castle walls.
Zero trust represents a shift from ‘trust but verify’ to ‘never trust, always verify’, where trust is not granted implicitly within a network. From a system design perspective, it assumes that every component is or can be compromised, thus designing a system that is more secure against wide-spread attacks.
As mentioned earlier, the relevance of zero trust is highlighted by last year’s Cybersecurity Executive Order, where advancing toward zero trust Architecture is called out as an essential step in modernizing our approach to cybersecurity. The publication uses the NIST definition for Zero trust architecture:
Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.
We look at zero trust, not as a specific set of tools or practices, but rather a set of principles and concepts designed to prevent unauthorized access to data and services. This is done by continually evaluating authentication and authorization, while restricting access to only grant minimum privileges needed to perform necessary tasks. As such, zero trust has typically been defined in the user space. It involves continually verifying a user’s identity and continuously assessing if they should have access to the resources they are trying to access. Users are granted access only to the resources that are needed to fulfill their business functions.
One Approach to Zero Trust in Access Management
Zero trust doesn’t refer to a single architecture, but it is helpful to conceptualize by looking at an example of access control and identity management in an enterprise system.
Take for example an environment that controls external access from the internet with a network switch. In this type of network, trust is granted implicitly, and any device is able to exchange data with every other device. If an evil actor were able to impersonate the credentials of one of these endpoints, they would have access to the rest of the network, as they are operating in an implicit trust zone. The enemy forces have breached the castle’s defenses, and are wreaking havoc in the village.
Implementing a more advanced network switch, such as a zero trust network access (ZTNA) controller to intermediate exchanges between the different devices, delivers a step towards zero trust. When using a ZTNA controller the communication channels between devices and in a network and to the outside are disabled by default. In order to gain access, the controller must verify user credentials and check that access is authorized by a policy. The ZTNA also monitors and logs all access attempts to access resources, ensuring that policies are enforced. Each resource is guarded by its own guard, ensuring that access is only granted if you have the right permissions.
The use of a ZTNA is an example of an alternative to a VPN, towards a framework that applies the principles of zero trust. These principles can be applied to other areas of IT, by monitoring and measuring the integrity and security posture of all owned and associated assets.
Misconceptions About Zero Trust
Once an organization’s leadership sees the value in zero trust and makes the decision to ‘implement zero trust’, they are faced with the question of how to implement it‘How?’. There’s a growing number of companies that are offering consulting services and SaaS solutions that promise to fill this gap and help the company achieve zero trust.
Many of these companies’ products are great, and will definitely help push the needle towards implementing zero trust. However, it is misleading to think of these products or services as equivalent to zero trust. Zero trust is not a single product or solution. An organization isn’t ‘zero trust’ because they implement micro-segmentation by means of a ZTNA, or any one solution that aligns with zero trust.
Zero trust is a set of principles that can be implemented at different levels to help prevent unauthorized access to private data and resources. We have outlined some of these principles, but in order to fully understand them we recommend diving deeper into documentation such as the NIST SP 800-207 and taking a deep dive into famous case studies like Google’s implementation of zero trust with BeyondCorp, in response to the Aurora attack. Zero trust is a framework for security that can be applied in many different ways, at different levels of the stack.
What is Missing in Zero Trust
While the concept of zero trust is born from the more technical side of cyber security, it is essential to call out the role of leadership and operations when trying to make meaningful changes to the security strategy of an organization.
Many zero trust solutions can be applied seamlessly in an organization, but in order to gain the full benefits of zero trust, there must be managerial buy-in to require employee education, training, frequent audits, and other operational practices.
Shifting Security Left
Security is often an afterthought for most organizations. Typically, people are primarily focused on delivering a product or service, and then we consider how to make sure that the product is ‘secure’. Especially after an incident has occurred.
We believe that security should be applied proactively rather than reactively, and that zero trust ties in with the idea of shifting security left in the development pipeline. The results of doing so are products that are designed from day one with zero trust principles in mind, using tools and processes that incorporate zero trust from development to delivery.
Zero Trust at the Server Level
One of the tenets of zero trust, as defined by NIST, is for no asset to be inherently trusted. This requires continuous evaluation of the security posture of assets and the continuous monitoring of the state of devices and applications.
At Sicura we built a product that aligns with the principles of zero trust, ensuring that systems remain in a compliant state. A system’s configurations can change, shifting it away from a known compliant state, and introducing potential attack vectors which can be exploited to compromise a system. By enforcing security compliance policies in a system, we can avoid misconfigurations which allow bad actors to gain lateral movement within a system.
For engineers that are constantly spinning up testing and development environments, it is vital to ensure that these environments don’t have any misconfigurations.
Sicura allows you to enforce compliance standards on your systems, implementing fine-grained security standards and best practices, such as those recommended by CIS. These Controls support a zero trust architecture, and address other recommendations called out in the Cybersecurity Executive Order.
If you want to learn more about shifting security left with Sicura and implementing zero trust at the server and middleware level, get in touch.