Zero Trust Architecture is a simple concept which boils down to: Never trust, always verify. This phrase really doesn’t have a clear source and has been passed around the security community to the point it means many things to many people. In the context of zero trust systems, this means that just because a device is on your network or something you need to work with that you shouldn’t implicitly trust it. Every device becomes a gun: loaded until proven otherwise.
When you think about cloud computing, you have a link with some degree of trust between a device and a service. When you’re just securing a single location, this is fine, but what happens when BYOD (Bring Your Own Device) policies or work from home policies kick in? Now, you need to see the forest for the trees and for the multiple, interdependent ecosystems it actually is.
Modern businesses and enterprises, and even home networks, are becoming more and more interconnected with external data sources and solutions. It used to be just keeping the outside world at bay was enough to ensure a comfortable level of security, but security threats such as malware and ransomware have moved the security goalposts. Supply chain attacks and other next-generation threats have just exacerbated the problem and created more impetus to solve the problem now. That’s where zero trust architecture comes in.
Rethinking Security for Zero Trust
Traditional security works based on an inside versus outside or walled garden approach. Anything within the security perimeter is trustworthy, but this approach quickly breaks down in modern environments (especially post-2020). Modern computing requires some level of trust between device and Everything As A Service (XaaS).
Cloud services, like SaaS offerings, have taken over the landscape. They’re cheaper and reduce liability and/or unexpected costs. 61% of businesses migrated to the cloud in 2020 to further fan the flames (source). Zero trust isn’t just an ideal: it’s a necessity with this level of interoperability becoming a business requirement.
People are continuing to work from home and businesses have fewer controls to force an employee’s overall digital environment. You have dozens or more unique networks trying to connect in with work from home considerations. Do you trust every employee to stay secure without professional IT servicing it? You also need to make the same considerations with different cloud vendors or edge computing resources.
You can secure the endpoint all day, but modern attacks may use Man-in-the-Middle attacks, phishing, or similar. The attack surface of the average home network has grown larger than the businesses of yesteryear and attacks have gotten more complex and more profitable. Nation-state entities, and whole industries and ecosystems have popped up around breaching businesses and exploiting individuals. Trust here isn’t about the person, it’s about the device or technical side of the relationship.
Attack Surface versus Protect Surface
Security is an arms race, and there are going to be casualties. How far are you willing to go to protect every single asset versus the key pieces of infrastructure? With more and more services, data, etc. being moved to the cloud, an individual agent is less important.
You need to think in terms of: data, assets, applications, and services (DAAS). Where does your data live, and how can you reduce exfiltration or destruction by threat actors? What assets are essential to your business and how do you keep them safe? Are there applications which are mission critical, and how are you keeping them protected? What services make your business run?
This all reduces the attack surface to a protect surface. Some things are more important than others in the context of your business. The secretary’s computer doesn’t matter if the data they work with is protected, while the file server going down may take your business with it.
You want important data kept secure. You need to make sure that services and similar can’t be exploited. The wrong click can take down a business, but you need to control who or what can make those clicks. Zero trust is the marriage of business intelligence and security. It’s a security strategy rather than a one-size fits all solution. You can’t just trust everyone, you need to enforce checks and balances and make sure that the you can control the damage an individual makes willingly, or (more commonly) unwillingly makes (e.g. ransomware). Never trust, always verify at every level of communication and interfacing between silos and security perimeters.
The easiest way is to leverage more modern security solutions (i.e. a segmentation gateway or similar next-generation firewall) to establish a microperimeter (your DAAS grouping[s]) around your protect surface(s). You then need to carefully control what goes in and what comes out of said perimeter.
Layer 7 Security
Nuance is the key to functioning in the modern era of technology. Like in the real world, if you close off borders entirely, a state or area will struggle to stay competitive or even functional. Old style port filtering and similar might solve specific problems, but it can crush certain functionalities a business needs. On the flip side, it also fails to protect against certain attacks since either the gate is open or closed, there really isn’t an in between at layer 3 (though there are workarounds, to a degree).
In the OSI Model, most firewalls are layer 3 appliances, but modern, next-generation firewalls work at layer 3 as well as layer 7, the application layer. Basically, smart firewalls can look at the context of what is being done rather than just what is going where without any nuance. This capacity allows them to become the segmentation gateway for a zero trust architecture. Basically, you keep traditional security around your core network, but establish smaller microperimeters internally to protect as if the network is potentially hostile.
Zero trust architecture applies the Kipling Method to determining how to allow access. You need to know who is doing what and how they’re doing it. This can further be modified with where and even why. Think in terms of Who is accessing a given resource?, What are they using (e.g. application) to access said resource?, and finally How should they be allowed access?
The where and why become a way to establish more granular control. You might trust everything from a given IP range, but not so much outside of the country. Consider why a given system may or may not access a specific resource to further shape the process.
Implementing Zero Trust Architecture
Since Zero Trust Architecture isn’t really a specific solution, but a strategy, the steps to implementation work like most project flows. The following steps are based on a methodology outlined by Forrester:
- Identify protect surface
- Map traffic flow
- Define zero trust microperimeters
- Create a zero trust policy
- Maintain the policy
1. Identify Protect Surface
Break down what you need to actually secure in your network. What data and applications from your DAAS are sensitive? What needs to be put together and what can be split out for a network of microperimeters with limited linking? Identify each individual asset and rough, natural groupings at this stage. Focus on what needs to be protected rather than how to protect it.
2. Map Traffic Flow
How does data move around in your organization and who needs access to what, how, and why? What is internal only and what needs to be available externally? What dependencies do various services or applications have or need? Even if you don’t implement zero trust, this stage will make you better understand how things should work for your business or network. Just knowing what goes where can make traditional VLANing and subnetting much more efficient.
3. Define Zero Trust Microperimeters
This is where you begin the exercise of mapping out how the actual network looks. We established what goes where previously, now we need to order it at a network level. What assets should be stuck together in a given microperimeter and what can, or should, be separated out? In traditional networking, this would be a more advanced version of VLANing, subnetting, and otherwise segregating a network.
4. Create a Zero Trust Policy
Now that the network itself has been established, you need rules to actually make things able to talk. Use the aforementioned Kipling Method to make decisions on how to actually create rules for the policy. Assume anything accessing any microperimeter is unsafe at some level.
5. Maintain the Policy
Iterate and improve the process based on real data. If you see suspicious traffic, figure out what it is and why it’s getting through. Adapt your policy based on the real world conditions and changes your organization needs to make. This is the same boilerplate “don’t just set it and forget it” step every single implementation plan has.
A Summary of Zero Trust Architecture
Zero trust architecture is centered around: Never trust, always verify. Zero trust architecture isn’t a solution, it’s a strategy. This strategy can make your network more efficient and more secure even if not adopted wholesale.
Traditional security tries to use a gatekeeping approach which doesn’t work as clearly for modern threats or even usage. Even trusted devices may do untrustworthy things due to the modern security landscape. Traditional approaches don’t work for establishing nuance for modern applications and data access and usage (layer 3 only versus layer 3 + layer 7 filtering).
To implement zero trust architecture, you define a protect surface based on the data, assets, applications, and services (DAAS) in use. This protect surface makes up a microperimeter or can be divided up into multiple microperimeters. A segmentation gateway (e.g. next-generation firewall) manages the communication between the protect surface and everything outside.
Implement zero trust by following:
- Identify protect surface
- Map traffic flow
- Define zero trust microperimeters
- Create a zero trust policy
- Maintain the policy
Use the Kipling Method to create the actual policy. Who is accessing a resource? What are they using? How should they be allowed access? Where they’re accessing it from and why can further lock-down the process.
Image by Thomas B. from Pixabay