By: Elviraluke Napwora
July 16, 2021
The Beginner's Guide To Zero Trust
A BRIEF HISTORY; THE JOURNEY TO ZERO TRUST SECURITY
In the recent past, security models were built on the assumption that "inside means trusted" and "outside means untrusted." In today's multifaceted and dynamic environment, however, with networks consisting of mobile technologies, remote access/VPN use, cloud environments, etc., the perimeter-based approach becomes an inherent drawback in managing security because it grants excessive implicit trust once one is connected to the network (either via VPN or directly). This implicit trust creates a security risk.
With corporate network perimeters being harder to define and continuous data transfer between applications, remote users, IoT devices, etc., the attack surface is broadened as hackers now have multiple entry points, increasing the possibility of a security breach. Also, most modern enterprise environments consist of many interconnected network segments, cloud-based services and infrastructure, remote connections, and mobile device use. Additionally, the recent increase in IoT Connections has introduced non-conventional devices, making the corporate environment highly diverse, with distributed environments that the conventional perimeter-based security approach cannot manage.
The move towards flexible security models that embody and adapt to the complexities of the modern environment, embrace a remote and mobile workforce, and secure organizational resources (devices, apps, and data) and people - wherever they are located - has become essential. These are the needs that the Zero Trust security model tries to address.
WHAT IS ZERO TRUST?
The phrase 'Never trust, always verify' forms the basis of Zero Trust Security and was coined by Forrester to indicate that trust is a vulnerability; therefore, security must be defined by strategy. This implies the need to strengthen organizational security by focusing on strict authentication at each access point, ensuring that no device, user, system, or workload is trusted by default, regardless of the location it is operating from. In Zero Trust, we start with a default deny stance for all transactions and users.
The Zero Trust model evaluates trust on a per-transaction basis instead of following the implied-trust model that assumes everything behind a corporate firewall is safe. Network location/IP address is no longer the determinant when validating users or implying trust; trust is explicitly derived from a mix of identity- and context-based signals. Some of these signals include user authentication, the identity and integrity of the device, location, and device health. In a basic Zero Trust implementation, when a user requests access to a resource, the user, the device, and other attributes (e.g., geolocation, date/time, the device's security state) are verified before trust is granted. Access is then granted on the least privilege principle to the requested resource only, not to the entire network, minimizing the chances of lateral movement. Other measures that foster security in the Zero Trust model include encrypted communication and continuous analytics of the user metrics, so that anomalies can be easily detected and handled appropriately.
Continuous re-evaluation of trust is a key aspect of Zero Trust. When the signals initially used to grant trust change (e.g., the device, the location, or the user's attributes), the initial verification is revoked and access removed, and the user must start the process of requesting access afresh.
ZERO TRUST PRINCIPLES
Some of the key principles Zero-Trust security is based on include:
1. Verify explicitly: Various parameters are involved in the process of authentication and authorization. Some of these parameters are user/device identity, location, device health, and user authentication.
2. Use least privilege access: Limit user access to organizational resources to just-in-time and just-enough-access to reduce risk and increase security. Least privilege entails providing users with the minimum permissions required to carry out a task, to minimize lateral movement within the network and to limit each user's exposure to sensitive parts of the network.
3. Assume breach: This principle emphasizes the need to inspect and monitor all activities occurring within the environment. Inspection could include verifying end-to-end device encryption, using analytics to get appropriate network visibility, and threat detection and intelligence capabilities, all geared towards improving the defense approach adopted for countering security breaches.
All networks are presumed to be untrusted, and each request has to be verified as though it originates from an open/public network.
4. Micro-segmentation: This entails segmenting your network into smaller zones, each with separate access controls. For example, in a data center setup, micro-segmentation would entail having dozens of separate secure zones with separate access rights for users. Thus, a user's access to one zone does not guarantee access to any other zone without separate authorization.
5. Multi-factor authentication: This requires users to provide two or more pieces of evidence of who they claim to be during the authentication process. This is important, especially in the current digital world, where passwords can be cracked in minutes and give attackers leverage if other controls have not been enforced.
6. Strict device access control: The model highlights the need to control user access and to apply the same measure to device access. Thus, actively monitoring the devices that try to access your network, and the authorization granted to them, is key to reducing the mean time to detection and to fast-tracking threat intelligence activities if a security breach occurs.
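A worked illustration of the per-request trust evaluation described above (default deny, verify explicitly across several signals, least privilege per resource/zone, and revocation when the context changes). This is an added Python example, not code from the original article; the resource names, groups, country codes and the signal set in POLICY are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed sample policy (not from the article): each protected resource
# is its own zone and lists the identity/context signals it requires.
POLICY = {
    "payroll": {"groups": {"hr"}, "mfa": True, "healthy_device": True, "countries": {"KE"}},
    "wiki": {"groups": {"hr", "eng"}, "mfa": False, "healthy_device": False, "countries": None},
}

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset      # entitlements attached to the verified identity
    mfa_done: bool         # second factor completed for this request
    device_healthy: bool   # posture check (patched, encrypted, managed)
    country: str           # geolocation signal
    resource: str          # the one resource being requested, never "the network"

def decide(req):
    """Default deny: return (allowed, reasons). Every required signal must pass."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, ["unknown resource: deny by default"]
    reasons = []
    if not (req.groups & rule["groups"]):
        reasons.append("user not entitled to this resource")
    if rule["mfa"] and not req.mfa_done:
        reasons.append("MFA required")
    if rule["healthy_device"] and not req.device_healthy:
        reasons.append("device health check failed")
    if rule["countries"] and req.country not in rule["countries"]:
        reasons.append("location not permitted")
    return not reasons, reasons

class Session:
    """Keeps the signals that granted access; a changed signal is re-evaluated
    and a failing re-evaluation revokes the session (continuous trust)."""
    def __init__(self, req):
        self.req = req
        self.active, self.reasons = decide(req)
    def update_context(self, **changed):
        self.req = replace(self.req, **changed)
        self.active, self.reasons = decide(self.req)
        return self.active

if __name__ == "__main__":
    alice = Request("alice", frozenset({"hr"}), True, True, "KE", "payroll")
    s = Session(alice)
    print("payroll:", s.active, s.reasons)
    s.update_context(country="US")  # location changed -> access revoked
    print("after move:", s.active, s.reasons)
```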
BUILDING A ZERO-TRUST SECURITY MODEL
Zero Trust Architecture can be defined as an enterprise's security plan that utilizes Zero Trust concepts in modeling and implementing its security architecture. Zero Trust provides a holistic security approach, keeping key principles and technologies in mind and not relying on an out-of-the-box solution associated with a given technology. There is no single best approach in implementing the Zero Trust security architecture in an environment, but the process should be continuously adjusted to incorporate emerging security challenges and trends. Also, it is important to note that different organizations' security paths will differ, hence the need to customize security solutions to best meet each company's security needs. Prioritizing the various projects and initiatives around identity and access management solutions for an organization is thus an important first step.
Taking this into account, Forrester provides the following key recommendations in building a security model in a Zero Trust Ecosystem for your organization:
1. Data: Have a data classification strategy as part of your policy to provide a clear guide on the data security controls to be implemented at each level.
2. People: Have a system in place to monitor user access behaviors consistently, always ensuring the principle of least privilege is applied when access is granted.
3. Workloads: This entails creating proper procedures to drive security initiatives, e.g., asset inventory registers, cloud governance processes, managing security audits, maintenance and updates schedules, and access rights management and control.
4. Devices: Look into how devices in your environment are grouped and the security protocols that need to be implemented in each device group or category to protect the criticality/sensitivity of resources accessed through those devices. You cannot afford to subject all devices in your environment to one security metric.
5. Networks: Implement network segmentation to the environment to limit the attack surface. Proper visibility of one's environment eases its management and improves any adopted security measures.
6. Visibility and Analytics: Correlating security events across the environment will provide an opportunity to identify the loopholes that exist and streamline the security process accordingly.
7. Automation and Orchestration: This goes a long way in reducing security analysts' fatigue and efficiently ensures all security incidents are properly handled. Eventually, an organization's security posture is based on having a reduced mean time to respond (MTTR) measurement, with critical incidents properly prioritized. The MITRE ATT&CK FRAMEWORK course explains more about MTTR.
CHALLENGES WITH IMPLEMENTING ZERO TRUST
Though Zero Trust is a great model to improve an organization's security posture, some of the inherent challenges it faces include:
1. The use of legacy systems and applications by organizations: Legacy systems are modeled on the perimeter-based security model and do not use the multiple signals for access decisions that Zero Trust calls for. They end up as weak links, weakening the organization's security and eventually leading to a compromise.
2. Lack of Adoption of the Zero Trust Model by Regulations: The Zero Trust Model introduces a robust way of approaching security to streamline the organizational security process. Thus, regulations are important to encourage and provide guidance to organizations in this journey. Policy, regulations, legislation, and compliance laws would greatly boost organizations to streamline their security models, especially since models like Zero Trust exist to ensure that security is properly implemented.
3. The wrong approach towards security audits and penetration testing engagements: Focusing an organization's attention on merely passing the given tests does not necessarily improve overall security or seal the identified security loopholes. Even when such companies start their Zero Trust journey, the issues that should be addressed are easily bypassed if they are not measured against proper metrics. The use of MITRE's ATT&CK Framework and security intelligence feeds can help organizations understand the current TTPs behind the incidents they face, or understand the identified security loopholes and the steps needed to reduce the risk of attack.
4. Proper visibility and control of the network: This is a major factor challenging the implementation of Zero Trust networks in enterprises. You cannot protect what you do not know. Most organizations have yet to gain a comprehensive view of what their environments look like in terms of asset count, service accounts, legacy applications and devices, user/device privileges within the network, etc. They are thus highly vulnerable to threats targeted at them.
Organizations still have a long journey before they can be deemed 100 percent compliant regarding implementing the Zero Trust Security model/architecture. The journey may entail rethinking IT infrastructure, introducing new security metrics for fostering trust, utilizing artificial intelligence in security implementation, looking deeper into security analytics information, and adopting a different decision-making approach geared towards strengthening organizational security. Whatever the journey you need to take, be aware of new trends like the Zero Trust model, which aims to foster your organization's security posture and maximize it to your corporate advantage. Will Zero Trust eventually be adopted as a status quo by organizations and certifying entities? Only time will tell.