By: Samia Oukemeni
July 27, 2021
Zero Trust Networks
As the demand for the cloud environment and remote work is rising, enterprise security becomes more challenging than ever. Zero-Trust concepts bring a new solution to move network defenses from static on-premises security to dynamic, identity-based access control to resources and bring down traditional security walls.
Network Security in the Age of COVID-19
The events of 2020 and the COVID-19 pandemic changed life as we know it almost overnight. In March 2020, nearly all companies and organizations rapidly switched to remote access and teleworking to respect social distancing and slow the spread of the coronavirus. The boundaries of a secure network changed as employees began accessing corporate applications, databases, and documents over home WiFi or cellular networks, which gives adversaries a wider "attack surface" through which to cause harm.
Beyond Traditional Networks
The classic standard networking topology is based on border security. The network perimeter is split into two zones: Internal or trusted zones and external or untrusted zones (as shown in figure 1).
In this approach, everything inside the internal zone is trusted and vetted, while everything outside is untrusted. Communication inside the trusted zone is open: the traffic is neither encrypted nor authenticated. To communicate with the external zone, the topology deploys network appliances at the front door (firewall, IDS, IPS, SIEM, etc.) to filter traffic coming in and going out.
This classic topology asserts a kind of trust inside the network perimeter; any traffic inside the wall is implicitly trusted. However, the assumption that threats come mainly from outside is outdated. Statistics have shown that threats originating inside the network perimeter pose a significant danger to the organization. Careless or malicious employees can easily reach privileged accounts or sensitive information within the organization's network perimeter. In a 2020 survey, 61% of the surveyed organizations had suffered insider attacks within the previous 12 months, and detecting an insider attack took at least a week. Thirty-two percent of security professionals stated that the cost per insider attack can range between $100K and $2M, while loss of data and disruption to business operations are the most significant impacts of insider attacks.
What is a Zero-Trust Network (ZTN)?
As IT ecosystems grow, with the shift to remote work and the migration to cloud and BYOD, the focus on zero-trust architecture has increased recently. The concept of Zero-Trust Networks (ZTN) is not new. However, with all the current events, the need for ZTN is more pressing than ever.
The term "Zero-Trust" was first used in 1994 by Dr. Stephen Paul Marsh in his doctoral thesis on computational security at the University of Stirling. In 2004, the term reappeared in the Jericho Forum, which promoted the idea of de-perimeterization (limiting implicit trust based on network location). In 2010, John Kindervag, a former analyst at Forrester Research, coined and popularized "Zero-Trust." Recently, the concept has attracted more interest in both the research and industrial worlds (as shown in figure 2).
The idea behind the Zero-Trust concept is to eliminate automatic trust from within the organization. In other words, no implicit trust is granted based on logical location (inside or outside the network perimeter). Every employee, process, or device must be authenticated and authorized before it is allowed onto the network to access resources. Zero-Trust also embraces the concept of 'least privilege access.' This means that users and processes get access only to the specific resources they requested and are authorized for, which prevents lateral movement in the network.
What Are The Benefits of ZTN?
Moving away from the traditional perimeter-based network and adopting ZTN comes with multiple benefits:
- It reduces the attack surface, especially insider threats.
- It scales down business risks and data breaches.
- It provides clear visibility and control over network architecture and access.
- It provides access control in cloud environments.
- It gives the ability to create perimeters around certain types of sensitive data.
How To Deploy a Successful ZTN?
Cybersecurity researchers at the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) published NIST Special Publication (SP) 800-207, Zero Trust Architecture, in 2018 (latest version in 2020). The Special Publication sets out seven assumptions (tenets) for designing and deploying a Zero-Trust architecture:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are active and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
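The tenets above read as policy, but they translate directly into how an access decision is computed. The following is an added example, not code from the article or from NIST SP 800-207: a minimal policy decision point that contrasts the perimeter model (trust anything whose source address is inside the "internal" range) with a zero-trust decision that ignores network location and instead checks authenticated identity, device posture, and an explicit least-privilege policy, issuing a short-lived per-session grant scoped to one resource and action. All users, roles, devices, addresses and the policy table are constructed for illustration.

```python
"""Constructed example: perimeter-style vs. zero-trust access decisions."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import secrets
import time

INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed "trusted zone"
MAX_PATCH_AGE_DAYS = 30                   # constructed posture threshold


@dataclass
class Subject:
    user: str
    roles: frozenset
    mfa_verified: bool  # strong authentication completed for this session


@dataclass
class Device:
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass
class Request:
    subject: Subject
    device: Device
    source_ip: str
    resource: str
    action: str  # "read" or "write"


# Resource -> role -> permitted actions. Anything not listed is denied
# (least privilege); the table is constructed for this example.
POLICY = {
    "hr-db": {"hr": {"read", "write"}, "auditor": {"read"}},
    "wiki": {"hr": {"read"}, "engineer": {"read", "write"}, "auditor": {"read"}},
}


def perimeter_decision(req: Request) -> bool:
    """Classic model: a request already inside the trusted zone is allowed."""
    return ip_address(req.source_ip) in INTERNAL_NET


def device_posture_ok(dev: Device) -> tuple[bool, str]:
    """Tenet: the enterprise measures the security posture of every asset."""
    if not dev.managed:
        return False, "unmanaged device"
    if not dev.disk_encrypted:
        return False, "disk not encrypted"
    if dev.patch_age_days > MAX_PATCH_AGE_DAYS:
        return False, "device out of date"
    return True, "posture ok"


def zero_trust_decision(req: Request) -> dict:
    """Per-request evaluation from identity, posture and explicit policy.
    The source address is deliberately not an input to the decision."""
    if not req.subject.mfa_verified:
        return {"allow": False, "reason": "authentication required"}
    ok, why = device_posture_ok(req.device)
    if not ok:
        return {"allow": False, "reason": why}
    allowed: set[str] = set()
    for role in req.subject.roles:
        allowed |= POLICY.get(req.resource, {}).get(role, set())
    if req.action not in allowed:
        return {"allow": False,
                "reason": f"no policy grants {req.action} on {req.resource}"}
    # Per-session grant: bound to one resource/action and short-lived, so a
    # successful decision cannot be reused to move laterally elsewhere.
    return {"allow": True, "reason": "policy match",
            "session": {"token": secrets.token_hex(16),
                        "resource": req.resource, "action": req.action,
                        "expires": time.time() + 600}}


def demo() -> dict:
    """Two constructed requests that the two models decide differently."""
    good_laptop = Device("lt-001", managed=True, disk_encrypted=True, patch_age_days=5)
    # An auditor on the internal network trying to modify HR data.
    insider = Request(Subject("mallory", frozenset({"auditor"}), True),
                      good_laptop, "10.1.2.3", "hr-db", "write")
    # An HR employee working from home on a healthy managed laptop.
    remote = Request(Subject("alice", frozenset({"hr"}), True),
                     good_laptop, "203.0.113.7", "hr-db", "read")
    return {
        "insider_perimeter": perimeter_decision(insider),
        "insider_zero_trust": zero_trust_decision(insider),
        "remote_perimeter": perimeter_decision(remote),
        "remote_zero_trust": zero_trust_decision(remote),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the inversion the article describes: the perimeter model waves the internal auditor's write through and blocks the remote HR employee, while the zero-trust decision denies the write (no policy grants it) and allows the remote read with a session grant that expires after ten minutes. Swapping in a stale or unmanaged device for the remote user changes the outcome, which is the "dynamic policy" and "posture" tenets at work.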
What Are The Challenges of Deploying ZTNs?
As attractive as the Zero-Trust concept is, and as well as it answers the security demands of remote access, it comes with challenges:
- Zero-Trust architecture can lead to security fatigue, where having many security policies can negatively impact users' productivity.
- As organizations evolve, people come and go or change roles and locations. Dynamic access control requires a great deal of commitment and quick updates to adapt to network changes and business risks.
- Migrating to a Zero-Trust concept requires a significant investment in resources, time, and technical skills.
- Vendors create confusion by using the term Zero-Trust to market everything in security.
Zero-Trust is a continuous journey rather than a singular destination. Adopting a Zero-Trust architecture is an answer to the new normal when balanced with existing security policies, identity management, access control, and continuous and rapid monitoring.
Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero trust architecture (No. NIST Special Publication (SP) 800-207). National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf