Kings sitting behind fortified Castle walls and moats are a thing of the past. though I’m sure some our current politicians would love to be siloed in such buildings.
But much like Monarchy eventually transitioned to a more people-centric government model (read Democracy) — something similar is happening to technology. Firewalls (our old, cosy and comfortable IT castles) are not enough to keep IT environments safe. Perimeter-based security was great when Data resided on On-Premises Data-centers.
However, ever since the Cloud revolution ignited the adoption of cloud-based services and hybrid cloud, the data migrated too — then initiating this new “decentralized” model in which the data resides anywhere, and anyone with the right credentials can access it.
But how do we effectively protect data wherever it is? Some people believe the journey is through a path they’re calling “Zero-Trust”.
Zero-Trust is about access: least privilege, authenticated, authorized and contextualized.
The Security benefits of it are:
- Network visibility, breach detection
- Hinders malware propagation
- Helps to find issues (users/devices/applications)
- Stops Data Loss Prevention
Business benefits include:
- Makes compliance audits easier
- Can reduce management costs by consolidating inventory/systems
- Increases data awareness/insights
- Enables Business transformation, IoT-ready
There are many Zero-Trust Models around. Consulting organizations such as Gartner and Forrester each has their own approach to this new security framework — and NIST still doesnt even has a proposed model (they released a draft recently, still under analysis).
However, the foundations are the same, a security Architecture that is Data and Access Centric, instead of Perimeter-based.
Although the roots of least privilege access to networks dates back to 1990s, the conception of the Zero-Trust Architecture is seen as dating back to 2010, from a Forrester report.
Notoriously, the first implementation was done by Google, and they called it BeyondCorp.
They defined Zero-Trust as the following:
“a new model that dispenses with a privileged corporate network. Instead, access depends solely on device and user credentials, regardless of a user’s network location — be it an enterprise location, a home network, or a hotel or coffee shop. All access to enterprise resources is fully authenticated, fully authorized, and fully encrypted based upon device state and user credentials. We can enforce fine-grained access to different parts of enterprise resources. As a result, all Google employees can work successfully from any network, and without the need for a traditional VPN connection into the privileged network. The user experience between local and remote access to enterprise resources is effectively identical, apart from potential differences in latency.”
Later on, new concepts were released such as Gartner’s Continuous Adaptive Risk and Trust Assessment — CARTA in short (2017).
And then Forrester improved their original model and called it Zero-Trust Extended — ZTX (2018).
As of 2019, NIST released the first draft for their own Zero-Trust Architecture (ZTA), proposal.
Vendors started proposing their own versions of it around the same time.
An important note — before any of these ones, The Jericho forum was a set of proposed standards for de-perimeterized networks issued by “The Open Group” organization, back in 2007.
These are the pillars for each Zero-Trust model mentioned before:
From Forrester’s Zero Trust model (2010)
Goal: Make security ubiquitous throughout the network, not just at the perimeter because attackers will penetrate threat-centric defenses.
Designed by John Kindervag.
- Eliminate network trust
- Segment Network Access
- Gain Network visibility and analytics
From Google’s BeyondCorp Implementation (2013)
- Device Management
- User Management
- Removing Trust from the network
- Externalizing Applications and Workflows
- Inventory-based Access Control
Gartner’s CARTA (2017)
- Security Posture must constantly change
- Digital Risk and trust vary over time
- Score and rate all entities
- Shift away from 1-time binary decisions
- Extend the approach outside the enterprise
Forrester’s Zero Trust eXtended (2018)
Expand the original model to adapt modern networks, while network segmentation and visibility remain critical, people access data and workloads outside the perimeter.
Led by Chase Cunningham.
- Data security
- Workload security
- People security
- Network security
- Device security
- Automation & Orchestration
- Visibility & Analytics
*bold = Key pillars of this model
NIST Zero Trust Architecture (2019 Draft)
According to NIST, these are the Zero-Trust Architecture tenets:
- All data sources and computing services are considered resources
- All communication is secure regardless of network location
- Access to individual enterprise resources is granted on a per-connection basis
- Access to resources is determined by policy, including the observable state of user identity and the requesting system, and may include other behavioral attributes
- The enterprise ensures all owned and associated systems are in the most secure state possible and monitors systems to ensure that they remain in the most secure state possible
- User authentication is dynamic and strictly enforced before access is allowed
You gotta love their article on this- check the link for it in the “sources” section — it is very specific, and techie.
This is something that I can’t answer. With so many options to achieve such architecture, though, the best one will depend on each business model.
I personally believe that a working ZT architecture model is the one that will make your network:
- Use Secure Protocols internally
- Provide Access based on multiple trust attributes
- Ensure data is secure by default
- Network designed for the internet (where access is always un-trusted).
- Security focused on data and access, not on perimeter
- Deny All Access until Explicitly Allowed
- All users / Devices/ Apps / Services are authenticated
- Collect Contextual Data on users, devices, Apps, etc
These are based on recommendations from the The Jericho Forum.
But how to deploy all this is a much more complex and longer conversation.
Many options, proposals and there’s a very simple conclusion for all of this:
Whatever Zero-Trust model you decide to go with, I can tell your Security Posture is heading to the right place.
Get in touch if you need ideas/help with anything discussed here. Cheers.
- origins — Beyondcorp: https://storage.googleapis.com/pub-tools-public-publication-data/pdf/43231.pdf
- whats — 0trust : Cisco live presentation BRKSEC-2721
- whats — 0trust : https://duo.com/blog/5-principles-to-achieve-zero-trust-for-the-workforce-establish-user-trust-part-1
- whats — 0trust 1: https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/
- whats — 0trust 2: https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
- whats — 0trust 3: https://www.forbes.com/sites/insights-vmwaresecurity/2019/06/12/zero-trust-the-modern-approach-to-cybersecurity/#1057166c4e9d
- whats — 0trust 4: https://www.forcepoint.com/cyber-edu/zero-trust
- whats — 0trust 5: https://www.microsoft.com/en-us/videoplayer/embed/RE2MFIC
- whats — 0trust 6: https://www.centrify.com/education/what-is-zero-trust-privilege/
- whats — 0trust 7: https://www.microsoft.com/security/blog/2018/06/14/building-zero-trust-networks-with-microsoft-365/
- whats- 0trust 8: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft.pdf
- why — forrester report: https://www.akamai.com/us/en/multimedia/documents/report/the-eight-business-and-security-benefits-of-zero-trust-report.pdf
- how — Jericho forum: https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf