One Zero-Trust Architecture to rule them all?

Photo of a 14th century Firewall — Photo by Johannes Krupinski on Unsplash

Kings sitting behind fortified castle walls and moats are a thing of the past, though I’m sure some of our current politicians would love to be siloed in such buildings.

But much like monarchy eventually transitioned to a more people-centric model of government (read: democracy), something similar is happening in technology. Firewalls (our old, cosy and comfortable IT castles) are no longer enough to keep IT environments safe. Perimeter-based security worked well when data resided in on-premises data centers.

However, once the cloud revolution drove the adoption of cloud-based services and hybrid cloud, the data migrated too, ushering in a new “decentralized” model in which data can reside anywhere and anyone with the right credentials can access it.

But how do we effectively protect data wherever it is? Some believe the way forward is a path they’re calling “Zero-Trust”.

./why

Zero-Trust is about access: least-privilege, authenticated, authorized and contextualized.

Its security benefits are:

  1. Network visibility, breach detection

Business benefits include:

  1. Makes compliance audits easier

./origins

There are many Zero-Trust models around. Consulting organizations such as Gartner and Forrester each have their own approach to this new security framework, and NIST does not yet have a finished model (they released a draft recently, which is still under review).

However, the foundations are the same: a security architecture that is data- and access-centric instead of perimeter-based.

Although the roots of least-privilege network access date back to the 1990s, the Zero-Trust Architecture concept is generally dated to 2010, from a Forrester report.

Notably, the first implementation was done by Google, and they called it BeyondCorp.

They defined Zero-Trust as the following:

“a new model that dispenses with a privileged corporate network. Instead, access depends solely on device and user credentials, regardless of a user’s network location — be it an enterprise location, a home network, or a hotel or coffee shop. All access to enterprise resources is fully authenticated, fully authorized, and fully encrypted based upon device state and user credentials. We can enforce fine-grained access to different parts of enterprise resources. As a result, all Google employees can work successfully from any network, and without the need for a traditional VPN connection into the privileged network. The user experience between local and remote access to enterprise resources is effectively identical, apart from potential differences in latency.”
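The definition above makes the decision inputs explicit: user credentials, device state and encryption, with network location deliberately ignored. The following is an added illustration of that decision logic as a toy policy decision point, not code from Google or from the BeyondCorp paper. Everything in it is constructed for the example: the `AccessRequest` fields, the `RESOURCE_ROLES` policy, the corporate address range and the sample requests. It places a perimeter-style check (is the source address inside the corporate network?) beside a Zero-Trust check (is the user authenticated, is the device managed and compliant, is the transport encrypted, and does a role actually grant the resource?) so the two verdicts can be compared on the same request.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed corporate address range; only the perimeter model looks at it.
CORP_NET = ip_network("10.0.0.0/8")

# Constructed resource policy: which roles may reach which resource (least privilege).
RESOURCE_ROLES = {
    "hr-portal": frozenset({"hr"}),
    "source-repo": frozenset({"engineering"}),
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool        # identity verified upstream (e.g. SSO with MFA); assumed here
    roles: frozenset           # roles attached to the verified identity
    device_managed: bool       # device is enrolled in the device inventory
    device_compliant: bool     # device state checks (patch level, disk encryption) pass
    encrypted_transport: bool  # request arrived over an encrypted channel
    source_ip: str
    resource: str


def perimeter_decision(req: AccessRequest) -> bool:
    """Castle-and-moat check: being inside the corporate network is the whole test."""
    return ip_address(req.source_ip) in CORP_NET


def zero_trust_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """BeyondCorp-style check: user credentials, device state and authorization,
    with network location deliberately not consulted. Returns (allowed, reasons)."""
    reasons = []
    if not req.authenticated:
        reasons.append("user not authenticated")
    if not req.device_managed:
        reasons.append("device not managed")
    if not req.device_compliant:
        reasons.append("device state not compliant")
    if not req.encrypted_transport:
        reasons.append("transport not encrypted")
    if not (req.roles & RESOURCE_ROLES.get(req.resource, frozenset())):
        reasons.append(f"no role grants access to {req.resource}")
    return (not reasons, reasons)


# Constructed sample requests (names and addresses are placeholders).
INSIDE_UNMANAGED = AccessRequest(
    user="alice", authenticated=True, roles=frozenset({"engineering"}),
    device_managed=False, device_compliant=False, encrypted_transport=True,
    source_ip="10.20.30.40", resource="source-repo",
)
COFFEE_SHOP_MANAGED = AccessRequest(
    user="bob", authenticated=True, roles=frozenset({"engineering"}),
    device_managed=True, device_compliant=True, encrypted_transport=True,
    source_ip="203.0.113.7", resource="source-repo",
)
COFFEE_SHOP_WRONG_ROLE = AccessRequest(
    user="bob", authenticated=True, roles=frozenset({"engineering"}),
    device_managed=True, device_compliant=True, encrypted_transport=True,
    source_ip="203.0.113.7", resource="hr-portal",
)


def compare(req: AccessRequest) -> dict:
    """Side-by-side verdict of the two models for one request."""
    allowed, reasons = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": allowed, "reasons": reasons}


if __name__ == "__main__":
    for name, req in [("inside network, unmanaged device", INSIDE_UNMANAGED),
                      ("coffee shop, managed device", COFFEE_SHOP_MANAGED),
                      ("coffee shop, wrong role", COFFEE_SHOP_WRONG_ROLE)]:
        print(f"{name}: {compare(req)}")
```

The first request is allowed by the perimeter model purely because of its 10.x address, yet denied by the Zero-Trust check because the device is neither managed nor compliant; the second is denied by the perimeter model (public address) and allowed by the Zero-Trust check; the third shows least privilege at work, since a compliant device and a valid user still do not reach a resource their role does not grant. Returning the reasons alongside the verdict is what makes such a decision auditable, which is the property the later section on compliance audits relies on.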

Later on, new concepts followed, such as Gartner’s Continuous Adaptive Risk and Trust Assessment, CARTA for short (2017).

Forrester then extended their original model and called it Zero Trust eXtended, or ZTX (2018).

In 2019, NIST released the first draft of its own Zero Trust Architecture (ZTA) proposal.

Vendors started proposing their own versions of it around the same time.

An important note: before any of these, The Open Group’s Jericho Forum had already issued a set of proposed standards for de-perimeterized networks, back in 2007.

./what

These are the pillars of each Zero-Trust model mentioned above:

From Forrester’s Zero Trust model (2010)

Goal: make security ubiquitous throughout the network, not just at the perimeter, because attackers will penetrate threat-centric defenses.

Designed by John Kindervag.

  • Eliminate network trust

From Google’s BeyondCorp Implementation (2013)

  • Device Management

Gartner’s CARTA (2017)

  • Security Posture must constantly change

Forrester’s Zero Trust eXtended (2018)

Expands the original model to fit modern networks: network segmentation and visibility remain critical, but people now access data and workloads outside the perimeter.

Led by Chase Cunningham.

  • Data security

*bold = Key pillars of this model

NIST Zero Trust Architecture (2019 Draft)

According to NIST, these are the Zero-Trust Architecture tenets:

  • All data sources and computing services are considered resources

You gotta love their article on this (check the link in the “sources” section): it is very specific, and techie.

./how

This is something I can’t answer in general. With so many options for achieving such an architecture, the best one will depend on each business model.

I personally believe that a working ZT architecture model is one that makes your network:

  • Use Secure Protocols internally

These are based on recommendations from the Jericho Forum.

But how to deploy all this is a much more complex and longer conversation.

./conclusion

Many options, many proposals, and a very simple conclusion to all of this:

Whatever Zero-Trust model you decide to go with, I can tell you your security posture is heading in the right direction.

Get in touch if you need ideas/help with anything discussed here. Cheers.

./sources

  1. origins — Beyondcorp: https://storage.googleapis.com/pub-tools-public-publication-data/pdf/43231.pdf

Network and Cloud Security engineer
