One Zero trust Architecture to rule them all? (2021)

Andre Camillo, CISSP
5 min readOct 10, 2019
Photo of a 14th-century Firewall — Photo by Johannes Krupinski on Unsplash

Kings sitting behind fortified castle walls and moats are a thing of the past, though I’m sure some of our current politicians would love to be siloed in such buildings.

But much like monarchy eventually transitioned to a more people-centric government model (read: democracy), something similar is happening to technology. Firewalls (our old, cozy, and comfortable IT castles) are not enough to keep IT environments safe. Perimeter-based security was great when data resided in on-premises data centers.

However, ever since the cloud revolution ignited the adoption of cloud-based services and hybrid cloud, the data migrated too, initiating a new “decentralized” model in which the data resides anywhere and anyone with the right credentials can access it.

But how do we effectively protect data wherever it is? Some people believe the journey is through a path they’re calling “Zero-Trust”.

./why

Zero-Trust is all about access: least privilege, authenticated, authorized, and contextualized.

The Security benefits of it are:

  1. Network visibility, breach detection
  2. Hinders malware propagation
  3. Helps to find issues (users/devices/applications)
  4. Data loss prevention

Business benefits include:

  1. Makes compliance audits easier
  2. Can reduce management costs by consolidating inventory/systems
  3. Increases data awareness/insights
  4. Enables Business transformation, IoT-ready

./origins

There are many Zero-Trust models around. Consulting organizations such as Gartner and Forrester each have their own approach to this new security framework, and NIST still doesn’t even have an official model (they released a draft recently, still under analysis).

However, the foundations are the same: a security architecture that is data- and access-centric instead of perimeter-based.

Although the roots of least-privilege network access date back to the 1990s, the conception of the Zero-Trust Architecture is seen as dating back to 2010, from a Forrester report.

Notably, the first implementation was done by Google, who called it BeyondCorp.

They defined Zero-Trust as the following:

“a new model that dispenses with a privileged corporate network. Instead, access depends solely on device and user credentials, regardless of a user’s network location — be it an enterprise location, a home network, or a hotel or coffee shop. All access to enterprise resources is fully authenticated, fully authorized, and fully encrypted based upon device state and user credentials. We can enforce fine-grained access to different parts of enterprise resources. As a result, all Google employees can work successfully from any network, and without the need for a traditional VPN connection into the privileged network. The user experience between local and remote access to enterprise resources is effectively identical, apart from potential differences in latency.”

Later on, new concepts were released such as Gartner’s Continuous Adaptive Risk and Trust Assessment — CARTA in short (2017).

And then Forrester improved their original model and called it Zero-Trust Extended — ZTX (2018).

As of 2019, NIST released the first draft of their own Zero-Trust Architecture (ZTA) proposal.

Vendors started proposing their own versions of it around the same time.

An important note: before any of these, the Jericho Forum was a set of proposed standards for de-perimeterized networks issued by “The Open Group” organization, back in 2007.

./what

These are the pillars for each Zero-Trust model mentioned before:

From Forrester’s Zero Trust model (2010)

Goal: make security ubiquitous throughout the network, not just at the perimeter, because attackers will penetrate threat-centric defenses.

Designed by John Kindervag.

  • Eliminate network trust
  • Segment Network Access
  • Gain Network visibility and analytics

From Google’s BeyondCorp Implementation (2013)

  • Device Management
  • User Management
  • Removing Trust from the network
  • Externalizing Applications and Workflows
  • Inventory-based Access Control

Gartner’s CARTA (2017)

  • Security Posture must constantly change
  • Digital Risk and trust vary over time
  • Score and rate all entities
  • Shift away from 1-time binary decisions
  • Extend the approach outside the enterprise

Forrester’s Zero Trust eXtended (2018)

Expands the original model to adapt to modern networks: while network segmentation and visibility remain critical, people access data and workloads outside the perimeter.

Led by Chase Cunningham.

  • Data security
  • Workload security
  • People security
  • Network security
  • Device security
  • Automation & Orchestration
  • Visibility & Analytics


NIST Zero Trust Architecture (2019 Draft)

According to NIST, these are the Zero-Trust Architecture tenets:

  • All data sources and computing services are considered resources
  • All communication is secure regardless of network location
  • Access to individual enterprise resources is granted on a per-connection basis
  • Access to resources is determined by policy, including the observable state of user identity and the requesting system, and may include other behavioral attributes
  • The enterprise ensures all owned and associated systems are in the most secure state possible and monitors systems to ensure that they remain in the most secure state possible
  • User authentication is dynamic and strictly enforced before access is allowed

You gotta love their article on this (check the link for it in the “sources” section); it is very specific and techie.

./how

This is something that I can’t answer. With so many options to achieve such an architecture, the best one will depend on each business model.

I personally believe that a working ZT architecture model is the one that will make your network:

  • Use secure protocols internally
  • Provide access based on multiple trust attributes
  • Ensure data is secure by default
  • Network designed for the internet (where access is always untrusted)
  • Security focused on data and access, not on the perimeter
  • Deny all access until explicitly allowed
  • All users / devices / apps / services are authenticated
  • Collect contextual data on users, devices, apps, etc.

These are based on recommendations from the Jericho Forum.
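To make the NIST tenets and the “how” checklist above concrete, here is an added example (my own illustration, not code from the article, from NIST, or from Google’s BeyondCorp) of a toy zero-trust policy decision point. Every name in it is an assumption made for this illustration: the User, Device, Request and Decision records, the RESOURCE_POLICY table, the decide() function and the constructed sample traffic in demo(). It is deny-by-default, decides per request on user identity plus observable device state, and logs every decision for visibility, while the source network is recorded but deliberately never consulted, which is the BeyondCorp point that an office LAN grants no more trust than a coffee shop.

```python
# Added example (not from the article): a toy zero-trust policy decision point.
# All names below are assumptions made for this illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    mfa_verified: bool          # strong, dynamic authentication already passed


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # present in the enterprise device inventory
    disk_encrypted: bool
    patch_age_days: int         # observable device state


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    resource: str
    source_network: str         # recorded for visibility, never used for trust


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Constructed per-resource policy: required group and minimum device posture.
RESOURCE_POLICY = {
    "wiki":       {"group": "staff", "require_managed": False, "max_patch_age": 90},
    "hr-payroll": {"group": "hr",    "require_managed": True,  "max_patch_age": 30},
    "prod-db":    {"group": "sre",   "require_managed": True,  "max_patch_age": 14},
}

# (user, device, source network, allowed, reason) for every evaluated request
AUDIT_LOG: List[Tuple[str, str, str, bool, str]] = []


def decide(req: Request) -> Decision:
    """Evaluate one request against policy. Deny by default: an allow is only
    reached by passing every explicit check, and each outcome carries a reason
    so the audit trail explains itself."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        decision = Decision(False, f"unknown resource '{req.resource}': default deny")
    elif not req.user.mfa_verified:
        decision = Decision(False, "user not strongly authenticated (MFA required)")
    elif policy["group"] not in req.user.groups:
        decision = Decision(False, f"user lacks required group '{policy['group']}'")
    elif policy["require_managed"] and not req.device.managed:
        decision = Decision(False, "device is not in the enterprise inventory")
    elif not req.device.disk_encrypted:
        decision = Decision(False, "device disk is not encrypted")
    elif req.device.patch_age_days > policy["max_patch_age"]:
        decision = Decision(False, f"device patch age {req.device.patch_age_days}d "
                                   f"exceeds {policy['max_patch_age']}d")
    else:
        decision = Decision(True, f"identity and device posture satisfy policy "
                                  f"for '{req.resource}'")
    # Visibility and analytics: log every decision, including the source
    # network, even though the network played no part in the outcome.
    AUDIT_LOG.append((req.user.name, req.device.device_id, req.source_network,
                      decision.allow, decision.reason))
    return decision


def demo() -> List[Tuple[str, str, bool]]:
    """Constructed sample traffic: the same user and managed laptop from the
    corporate LAN and from a coffee shop, an unmanaged phone, and a resource
    whose group the user does not hold."""
    alice = User("alice", frozenset({"staff", "hr"}), mfa_verified=True)
    laptop = Device("lap-0042", managed=True, disk_encrypted=True, patch_age_days=5)
    phone = Device("phone-7", managed=False, disk_encrypted=True, patch_age_days=3)
    requests = [
        Request(alice, laptop, "hr-payroll", "corp-lan"),
        Request(alice, laptop, "hr-payroll", "coffee-shop-wifi"),
        Request(alice, phone, "hr-payroll", "corp-lan"),
        Request(alice, laptop, "prod-db", "corp-lan"),
        Request(alice, phone, "wiki", "coffee-shop-wifi"),
    ]
    return [(r.resource, r.source_network, decide(r).allow) for r in requests]


if __name__ == "__main__":
    for resource, network, allowed in demo():
        print(f"{resource:<11} from {network:<17} -> {'ALLOW' if allowed else 'DENY'}")
    for entry in AUDIT_LOG:
        print(entry)
```

The first two rows of demo() come out identical because source_network never enters the evaluation; the unmanaged phone is refused payroll but still gets the wiki, because policy is per resource rather than per network. In a real deployment the device fields would be fed from the inventory or endpoint agent and decide() would be re-run for every new connection, not once at login.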

But how to deploy all this is a much more complex and longer conversation.

./2021

Forrester made public their evaluation of products in this market in August 2021. While I won’t share the actual evaluation here, it’s interesting to see how the number of vendors and approaches in this space keeps growing.

And so it shall be until it reaches a state of “feature” rather than a market in itself — then we’ll have a vendor consolidation movement in the market and the big players will remain.

./conclusion

It’s a market running at full steam, and there are still a lot of approaches to it.

Whatever Zero-Trust model you decide to go with, I can tell your security posture is heading in the right direction.

Get in touch if you need ideas/help with anything discussed here. Cheers.

./sources

  1. origins — BeyondCorp: https://storage.googleapis.com/pub-tools-public-publication-data/pdf/43231.pdf
  2. what — 0trust: Cisco Live presentation BRKSEC-2721
  3. what — 0trust: https://duo.com/blog/5-principles-to-achieve-zero-trust-for-the-workforce-establish-user-trust-part-1
  4. what — 0trust 1: https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/
  5. what — 0trust 2: https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
  6. what — 0trust 3: https://www.forbes.com/sites/insights-vmwaresecurity/2019/06/12/zero-trust-the-modern-approach-to-cybersecurity/#1057166c4e9d
  7. what — 0trust 4: https://www.forcepoint.com/cyber-edu/zero-trust
  8. what — 0trust 5: https://www.microsoft.com/en-us/videoplayer/embed/RE2MFIC
  9. what — 0trust 6: https://www.centrify.com/education/what-is-zero-trust-privilege/
  10. what — 0trust 7: https://www.microsoft.com/security/blog/2018/06/14/building-zero-trust-networks-with-microsoft-365/
  11. what — 0trust 8: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft.pdf
  12. why — Forrester report: https://www.akamai.com/us/en/multimedia/documents/report/the-eight-business-and-security-benefits-of-zero-trust-report.pdf
  13. how — Jericho Forum: https://collaboration.opengroup.org/jericho/commandments_v1.2.pdf

Andre Camillo, CISSP

Cloud and Security technologies, Career, Growth Mindset. Follow: https://linktr.ee/acamillo . Technical Specialist @Microsoft. Opinions are my own.