Never trust, always verify.
Introduction: A short history of security and access control
The development of cloud computing placed many applications at a turning point.
Let’s start with an example. Back in the early- to mid-’00s, Enterprise Rights Management (ERM) software began to struggle. ERM was developed to solve the problem of controlling enterprise content, such as a Word document. Once the network perimeter was no more, it became more difficult to control that content.
One of the issues was in the access control measures offered to manage content access. If you have no perimeter, you need to have mechanisms other than employee directories to control content access. As a consequence, ERM changed to accommodate functionality that was more cloud-appropriate — expanding its range of identity methods to control content access.
The dissolution of the network perimeter caused many changes in the way we approached cybersecurity — access control being only one of them. We could no longer rely on perimeter-hardening tools like traditional firewalls. We had to expand how we connected and, in doing so, opened the landscape to malicious others. New ways of looking at cybersecurity had to be developed. Zero-trust security was one such model — but what exactly is it?
What is meant by zero trust security?
Back in 2010, analyst John Kindervag of Forrester developed the framework for a zero-trust security architecture. The key feature of this architecture was to use a “data-centric” model — that is, knowing where your data is at any juncture, mapping the flow of the data through a network and beyond. The idea was to change how we trust transactions across a network, with the starting point of all network traffic being untrusted.
In 2018, the original zero trust architecture model was updated by Forrester. This new model is known as The Zero Trust eXtended Ecosystem. In this new version, people are intrinsically untrusted in the system; thus, the new model is built on the notion of “people-centric perimeters.”
A zero-trust world is all about verifying access through applied trust. In the Zero Trust eXtended Ecosystem, data is the central pivot upon which people, devices, networks and workloads turn. Access to data by any of these must be verified at any point and at any time.
This extended view to include people and devices makes a lot of sense in a world where we take our technology with us. In doing so, our networks are expanded to breaking point and our workloads reflect this. This way of looking at security applies the concept of defining trust as a way to verify people and devices wherever they may be.
Forrester’s five steps to zero trust
The original version of the model from Forrester set out five basic steps to achieving zero trust security. The basic premise is to think of data as being “zoned.” Control is then applied within and between those zones. These steps still hold value in the updated version:
- Identify your sensitive data: This is a fundamental step. If you know what your sensitive data is and where it flows, you can best determine the right security. Forrester suggests using their own “simplified data classification model.” This model has three basic classes: Public, Internal and Confidential. This step is where the idea of microperimeters (zones) comes in. They suggest you create “chunks” of data that represent their own microperimeter — each being connected across the extended network ecosystem.
- Map the flows of your sensitive data: This step is about looking at the flows of data across your network. This includes transactional flows that may be multi-directional. The step encourages the optimization of data flows to create micronetworks.
- Architect your zero trust microperimeters: Once you know your data and its flow, create optimal micronetworks around each. Design them so that the best-fitting security is used for that specific use case. This step also looks at using physical or virtual security controls to enforce the microperimeters.
- Continuously monitor your zero-trust ecosystem with security analytics: Using logs and data analytics, look for malicious activity across the entire microperimeter ecosystem.
- Embrace security automation and orchestration: Build automation policies with the help of management. Apply security automation and orchestration (SAO) tools to achieve this goal.
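Steps one, two and four above (classify the data, map its approved flows, then watch the logs for flows that cross a microperimeter boundary) can be expressed as a small analytics check. The following is an added example and is not code from the article or from Forrester; the zone names, the datasets, the log-line format and the approved-flow map are all assumptions constructed for the illustration, and the log lines are constructed sample input.

```python
"""Flow-map checker: flags accesses that move Internal or Confidential data
across a microperimeter boundary the flow map does not approve.
Added example; every name below is an assumption made for this illustration."""
import re
from dataclasses import dataclass

# Step 1: classify sensitive data with the three-class model and record the
# microperimeter (zone) each dataset lives in.
DATASETS = {
    "marketing-site": ("Public", "dmz"),
    "wiki": ("Internal", "corp-zone"),
    "hr-records": ("Confidential", "hr-zone"),
    "payroll": ("Confidential", "finance-zone"),
}

# Step 2: map the flows. Each entry is (home zone of the data -> zone of the
# requester). Public data may flow anywhere, so it has no entry and is never flagged.
APPROVED_FLOWS = {
    "Internal": {("corp-zone", "corp-zone"), ("corp-zone", "hr-zone"), ("corp-zone", "finance-zone")},
    "Confidential": {("hr-zone", "hr-zone"), ("finance-zone", "finance-zone"), ("hr-zone", "finance-zone")},
}

# Assumed log format: <timestamp> user=<id> src_zone=<zone> dataset=<name> action=<verb>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_zone=(?P<src>\S+) dataset=(?P<dataset>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    dataset: str
    data_class: str
    flow: tuple  # (home zone, requester zone)
    reason: str


def parse_line(line):
    """Return the event fields as a dict, or None for a line that is not in the assumed format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_flow(event):
    """Step 4: return a Finding when the event moves data over a boundary the flow map does not approve."""
    dataset = event["dataset"]
    if dataset not in DATASETS:
        # Unclassified data has no home zone, so step 1 was skipped for it; worth a look.
        return Finding(event["ts"], event["user"], dataset, "Unclassified", ("?", event["src"]),
                       "access to a dataset with no classification or home zone")
    data_class, home_zone = DATASETS[dataset]
    flow = (home_zone, event["src"])
    if data_class == "Public" or flow in APPROVED_FLOWS[data_class]:
        return None
    return Finding(event["ts"], event["user"], dataset, data_class, flow,
                   f"{data_class} data leaving {home_zone} for {event['src']} is not on the flow map")


def analyse(lines):
    """Run the flow check over raw log lines, skipping malformed ones."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # a real pipeline would count malformed lines as well
        finding = check_flow(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log lines.
LOG_LINES = [
    "2024-05-01T09:00:01Z user=alice src_zone=hr-zone dataset=hr-records action=read",
    "2024-05-01T09:02:17Z user=bob src_zone=finance-zone dataset=payroll action=read",
    "2024-05-01T09:05:44Z user=carol src_zone=corp-zone dataset=wiki action=read",
    "2024-05-01T09:07:03Z user=dave src_zone=dmz dataset=hr-records action=read",
    "2024-05-01T09:09:30Z user=erin src_zone=corp-zone dataset=marketing-site action=read",
    "2024-05-01T09:11:12Z user=frank src_zone=corp-zone dataset=old-backup action=read",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in analyse(LOG_LINES):
        print(f"{f.timestamp} {f.user} {f.data_class} {f.dataset} {f.flow[0]}->{f.flow[1]}: {f.reason}")
```

Run as written, the checker reports two events: the Confidential read of hr-records from the dmz zone, and the read of a dataset that was never classified. The approved-flow map is the artefact step two produces; keeping it as data rather than hard-coding it into the check is what lets the same analytics run unchanged when a new microperimeter is added.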
Applications of a zero-trust model — BeyondCorp
One of the most famous applications of the zero-trust model is Google’s BeyondCorp initiative. Google has moved their access control hierarchy from the perimeter to individuals and devices. Google says that this approach enables a secure way to work remotely without the use of a VPN.
The BeyondCorp zero trust model was implemented as a reaction against a multi-layered security model. Alternatives to zero trust used layers of VPN, firewalls and policy constraints to control access. In the BeyondCorp model of zero trust, they apply context-based user identity as an access control measure. In this way they check:
- End user authorization (people)
- Device authorization (device)
- Access policy request (workload rule)
In addition, end-to-end encryption is used to avoid any data theft during transit.
Because the access is rules-based and tokenized, it allows for more context-based access control. Ultimately, zero trust comes down to verified identity and access management coupled with device inventory management.
Although initiatives like BeyondCorp have demonstrated great success, the model of zero trust is still not widely adopted. Analysts IDG found that 71 percent of security professional decision makers were not aware of the zero trust security model.
Zero trust and the insider
Insider threats are one of the most difficult to detect and prevent. A Computer Associates survey found that one of the main factors behind insider threats was that too many users had excessive access privileges.
Zero trust thinking, as applied to insider threat mitigation, works by:
- Micro-segmentation: Build identity-based network context. This is the first step of the model and creates microperimeters that are based on identifying users. This is also known as “zoning,” where you continuously monitor and manage data between zones. Authentication and authorization manage data interactions in these zones. This builds more granular control that removes the free movement afforded by excess privileges.
- Identifying the user: Key to zero trust is knowing who you are giving access to. Zero trust is built upon the premise that users are untrusted; therefore, you need to check authentication and authorization at every access request. This access is controlled through user attribute request/response tokens.
- Controlling access: Least-privilege access rights are a fundamental principle of zero trust security. Overly excessive access is one of the key issues causing insider threats to become insider incidents. Zero trust networks only grant access rights as and when absolutely necessary; coverall access is no longer appropriate.
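The BeyondCorp checks listed earlier (end user, device, access policy) and the three insider-threat measures above describe the same per-request decision: verify the user through an attribute token, verify the device against an inventory, then grant only what the least-privilege policy allows and deny everything else. The block below is an added example of that decision written for this article; it is not Google's BeyondCorp code and not from any vendor. The token format (an HMAC-signed attribute string), the signing key, the device inventory fields, the policy entries and the requests are all constructed assumptions.

```python
"""Deny-by-default access decision: user token, device inventory, least-privilege policy.
Added example; the token format, inventory fields and policy are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass

SIGNING_KEY = b"example-key-do-not-use"  # constructed; a real identity provider keeps this in a KMS/HSM

# Constructed device inventory: only enrolled devices that meet the baseline are trusted.
DEVICE_INVENTORY = {
    "laptop-0042": {"owner": "alice", "managed": True, "disk_encrypted": True, "patched": True},
    "laptop-0077": {"owner": "bob", "managed": True, "disk_encrypted": False, "patched": True},
}

# Least-privilege policy: per resource, the (role, action) pairs that are allowed. Nothing else is.
ACCESS_POLICY = {
    "hr-records": {("hr-analyst", "read"), ("hr-manager", "read"), ("hr-manager", "write")},
    "payroll": {("finance", "read")},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def issue_token(user, role, device_id, expires_at, key=SIGNING_KEY):
    """Return 'user|role|device|exp|sig': the user's attributes signed by the assumed identity provider."""
    body = f"{user}|{role}|{device_id}|{int(expires_at)}"
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{sig}"


def verify_token(token, now, key=SIGNING_KEY):
    """Return the attributes if the signature is valid and the token has not expired, else None."""
    parts = token.split("|")
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    body = "|".join(parts[:4])
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, parts[4]):
        return None
    user, role, device_id, exp = parts[:4]
    if int(exp) <= now:
        return None
    return {"user": user, "role": role, "device": device_id, "exp": int(exp)}


def decide(request, now):
    """Evaluate one request. Every check must pass; any failure is a denial with its reason."""
    attrs = verify_token(request["token"], now)
    if attrs is None:
        return Decision(False, "user: token invalid or expired")
    if attrs["device"] != request["device_id"]:
        return Decision(False, "device: request did not come from the device the token was issued to")
    device = DEVICE_INVENTORY.get(request["device_id"])
    if device is None:
        return Decision(False, "device: not in inventory")
    if device["owner"] != attrs["user"]:
        return Decision(False, "device: assigned to a different user")
    if not (device["managed"] and device["disk_encrypted"] and device["patched"]):
        return Decision(False, "device: fails compliance baseline")
    allowed_pairs = ACCESS_POLICY.get(request["resource"], set())
    if (attrs["role"], request["action"]) not in allowed_pairs:
        return Decision(False, f"policy: role {attrs['role']} may not {request['action']} {request['resource']}")
    return Decision(True, f"user, device and policy checks passed for {attrs['user']}")


def run(requests, now):
    """Decide a batch of requests against a fixed clock (keeps the example deterministic)."""
    return [decide(r, now) for r in requests]


NOW = 1_700_000_000  # constructed fixed clock
ALICE = issue_token("alice", "hr-analyst", "laptop-0042", NOW + 600)
BOB = issue_token("bob", "finance", "laptop-0077", NOW + 600)
EXPIRED = issue_token("alice", "hr-analyst", "laptop-0042", NOW - 1)

SAMPLE_REQUESTS = [
    {"token": ALICE, "device_id": "laptop-0042", "resource": "hr-records", "action": "read"},    # allowed
    {"token": ALICE, "device_id": "laptop-0042", "resource": "hr-records", "action": "write"},   # least privilege
    {"token": ALICE, "device_id": "laptop-0042", "resource": "payroll", "action": "read"},       # other zone's data
    {"token": BOB, "device_id": "laptop-0077", "resource": "payroll", "action": "read"},         # device not compliant
    {"token": EXPIRED, "device_id": "laptop-0042", "resource": "hr-records", "action": "read"},  # expired token
    {"token": ALICE + "x", "device_id": "laptop-0042", "resource": "hr-records", "action": "read"},  # tampered token
]

if __name__ == "__main__":
    for req, d in zip(SAMPLE_REQUESTS, run(SAMPLE_REQUESTS, NOW)):
        print(f"{req['resource']:<10} {req['action']:<5} {'ALLOW' if d.allowed else 'DENY '} {d.reason}")
```

Only the first request is allowed. The order of the checks matters for the insider case: a valid user on a compliant device still gets nothing beyond the (role, action) pairs in the policy, which is the point of replacing coverall access with least privilege, and the short token lifetime means the user check is repeated at every request rather than once at a perimeter.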
Criticisms of zero-trust models
Zero trust has its critics. Organizations like BeyondTrust and 451 Research have done critical analyses of the Zero Trust security model.
BeyondTrust, for example, pulls out issues around “technical debt” and legacy applications. Organizations may have older technology that is not compatible with the remit of a microperimeter. They also state that many legacy applications do not have the facility to use least privilege.
IDG Research, while being in favor of zero trust security, also admits it may be difficult to achieve. IDG looks toward augmenting zero trust with Unified Access Control (UAC). This is a method that uses policies and rules to finely control access using risk factors, like geolocation. UAC means you can have the advantages of Single Sign-On (SSO) with added authentication and authorization benefits.
Conclusion: Trusting in zero trust
According to analysts at IDG, zero trust is one of the most researched security technologies — showing there is growing interest in zero trust across the industry. This makes sense, as security professionals need an answer to a data landscape that is nebulous and hard to manage. The use of identity attributes to manage and control access to data and transactions also makes sense.
Zero trust offers a way to design security into the heart of business processes, dovetailing the human being with technology. Using a zero trust model creates a solid basis for designing services and systems that are inherently security aware. The basis of the model is to ground trust in verification of your users and devices. In this way, the lack of a perimeter doesn’t matter, as a new microperimeter is created that more closely reflects modern data movement.
Sources
- The Zero Trust eXtended (ZTX) Ecosystem, Forrester
- Five Steps To A Zero Trust Network, Forrester
- Insider Threat 2018 Report, CA Technologies
- Why Zero Trust is an Unrealistic Security Model, BeyondTrust