Since the early days of cybersecurity, effective security has relied upon preventative measures aimed at keeping threats out of your networks by building a well-defined and defendable network boundary between you and the Internet – essentially a castle and moat philosophy.
However, networks aren’t what they once were. They are now infinitely more complex and must account for modern trends like Bring Your Own Device (BYOD), Work @ Home, and Digital Transformation that blur the lines between internal “trusted” entities and external “untrusted” entities and do not align well with the traditional assumptions of a strictly defined network perimeter. And while perimeter defenses like firewalls, Web proxies, and De-Militarized Zones (DMZs) are still necessary and useful for blocking external threats, they are less useful when it comes to defending against threats that may already have access inside the network, or defending applications and devices operating outside of the perimeter.
What is Zero Trust?
Zero trust is an architectural concept that operates under the premise that everyone and everything are untrusted until proven otherwise. Further, zero trust shifts the security paradigm from perimeter-based security to an end-to-end security model, where access decisions are made on a connection-by-connection (or hop-by-hop) basis based on multiple factors. Operating in this way, zero trust takes a “better safe than sorry” approach that enables organizations to make risk aware access control decisions using risk factors such as:
- Who or what is requesting access and the level of confidence in the subject’s identity for this unique request?
- Is access to the resource (application, data, service, etc.) allowable given the user’s access permissions and the “value” or “sensitivity” of the resource being accessed?
- Does the device being used for the request have the proper security posture to adequately protect any data shared through the exchange?
- Are there other factors that should be considered and that change the confidence level (e.g., time, location of user, risk associated with the user’s network, user’s security posture)?
Any attempt that does not meet specific criteria is assumed to be unauthorized, and access is blocked to whatever resource they are trying to access. In this way, zero trust is defined by the access policies for individual connections and resources rather than network segments.
It’s important to pause here and reiterate that zero trust is not a replacement for perimeter security. It is instead a strategy to shift perimeter security from a single demarcation point between the “inside” and “outside” of your enterprise to a perimeter associated with each connection – and ideally to a point within that connection that is close to the resource being defended. This ensures that all connections to your resources (whether within your data center, in “the cloud”, on one of your managed endpoints, or from an unknown “external” entity) can detect and respond to threats occurring within these individual connections – and this brings up another important distinction and value-added feature of zero trust architectures.
If one of your resources does get compromised, zero trust “micro-segmentation” makes it harder for an attacker to leverage trust relationships between devices and move laterally to other systems. If they steal credentials on the compromised resource and use those credentials to try and access another resource, they will be limited in what they are able to do by the access policy associated with the stolen credentials for any resources they try and access. Sure, they can still use the compromised resource as a foothold to mount an attack against another one of your resources (say through an unpatched vulnerability or even a zero-day exploit), but we’ve certainly raised their work factor.
Based on this discussion, I view the key capabilities associated with a zero trust architecture as:
- Risk aware Identity and Access Management (IAM)
- Automated categorization of data and resources based on the “value” and “sensitivity” of the individual resources
- Dynamic threat monitoring that can continually assess the risk associated with each connection and respond to threats on a transactional, connection-by-connection basis
Now that we’ve discussed the theory of zero trust architectures (and assuming you are still with me), let’s talk about some of the practical realities of implementing zero trust. First of all, it is a new security paradigm and you need to embrace it as such and appropriately set your expectations for what it will take to move in this direction – investment, commitment, and time.
The good news is that you don’t need to implement zero trust across the entirety of your enterprise in order to make a difference. Many organizations start by deploying zero trust in alignment with their Digital Transformation initiatives and cut zero trust capabilities in as they shift workloads into the cloud. Others start with their most critical and sensitive systems in order to increase protection for the systems that underpin your mission critical business operations. Another place to start is with third party software services you are using as many of these have already incorporated policy based access control and data protection capabilities that can start you down the path towards zero trust. So the bottom line here is start small, start with some pilots, and iterate toward broader enterprise deployment.
Risk Aware Identity and Access Management
As mentioned above, zero trust attempts to limit access to only authorized and approved entities based on who or what is requesting access, the context around their access, the “value” or “sensitivity” of the resource being accessed, and the ability of end systems to adequately protect any data shared through the transaction.
In order to operate securely while still ensuring the access and functionality that is needed for day-to-day operations, zero trust architectures must have some ability to understand the risk associated with various connections and data transfers and then regulate access accordingly. For risk aware access to function, you need to understand (categorize) the “value” and “sensitivity” of your resources and this can be quite challenging. Key to this is determining what level of categorization and access control makes sense for your environment – for instance, can I get by with grouping high risk systems together and controlling access at this level, or do I need much finer grained categorization and access controls at the service, application, or individual data object level?
This all requires that you put some thought into data governance to ensure you fully understand the categories of data present in your enterprise and ensure that security controls and compliance requirements are met for each category of data throughout its lifecycle (we could spend an entire blog on data governance so will only touch on it briefly here). Depending on the size of your enterprise this may require some automated solutions to allow you to actively govern, categorize, manage, and verify compliance of your data resources.
Bringing this all together, we will use the simple example of an employee accessing your corporate network. In this case you have a pretty good idea who is accessing your infrastructure and what they require access to in order to perform their job (the realm of traditional IAM). Under zero trust, you will include additional risk factors into the access decision such as how they are accessing the network (e.g., a work at home user via a corporately managed laptop, from their personally owned smartphone on a public wifi network, etc.), what they are requesting access to (e.g., publicly accessible information, confidential internal documents, compliance regulated information), and whether their request is normal behavior for the user (e.g., sensitive data accessed at 2AM from a foreign network address sounds a bit “phishy”). Depending on these risk factors, you may decide that they should only have access to a limited set of data and services and require that they use two factor authentication each time they connect.
For corporately managed devices, you have the added ability to interrogate the device to ensure, for example, that the end system is properly configured per your enterprise standard, security software is enabled and running, and the device and applications are up to date on their security patches. In other words, can I trust this device to properly protect the data shared with the device?
All of this ultimately gets encoded in access policies associated with resources that can answer the basic “who, what, when, where, and why” kinds of questions associated with risk aware access.
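The employee scenario above and the risk factors listed under “What is Zero Trust?” can be expressed as a per-request, default-deny policy check. The sketch below is an added example, not code from this post or from any Fidelis product; the tier names, field names, weights, and thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, replace

# Tiers follow the post's examples; ranks, weights and thresholds are assumptions.
SENSITIVITY = {"public": 0, "internal_confidential": 1, "regulated": 2}
NETWORK_RISK = {"corporate": 0, "home": 1, "public_wifi": 2, "foreign": 3}
MAX_RISK = {1: 4, 2: 2}   # more sensitive tiers tolerate less context risk

@dataclass(frozen=True)
class Request:
    user: str
    entitlements: frozenset  # tiers the user may reach (traditional IAM)
    resource_tier: str
    device_managed: bool
    device_compliant: bool   # enterprise config, security software running, patched
    network: str
    hour: int                # local hour of the request, 0-23
    mfa_done: bool

def risk_score(r: Request) -> int:
    """Add up context risk for this single request."""
    score = 0 if (r.device_managed and r.device_compliant) else 2
    score += NETWORK_RISK.get(r.network, 3)      # unknown network = highest risk
    if r.hour < 6 or r.hour >= 22:               # outside the usual working pattern
        score += 1
    return score

def decide(r: Request) -> str:
    """Return 'allow', 'step_up' (require two-factor) or 'deny'; deny is the default."""
    tier = SENSITIVITY.get(r.resource_tier)
    if tier is None or r.resource_tier not in r.entitlements:
        return "deny"                            # uncategorized resource or no permission
    if tier == 0:
        return "allow"
    score = risk_score(r)
    if score > MAX_RISK[tier]:
        return "deny"
    if (tier == 2 or score >= 2) and not r.mfa_done:
        return "step_up"
    return "allow"

# Constructed sample: work-at-home employee on a managed, compliant laptop.
BASELINE = Request("alice", frozenset(SENSITIVITY), "internal_confidential",
                   True, True, "home", 10, False)

if __name__ == "__main__":
    byod = replace(BASELINE, device_managed=False, network="public_wifi")
    odd = replace(BASELINE, resource_tier="regulated", network="foreign", hour=2, mfa_done=True)
    for name, req in [("baseline", BASELINE), ("byod", byod), ("2am-foreign", odd)]:
        print(name, decide(req), risk_score(req))
```

Note that the 2AM request from a foreign network is denied even though two-factor authentication succeeded: a valid credential alone does not outweigh the context risk for the most sensitive tier.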
Dynamic Threat Monitoring
Security decisions that rely on logs, events and alerts have their limitations. For zero trust to work effectively, detection and response must be transactional in nature, application aware, and able to dynamically affect the access decision. This requires a constant cycle of scanning and assessing threats, adapting, and continually re-evaluating trust in ongoing communication.
Key here is visibility – meaning that your monitoring capabilities are in the right place at the right time to monitor zero trust transactions and detect any threats lurking in the communications. To do this, sensors must be in the path of all avenues in and out of your enterprise (including the cloud) and be able to decode the entire communication stack up to the data layer to detect advanced threats lurking within zero trust connections – and for this, Fidelis offers some really innovative solutions in this space.
Our Fidelis Elevate™ eXtended Detection and Response (XDR) provides extended detection and response that integrates network, endpoint, and deception defenses to give you holistic visibility and control of your environment. Now you know what to protect and the most probable paths of data exfiltration, command and control, surveillance and more. With powerful machine-learning analytics running against rich network and endpoint metadata, you can detect, hunt, and respond to advanced threats – in real-time and retrospectively – at every step of an attack, keeping your business operations and data safe.
If you would like a demonstration of all our capabilities, don’t hesitate to reach out to our sales team to schedule a demonstration.