Zero Trust Security Architecture
Zero trust seems to be all the rage in the industry currently, but zero trust, as a concept and as a tool, needs to be integrated into the security infrastructure that already exists. That thinking led to this article.
The term zero trust goes back to 1994, when Stephen Marsh's PhD dissertation proposed that 'trust' can be defined mathematically. In 2003 an international group called the Jericho Forum began to study the problem, which they named 'de-perimeterisation', and set about dismantling the idea that the internal network is a safe and protected place. That should have happened the moment the first VPN connection from outside the network was implemented.
It took some time for the real world to catch up with the theory, but in 2009 Google started building the BeyondCorp security model, which is now considered an early approach to zero trust. NIST was the first of the governmental organizations to create a standard around the concept: the draft of SP 800-207, Zero Trust Architecture, was published in 2019 and the final version in 2020.
There seem to be as many opinions on what zero trust is as there are people with an opinion on zero trust, so keep in mind that the article below is my opinion! Let's set the stage for zero trust by looking at some definitions, from NIST first:
"Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources"
This next one is from Wikipedia:
"The zero-trust security model (also, zero trust architecture, zero trust network architecture, ZTA, ZTNA), sometimes known as perimeterless security, describes an approach to the design and implementation of IT systems"
Two definitions that overlap in places but still approach zero trust from different angles: NIST describes a set of paradigms, Wikipedia an approach to design and implementation. No wonder there are many opinions and definitions of zero trust.
Vendors
Contrary to what many cybersecurity vendors are saying, buying a product does not implement zero trust in your infrastructure. A product can, and does, help implement zero trust in your infrastructure.
For us to apply zero trust for our clients, or in our own infrastructures, we need to look at a level above the various products that promise us zero trust. Zero trust is a way of approaching the design of, for instance:
- Network infrastructure
- Segmentation
- Encryption
- Protocols
- Identity systems
- PAM (privileged access management)
- IAM (identity and access management)
- AD (Active Directory)
Zero Trust How-to
The reality is that zero trust will be implemented in already existing infrastructures. I do not know about you, but the greenfield implementations I am part of are few and far between. So, where do we start on a zero-trust journey?
I like to begin at the foundation of any infrastructure, the network. Looking at the NIST standard mentioned earlier, SP 800-207, there is a section in chapter 2 called 'Tenets of Zero Trust'. That section lists the principles behind the zero-trust model; below I have extracted the ones related to the network:
- All communication is secured regardless of network location
- Access to individual enterprise resources is granted on a per-session basis
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture
Some of the tenets above should be familiar to you. They are used in other security models and standards as well. Does that mean that zero trust is old wine in new bottles? No. The zero-trust security model takes already known security tools and controls and applies them in a manner much better aligned with the threat picture we see today: network location is no longer a credential, every access is authenticated and authorized per session, and the posture of the device making the request is part of the decision.
Our infrastructures have not been limited to on-premises for a long time. Even before the cloud got as big as it is, many companies were outsourcing their applications, networks and security to partners so they could focus on their own business, and the cloud has only accelerated that trend. Our infrastructures are now scattered across different companies, locations and jurisdictions, which makes a security architecture like zero trust an important tool for securing them.
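To make the network-related tenets concrete, here is an added example of a minimal policy decision point (PDP), written for this article; it is not code from NIST SP 800-207, from BeyondCorp or from any vendor product. It evaluates every request from identity, MFA state, device posture and a per-resource policy, issues a short-lived session grant scoped to one resource, and records the source network only for the audit trail. A `perimeter_decide` function shows the legacy model alongside it. The resource names, group names, patch-age thresholds, the 10.0.0.0/8 'corporate' range and the sample subjects and devices are all assumptions made up for the illustration.

```python
"""Minimal zero-trust policy decision point (PDP): an added example, not code from
the article, NIST SP 800-207 or any product. All resource names, thresholds,
IP ranges and sample subjects/devices below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional
import secrets

# Assumed 'internal' range. The perimeter model trusts it; the zero-trust PDP only logs it.
CORPORATE_NETWORK = ip_network("10.0.0.0/8")

# Assumed per-resource policy: resource -> (required group, max patch age in days, session lifetime)
RESOURCE_POLICY = {
    "hr-db": ("hr", 14, timedelta(minutes=15)),
    "wiki": ("staff", 60, timedelta(hours=8)),
}


@dataclass(frozen=True)
class Subject:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str
    source_ip: str
    when: datetime


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    resource: Optional[str] = None
    session_token: Optional[str] = None
    expires: Optional[datetime] = None


def perimeter_decide(req: Request) -> Decision:
    """The legacy model the Jericho Forum argued against: the network location is the credential."""
    if ip_address(req.source_ip) in CORPORATE_NETWORK:
        return Decision(True, "inside the perimeter", req.resource)
    return Decision(False, "outside the perimeter")


def device_posture_ok(device: Device, max_patch_age_days: int) -> bool:
    """Tenet: the enterprise measures the posture of every asset before granting access."""
    return device.managed and device.disk_encrypted and device.patch_age_days <= max_patch_age_days


def decide(req: Request) -> Decision:
    """Zero-trust PDP: identity, device posture and resource policy decide; location never does."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision(False, "unknown resource, default deny")
    group, max_patch_age_days, lifetime = policy
    # Location goes into the audit trail only; it is not an input to the decision.
    location = "corporate" if ip_address(req.source_ip) in CORPORATE_NETWORK else "external"
    if not req.subject.mfa_verified:
        return Decision(False, f"MFA required before access ({location} source)")
    if group not in req.subject.groups:
        return Decision(False, f"{req.subject.user} is not in group '{group}'")
    if not device_posture_ok(req.device, max_patch_age_days):
        return Decision(False, f"device posture below policy for {req.resource}")
    # Tenet: access is granted per session, scoped to one resource and short-lived.
    return Decision(True, f"granted ({location} source)", req.resource,
                    secrets.token_urlsafe(16), req.when + lifetime)


def session_valid(decision: Decision, resource: str, now: datetime) -> bool:
    """A grant is honoured only for its own resource and only until it expires;
    after that the request has to go through decide() again."""
    return (decision.allow and decision.resource == resource
            and decision.expires is not None and now < decision.expires)


# Constructed sample input (not real users or devices).
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ALICE = Subject("alice", frozenset({"staff", "hr"}), mfa_verified=True)
LAPTOP = Device(managed=True, disk_encrypted=True, patch_age_days=3)
STALE_LAPTOP = Device(managed=True, disk_encrypted=True, patch_age_days=30)

if __name__ == "__main__":
    for ip in ("10.1.2.3", "203.0.113.5"):
        req = Request(ALICE, LAPTOP, "hr-db", ip, NOW)
        print(ip, "perimeter:", perimeter_decide(req).allow, "zero trust:", decide(req).allow)
```

The point of running both functions on the same request is the contrast: `perimeter_decide` lets an un-MFA'd user on a corporate address straight into the HR database and rejects a fully verified user at home, while `decide` gives the same answer from either address and instead turns on MFA, group membership and patch state. The grant it returns carries its own expiry, so the policy is re-evaluated every session rather than once at login.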
Caveats
Zero trust is an aggressive term. I have a client that has gone all in on zero trust thinking but has experienced significant pushback from the employees. Why? Employees who have been with a company for years will see the whole zero trust concept as a sign that they are no longer trusted in the organization.
We have a couple of choices to make here. One is to go about implementing zero trust without announcing it to the employees; we can get quite far before we need to involve them in the effort. The other is to rename the zero-trust project. An author on the Danish Computerworld site came up with the term 'maximize trust', a name that makes it much easier to gain employee buy-in for a zero-trust project.
Finally, make no mistake here: a zero-trust project is a massive undertaking in any infrastructure, so make sure that you get buy-in from the highest level of management and that the project sponsor comes from that level of authority as well. And remember, no single vendor tool will make you zero-trust 'compliant'.
Tom Madsen
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and has held several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISC, CCSP, CDPSE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book, 'Security Architecture - How & Why'.