Zero Trust Architecture

Author - Sivakumar RR

“Trust is a human emotion that we have mistakenly injected into digital systems”
-- John Kindervag, Palo Alto Blog, 2018

To compromise a system or a network, a malicious actor only has to be right once, regardless of the endless failed attempts before that. On the other side of the game, defenders have to be right every time to protect their assets; there is no room for small mistakes or ignorance. As the “multinational company” model evolved, organizations put a lot of effort into defending their assets by grouping them and isolating them in private networks. So security came to mean the security of the network, and monitoring what went “in” and “out” of that network was considered to be the way of performing it.

So trusting everything inside this private network became common practice across industries. That was actually a great deal for malicious actors, since all they had to do was find a loophole to get into the network; once they were in, every asset was available to be compromised. To simplify this, imagine a mansion with high security gates, security guards and thick walls that secure the entry and exit points, but inside there are no guards and no security checks. In this scenario, all someone with bad intentions has to do is break in somehow, and everything else becomes a piece of cake.

The Pandemic Impact

The COVID-19 pandemic impacted all our lives; it became a spark for change in every aspect, including the way we communicate and the way we work. Industries across the globe promoted the WFH (work from home) culture that they had been hesitant to adopt before the pandemic. So now your office network is no longer something that sits only inside concrete walls: it got bigger, and depending on the employees and the places where they are located, it got much wider as well. The traditional VPN-powered work setup is no longer something that can scale up to these requirements, nor is it fully reliable.

Alternate Approach

Modern problems require modern solutions, and ZTA (Zero Trust Architecture) became one of the popular solutions to this problem. The first thing to understand is that it is not a tool adoption process; it is a journey that every organization should approach with a broad, milestone-based mindset. Most organizations in the industry today follow a reactive approach to security; ZTA is something that helps them change that to a security-by-design approach.

The Protect Surface

This is one of the primary views of ZTA: the organization identifies its assets and flags them as the protect surface. This is a long process; organizations need to scan through each component and analyze everything in it at a fine granularity. The primary components are:

Networks

The network is the bridge that connects everything and makes communication happen. But while considering everything a network can do, it is important to accept that it can be a bridge for both the good and the bad. All “IN” and “OUT” communications should be treated as untrusted, and fine-grained privileges should be established to secure them.

Devices

Managing or interacting with devices must maintain the same zero trust stance. All endpoints connecting to devices must be treated as unauthorized by default. Nowadays organizations allow both corporate devices and BYOD (Bring Your Own Device) under their policies, which actually adds a lot of risk factors as well.

Application

Each application should be valued separately, and treating each one as its own protect surface is an ideal practice, since it is not only the technical implementation that can be compromised but also the business logic. All inputs should be treated as malicious and all outputs as a potential breach, which forces the people building the application to secure it from the source.

Data

Protect data in all states, whether at rest or in transit. Follow the standards and policies appropriate to the nature of the data. Anticipating a breach and handling your data with the utmost care is a valuable way to earn the customer’s trust in your brand.

Infrastructure

Prevention is better than cure, so both prevention and detection tools are necessary as part of your infrastructure. Identity management plays a key role in this area; it helps the team block lateral movement and enforce the “need to know” policy.

Identity

Do not depend on traditional perimeter controls. Identity nowadays can take many forms, such as services and users, and each of them should be controlled. Having proper control throughout the identity lifecycle will help you in the long run.

NIST Special Publication (SP) 800-207, Zero Trust Architecture

The National Institute of Standards and Technology (NIST) is a physical science laboratory and non-regulatory agency of the United States Department of Commerce. From late 2018, work undertaken in the US by NIST and National Cybersecurity Center of Excellence (NCCoE) cyber security researchers led to this special publication. The publication defines zero trust as a collection of concepts and ideas designed to follow better practices that can lead to better security management.

https://www.nist.gov/publications/zero-trust-architecture

ZTA Implementation

This is a five-step, detail-oriented process in which stakeholders from different parts of the organization need to work together with the implementation team for better visibility.

Define Protect Surface

Unlike the popular stereotypes, in most cases a hack or breach of the system does not show up as a defaced website or an unauthorized access alert. Each organization has different types of valued assets: for an analytics company it might be the data, and for a manufacturer it might be the devices. So defining the protect surface in detail is the first step of the ZTA implementation process. Asset identification covers all components:

Data - Information protected by regulation and law
Applications - All applications, both developed in house and acquired
Assets - All devices under management
Services - Connections to services and the protocols used in communication

Map Transaction Flows

Regardless of the applications or technologies commonly used across organizations, the distinction lies in how they are used. How a technology or application is used inside the organization is defined by the business workflows, and mapping those steps is our next step in ZTA. This step has a significant impact on the entire process because it is where the technologist comes to understand the business, so it is acceptable to begin with approximations. By doing this you get a better idea of what is critical and what is non-critical in your business scenarios. It remains an iterative process that brings more detail and granularity to the information over time.

Architect Zero Trust Network

Take a reference architecture and tailor it to your business needs. The idea here is to implement a granular Layer 7 protect surface where all applications, users and endpoints are managed. There is more in the execution details of this phase: there will be a need for software-defined perimeters, identity-driven network access control, network micro-segmentation, third-party access management and so on.

Create Zero Trust Policy

Policies are defined in terms of Who, What, When, Where, Why and How. A policy should be able to answer each of these: who is accessing, what is being accessed, when it is accessed, where the destination is, why there is an attempt to access it, and how it is being accessed. Analyzing the answers to these questions gives better clarity on how to set your access controls properly.

Monitor & Maintain Network

Continuous monitoring and analysis of all the communication happening inside your network is important; it helps you identify anomalies as well as update your policies based on the observed patterns of communication. Collect as much data as possible; more data is always better than less. Promoting and investing in User and Entity Behavior Analytics (UEBA) will help in the long run as well.
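The five steps above are easier to picture in code. The following is an added example, not code from the article or from any vendor's product: a miniature default-deny policy engine in which the protect surface is an asset inventory (step 1), the mapped transaction flows are the only identity-to-asset pairs that get a policy at all (step 2), each policy is written as Who/What/When/Where/How (step 4), and a monitoring pass evaluates a batch of access requests and flags identities that accumulate denials, which is the simplest form of the behavior analytics mentioned in step 5. Every identity, asset name, network range and request in it is constructed for the example.

```python
"""Added example: default-deny zero-trust policy evaluation over a
constructed protect surface. Not from the original article."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Step 1: the protect surface. Constructed inventory of data, applications
# and assets; anything not listed here is outside the surface and is denied.
PROTECT_SURFACE = {
    "payroll-db":  {"kind": "data",        "classification": "regulated"},
    "hr-portal":   {"kind": "application", "classification": "internal"},
    "build-agent": {"kind": "asset",       "classification": "internal"},
}


@dataclass
class Policy:
    """One Who/What/When/Where/How rule for a single mapped transaction flow."""
    who: str                        # identity: user or service principal
    what: str                       # asset from the protect surface
    how: frozenset                  # permitted actions
    when: tuple = (0, 24)           # permitted UTC hours [start, end)
    where: tuple = ()               # permitted source networks (CIDR)
    mfa_required: bool = True       # user identities must prove MFA


# Steps 2 and 4: only the mapped flows get a policy (constructed examples).
POLICIES = [
    Policy("alice@corp", "hr-portal", frozenset({"read", "write"}),
           when=(7, 20), where=("10.20.0.0/16",)),
    Policy("svc-payroll", "payroll-db", frozenset({"read"}),
           where=("10.30.1.0/24",), mfa_required=False),
    Policy("bob@corp", "build-agent", frozenset({"read"}),
           when=(6, 22), where=("10.20.0.0/16", "203.0.113.0/24")),
]


@dataclass
class Request:
    """An access attempt as seen by the enforcement point."""
    who: str
    what: str
    how: str
    when: datetime
    where: str                      # source IP address
    mfa: bool = False


def evaluate(req: Request, policies=POLICIES) -> Tuple[bool, str]:
    """Return (allowed, reason). Default deny: the request must satisfy every
    dimension of at least one policy for its identity/asset pair."""
    if req.what not in PROTECT_SURFACE:
        return False, "unknown asset (not in protect surface)"
    try:
        src = ip_address(req.where)
    except ValueError:
        return False, "unparseable source address"
    reason = "no policy for this identity/asset pair"
    for p in policies:
        if p.who != req.who or p.what != req.what:
            continue
        if req.how not in p.how:
            reason = f"action {req.how!r} not permitted for {req.who}"
        elif not (p.when[0] <= req.when.hour < p.when[1]):
            reason = "outside permitted hours"
        elif not any(src in ip_network(n) for n in p.where):
            reason = f"source {req.where} not in permitted networks"
        elif p.mfa_required and not req.mfa:
            reason = "MFA required"
        else:
            return True, "explicitly allowed"
    return False, reason


def monitor(requests: List[Request], threshold: int = 3):
    """Step 5: evaluate a batch of requests and flag identities whose denied
    attempts reach the threshold, a minimal UEBA-style signal."""
    decisions = [(r, *evaluate(r)) for r in requests]
    denials = Counter(r.who for r, ok, _ in decisions if not ok)
    flagged = sorted(who for who, n in denials.items() if n >= threshold)
    return decisions, flagged


# Constructed request log: one day of access attempts, some legitimate and
# some that a flat trusted network would have let through silently.
SAMPLE_REQUESTS = [
    Request("alice@corp", "hr-portal", "read", datetime(2023, 5, 2, 9, 15), "10.20.4.7", mfa=True),
    Request("alice@corp", "hr-portal", "read", datetime(2023, 5, 2, 23, 5), "10.20.4.7", mfa=True),
    Request("svc-payroll", "payroll-db", "read", datetime(2023, 5, 2, 3, 0), "10.30.1.9"),
    Request("svc-payroll", "payroll-db", "write", datetime(2023, 5, 2, 3, 1), "10.30.1.9"),
    Request("bob@corp", "payroll-db", "read", datetime(2023, 5, 2, 10, 0), "10.20.9.9", mfa=True),
    Request("bob@corp", "build-agent", "read", datetime(2023, 5, 2, 10, 1), "198.51.100.4", mfa=True),
    Request("bob@corp", "build-agent", "read", datetime(2023, 5, 2, 10, 2), "10.20.9.9"),
]

if __name__ == "__main__":
    decisions, flagged = monitor(SAMPLE_REQUESTS)
    for req, ok, why in decisions:
        print(f"{'ALLOW' if ok else 'DENY ':5} {req.who:12} {req.how:5} {req.what:12} {why}")
    print("flagged identities:", flagged)
```

The point of the loop in evaluate is that a request only succeeds by matching a policy on every dimension; a mismatch on any one of them records a reason and falls through to deny. In the sample log, bob's three denied attempts (a request for an asset he has no mapped flow to, a request from an unlisted network, and a request without MFA) are exactly the kind of pattern the monitoring step is meant to surface for investigation and policy review.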

Having said all this, always look at the big picture. Before jumping to conclusions or deciding on the architecture or framework best suited to your organization, assess where you stand right now. Look at the maturity level of the current setup in your organization, perform assessments on each entity and run the results past experts for better decision making. Choose what best suits your business requirements rather than following the trends.
