Zero Trust is not a new concept, but aligning access controls across users, devices, applications and resources rejuvenates its prowess.
The concept of Zero Trust Networking (ZTN) is gaining in popularity. However, many organizations still think of security as protecting the perimeter—replete with layered security technologies akin to the layers of an onion.
However, moving from a legacy position to a more progressive approach to cyber security need not be a big-bang project. Instead, some organizations are embarking on more manageable phased transitions that move over key functions with little disruption and with appropriate investment.
The fundamental idea around ZTN is not new, but the terminology has made a comeback in recent years.
A number of technologies including Virtual Private Networks (VPN), Mobile Device Management (MDM), cloud access security and Network Access Control (NAC) practice tenets of the philosophy, but where ZTN has evolved is the notion of tying all of these elements together by aligning access controls across users, devices, applications, and resources, both in the cloud and within data centers.
ZTN is a logical response to the reality of cyberattacks that tend to find and exploit the weakest layer in the onion layers of technologies protecting today’s extended and permeable perimeter.
Before getting caught in the “magic bullet” euphoria that is so common within the IT security industry, we should examine the architecture in more detail.
ZTN is based on the concept of continuous verification and authorization. It ensures that only authenticated users with compliant devices, whether corporate, personal or public, can connect to authorized applications over any network, whether on-premises or in the cloud.
This approach may sound less glamorous than adding more bricks to “an impenetrable wall”, but in practice, it is more effective for administration, cost and defence.
Looking at the constituent parts such as VPN, NAC, MFA in isolation does provide an idea of how, when working in concert, the practice of ZTN can significantly reduce the risk of a cyberattack turning into a business crippling incident.
Experts in the cyber security industry have aligned around the basic principles of ZTN:
- Know your architecture including users, devices, and services
- Create a single strong user identity
- Create a strong device identity
- Authenticate everywhere
- Know the health of your devices and services
- Focus your monitoring on devices and services
- Set policies according to the value of the service or data
- Control access to your services and data
- Do not trust the network, including the local network
- Choose services designed for zero trust
In order to align with the model of ZTN, there is a set of principles to help organizations align with ZTN tenets without throwing out existing investments:
- Continuous authentication of identity, devices, application, and security posture—before and during any authorized connection
- Centralized authorization and policy enforcement
- Separated control and data planes
- Granular segmentation based on per application, per-user, and per-device connectivity
- Significantly-reduced threat surface by mitigating numerous APTs, malware, DDoS attacks and rendering resources “dark”
To accomplish this, organizations need to review their current secure access solution stack, determine how to orchestrate controls and identify gaps to close, depending on access compliance and data protection obligations.
It is critical to centralize policy enforcement so that every user, and each of their devices, is governed by a granular policy based on role, resource and application and other attributes, such as location, to be accessed.
The process authenticates every user and device security state before the connection is made, ensuring that unauthorized users or devices are only able to see and access authorized resource. Moreover, it also re-verifies user and device security posture during a connection to determine if the security state is no longer acceptable. In such cases, the connection can be terminated, resource access can be reduced, or devices can be quarantined or remediated, depending on a policy set by the administrator.
Finally, resources should be rendered “dark”. In other words, no DNS, internal IP address, or visible port information is communicated until proper authorization takes place. So, unauthorised users cannot traverse the network “looking” for resources to infiltrate.
This reduces the attack surface significantly by mitigating or eliminating numerous threats like APTs, man-in-the-middle and malware risks. When moving towards implementing a ZTN model, it is important for organizations to include these controls.
Palatable industry perspective
ZTN is a model. As such, it will require organizations to align technologies and orchestrate controls in support of ZTN model tenets.
At first glance, this appears to be a major staff endeavour at a time where organizations are struggling to recruit, train and retain cybersecurity professionals. However, by prioritizing and breaking down the task into key elements that support a new business initiative or a major potential security exposure, ZTN can become more approachable and achievable.
Given the increase in cyberattacks and data breaches, the longer-term view is that moving to a ZTN model will lead to less day-to-day security alert firefighting through a systematically-improved secure posture and reduced attack surface: a case of short-term pain for longer term gain.
In fact, a recent survey found that 72% of organizations plan to assess or implement Zero Trust capabilities in some capacity in 2020, with larger enterprises being the keenest to take on the effort.
With the current deluge of security breaches showing no signs of letting up, with related reputational impact and compliance fines, organizations would be compelled to take decisive ZTN actions and unlock the promise of vastly enhanced usability, data protection and governance.