I recently attended a security conference with multiple speakers covering a wide variety of topics – one of the topics, “Zero-Trust Architecture” (ZTA), was being addressed by one of the vendors, and I decided to sit in and listen. A few minutes into the session, two facts became glaringly apparent: 1) the speaker, who shall remain nameless, did not actually understand what Zero-Trust Architecture is or what it means to implement Zero Trust, and 2) this was a sales pitch disguised as an educational seminar.
Unfortunately, presentations on this and other topics are often heavy on buzzwords that don’t actually contribute value or advance understanding. As the session came to a close, it transitioned into the Q&A portion – which happened to be the moment I lost a little more hope for our fellow cybersecurity aficionados after hearing some of the questions asked. Below are just a few of them:
After walking out of the session and regaining consciousness, I decided to take a little time out of my day to bring awareness to Zero-Trust Architecture and demystify what it means. First and foremost, ZTA is NOT a new technology. As illustrated by Palo Alto’s Cyberpedia article, achieving Zero Trust is often perceived as costly and complex. However, Zero Trust is built upon your existing architecture and does not require you to rip and replace existing technology. There are no Zero Trust products. There are products that work well in Zero Trust environments and those that don't.
Zero Trust is the term for an evolving set of network security paradigms that move network defenses from wide network perimeters to narrowly focusing on individual or small groups of resources. A ZTA strategy is one in which there is no implicit trust granted to systems based on their physical or network location (i.e., local area networks vs. the internet). In layman’s terms, the basic principles of zero-trust are:
- Assume the network is always hostile
- External AND internal threats are always present
- Internal networks are not sufficient grounds to be trusted any more than external ones
- Every device, user, and network flow MUST be proven
- You must log and inspect ALL traffic
These security principles are a stark contrast to what most organizations currently implement, perimeter-based security, which adopts the following basic principles:
- Internal access is trusted
- External access is untrusted
The major shortcomings of perimeter-based security are that:
- Inside access is not always friendly
- Modern attacks are inside-out, rather than outside-in
- Trusted systems bring attackers in
- Internal access is more loosely regulated
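To make the contrast between the two models concrete, here is an added example (not code from the original post) that evaluates the same set of requests under a perimeter policy and under a zero-trust policy. The `Request` fields, the two decision functions and the four sample requests are assumptions constructed for this illustration; the zero-trust function also appends every decision, allowed or denied, to an audit log, reflecting the "log and inspect ALL traffic" principle above.

```python
"""Per-request access decisions: perimeter model vs zero-trust model.

Added illustration, not code from the original post. All names (Request,
perimeter_decision, zero_trust_decision, SAMPLE_REQUESTS) are assumptions
constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    user_authenticated: bool   # strong authentication completed for this session
    device_id: str
    device_verified: bool      # device is enrolled and its health check passed
    source_network: str        # "internal" or "external"; ZT treats both as hostile
    flow_encrypted: bool       # the network flow itself is authenticated and encrypted
    resource: str
    authorized: bool           # user is entitled to this specific resource


# Every decision the zero-trust policy makes is recorded here, allow or deny.
audit_log: List[dict] = []


def perimeter_decision(req: Request) -> bool:
    """Perimeter model: location decides. Inside is trusted, outside is not."""
    return req.source_network == "internal"


def zero_trust_decision(req: Request) -> bool:
    """Zero-trust model: location is irrelevant; user, device and flow must all be proven."""
    checks = {
        "user_authenticated": req.user_authenticated,
        "device_verified": req.device_verified,
        "flow_encrypted": req.flow_encrypted,
        "authorized": req.authorized,
    }
    failed = [name for name, ok in checks.items() if not ok]
    allowed = not failed
    audit_log.append({
        "user": req.user,
        "device": req.device_id,
        "resource": req.resource,
        "network": req.source_network,
        "decision": "ALLOW" if allowed else "DENY",
        "failed_checks": failed,
    })
    return allowed


# Constructed sample requests (not real systems or users).
SAMPLE_REQUESTS = [
    # Unmanaged laptop plugged into the LAN: perimeter trusts it, zero trust does not.
    Request("alice", True, "unmanaged-laptop", False, "internal", True, "hr-db", True),
    # Fully proven user and device connecting from a coffee shop.
    Request("bob", True, "corp-laptop-17", True, "external", True, "wiki", True),
    # Fully proven user and device on the LAN: both models allow.
    Request("carol", True, "corp-laptop-42", True, "internal", True, "wiki", True),
    # Proven user and device, but the flow is plaintext: zero trust drops it.
    Request("dave", True, "corp-laptop-09", True, "internal", False, "hr-db", True),
]


def compare(requests: List[Request]) -> List[Tuple[str, str, bool, bool]]:
    """Return (user, network, perimeter_allows, zero_trust_allows) per request."""
    return [
        (r.user, r.source_network, perimeter_decision(r), zero_trust_decision(r))
        for r in requests
    ]


if __name__ == "__main__":
    for row in compare(SAMPLE_REQUESTS):
        print("user=%s network=%s perimeter=%s zero_trust=%s" % row)
    for entry in audit_log:
        print(entry)
```

Note that the perimeter function never looks at the user, device or flow at all: a compromised host on the LAN is indistinguishable from a healthy one, which is exactly the "inside access is not always friendly" shortcoming listed above.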
Most organizations go a step further and implement logical segmentation, such as separating different organizational components into their own subnets, implementing a demilitarized zone (DMZ), a Web Application Firewall (WAF), and more. However, this approach is starting to show its age, as the foundation of perimeter-based security primarily follows “trust and verify,” which is fundamentally different from ZTA’s paradigm shift of “verify, and then trust.”
Another fundamental concept that pairs well with ZTA is Trust Over Time (TOT), which essentially boils down to the notion that risk to systems and assets increases over time as they deviate from their baseline, so trust in them needs to be refreshed. To reduce operational risk over time, activities such as rotating credentials and replacing certificates limit the window in which a compromised secret can be reused.
ZTA is essentially asking us to authenticate and encrypt all traffic – end-to-end. Everywhere and anywhere. For ZTA to be implemented properly, encryption cannot simply be perimeter-based. Encryption is required at either the device or the application. Endpoints should be configured to drop anything that is not encrypted. This is quite a tall order and has the potential to interrupt or completely break an operational process or technical mechanism, depending on the implementation and environment. Justin Henderson from the SANS Institute does a great job going into further detail in his SEC 530 webcast and provides further examples of leveraging your current technology stack to implement ZTA.
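The two preceding ideas, Trust Over Time and "drop anything not encrypted", combine naturally into a single admission check for a flow. The following is an added example, not code from the original post or from the SANS webcast; the `Flow` fields, the rotation and re-verification thresholds, and the sample flows are assumptions constructed for the illustration. Trust in a session is modelled as decaying linearly from the last successful verification, and a flow is dropped outright if it is plaintext, if its peer certificate is missing or expired, or if the underlying credential is past its rotation deadline.

```python
"""Trust Over Time: admit a flow only if it is encrypted and its proofs are fresh.

Added illustration, not code from the original post or the SANS webcast. Names,
thresholds and sample flows are assumptions constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

MAX_CREDENTIAL_AGE = timedelta(days=90)   # assumed rotation policy for credentials
REVERIFY_AFTER = timedelta(hours=8)       # assumed: session trust fully decays after 8h


@dataclass(frozen=True)
class Flow:
    peer: str
    encrypted: bool                        # TLS/mTLS established for this flow
    cert_not_after: Optional[datetime]     # peer certificate expiry; None if no cert
    credential_issued: datetime            # when the user/device credential was issued
    last_verified: datetime                # last successful (re)authentication


def trust_score(flow: Flow, now: datetime) -> float:
    """Linear decay from 1.0 at the last verification to 0.0 at REVERIFY_AFTER."""
    age = now - flow.last_verified
    return max(0.0, 1.0 - age / REVERIFY_AFTER)


def admit(flow: Flow, now: datetime) -> Tuple[str, str]:
    """Return (decision, reason) for a flow: ALLOW, REVERIFY or DROP."""
    if not flow.encrypted:
        return "DROP", "unencrypted flow"
    if flow.cert_not_after is None or flow.cert_not_after <= now:
        return "DROP", "certificate missing or expired"
    if now - flow.credential_issued > MAX_CREDENTIAL_AGE:
        return "DROP", "credential past rotation deadline"
    if trust_score(flow, now) <= 0.0:
        return "REVERIFY", "session trust decayed; re-authenticate"
    return "ALLOW", "all proofs fresh"


# Fixed "now" so the constructed sample flows give deterministic results.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

SAMPLE_FLOWS = {
    "plaintext": Flow("10.0.0.5", False, None,
                      NOW - timedelta(days=10), NOW - timedelta(hours=1)),
    "expired_cert": Flow("10.0.0.6", True, NOW - timedelta(days=1),
                         NOW - timedelta(days=10), NOW - timedelta(hours=1)),
    "stale_credential": Flow("10.0.0.7", True, NOW + timedelta(days=30),
                             NOW - timedelta(days=120), NOW - timedelta(hours=1)),
    "stale_session": Flow("10.0.0.8", True, NOW + timedelta(days=30),
                          NOW - timedelta(days=10), NOW - timedelta(hours=9)),
    "fresh": Flow("10.0.0.9", True, NOW + timedelta(days=30),
                  NOW - timedelta(days=10), NOW - timedelta(hours=1)),
}


def evaluate_all(flows: Dict[str, Flow], now: datetime) -> Dict[str, str]:
    """Map each sample flow name to its admission decision."""
    return {name: admit(flow, now)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        decision, reason = admit(flow, NOW)
        print(f"{name:17s} -> {decision:8s} ({reason}, trust={trust_score(flow, NOW):.3f})")
```

The ordering of the checks matters: transport-level failures (plaintext, bad certificate) are rejected before any identity reasoning happens, and only a flow that passes every hard check is allowed to fall through to the soft, time-based re-verification step.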
In summary, achieving Zero Trust does not require adoption of any new technologies. It’s simply a new approach to cybersecurity: “never trust, always verify,” or eliminate any and all implicit trust, as opposed to the more common perimeter-based security approach that assumes user identities have not been compromised and that all human actors are responsible and can be trusted. The concept of trusting anything internal to our networks is fundamentally flawed, as evidenced by all the data breaches in the news, most of which were caused by misuse of privileged credentials.