Introduction to the Zero Trust Security Architecture — a Concept, Not A Product

The concept of "Zero Trust" has been around for years. Unfortunately, this concept becomes a cybersecurity catchphrase with cyberattacks like spear-phishing, ransomware, and business email compromise (BEC) at all-time highs. Even the notoriously slow government cybersecurity planning is on this matter. going all-in However, a crucial obstacle to widely adopting this security model is There is a lot of confusion about the definition out there. For example, a customer told me that he thought he knew what Zero Trust was, but now that everyone is talking about it and describing everything as Zero Trust, he understands less. mass uncertainty about what exactly "Zero Trust" means. As is the case with IT, in general, Zero Trust "is not just technology"; (again, it is about People, Process, Technology — PPT). CIOs, CISOs, and other corporate executives are frequently implementing Zero Trust because: it's about process and mindset as well the technologies that support its move into the mainstream the pressure to guard enterprise operations and data rise significantly, and attacks become more advanced and sophisticated. This time, I am writing to lay the fundamental concepts and introduce anyone who wants to bring Zero Trust into practice. Background The concepts supporting zero trust are not new. , an industry analyst at Forrester Research Inc, popularized the term but was coined in April 1994 by for his doctoral thesis on computational security at the University of Stirling. John Kindervag "Zero Trust Network" in 2010 Stephen Paul Marsh The difficulties of determining the perimeter to an organization's IT infrastructure were highlighted , discussing the trend of what was later coined "De-Perimiterisation." In 2009, Google implemented a Zero Trust architecture referred to as . by the Jericho Forum in 2003 BeyondCorp The Zero Trust is also known as a Zero Trust Network or Zero Trust Architecture. Related frameworks include Google's , Gartner's , NIST , and by Forrester. BeyondCorp CARTA SP800–207 ZTX The "Old" Trust Model Image by from | Hadrianus1959 wikimedia.org Creative Commons Attribution-Share Alike 4.0 International Under the legacy of the existing trust model, all the devices, including computers, servers, and network devices physically located in an office building — were on the same network and inherently trusted. For example: Your work desktop computer could connect to the printer on the same floor as your desk. You can find team documents on a shared file server. Security tools such as firewalls and antimalware were deployed to treat anything outside the perimeter (of the organization) as bad; everything inside the network is our friend (trusted). We also called this model "perimeter defense." As you may know, though, t have thoroughly disputed those assumptions. Organizations can't physically control every device their employees use anymore. And even if they could, the device is not just a device, but a tunnel from internal to anywhere, including the public cloud apps. he rise of mobile devices, cloud applications, and the remote workforce Once an attacker gets through those perimeter defenses, remotely or physically infiltrating an organization, Security should never be as stupid as "outside bad, inside good." the old security model would instantly grant them a lot of trust and freedom. Zero Trust Concepts Explained Image by from | Politikaner Wikimedia.org Creative Commons Attribution-Share Alike 3.0 Unported If you talk to "zero-trust" experts, the whole thing sounds like a religious experience. As all security professionals know, . cybersecurity is about mindset, not the technology itself Zero Trust is a security mindset centered on the idea that their perimeters and, alternatively, must verify anything and everything trying to connect before granting access. organizations should not automatically trust anything inside or outside Instead of trusting particular objects or connections from specific places, Zero Trust requires that people (i.e., device's user or data owner) Typically that means logging into a corporate account with biometrics or a hardware security key. In addition to simple usernames and passwords make it more difficult for attackers to impersonate users. prove they should be granted that access. And even once someone gets through, it's on a (conditional access). So, if you don't work with source codes as part of your job, your corporate account shouldn't bind into the R&D domain. need-to-know or need-to-access basis Analog: Zero Trust in Real Life — Airport Image by the author (although we didn't travel due to COVID-19.) When we need to travel to another country, we need to: The best analog of "trust zero" in our daily lives is airport security Buy air ticket — User Access Request Check-in — Identification, Contextual Information Collection Immigration border — Authentication Before onboard — Authorization, Conditional Access On the plane When you arrive at the airport, and as far as the "system" is concerned, you are unauthenticated, unauthorized, and thus untrusted for more than access to the public areas. Then this validates your identity and purpose. Next, you check your baggage in, which has its security checks (this could be analogous to having your laptop/desktop validated). you perform an initial Identification when you check-in; This elevation of trust permits access to the boarding lounge, which could be considered a trusted zone, and However, for certain transactions, you are required to show your boarding pass again. while you are in this zone, you can access certain "services" without further authentication. Afterward, when you board the plane, . At any point when you are within the trusted zones, you can be directed to re-authenticate. Some zones are not accessible to an average traveler (e.g., VIP lounges, staff areas, air-side areas, etc.). Much like a corporate environment, these would equate to management zones, database zones, etc. you are rechecked as you enter a zone requiring specific authorization Final Words — Concepts Provides Flexibility And Potentially Longevity People working in IT often try to map everything to clear definitions — as in the digital world (zero and one). The problem is people's first impression of Zero Trust treating it as a single piece of software you can install or a checkbox you can cross. The abstract nature of Zero Trust has its benefits. Designing from concepts and principles rather than particular products gives flexibility and potentially longevity; those specific software tools/ products don't. For me, it is a mindset, a set of concepts, or, more extreme, a philosophy. Other than agreeing on what the phrase means, the biggest obstacle to zero trust's proliferation is that most infrastructure currently in use was designed under the old "moat-and-castle" security model. There's no simple way to retrofit those types of operations for Zero Trust since the two approaches are so fundamentally different. You still have to implement things like device and software inventory, network segmentation, access controls. As an industry, , especially with all the attacks and real threats that organizations are facing. we need to have more integrity in communicating I am not saying the Zero Trust is a security panacea (There is none, obviously). And most importantly, not to mention that for most organizations. It's still easy enough to target the pieces of a victim's infrastructure that haven't yet been promoted with zero-trust concepts in mind. even the most secure environment nowadays is not 100% Zero Trust, Cybersecurity hasn't kept pace with this digital transformation/modernized environment. But we, at least, . First, you want to think about ubiquitous security. Second, you want to be predictive, so you need to be thinking about it differently. have to transform how you manage security Successful implementation of ZTA should involve the CISO, the CIO, and others in the executive tier to prioritize what moves to this model and which pieces of their environment can wait. Thank you for reading. May InfoSec be with you🖖. Also Published At: https://medium.com/technology-hits/zero-trust-is-a-concept-not-a-product-introduction-to-zero-trust-security-architecture-zta-3830d782ef5f