Zero Trust explained as a new IT security concept
TRUST NO ONE! - How "Need-to-know" Principle and "Zero Trust" Become the New Standard
Digital products and services are evolving at breakneck speed. New inventions or adaptations are added every day. Intellectual property or sensitive data must be specially protected in the process. As more and more companies switch to cloud-based solutions, the security standard of their own network architecture must also be reconsidered. This is where the “Zero Trust” concept comes into play. It is based on the “need-to-know” principle and turns our fundamental understanding of trust on its head.
Index
Trust as a binding element of society
Trust is the binding agent in a society. Without trust, no economy can function. Every transaction is based on trust that the other economic participant will keep his end of the bargain.
In this context, we have seen a transformation over the centuries, evolving from local trust to institutional trust to platforms. Local trust was characterized by personally knowing the people with whom one did business. The local greengrocer had built up a good reputation over many years, so people in the village were happy to buy their tomatoes and potatoes from him. If the greengrocer had once behaved dishonestly and, for example, sold tomatoes of lower quality or suddenly sold smaller potatoes for the same price, word would have spread quickly in the village and people would have quickly bought from the competition.
A years later, people begin to give their trust preferentially to those who had gained recognition through regulation and formal guidelines. Institutions that had been externally audited multiple times seemed trustworthy and had integrity. For this reason, banks, universities and public institutions enjoyed a high level of trust in society.
More than a decade ago, however, people’s trust moved in a different direction again as scandals within public institutions became increasingly public or the world was shaken by the banking crisis. From this point on, people began to focus more on platform monomies and the opinions of the masses were taken into account in their own decisions. More trust was placed in reviews than in any assessment by an institutional organization.
And today we are confronted with a completely new concept – “Zero Trust”. We find the term “Zero Trust” in the field of network architecture. Well, the concept is not that new, because it was already mentioned a few years ago – in 1994 – in a doctoral thesis by Stephen Pau Marsh, but did not enjoy too much attention at that time.
In 2010, the analysts at Forrester “Zero Trust” took another look at the topic. The concept moves away from the idea of a trusted network within a defined corporate perimeter. Instead, it starts directly with the data. In 2018, analysts at Forrester presented Zero Trust eXtended (ZTX), an enhanced model that IT managers can use to build their security architectures along the lines of the Zero Trust idea.
According to the Tech Trend Report by consulting firm McKinsey, the topic of “trust architecture” deserves a lot of attention in the coming years. Although the trend is relatively small compared to topics such as “applied AI” and “distributed infrastructure”, it has nevertheless made it into the list of top trends. And not without reason. As corporate security standards continue to evolve, so do the potential areas of attack. Cybercriminals are constantly finding new ways to penetrate networks and cause major damage. Often, these attacks and threats come from inside perpetrators.
So what is behind the “Zero Trust” concept and what do you need to watch out for?
Definition: Zero Trust as a security concept
The Zero Trust concept is based on two key elements to increase security:
- identify sensitive data and map its distribution
- who accesses what data, when and where, and what it is used for.
This approach is based on the idea that companies should not trust their customers, employees or even applications, either inside or outside the company’s boundaries. Anyone attempting to access corporate data must be vetted and controlled. It is a data-centric approach with continuous monitoring. Every action is monitored and stopped if necessary. In 2009, the Google company defined its own zero-trust variant with a context-based access concept. Initially, the company only used the concept internally, but in 2019 it began to implement the technology in its services for its customers as well and from then on also used the model in G-Suite products.
Market research firm Gartner also followed the zero-trust trend in 2017 and developed CARTA. The acronym stands for “Continuous Adaptive Risk and Trust Assessment” and continues the original principle. According to the concept, users, devices and apps must not only be checked each time they log in, but their trust status must be continuously checked during sessions. If a risky change is detected, the granted access to a service can be restricted or interrupted on an ad hoc basis.
The 5 core aspects of the CARTA approach.
- Deploy unique security locks using adaptive, context-aware security platforms;
- Constantly monitor, assess, and prioritize risk and trust;
- Begin risk and trust considerations in digital business initiatives during the development process;
- Provide comprehensive, complete visibility;
- Ensure rapid responses using digital analytics, automation and artificial intelligence.
Software Defined Perimeter
The Software Defined Perimeter (SDP) is said to be a way to implement Zero Trust. The technology is based on the Black Cloud concept, which was developed by the IT division of the US Department of Defense. Following this concept, access to networks and connections is established according to the need-to-know principle. The idea is simple: each user only sees exactly what he needs to see and for which he has been given clearance.
The concept consists of a combination of three parts:
- Device authentication;
- Identity-based access;
- Dynamically provisioned connectivity.
This setup ensures that the user sees nothing of the entire network. If someone wants to access an application or a resource on the network, he is authenticated for exactly that resource and goes directly there. Access management is shifted from the network perimeter to the resource or application, so users do not know where they are in the network at any time.
On a technological level, Software Defined Perimeter (SDP) builds on a number of already familiar approaches. Next generation firewalls or network access control offer various functions that enable authentication using individual parameters. For this reason, there are a number of vendors that offer such or modified solutions. Software Defined Perimter depends on numerous technologies and their coordination with each other. Therefore, there are a few points to consider during implementation.
4 aspects for SDP implementation
The following aspects should be considered by every company.
1. Strategy development
Authenticating every transaction and encrypting every network session involves a lot of effort. Therefore, SDP implementation must be strategically planned from the beginning. Otherwise, operations will be chaotic and IT risk will increase as one weak component makes the entire SDP infrastructure vulnerable to attack.
2. Authentication throughout the stack
The SDP architecture defines a number of connection types between clients, servers, clouds, etc. Each of these connections needs strong authentication from layer two to layer seven corresponding methods (such as token, biometrics or smart card), key management for encryption, certificate management and public key infrastructure.
3. Collect, analyze and process data
To manage something, it must also be possible to measure it. Therefore, it is important for SDP to collect, process and analyze all available types of data. This includes information about endpoints, users, network flows, directories, authentication systems and threat intelligence, among others. In addition, new data types may also be added, as well as data sources in the cloud that need to be included. Different data formats need to be normalized and a distributed, scalable data management architecture needs to be built to analyze all this data in real time, if possible.
4. Create policies for the application
Once an organization can technically deploy granular access controls, it must create policies for how and when they are applied. The goal here is to strike a balance between permissible risks and business process disruptions. Because this requires joint analysis and decision-making by business, IT and security leaders, the process can take a long time. In addition, a certain amount of “trial and error” may be required until the right level is found.
Implementing Zero Trust in your own company in 5 steps
The strategy by which Zero Trust can be implemented depends on a company’s infrastructure. Security provider Palo Alto Networks has defined a five-step plan that companies can refer to for better orientation.
1. Define what needs to be protected
Become clear about what sensitive data needs to be protected. This is usually much smaller than the attack surface. It is important to note that zero-trust protection goes beyond just data to other elements of the network. When defining the area to be protected, all critical data, applications, assets or services must be considered, specifically:
- Data: Payment card information, personal data and intellectual property.
- Applications: Custom software as well as standard applications
- Assets: SCADA controls, point-of-sale terminals, medical devices or production equipment
- Services: DNS, DHCP and Active Directory
2. Mapping of transaction flows
How data worth protecting is accessed on the network dictates how it should be protected. To do this, it is recommended to scan and map transaction flows in the network to determine how different aspects (data, assets, etc.) interact with other resources in the network. Visualized flowcharts can help show where controls need to be built in.
3. Building a zero-trust architecture
The first part of a network design is its architecture. In Zero Trust, this step comes third. The networks are customized. The customized Zero Trust architecture becomes visible once the area to be protected is determined and the sequences are mapped. According to security firm Palo Alto Networks, deployment of a next-generation firewall should begin as a segmentation gateway to enforce granular Layer 7 access as a microperimeter around the protection surface. This way, every packet accessing a resource within the protection surface passes through a firewall and Layer 7 policies can be enforced while controlling access.
4. Creating the Zero Trust Policies
Once the zero-trust network is built, the next step is to create groundbreaking policies. Here, Palo Alto Networks suggests addressing the W-questions ( who, where, when, what, why) of the network.For one resource to communicate with another, a specific rule must whitelist that traffic. Answering the W-questions enables Layer 7 policies for small-scale enforcement so that only known and allowed traffic or legitimate application communications take place on the network. This approach reduces both the attack surface and the number of port-based firewall rules enforced by ordinary firewalls.
5. Network monitoring and maintenance
The final step is to monitor and maintain the network on a day-to-day operational basis with respect to the “zero trust” concept. According to this, all internal and external protocols must be permanently monitored.Monitoring and logging of all traffic in the network is one of the key criteria of Zero Trust. Therefore, it is important to ensure that the system sends as much telemetry as possible. This data allows the Zero Trust concept to be improved in an iterative process by repeating and adapting the five-step plan.
Conclusion on the Zero Trust concept
Whether and to what extent you want to implement this security concept in your company is still up to you. However, it is advisable in any case to continuously check the security standards of the company network and to point out weak points. In any case, the “Zero Trust” concept has come to stay and will continue to accompany us and be expanded over the next few years.
Good Start for Businesses: Cyber Security For Entrepreneurs In 5 Points
Comments are closed.