Implementing Zero Trust: The History and the Future of Network Security’s New Model
From IC Insider Thales Trusted Cyber Technologies
By Brent Hansen, CTO, Thales Trusted Cyber Technologies
In February 2021 the NSA released guidance on “Embracing a Zero Trust Security Model” as a preferred means of defending against cybersecurity threats and securing both data and the systems that contain it.
In that document, the NSA noted, “As cybersecurity professionals defend increasingly dispersed and complex enterprise networks from sophisticated cyber threats, embracing a Zero Trust security model and the mindset necessary to deploy and operate a system engineered according to Zero Trust principles can better position them to secure sensitive data, systems, and services.”
This guidance gives additional support to NIST Special Publication 800-2017, released in August 2020, which offers an overview on Zero Trust architecture for federal IT systems.
What has prompted this government-wide emphasis on Zero Trust?
Like private industry before it, government has completely embraced digital transformation. While this move has real benefits for its constituents, what it has meant for IT leaders has been the gradual disappearance of corporate IT boundaries. Disruptive technologies and the growth of work-from-home have made traditional perimeter security solutions inadequate to users’ demands of anytime, anywhere access.
As these demands for network access have combined with an alarming increase in data breaches and security incidents, trust as a concept has become practically extinct. Zero Trust security, therefore, begins with the mindset that trust is actually a vulnerability, and that security demands continuous, strict identity verification to minimize implicit trust zones.
Let’s take a look Zero Trust, and how a strategy based on its principles can help achieve security in a post-perimeter environment. In particular, we’ll address the NIST Special Publication on Zero Trust, and consider ways to implement an effective identity-centric Zero Trust architecture.
No More “Castle-and-Moat”: Never Trust, Always Verify
“Trust but verify” was a phrase coined during the Reagan administration’s dealings with the then-Soviet Union. When it comes to federal IT security today, however, a better attitude is “Never trust, always verify.”
With today’s proliferation of technologies such as IoT, cloud delivery, and mobile adoption, the traditional IT security perimeter has disappeared. Applications are now delivered from the cloud to the cloud, and users are located everywhere (using multiple devices). It’s impossible to rely any longer on a single point of trust, making all interactions are inherently risky.
Zero Trust is a strategic initiative and way of thinking that helps prevent data breaches and protects assets by assuming no entity is trusted. To put a finer point on it, the National Institute of Standards and Technology (NIST) defines Zero Trust as “a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”
Traditional perimeter security took a “castle-and-moat” approach. Once inside a network, all users were considered “trusted”– including threat actors and malicious insiders. Trust gave them the right to move laterally and freely access or exfiltrate data.
By contrast, Zero Trust recognizes trust as a vulnerability in security strategy. This security model requires strict identity verification, and moves the decision to authenticate and authorize closer to the resource. The focus is on authentication, authorization, and minimizing implicit trust zones, while maintaining availability and providing seamless authentication mechanisms. Access rules are as granular as possible, to enforce least privileges required to perform the requested action.
The foundation principles of Zero Trust ensure that:
- Corporate resources are accessed according a dynamic policy. This policy is enforced on a per-session basis. It is updated based on information collected about the current state of client identity, application/service, and the requesting asset (as well as other behavioral and environmental attributes).
- All communications to resources are authenticated, authorized, and encrypted.
- Both authentication and authorization are agnostic to the underlying network.
- The integrity and security posture of all owned and associated assets are fully monitored and measured.
A New Model: NIST’s Special Publication on Zero Trust
As previously indicated, traditional perimeter security seems inadequate to the needs of the modern mobile worker’s demand for anytime, anywhere access to digital resources. That is why the industry as a whole must shift away from such legacy solutions.
In fact, legacy security solutions actually hamper productivity, scalability and the user experience (as well as increasing operational costs). They rely on on-premises routing to enforce authentication and authorization to the cloud, which leads to greater to complexity and higher administrative overhead.
What’s more, with the proliferation of IoT, multi-cloud platforms, and containers, the authentication process now requires numerous identities to be created and managed. Organizations have become more reliant than ever on identities and credentials, which consequently have become attractive targets for cyber criminals. The result of this dynamic has been increased security incidents and data breaches through compromised credentials and identity theft.
With this expanding attack surface, government regulations such as GDPR, CCPA, PCI DSS and HIPAA are now based on the accountability principle, requiring the strong authentication and authorization of every data communication and process.
All of these developments taken together led to NIST’s standardized architectures for Zero Trust. As mentioned at the outset, the NIST SP 800-207 Zero Trust Architecture serves as a blueprint for Zero Trust. According to NIST, the architecture “gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture.”
The release of this publication will undoubtedly lead to greater adoption of the Zero Trust security model. It’s important, therefore, to understand the underlying thinking.
NIST’s three approaches to Zero Trust architecture
NIST describes three approaches to building an effective Zero Trust security architecture: Identity-centric, network-centric, and a cloud-based combination. This is what each approach means, in brief:
Identity-centric. With the identity-centric approach to Zero Trust architecture, identity of users, services, and devices is at the heart of policy creation. Enterprise resource access policies are based on identity and assigned attributes. Access to corporate resources is based primarily on the access privileges granted to a given user, service or device. For more adaptive authentication, the policy enforcement may consider other factors as well, such as which device is used, asset status, and environmental factors.
Network-centric. The network-centric approach of Zero Trust architecture is based on network micro-segmentation of corporate resources, which are protected by a gateway security component. In this approach, the enterprise should use infrastructure devices such as intelligent switches (or routers), Next Generation Firewalls (NGFW) or Software Defined Networks (SDN) to enforce policy, protecting each resource or group of related resources.
A network-centric approach segments the traditional perimeter into sub-zones. Once inside a zone, users are considered trusted. The network-centric approach is not entirely risk-free, however, precisely because it assumes an entity is trusted once inside the zone. This approach therefore requires additional security measures and strong identity governance.
Cloud-based combination. A cloud-based combined Zero Trust architecture approach leverages cloud-based Access Management and Software at the Service Edge (SASE). The cloud-based Access Management solution protects and enforces the identities of cloud applications and services, while SASE components, such as Software Defined Networks (SDNs) or Next Generation Firewalls (NGFW) protect on-premises resources and monitor network traffic.
Identities are the new perimeter
Where does this all leave perimeter security? The modern enterprise security perimeter is more than just a physical location. It also comprises access points that are dispersed in and delivered from the cloud.
Consequently, identities are now the new perimeter. The identity of any resource, user, device, or service, provides the key context for the application of access policies, and should be at the core of all access decisions.
For protection of application and data assets, identity is the cornerstone of Zero Trust security. The challenge is to employ a comprehensive Zero Trust security solution that covers identities and data end-to-end.
Effective Zero Trust security implementations start with public or private cloud-based access management. That means meeting particular Zero Trust principles:
- Access decisions are enforced dynamically at the application access point. That remains the case wherever the app resides, where users reside, which devices are the users have running, and how network routing is handled.
- Access decisions are aided by updated information from third party network security vendor technologies – for example, VPNs, WAMs, WAFs, SASE, etc.
- Access decisions adhering to a “default deny” stance are continuously reassessed, even if Single Sign On (SSO) features are enabled.
Finally, in Zero Trust (and in fact any security architecture), organizations need to ensure that users are who they claim to be. The best way to accomplish this is through multi-factor authentication (MFA). The more factors used to determine a person’s identity, the greater the trust of authenticity.
Because multi-factor authentication security requires multiple means of identification at login, it is widely recognized as the most secure method for authenticating access to data and applications.
MFA can be achieved using a combination of the following factors:
- Something You Know – password or PIN
- Something You Have – token or smart card (two-factor authentication)
- Something You Are – biometrics, such as a fingerprint (three-factor authentication)
Access control solutions: Answers to common questions
With so many different access control offerings available today, organizations must carefully evaluate which solution is most appropriate for their needs. A number of questions come into play in this evaluation:
Do I want to protect my internal network from unauthorized access? If so, consider two-factor authentication (2FA) solutions. These solutions should enable flexible and comprehensive secure network access in the office and remotely if needed.
Do my users need to connect from remote locations? If so, consider portable solutions that enable secure VPN and web access for remote users. These solutions should also enable employees to secure their laptops and data while on the road.
Do my users need to access many password-protected applications? If so, consider solutions that provide single sign-on functionality, either by storing user credentials on the token or by integrating with external single sign-on systems.
Do I want my users to digitally sign and encrypt sensitive data or transactions? If so, consider smart card-based solutions that provide secure onboard PKI key generation and cryptographic operations, as well as mobility for users.
How sensitive is my business data? The more sensitive the data, the higher the priority on the robustness and security of the solution.
Do I want to firmly protect data that sits on my users’ PCs and laptops? If so, consider token solutions that integrate with PC security products such as boot protection and disk encryption applications. These solutions should require the use of a token to boot a computer or decrypt protected data.
Have I or do I want to implement a secure physical access solution? If so, consider token solutions that enable integration with physical access systems.
It is inevitable that Zero Trust principles will come into play across federal infrastructures. The problems with trust in a digital world continue to be exploited by cyber criminals, and must be answered with a more sophisticated approach. Both the NSA and NIST are leading the way for implementation by providing guidance and a framework for Zero Trust infrastructure.
The rest is up to each individual organization. The choice of which approach to take – identity-centric, network-centric or combined – clearly depends on the given organization. The same is true for how to achieve multi-factor authentication and even how to evaluate potential solutions.
By spending time to fully absorb the philosophy that underpins Zero Trust, any organization can be assured of a more secure infrastructure that is also more scalable, more affordable, and less complicated to implement.
About Thales TCT
Thales Trusted Cyber Technologies, a business area of Thales Defense & Security, Inc., protects the most vital data from the core to the cloud to the field. We serve as a trusted, U.S. based source for cyber security solutions for the U.S. Federal Government. Our solutions enable agencies to deploy a holistic data protection ecosystem where data and cryptographic keys are secured and managed, and access and distribution are controlled.
For more information, visit www.thalestct.com
About IC Insiders
IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.