Zero Trust Architecture: A Pragmatic Approach for Organizations
This article was initially published on March 20, 2022, and is now republished here for archival purposes.
“It is crucial to understand that Zero Trust architecture does not rely on any specific technology. It is a security model based on strict access controls and the principle of not trusting anyone by default; a comprehensive approach to network security that integrates various principles and technologies.”
Ludmila Morozova-Buss, Vice President of the Global Institute for IT Management
Managing and securing modern IT infrastructures within enterprises has become increasingly complex due to the diverse mix of hardware, software, and cloud services in use, creating multiple vulnerabilities for attackers to exploit. The traditional perimeter-based security model is ineffective, as once an attacker breaches the perimeter, there is often minimal resistance to lateral movement within the network.
The concept of Zero Trust, or Zero Trust Architecture (ZTA), has gained significant traction in the cybersecurity realm over the years. However, there remains considerable confusion about what ZTA truly entails. It is misleading to label ZTA merely as an advanced version of “Least Privilege.” While least privilege is an essential aspect of ZTA, the architecture encompasses much more than this principle alone.
My aim in writing is to cater to a general audience rather than delving into dense technical jargon that typically interests only a small subset of readers. I prioritize clarity to ensure that anyone, regardless of their IT background, can grasp the concepts discussed. If you seek exhaustive technical details on ZTA, I recommend consulting NIST publications or vendor whitepapers, as that is not the focus here. Additionally, be prepared for potential internal pushback when introducing ZTA in your organization; gaining widespread support is crucial for Zero Trust's success.
Rather than viewing ZTA as an abstract concept, consider it akin to vehicle security checkpoints along a state highway. Just as vehicles (users and devices) must re-authenticate at each checkpoint to continue their journey, users and devices in a Zero Trust environment must consistently verify their credentials to perform actions within a protected IT ecosystem.
As organizations have migrated to the cloud, many will also transition to the Zero Trust model. When executed correctly, ZTA can significantly reduce unauthorized access and the risk of data breaches and ransomware attacks. Improved security measures not only bolster data privacy but also help organizations avoid costly regulatory fines and settlements over time. Therefore, investing in ZTA can yield substantial returns in terms of security and compliance.
The National Security Agency (NSA) describes Zero Trust as “a security model, a collection of system design principles, and a coordinated strategy for cybersecurity and system management that acknowledges threats both inside and outside traditional network boundaries. This model removes implicit trust in any single component and mandates continuous verification of the operational landscape through real-time information from multiple sources to determine access and other system responses.”
Zero Trust represents a modern cybersecurity philosophy that governs network access through various enforcement protocols and layered security measures. While it can largely be implemented with existing technologies, be wary of vendors who claim that only their products can deliver the desired security at exorbitant prices. A well-configured network that assumes compromise can effectively embody a budget-friendly version of Zero Trust without requiring a massive financial outlay.
Although ZTA implementation can be costly when relying on expensive vendor solutions, more affordable options are available. To grasp ZTA better, one must first understand its core components. The National Institute of Standards and Technology (NIST) defines Zero Trust as “not a singular architecture but a set of guiding principles for workflows, system design, and operations that enhance the security posture across all levels of sensitivity” (NIST SP 800-207, which cites FIPS 199 for those sensitivity levels). No network component or resource is granted implicit trust. Let’s explore some of the fundamental elements of ZTA.
Key Components of ZTA
- Policy Engine/Administration
- Micro-segmentation
- Network Visibility and Analytics
- Identity and Access Management Systems (IdAM)
- Identity Analytics
- Enterprise Asset Management
- Web Application Firewall (WAF)
- Runtime Application Self-Protection
- Network Access Control List (NACL)
- Software-Defined Network (SDN)
- Privileged Access Management (PAM)
- Enterprise Directory Services — Active Directory, LDAP
- Public Key Infrastructure (PKI)
- Multi-Factor Authentication (MFA)
- Continuous Diagnostics and Mitigation (CDM) System
- Encryption of Data-at-Rest, Data-in-Transit
Most of these components are not new; thus, I won’t rehash them in detail. However, some concepts, such as the Policy Engine (PE) and Policy Administrator (PA), may require further explanation. The PE is central to ZTA, governing the decisions made at the Policy Enforcement Point (PEP).
Consider the Policy Engine as the operational brain, continuously evaluating users, devices, and infrastructure components (e.g., switches, routers, servers, etc.) to determine if they can be trusted based on established organizational access control policies.
As with many security technologies, such as SIEMs, the effectiveness of the Policy Engine relies heavily on the quality of its input. If the access control policies are vague and fail to consider vital attributes like IP addresses, geographic locations, or time-of-day logins, the benefits of ZTA cannot be fully realized.
These are just a few examples, but you wouldn’t expect a SIEM to yield valid results if configured to search solely for specific event IDs. Similarly, your ZTA Policy Engine cannot enforce intricate policies without a well-configured trust algorithm that accounts for various security attributes.
There are numerous ways to configure a ZTA model; thus, don’t feel constrained by others' diagrams or tool choices. It’s essential to select technologies that align with your organization’s needs, budget, and team expertise. For the Policy Engine, you might consider utilizing Microsoft Azure, Google BeyondCorp, or Calico (for containers) as they integrate well with cloud architectures.
Incorporating threat intelligence feeds into the Security Policy Engine can enhance its decision-making capabilities. Real-time threat data from various sources can help the Zero Trust network promptly identify new malware threats or attacker tactics, but only if the network is configured to respond effectively. A resilient cyber strategy involves ensuring that the network is configured to “fail secure” or “fail closed.” Adopting a Deny All, Permit By Exception rule is crucial; never allow a failure that leaves the system open or vulnerable.
In a Zero Trust model, should a security breach occur, the potential damage can be minimized, provided the network is appropriately configured with PEPs. At each PEP, the attacker must re-authenticate, and common security bypass techniques will not yield the same success as they would in a perimeter-based model. The next PEP the attacker encounters may flag their activity as suspicious, denying further access.
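To make the Policy Engine and PEP discussion above concrete, here is an added example that is not part of the original article: a toy attribute-based Policy Engine that evaluates subject, MFA state, device posture, source network, a threat-intelligence block list, geolocation, and time of day, with a Policy Enforcement Point wrapper that converts any engine failure into a deny. The policy, the addresses, the "threat feed" and the requests are all constructed sample data; the class and function names are this example's own, not those of any product or of NIST SP 800-207.

```python
# Added example (not from the original article): a toy attribute-based Zero Trust
# Policy Engine plus a Policy Enforcement Point wrapper that fails closed.
# All policies, requests, IPs and the "threat feed" below are constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class AccessRequest:
    subject: str
    resource: str
    source_ip: str
    country: Optional[str]            # None models a missing geolocation signal
    hour: int                         # 0-23, hour of the request
    mfa_passed: bool
    device_compliant: Optional[bool]  # None models a CDM/EDR feed outage


@dataclass
class Policy:
    resource: str
    allowed_subjects: Set[str]
    allowed_networks: List[str]       # CIDR blocks the resource may be reached from
    allowed_countries: Set[str]
    start_hour: int                   # inclusive
    end_hour: int                     # exclusive


@dataclass
class Decision:
    allow: bool
    reason: str


class PolicyEngine:
    """Checks every attribute the policy names; any missing or failing
    attribute yields a deny. Nothing is trusted implicitly."""

    def __init__(self, policies: List[Policy], threat_feed: List[str]):
        self.policies = {p.resource: p for p in policies}
        self.blocked = [ip_network(c) for c in threat_feed]  # assumed TI feed

    def evaluate(self, req: AccessRequest) -> Decision:
        policy = self.policies.get(req.resource)
        if policy is None:
            return Decision(False, "no policy for resource: deny by default")
        if req.subject not in policy.allowed_subjects:
            return Decision(False, "subject not permitted")
        if not req.mfa_passed:
            return Decision(False, "MFA not satisfied")
        if req.device_compliant is None:
            return Decision(False, "device posture unavailable: fail closed")
        if not req.device_compliant:
            return Decision(False, "device non-compliant")
        ip = ip_address(req.source_ip)  # raises ValueError on malformed input
        if any(ip in net for net in self.blocked):
            return Decision(False, "source listed in threat feed")
        if not any(ip in ip_network(c) for c in policy.allowed_networks):
            return Decision(False, "source network not permitted")
        if req.country is None:
            return Decision(False, "geolocation unavailable: fail closed")
        if req.country not in policy.allowed_countries:
            return Decision(False, "country not permitted")
        if not (policy.start_hour <= req.hour < policy.end_hour):
            return Decision(False, "outside permitted hours")
        return Decision(True, "all policy attributes satisfied")


def pep_enforce(engine: PolicyEngine, req: AccessRequest) -> Decision:
    """Policy Enforcement Point: a crash inside the engine must never let the
    request through, so every exception becomes a deny (fail closed)."""
    try:
        return engine.evaluate(req)
    except Exception as exc:
        return Decision(False, f"policy engine error ({type(exc).__name__}): fail closed")


# Constructed sample policy, block list and requests (not real users or addresses)
POLICIES = [Policy("hr-database", {"alice"}, ["10.20.0.0/16"], {"US"}, 8, 18)]
THREAT_FEED = ["10.20.99.0/24"]
ENGINE = PolicyEngine(POLICIES, THREAT_FEED)

SAMPLE_REQUESTS = {
    "ok": AccessRequest("alice", "hr-database", "10.20.5.7", "US", 10, True, True),
    "after_hours": AccessRequest("alice", "hr-database", "10.20.5.7", "US", 23, True, True),
    "threat_feed_hit": AccessRequest("alice", "hr-database", "10.20.99.4", "US", 10, True, True),
    "posture_feed_down": AccessRequest("alice", "hr-database", "10.20.5.7", "US", 10, True, None),
    "unknown_resource": AccessRequest("alice", "payroll", "10.20.5.7", "US", 10, True, True),
    "garbage_ip": AccessRequest("alice", "hr-database", "not-an-ip", "US", 10, True, True),
}


def run_samples(engine: PolicyEngine = ENGINE) -> dict:
    """Returns {name: Decision} for every constructed request."""
    return {name: pep_enforce(engine, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:18} {'ALLOW' if d.allow else 'DENY':5} {d.reason}")
```

The two "fail closed" branches are the point of the example: when the device-posture feed or the geolocation lookup returns nothing, or the engine itself throws on bad input, the PEP denies rather than falling back to the perimeter-era assumption that an internal address is trustworthy. A second PEP in front of another resource would run the same evaluation again with its own policy, which is what the article means by re-authenticating at each checkpoint.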
Implementing ZTA on a Budget
It's important to recognize that not all organizations have abundant resources. However, many may already possess some of the necessary tools and follow best practices needed for ZTA implementation. Transitioning to ZTA should be gradual rather than an abrupt overhaul. We can expect a blend of zero-trust and perimeter-based systems for years to come, as this transformation will take time. Nonetheless, as more organizations adopt ZTA, we should see a decline in successful data breaches and ransomware incidents.
You may need to adjust your ZTA implementation strategy over time, which may entail budgeting for new technologies. There is no strict deadline for ZTA compliance unless you're part of the Department of Defense or federal government, where mandates are in place. However, these directives may still be premature, as implementing Zero Trust requires significant time, funding, and skilled IT security personnel. Just like any journey, it begins with a single step, so the sooner you start, the better.
Step 0 - Create an IT Modernization Roadmap — This could be a simple Plan of Actions & Milestones (POA&M) document or a Gantt chart outlining the tasks required to achieve ZTA along with target completion dates. This document should be flexible and regularly updated.
Step 1 - Conduct an IT Asset Inventory — The first step in cybersecurity is to perform a comprehensive inventory of IT assets. You cannot protect what you are unaware of. Document all devices connected to the network, even standalone ones, capturing details such as device type, IP address, MAC address, and installed software. This process may take time depending on the size of your network.
Step 2 - Perform a Security Assessment — After inventorying your assets, conduct a security assessment to evaluate their current protection levels. Utilize vulnerability scanning tools to identify what needs patching and implement necessary firmware updates. This assessment will help you chart a course for mitigating vulnerabilities.
Step 3 - Establish a Network Usage Baseline — Monitor your IT assets and data traffic to understand what “normal” looks like on your network. This information is crucial for developing policies that the Zero Trust policy engine will enforce. Create a network data flow diagram to visualize how data moves between network components.
Step 4 - Develop an Access Control Policy — Your organization’s access policy will guide the Policy Engine in making decisions at each PEP. All previous work will contribute to shaping this policy, so ensure that every network component is represented visually in a diagram.
Step 5 - Initiate ZTA Deployment & Monitoring — Implement ZTA incrementally to avoid disruptions. Monitor how new technologies affect network operations and allow users time to adapt to new security requirements. After this step, continue to fine-tune your ZTA implementation as you introduce new users and applications.
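Steps 3 and 4 above turn an observed traffic baseline into the policy the engine enforces. The following added example (not part of the original article) shows one way to do that on constructed flow records: it aggregates the observed source/destination/port/protocol tuples into a baseline, emits one explicit allow rule per tuple followed by a final deny-all, and reports any later flow that falls outside the baseline as a candidate for investigation rather than silently allowing it. The flow format and all addresses are this example's own assumptions.

```python
# Added example (not from the original article): derive deny-by-default allow
# rules from a constructed traffic baseline and flag flows outside it.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, str]           # (src, dst, dst_port, proto)
Baseline = Dict[str, Set[Tuple[str, int, str]]]

# Constructed flow records "src,dst,dst_port,proto"; not captured from a real network.
BASELINE_FLOWS = """\
# workstations to the web front end, front end and one workstation to the database
10.20.5.7,10.20.8.10,443,tcp
10.20.5.7,10.20.8.10,443,tcp
10.20.5.8,10.20.8.10,443,tcp
10.20.5.7,10.20.8.20,5432,tcp
10.20.8.10,10.20.8.20,5432,tcp
"""

# Constructed "next day" traffic containing one flow that was never in the baseline.
NEW_FLOWS = """\
10.20.5.7,10.20.8.10,443,tcp
10.20.5.9,10.20.8.20,5432,tcp
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the simple comma-separated flow format, skipping blanks and comments."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = line.split(",")
        flows.append((src, dst, int(port), proto))
    return flows


def build_baseline(flows: List[Flow]) -> Baseline:
    """Map each destination to the set of (source, port, proto) tuples observed."""
    baseline: Baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        baseline[dst].add((src, port, proto))
    return dict(baseline)


def allow_rules(baseline: Baseline) -> List[str]:
    """One explicit allow per observed tuple, then deny everything else."""
    rules = []
    for dst in sorted(baseline):
        for src, port, proto in sorted(baseline[dst]):
            rules.append(f"allow {proto} from {src} to {dst} port {port}")
    rules.append("deny all")
    return rules


def outside_baseline(baseline: Baseline, flows: List[Flow]) -> List[Flow]:
    """Flows not covered by the baseline: review them, never auto-allow them."""
    return [f for f in flows if (f[0], f[2], f[3]) not in baseline.get(f[1], set())]


def demo() -> Tuple[List[str], List[Flow]]:
    """Build the baseline, emit the rule set, and check the new traffic against it."""
    baseline = build_baseline(parse_flows(BASELINE_FLOWS))
    return allow_rules(baseline), outside_baseline(baseline, parse_flows(NEW_FLOWS))


if __name__ == "__main__":
    rules, unexpected = demo()
    print("\n".join(rules))
    for f in unexpected:
        print("outside baseline:", f)
```

A real baseline would come from flow logs or a network monitoring tool collected over weeks, and an unexpected flow would be reviewed before any rule is added; the structure stays the same, which is why the data flow diagram from Step 3 and the policy from Step 4 should be maintained together.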
Remember the fundamental principles of Zero Trust:
- Never trust, always verify. Any user, device, application, or data flow could be malicious.
- Assume breach; it’s better to defend accordingly.
- Consistently verify access to all resources securely.
- Adopt deny-by-default security policies to thwart successful intrusions.
This overview provides a foundation for understanding Zero Trust. While it is not exhaustive, it encourages further exploration and consultation with IT professionals to tailor solutions to your specific needs.
References
Joint Defense Information Systems Agency and National Security Agency Zero Trust Engineering Team. (2021, February). Zero Trust Reference Architecture. Department of Defense. Retrieved from https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf
National Institute of Standards and Technology. (2004, February). FIPS 199: Standards for Security Categorization of Federal Information and Information Systems. Retrieved from https://csrc.nist.gov/publications/detail/fips/199/final
National Institute of Standards and Technology. (2020, August). NIST Special Publication 800–207: Zero Trust Architecture. Retrieved from https://doi.org/10.6028/NIST.SP.800-207
National Security Agency. (2021, February). Embracing a Zero Trust Security Model. Retrieved from https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF