As the name implies, in a zero-trust security model no device or user is trusted, and every request received by the system goes through validation and authentication. This essentially means that no device or user enters the organization's private network; only the application hosted on the edge provides access to it.
This is in contrast to the trusted-device model, where on successful authentication the device is trusted and is allowed access to the private network, as in the case of enterprise VPNs. The downside of this model is that when the trusted device is compromised, the entire private network may be at risk. The upside is flexibility: when you have services using different protocols such as IMAP, XMPP, RDP, SSH, SMB, NFS, and so on, how do you authenticate every request at the edge?
As more and more services become available as web applications, it has become possible to deploy an application proxy at the edge that authenticates users and grants access to internal web applications. This provides zero-trust security if the authentication method used is robust and secure. Currently, the most popular authentication method is OAuth 2.0.
While OAuth provides a layer of authentication, it is typically not sufficient. The access tokens stored on the device to authenticate every request can be compromised through browser vulnerabilities, malicious extensions, and so on. OAuth has downsides of its own, as is evident from recent attacks (see “Beware of OAuth”).
And it is not uncommon for the login system itself to be vulnerable, such as the critical vulnerability in Sign in with Apple. Hence, while endpoint protection helps, it is important to have additional layers of authentication.
TLS Client Certificates
With HTTP over TLS being the de facto standard for web applications, the client certificate feature of the TLS protocol can be used as an additional layer of authentication. This provides additional security in the zero-trust model without any impact on user experience or productivity. Once a user chooses a certificate for authentication, the web browser remembers it and continues to use it for further connections to the website. This way, every connection established uses the client certificate and the user is not interrupted.
On the server side there are no special paths: every connection made to the server needs to present a valid client certificate, or else it simply fails. Popular web servers such as Apache HTTP Server and nginx can be quickly configured to achieve this. The article “A Guide to Secure Internal Websites in 15 Minutes” provides the required steps.
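As an added illustration (not configuration from the guide referenced above, nor from 0SNet), the nginx server block below enforces the “no special paths” behaviour just described: the whole virtual host requires a certificate issued by an assumed internal CA, checks it against that CA's CRL so revoked user certificates are rejected, and forwards the verified identity to the internal application. The hostname, file paths and backend address are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name intranet.example.internal;   # placeholder hostname

    # Server identity (placeholder paths)
    ssl_certificate     /etc/nginx/tls/intranet.crt;
    ssl_certificate_key /etc/nginx/tls/intranet.key;

    # Client-certificate enforcement applies to the whole server block.
    # 'on' rejects connections that present no certificate and requests
    # whose certificate fails verification. 'optional' is the weak setting:
    # it lets unauthenticated requests through unless every location checks
    # $ssl_client_verify itself.
    ssl_client_certificate /etc/nginx/tls/internal-ca.crt;  # CA issuing user certs
    ssl_verify_client      on;
    ssl_verify_depth       2;                               # CA -> intermediate -> user
    ssl_crl                /etc/nginx/tls/internal-ca.crl;  # reject revoked user certs

    location / {
        # Defence in depth: deny unless nginx reports a successful verification.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Pass the verified identity to the internal app. proxy_set_header
        # replaces any client-supplied header of the same name, so the
        # application can trust these values.
        proxy_set_header X-Client-DN          $ssl_client_s_dn;
        proxy_set_header X-Client-Fingerprint $ssl_client_fingerprint;
        proxy_pass http://127.0.0.1:8080;   # placeholder internal application
    }
}
```

Keep the CRL current (or use a short-lived issuing CA), since a compromised device is the scenario the zero-trust model is meant to contain.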
Other than HTTP
Most protocols that run on top of TCP can easily support TLS on the server side, since TLS is transparent to the application and can even be deployed as a proxy in front of the server. The same cannot be said of the client side: the applications used by end users need to support TLS directly, and adding the ability to handle TLS client certificates securely is not easy. Hence, this is unlikely to change, and HTTP will remain the predominant user of TLS and TLS client certificates.
Best of both worlds
TLS client certificates provide the best of both enterprise VPNs and authentication proxies. They implement the zero-trust model, unlike the trusted-device model of an enterprise VPN, and they fill the security gaps of an authentication proxy.
However, the complexity of managing TLS client certificates has been their primary downside. At 0th Root, we have taken great strides in simplifying their management within an organization and have significantly reduced the effort needed to secure internal websites with them. Do check out our product, 0th Root Secure Network.
0th Root Secure Network — 0SNet is a solution that secures the organization’s internal web applications with TLS client certificates. It implements a zero-trust security model and is available also as images on AWS, GCP, and Azure.