Zero Trust Model — Beyond the Perimeter

Jairoandres Lopez
Published in Globant, 8 min read, Oct 5, 2022

Why Zero Trust?

The term was introduced by Forrester in 2010, arguing that the perimeter security model of the time was no longer effective and had to evolve with the emerging technologies. The old model, which drew a perimeter around the company and placed firewalls to classify and separate trusted from untrusted networks, was problematic because once that perimeter is breached, an attacker has relatively easy access to the company's privileged intranet. That approach was based on the premise "trust but verify".

Zero Trust, on the other hand, is built on the principle "never trust, always verify": organizations should never implicitly trust any internal or external entity, whatever the origin of the traffic or request. This discards the old concept of a well-defined perimeter. With today's mobile, collaboration and hybrid cloud technologies, the perimeter is increasingly difficult to delimit and enforce anyway.

Figure 1. Traditional Security VS Zero Trust

Core Principles of Zero Trust

The Zero Trust model relies on strong authentication and authorization of every device and person before any access or data transfer takes place on a private network, whether they sit inside or outside that network perimeter. The most important principles for a Zero Trust journey are the following:

1) Verify explicitly

Always authenticate and authorize based on all available data points, including user identity, service or workload, location, device health, data classification and other signals. There are no trusted zones, credentials or devices at any time. Two points to keep in mind:

  • Deploy risk-based conditional access, so that the user's workflow is interrupted only when the risk level changes; this allows continual verification without sacrificing user experience.
  • Establish a scalable, dynamic policy model that accounts for the constant movement of workloads, data and users.

2) Use least-privilege access

Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection measures, to protect both data and productivity.

Whenever credentials are used, including service accounts, grant the least privilege possible; if the tasks change, so should the scope. Many attacks leverage over-privileged service accounts, which are typically not monitored and are often overly permissive.

3) Assume breach

Minimize the overall attack surface and prevent lateral movement by segmenting access by network, user, device and application. Verify that all sessions are encrypted end to end. Use analytics or dedicated tooling for visibility and threat detection.

If a breach does occur, minimizing its impact is critical. Zero Trust limits the scope of the credentials and access paths available to an attacker, buying time for systems and people to respond and mitigate the attack.

How Zero Trust Works — Deployments

Most Zero Trust implementations align with the NIST SP 800-207 Zero Trust Architecture standard, because of its vendor neutrality, compatibility and protection against modern attacks in the cloud-first, work-from-anywhere model that most enterprises want to achieve.

Executing this framework combines technologies such as identity protection, next-generation endpoint security and risk-based MFA (multi-factor authentication). A Zero Trust model needs to take into account at least the following identity and device attributes:

  • User identity and type of credential (human, programmatic)
  • Credential privileges on each device
  • Endpoint hardware / firmware version / OS version and patch level
  • Geolocation / country of the request
  • Authentication protocol and risk
  • Applications installed on endpoint
  • Baseline patterns and previous incident detections

Figure 2. NIST 800–207 Zero Trust Framework

Key benefits of Implementing Zero Trust

There are many benefits to starting the Zero Trust journey or adopting the model; the most important are the following:

  • Allows organizations to adopt a perimeter-free approach, moving from network-based to identity- and application-based security while balancing user experience with risk.
  • Leaves no gaps, covering the widest range of attack surfaces: users, endpoints, networks and resources.
  • Provides a framework to properly manage the risk of exposing sensitive applications and infrastructure to business partners.
  • Gives IT visibility into the risk in your access controls and can automatically flag potential risk through abnormal behavior that manual forensic methods would never detect.
  • Creates satisfied and productive users by putting in place controls that address the appropriate level of risk without a heavy-handed approach.
  • Requires less administration, fewer specialized skills and lower cost than a defense focused on silos or individual resources.

Globant View — Zero Trust approaches for Cloud top providers

Globant, through its CloudOps and Cybersecurity Studios, aims to have Zero Trust principles considered in the vast majority of projects where we implement cloud-based or hybrid infrastructure solutions. This article contains a few sets of recommendations for the three top cloud providers (AWS, Azure and GCP).

1) Microsoft Azure

Microsoft focuses its Zero Trust model on four "trust" determination components:

  • Identity provider: Establishes a user’s identity and related information.
  • Device directory: Validates a device and the device integrity.
  • Policy evaluation service: Determines whether the user and device conform to security policies.
  • Access proxy: Determines which organizational resources can be accessed.

To deploy Zero Trust in a project, make sure you use one or more of the following tools and technologies:

A) Implement Intune for device management and security policy configuration. Intune pushes device configuration requirements to the managed devices and generates a statement of health that is stored in Azure AD. When the device's user requests access to a resource, the device health state is verified as part of the authentication exchange with Azure AD.

B) Use Azure AD for the user and device inventory. Azure AD includes a full suite of identity management capabilities, including multi-factor authentication, device registration, self-service password management, Privileged Identity Management (PIM) and role-based access control.

C) Use Azure AD Conditional Access for device health validation. This capability lets you enforce controls on access to the apps in your environment, based on specific conditions, from a central location. It evaluates six kinds of conditions: user/group, cloud application, device state, location (IP range), client application and sign-in risk.

Figure 3. Conditional access policies signals
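How a Conditional Access evaluation combines the six conditions above (and several of the NIST 800-207 attributes listed earlier, such as location, device state and risk) into a single decision, as an added example that is not part of the original article and not Microsoft's engine. The policies, users, trusted IP range and sign-in scenarios are constructed; the decision semantics shown (a block always wins, grant controls of all matching policies are combined, and a control the sign-in cannot satisfy results in a block) are the ones to check against your tenant's actual policy set.

```python
"""Risk-based conditional access evaluation over the six signal types listed above.
Added illustrative code, not Microsoft's engine; policies, users and IP ranges are constructed."""
import ipaddress
from dataclasses import dataclass, field

RISK_LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Named location for the "location (IP range)" condition (constructed range).
TRUSTED_LOCATIONS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class SignIn:
    user: str
    groups: set
    app: str
    device_compliant: bool   # device state, e.g. Intune compliance as recorded in Azure AD
    ip: str
    client_app: str          # "browser", "mobile", or "legacy" (no modern auth)
    sign_in_risk: str        # none / low / medium / high


@dataclass
class Policy:
    name: str
    groups: set = field(default_factory=set)        # empty = all users
    apps: set = field(default_factory=set)          # empty = all cloud apps
    client_apps: set = field(default_factory=set)   # empty = any client app
    min_risk: str = "none"                          # applies when sign-in risk >= this
    exclude_trusted_locations: bool = False
    grant: str = "allow"                            # "allow" (with controls) or "block"
    controls: set = field(default_factory=set)      # "mfa", "compliant_device"


def in_trusted_location(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_LOCATIONS)


def applies(p: Policy, s: SignIn) -> bool:
    """Every configured condition must match for the policy to be in scope."""
    if p.groups and not (p.groups & s.groups):
        return False
    if p.apps and s.app not in p.apps:
        return False
    if p.client_apps and s.client_app not in p.client_apps:
        return False
    if RISK_LEVEL[s.sign_in_risk] < RISK_LEVEL[p.min_risk]:
        return False
    if p.exclude_trusted_locations and in_trusted_location(s.ip):
        return False
    return True


def evaluate(policies, s: SignIn):
    """Block wins over any grant; grant controls of all matching policies are ANDed."""
    required, matched = set(), []
    for p in policies:
        if not applies(p, s):
            continue
        matched.append(p.name)
        if p.grant == "block":
            return "block", matched
        required |= p.controls
    # A control the sign-in cannot satisfy (non-compliant device) results in a block.
    if "compliant_device" in required and not s.device_compliant:
        return "block", matched
    if "mfa" in required:
        return "require_mfa", matched
    return "allow", matched


POLICIES = [
    Policy("block-legacy-auth", client_apps={"legacy"}, grant="block"),
    Policy("block-high-risk", min_risk="high", grant="block"),
    Policy("mfa-outside-trusted", exclude_trusted_locations=True, controls={"mfa"}),
    Policy("mfa-on-medium-risk", min_risk="medium", controls={"mfa"}),
    Policy("finance-needs-compliant-device", apps={"finance"}, controls={"compliant_device"}),
]

# Constructed sign-in scenarios.
SCENARIOS = {
    "office-browser":     SignIn("alice", {"staff"}, "mail", True, "203.0.113.10", "browser", "none"),
    "remote-browser":     SignIn("alice", {"staff"}, "mail", True, "198.51.100.7", "browser", "none"),
    "office-medium-risk": SignIn("alice", {"staff"}, "mail", True, "203.0.113.10", "browser", "medium"),
    "office-high-risk":   SignIn("alice", {"staff"}, "mail", True, "203.0.113.10", "browser", "high"),
    "legacy-client":      SignIn("bob", {"staff"}, "mail", True, "203.0.113.10", "legacy", "none"),
    "finance-byod":       SignIn("bob", {"finance"}, "finance", False, "203.0.113.10", "browser", "none"),
}


def run_all():
    return {name: evaluate(POLICIES, s)[0] for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, decision in run_all().items():
        print(f"{name:20} -> {decision}")
```

Note that the high-risk sign-in is blocked even from the trusted office range: the location exclusion only removes the MFA policy from scope, it does not lower the risk signal. That is the point of "verify explicitly": no single signal, including network location, grants trust by itself.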

D) Enforce MFA for all systems that manage sensitive data, and add risk-based MFA prompts driven by the signals and risk level (medium or high) defined in Conditional Access policies.

E) Use Azure AD Privileged Identity Management (PIM) to manage and monitor access to important resources in your organization. PIM lets you grant users just-in-time (JIT) privileged access to Azure resources and Azure AD, and helps mitigate the risk of excessive, unnecessary or misused access rights.

F) Use Azure AD Access Reviews to periodically verify that only the right people retain access.

2) Google Cloud (GCP) — BeyondCorp

BeyondCorp is Google's implementation of the Zero Trust model. It consists of many cooperating components that ensure only appropriately authenticated devices and users are authorized to access enterprise applications. You can find more detail at https://cloud.google.com/beyondcorp. The main components and the access flow are the following:

Figure 4. BeyondCorp components and access flow

A) Securely Identifying the device

Use a "Device Inventory Database", a meta-inventory that consolidates and normalizes device information from multiple sources and makes it available to the downstream BeyondCorp components. With this meta-inventory in place, you know every device that needs to access the enterprise. Use a "device certificate" to uniquely identify the device; once installed, the certificate is presented in all communications with enterprise services.

B) Securely Identifying the user

BeyondCorp also tracks and manages all users in a "User and Group Database". Integrate this database with the HR processes that manage job categorization, usernames and group memberships, so that it is updated as employees join the company, change roles or responsibilities, or leave. Use a single sign-on (SSO) system to centralize authentication, validating users against the User and Group Database.

C) Removing Trust from the network

BeyondCorp defines and deploys an "unprivileged network" that connects only to the Internet, limited infrastructure services (DNS, DHCP and NTP) and configuration management systems. Strictly managed ACLs (access control lists) sit between this network and other parts of Google's network. RADIUS servers assign devices to the appropriate VLAN based on 802.1X authentication: managed devices present their certificate during the 802.1X handshake and are placed on the unprivileged network, while unrecognized and unmanaged devices on the corporate network are placed on a remediation or guest network.

D) Externalizing Applications and Workflows

Expose the required applications to external and internal clients through an "Internet-facing access proxy" that enforces encryption between the client and the application. The access proxy is configured per application, provides performance and security features, and forwards requests to the back-end application only after the access control checks pass.

E) Implementing Inventory-Based Access Control

Use the "Access Control Engine" within the access proxy to provide service-level authorization to enterprise applications on a per-request basis. The authorization decision is based on assertions about the user, the groups the user belongs to, the device certificate, and device properties from the Device Inventory Database.
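What a per-request, inventory-based decision looks like when the Device Inventory Database, the User and Group Database and the device certificate are combined, as an added example that is not part of the original article and not Google's implementation. The inventory records, users, applications, certificate fingerprints and trust tiers are constructed; the owner check binding the certificate to the asserting user is a design choice of this example, not something the page states.

```python
"""Inventory-based, per-request access control in the style of the BeyondCorp
Access Control Engine. Added illustrative code, not Google's implementation;
inventory, users, applications and certificate fingerprints are constructed."""
from dataclasses import dataclass

# Device Inventory Database, keyed by the fingerprint of the device certificate.
DEVICE_INVENTORY = {
    "sha256:aa11": {"owner": "alice", "managed": True, "disk_encrypted": True,  "patch_age_days": 3},
    "sha256:bb22": {"owner": "bob",   "managed": True, "disk_encrypted": True,  "patch_age_days": 45},
    "sha256:cc33": {"owner": "carol", "managed": True, "disk_encrypted": False, "patch_age_days": 1},
}

# User and Group Database, fed by HR processes.
USER_GROUPS = {"alice": {"eng", "payroll-admins"}, "bob": {"eng"}, "carol": {"sales"}}

# Per-application requirements enforced by the access proxy.
APPS = {
    "wiki":    {"min_tier": 1, "group": None},
    "source":  {"min_tier": 2, "group": "eng"},
    "payroll": {"min_tier": 3, "group": "payroll-admins"},
}
TIER_NAMES = {0: "untrusted", 1: "basic", 2: "trusted", 3: "fully-trusted"}


def device_tier(fingerprint: str) -> int:
    """Trust tier derived from current inventory facts; unknown or unmanaged devices are tier 0."""
    d = DEVICE_INVENTORY.get(fingerprint)
    if d is None or not d["managed"]:
        return 0
    if not d["disk_encrypted"]:
        return 1
    return 3 if d["patch_age_days"] <= 14 else 2


@dataclass
class Request:
    user: str                 # identity asserted by the SSO system
    device_fingerprint: str   # from the client certificate presented to the access proxy
    app: str


def authorize(req: Request):
    """Per-request decision made inside the proxy; returns (allowed, reason)."""
    app = APPS.get(req.app)
    if app is None:
        return False, "unknown application"
    device = DEVICE_INVENTORY.get(req.device_fingerprint)
    if device is None:
        return False, "device certificate not in inventory"
    # Design choice of this example: the certificate must belong to the device
    # assigned to the asserting user, so a certificate copied to another user's
    # session is rejected even though it is a valid enterprise certificate.
    if device["owner"] != req.user:
        return False, "device not assigned to this user"
    tier = device_tier(req.device_fingerprint)
    if tier < app["min_tier"]:
        return False, f"device tier {TIER_NAMES[tier]} below required {TIER_NAMES[app['min_tier']]}"
    if app["group"] and app["group"] not in USER_GROUPS.get(req.user, set()):
        return False, f"user not in group {app['group']}"
    return True, "ok"


def update_inventory(fingerprint: str, **facts) -> int:
    """Inventory feeds change the decision on the very next request; returns the new tier."""
    DEVICE_INVENTORY[fingerprint].update(facts)
    return device_tier(fingerprint)


if __name__ == "__main__":
    for r in [Request("alice", "sha256:aa11", "payroll"), Request("bob", "sha256:bb22", "source"),
              Request("bob", "sha256:bb22", "payroll"), Request("carol", "sha256:cc33", "source"),
              Request("alice", "sha256:ff99", "wiki"), Request("bob", "sha256:aa11", "wiki")]:
        print(r, "->", authorize(r))
```

The tier is recomputed from inventory facts on every request rather than cached on the session, which is what makes access "inventory-based": when a device falls behind on patches, the next request to a tier-3 application is denied without anyone revoking anything.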

3) Amazon Web Services (AWS)

AWS combines Zero Trust controls with measures tailored to the use case and its security requirements. Consider applying these recommendations to enhance your security posture and follow the Zero Trust principles:

A) Use static permissions (IAM policies) together with user behavior analysis to authenticate and authorize each action, not just the start of a "session".

Every AWS API call is a signed request that is individually authenticated and authorized.
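What "every API call is a signed request" means in practice, as an added example that is not part of the original article: a client-side implementation of AWS Signature Version 4 next to the check a service performs on receipt. The code re-implements the publicly documented SigV4 algorithm (derived signing key, canonical request, string to sign); the credential store, request and clock are constructed, and the access key pair is the example pair from the AWS documentation, not a real credential. Real services apply further rules this example omits (request body encoding, S3's content hash header, presigned URLs), so use the SDK in production and treat this as a model of why a captured request cannot be modified or replayed.

```python
"""AWS SigV4 signing (client) and verification (service): each call carries a
signature bound to the caller's key, timestamp, region, service, headers and payload.
Added illustrative re-implementation of the public algorithm; credentials and clock are constructed."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_CLOCK_SKEW = timedelta(minutes=15)   # AWS rejects requests stamped outside this window

# Service-side credential store (constructed; documentation example key pair).
CREDENTIALS = {"AKIDEXAMPLE": "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key; the long-term secret never signs directly."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def canonical_request(method, path, query, headers, payload: bytes):
    """Normalized form of the request; returns (canonical_request, signed_headers)."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    creq = "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                      canonical_headers, signed_headers, _sha256_hex(payload)])
    return creq, signed_headers


def _signature(secret, amz_date, region, service, creq):
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode())])
    key = signing_key(secret, date, region, service)
    return scope, hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def sign(access_key, secret, region, service, method, path, query, headers, payload, now):
    """Client side: add x-amz-date and the Authorization header to the request."""
    signed = dict(headers, **{"x-amz-date": now.strftime("%Y%m%dT%H%M%SZ")})
    creq, signed_headers = canonical_request(method, path, query, signed, payload)
    scope, sig = _signature(secret, signed["x-amz-date"], region, service, creq)
    signed["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                               f"SignedHeaders={signed_headers}, Signature={sig}")
    return signed


def verify(region, service, method, path, query, headers, payload, now):
    """Service side: re-derive the signature from the request as actually received."""
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGORITHM + " "):
        return False, "unsigned request"
    parts = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM) + 1:].split(","))
    access_key, date, req_region, req_service, _ = parts["Credential"].split("/")
    secret = CREDENTIALS.get(access_key)
    amz_date = headers.get("x-amz-date", "")
    if secret is None or (req_region, req_service) != (region, service) or date != amz_date[:8]:
        return False, "unknown key or wrong credential scope"
    stamped = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if abs(now - stamped) > MAX_CLOCK_SKEW:
        return False, "request timestamp outside allowed window"
    wanted = set(parts["SignedHeaders"].split(";"))
    subset = {k: v for k, v in headers.items() if k.lower() in wanted}
    creq, _ = canonical_request(method, path, query, subset, payload)
    _, expected = _signature(secret, amz_date, region, service, creq)
    if not hmac.compare_digest(expected, parts["Signature"]):
        return False, "signature mismatch"
    return True, f"authenticated as {access_key}"


def demo():
    """Sign one call, then verify it intact, with a modified action, and replayed 20 minutes later."""
    now = datetime(2022, 10, 5, 12, 0, tzinfo=timezone.utc)
    region, service, host = "us-east-1", "sts", "sts.amazonaws.com"
    query = {"Action": "GetCallerIdentity", "Version": "2011-06-15"}
    hdrs = sign("AKIDEXAMPLE", CREDENTIALS["AKIDEXAMPLE"], region, service,
                "GET", "/", query, {"host": host}, b"", now)
    intact = verify(region, service, "GET", "/", query, hdrs, b"", now)
    tampered = verify(region, service, "GET", "/", dict(query, Action="AssumeRole"), hdrs, b"", now)
    replayed = verify(region, service, "GET", "/", query, hdrs, b"", now + timedelta(minutes=20))
    return intact, tampered, replayed


if __name__ == "__main__":
    print(demo())
```

The derived key is scoped to one day, one region and one service, so a signing key that leaks from a service's memory is not a long-term credential, and the timestamp check bounds how long a captured request stays usable. Neither property holds for a static bearer token, which is why per-call signing is the Zero Trust baseline on AWS rather than a session cookie.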

B) Service-to-service communication should follow the same security practices regardless of how closely related the services are. Stop storing credentials in "hidden" files.

Regardless of how tightly coupled services are, they should use short-term credentials, with every API call authenticated and authorized. Use services such as Systems Manager Parameter Store and Secrets Manager to manage credentials securely.

C) Leverage scalable endpoints and network encryption on all communication channels. Use services such as KMS, S3 bucket server-side encryption (SSE) and encrypted EBS volumes.

Regardless of the device type, from IoT to the corporate network, encryption must be enforced in transit and at rest to keep data safe.

D) Eliminate unnecessary pathways between resources

Treat each system component as independent and design network controls such as network ACLs and security groups to block unnecessary communication.

E) Where appropriate, leverage gateway capabilities to manage communication between components.

An API Gateway lets you implement rate limiting and use IAM or custom (Lambda) authorizers for authentication and authorization, and it also provides logging and metrics.
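What a custom authorizer actually returns to the gateway, as an added example that is not part of the original article and not AWS's own code: a TOKEN-type Lambda authorizer that validates a bearer token and hands back the IAM policy API Gateway caches and enforces. The event shape, the convention that raising Exception("Unauthorized") yields HTTP 401 while a policy that does not cover the method ARN yields 403, and the policy document format are API Gateway's documented contract; the token format, signing secret, roles and ARN are constructed stand-ins (a real deployment would verify a JWT from your identity provider and load the secret from Secrets Manager).

```python
"""API Gateway custom (Lambda) authorizer, TOKEN type. Added illustrative code, not
AWS's own; token format, secret, roles and the method ARN are constructed."""
import fnmatch
import hashlib
import hmac
import time

SIGNING_SECRET = b"constructed-demo-secret"   # real deployment: fetched from Secrets Manager
ROLE_METHODS = {"reader": {"GET"}, "writer": {"GET", "POST", "PUT", "DELETE"}}
API = "arn:aws:execute-api:us-east-1:123456789012:a1b2c3d4e5"   # constructed API ARN prefix


def issue_token(user: str, role: str, expires_at: int) -> str:
    """Constructed token format user.role.expiry.hmac, standing in for a JWT."""
    body = f"{user}.{role}.{expires_at}"
    return body + "." + hmac.new(SIGNING_SECRET, body.encode(), hashlib.sha256).hexdigest()


def parse_token(token: str, now: float):
    """Return claims for a well-formed, correctly signed, unexpired token, else None."""
    try:
        user, role, exp, sig = token.split(".")
    except ValueError:
        return None
    body = f"{user}.{role}.{exp}"
    expected = hmac.new(SIGNING_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig) or int(exp) <= now:
        return None
    return {"user": user, "role": role}


def handler(event, context=None, now=None):
    """Lambda entry point. Exception('Unauthorized') -> 401; a non-covering policy -> 403."""
    now = time.time() if now is None else now
    auth = event.get("authorizationToken", "")
    claims = parse_token(auth[len("Bearer "):], now) if auth.startswith("Bearer ") else None
    if claims is None:
        raise Exception("Unauthorized")
    # methodArn: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
    api_arn, stage, *_ = event["methodArn"].split("/")
    # The result is cached per token, so the policy must cover every method the role may
    # call on this stage, not only the one being invoked now; otherwise cached results
    # would wrongly deny (or allow) later calls made with the same token.
    allowed = sorted(ROLE_METHODS.get(claims["role"], ()))
    if allowed:
        statements = [{"Action": "execute-api:Invoke", "Effect": "Allow",
                       "Resource": [f"{api_arn}/{stage}/{m}/*" for m in allowed]}]
    else:
        statements = [{"Action": "execute-api:Invoke", "Effect": "Deny",
                       "Resource": event["methodArn"]}]
    return {"principalId": claims["user"],
            "policyDocument": {"Version": "2012-10-17", "Statement": statements},
            "context": {"role": claims["role"]}}   # reaches the backend as $context.authorizer.role


def allows(policy: dict, method_arn: str) -> bool:
    """Evaluate a returned policy the way the gateway does: explicit Deny wins, else any Allow."""
    verdict = False
    for st in policy["policyDocument"]["Statement"]:
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatch.fnmatchcase(method_arn, r) for r in resources):
            if st["Effect"] == "Deny":
                return False
            verdict = True
    return verdict


def demo(now=1_700_000_000):
    """A reader token may GET but not POST on the same API."""
    reader = issue_token("alice", "reader", now + 300)
    policy = handler({"type": "TOKEN", "authorizationToken": "Bearer " + reader,
                      "methodArn": f"{API}/prod/GET/orders"}, now=now)
    return {"get": allows(policy, f"{API}/prod/GET/orders"),
            "post": allows(policy, f"{API}/prod/POST/orders")}


if __name__ == "__main__":
    print(demo())
```

The authorizer is the Zero Trust choke point for the API: it runs on every request (subject to the cache TTL you configure), decides on the presented credential rather than on network origin, and the policy it returns is the only thing that lets a call through to the backend.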

F) Enforce the right amount of security at the point of user access

Leverage pixel-streaming proxies such as virtual desktop infrastructure (VDI) for higher-risk data services, and identity-aware proxies for network access to less sensitive resources.

Complementary Material

Finally, some material that complements this article:

  1. CISA — Zero Trust Maturity Model
  2. Zero Trust Security: An Enterprise Guide
  3. Project Zero Trust: A Story about a Strategy for Aligning Security and the Business

Good luck in your Zero Trust journey…

Jairo !
