Zero Trust

Rory Braybrook
The new control plane
3 min read · Mar 31, 2020

I’ve seen quite a lot around this lately and thought I would try to summarize the tons of stuff out there.

Essentially, zero trust means that you assume the enemy is already inside your perimeter, so nothing is trusted by default: every request has to earn access on its own merits.

“The zero trust model assumes a breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to ‘never trust, always verify.’ Every access request is fully authenticated, authorized, and encrypted before granting access.”

Back in the day, when Windows 3.11 was around, you essentially had PCs chained together on a network. Then along came Novell and you had the concept of a file server, but the infrastructure was still inside a well-defined perimeter. You had a group of trusted people behind a firewall and a larger group of untrusted people outside, so it was feasible to check all access at the perimeter.

We still have instances of this, e.g. AD FS with a Web Application Proxy (WAP) in the DMZ can apply rules at the edge, such as extranet lockout policies.

However, with the proliferation of SaaS applications, the migration to the cloud, the advent of BYOD (devices that can be anywhere) and especially the growth of IoT, the concept of a perimeter is nebulous at best. It’s no longer a walled garden.

Where is the perimeter in this?

You have applications outside of your control (SaaS), running on hardware you have no access to, and so on.

This leads to a new reality:

Zero trust implies:

1. Verify explicitly

Authenticate and authorize based on all available data:

  • user identity
  • location
  • device health
  • service or workload

2. Use least-privilege access

Limit user access with just-in-time (JIT) and just-enough-access (JEA): privileges are granted only when needed, only for as long as needed, and only to the extent needed.

3. Assume breach

  • segment access by network, user, device and application, so a compromise in one segment does not give the attacker everything
  • verify that all sessions are encrypted end to end
  • use analytics to get visibility and drive threat detection
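To make the three principles concrete, here is an added example (not code from the article, from Microsoft, or from any product) of a small per-request policy decision function in Python. Every request is evaluated as though it came from an open network: the source address is recorded for analytics but never used to skip a check; access depends on a live, narrowly scoped just-in-time grant; MFA freshness, device health and location are all checked, with step-up requirements for sensitive resources; and allowed sessions get a short lifetime so they are re-verified often. The grants, the sensitive-resource set, the country allow-list and the corporate address range are constructed assumptions standing in for an identity provider, device-management and privileged-access backend.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Fixed clock so the example is reproducible offline.
NOW = datetime(2020, 3, 31, 9, 0, tzinfo=timezone.utc)

# Constructed sample policy data standing in for an IdP / MDM / PIM backend
# (assumption: in a real deployment these are looked up, not hard-coded).
SENSITIVE = {"payroll-db"}                 # needs fresh MFA and a managed, compliant device
ALLOWED_COUNTRIES = {"NZ", "AU"}
CORP_NET = ip_network("10.0.0.0/8")        # recorded for analytics only; never a reason to skip checks

# Just-in-time, just-enough grants: (user, resource, action) -> expiry of the grant.
JIT_GRANTS: Dict[Tuple[str, str, str], datetime] = {
    ("alice", "payroll-db", "read"): NOW + timedelta(minutes=45),
    ("alice", "wiki", "read"): NOW + timedelta(days=30),
    ("bob", "wiki", "read"): NOW - timedelta(hours=1),   # already expired
}


@dataclass
class Request:
    user: str
    resource: str
    action: str
    source_ip: str
    country: str
    mfa_at: Optional[datetime]   # when the user last completed MFA; None if never
    device_managed: bool
    device_compliant: bool


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)   # every signal, for the analytics pipeline
    session_ttl: Optional[timedelta] = None            # how long before the session is re-verified


def evaluate(req: Request, now: datetime = NOW) -> Decision:
    """Decide one request from all available signals, as if it came from an open network."""
    d = Decision(allow=True)

    # Assume breach: an inside source address is logged but earns no trust.
    inside = ip_address(req.source_ip) in CORP_NET
    d.reasons.append("source=corp-network" if inside else "source=external")

    # Verify explicitly (1): identity and a live, narrowly scoped grant (least privilege).
    expiry = JIT_GRANTS.get((req.user, req.resource, req.action))
    if expiry is None:
        d.allow = False
        d.reasons.append("no JIT grant for this resource/action")
    elif expiry <= now:
        d.allow = False
        d.reasons.append("JIT grant expired")

    # Verify explicitly (2): MFA freshness, with step-up for sensitive resources.
    max_age = timedelta(minutes=15) if req.resource in SENSITIVE else timedelta(hours=8)
    if req.mfa_at is None or now - req.mfa_at > max_age:
        d.allow = False
        d.reasons.append(f"MFA missing or older than {max_age}")

    # Verify explicitly (3): device health for sensitive resources.
    if req.resource in SENSITIVE and not (req.device_managed and req.device_compliant):
        d.allow = False
        d.reasons.append("device not managed and compliant")

    # Verify explicitly (4): location.
    if req.country not in ALLOWED_COUNTRIES:
        d.allow = False
        d.reasons.append(f"country {req.country} not allowed")

    # Short sessions, never outliving the grant, so access is re-verified continuously.
    if d.allow:
        d.session_ttl = min(timedelta(hours=1), expiry - now)
    return d


if __name__ == "__main__":
    # A request from the corporate network still has to pass every check.
    r = Request("alice", "payroll-db", "read", "10.1.2.3", "NZ",
                NOW - timedelta(minutes=5), True, True)
    print(evaluate(r))
```

The point to notice is that the same request from 10.1.2.3 with two-hour-old MFA is denied just as it would be from the internet: the corporate range only ever shows up in `reasons`, which is what you feed to your analytics and detection pipeline, and the allowed session is capped by the remaining lifetime of the JIT grant rather than by a fixed long-lived token.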

Another way of looking at this is to define what zero trust isn’t:

  • It’s not a product — you can’t buy it
  • You can’t be certified zero trust
  • It’s not an absolute — it’s difficult to be 100% zero trust
  • It’s not a destination — it’s rather a journey — continually iterating over your environment as you measure and improve
  • It’s not a common approach (like a standard): each organisation is different, has different priorities and will concentrate on the areas it deems appropriate

To guide you on your journey, there is a zero trust maturity model:

A zero trust assessment tool to assist with this is linked in the references below.

And just to reiterate:

If you do nothing else, please enable MFA!

Microsoft’s statistics show that it prevents 99.9% of account compromise attacks.

References



NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5