Putting more than 0 into Zero-Trust
A required paradigm shift in network security
As computers began communicating over networks, function took precedence over security. In the 1960s this was reasonable: few networks existed, and those that did were small and physically isolated. Fast forward a few decades and LANs, WANs and WLANs are everywhere. Most of them still establish trust through the old-school perimeter model, whose mantra is that if you are on the inside of the network, you belong there and are to be trusted. Networks built on the perimeter model therefore concentrate their security at the edge, in firewalls, VPNs and DMZs, on the assumption that nobody on the inside of the perimeter is a threat.
“It’s not that we didn’t think about security, we knew that there were untrustworthy people out there, and we thought we could exclude them.”
David D. Clark — Chief Protocol Architect of the Internet: 1981–1989
All of this worked for a while. Since then, however, groups like LulzSec have come into vogue and large, confusing things called Clouds have formed around us, both figuratively and literally. At that point the traditional perimeter model began to fall apart. As employees went from being trusted users of a network to trusted remote users of it, the perimeter went from a tidy circle to an untraceable polygon. The move to cloud environments dismantled whatever perimeter remained, as organisations spread their workloads across geographically diverse regions. We can't simply blame the devices used to secure networks (e.g. Ubiquiti's recent shenanigans); networks have fundamentally outgrown the perimeter security model.
As of today, the perimeter-based security model is about as cutting edge as geocentrism. The idea of Zero Trust networks originated in the 1990s and began to garner widespread interest from large tech organisations in the 2000s. It was more formally recommended by the UK National Cyber Security Centre in 2019 and by the US Cybersecurity and Infrastructure Security Agency in 2021. The guidance from both bodies states that new networks should be built on the principles of Zero Trust.
Zero Trust boils down to what every kid is taught about how to interact with strangers — ‘don’t trust anyone’.
So how does a network 'trust no one'? First, it must know exactly who all of the users, devices and services (UDS) within it are: every UDS gets a strong identity of its own, rather than being identified by the network segment or IP address it happens to sit on. One way to establish that identity is authentication based on a Public Key Infrastructure (PKI). Each UDS holds a private key, and the organisation's certificate authority binds the matching public key to that UDS's name; whoever can prove possession of the private key is treated as that UDS. This is exactly why the private key has to stay...private: a stolen key is a stolen identity, so keys belong in hardware-backed storage where possible and the certificates that vouch for them must be revocable. Identity alone is not enough, though. A strong set of Access Control Mechanisms keyed on that PKI identity then limits what each authenticated UDS may do, mapping its authorisations to permissible actions. Unlike the perimeter model, a zero-trust network never assumes that a party inside the network is trusted: every request, to every service, carries its own authentication and is authorised on its own merits, regardless of where it came from. Together, identification through authentication and authorisation through access control are what let an organisation move towards the zero-trust model of security.
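The per-request flow described above, written out as an added example for this page (illustrative code, not Weaver Labs' software or any product's API): a Go service that authenticates every request with an Ed25519 signature and then authorises it against a per-principal policy, no matter where the request came from. Everything concrete here is an assumption made for the example: raw Ed25519 keys in an in-memory registry stand in for PKI-issued certificates, the policy is a map of "VERB resource" strings, and a random nonce plus a 30-second timestamp window is used to reject replays.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Registry stands in for the PKI and the policy store (assumption: a real
// deployment binds public keys to names with X.509 certificates from its own
// CA and keeps policy centrally; here both are in-memory maps).
type Registry struct {
	names  map[string]string          // hex(public key) -> principal name
	policy map[string]map[string]bool // principal -> "VERB resource" -> allowed
}

func NewRegistry() *Registry {
	return &Registry{names: map[string]string{}, policy: map[string]map[string]bool{}}
}

// Enrol binds a public key to a principal and records the actions it may perform.
func (r *Registry) Enrol(pub ed25519.PublicKey, name string, allowed ...string) {
	r.names[hex.EncodeToString(pub)] = name
	r.policy[name] = map[string]bool{}
	for _, a := range allowed {
		r.policy[name][a] = true
	}
}

// Request is what a client sends with every call. The signature covers the verb,
// resource, nonce and timestamp, so the request can be neither altered nor replayed.
type Request struct {
	Verb, Resource string
	Nonce          string
	Timestamp      int64
	PubKey         ed25519.PublicKey
	Signature      []byte
}

// canonical is the exact byte string that is signed and later verified.
func canonical(verb, resource, nonce string, ts int64) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%s\n%d", verb, resource, nonce, ts))
}

// Sign produces a request authenticated with the caller's private key.
func Sign(priv ed25519.PrivateKey, verb, resource string, now time.Time) (Request, error) {
	nb := make([]byte, 16)
	if _, err := rand.Read(nb); err != nil {
		return Request{}, err
	}
	nonce := hex.EncodeToString(nb)
	ts := now.Unix()
	sig := ed25519.Sign(priv, canonical(verb, resource, nonce, ts))
	return Request{verb, resource, nonce, ts, priv.Public().(ed25519.PublicKey), sig}, nil
}

// Authorize is what the service runs on every request, whatever its source
// address: verify who sent it (authentication), reject stale or replayed
// requests, then check what that principal may do (authorisation).
func (r *Registry) Authorize(req Request, now time.Time, seen map[string]bool) error {
	name, ok := r.names[hex.EncodeToString(req.PubKey)]
	if !ok {
		return errors.New("unknown key: not enrolled in the PKI")
	}
	if !ed25519.Verify(req.PubKey, canonical(req.Verb, req.Resource, req.Nonce, req.Timestamp), req.Signature) {
		return errors.New("bad signature: request tampered with or key not held by sender")
	}
	if d := now.Unix() - req.Timestamp; d > 30 || d < -30 {
		return errors.New("stale request: timestamp outside the 30 s window")
	}
	if seen[req.Nonce] {
		return errors.New("replayed request: nonce already used")
	}
	seen[req.Nonce] = true
	if !r.policy[name][req.Verb+" "+req.Resource] {
		return fmt.Errorf("%s is not authorised for %s %s", name, req.Verb, req.Resource)
	}
	return nil
}

func main() {
	// Constructed demo: alice may read metrics and nothing else; mallory holds a
	// key but was never enrolled, so being "on the network" buys her nothing.
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	_, privM, _ := ed25519.GenerateKey(rand.Reader)
	reg := NewRegistry()
	reg.Enrol(pubA, "alice", "GET /metrics")
	seen := map[string]bool{}
	now := time.Now()

	good, _ := Sign(privA, "GET", "/metrics", now)
	fmt.Println("alice GET /metrics :", reg.Authorize(good, now, seen)) // <nil>
	fmt.Println("alice replay       :", reg.Authorize(good, now, seen)) // replayed request
	post, _ := Sign(privA, "POST", "/config", now)
	fmt.Println("alice POST /config :", reg.Authorize(post, now, seen)) // not authorised
	tampered, _ := Sign(privA, "GET", "/metrics", now)
	tampered.Resource = "/admin"
	fmt.Println("alice tampered     :", reg.Authorize(tampered, now, seen)) // bad signature
	mal, _ := Sign(privM, "GET", "/metrics", now)
	fmt.Println("mallory GET        :", reg.Authorize(mal, now, seen)) // unknown key
}
```

The order of checks is deliberate: the service decides who is asking before it looks at what is being asked, and a request that has been altered in transit fails the signature check before the policy is ever consulted. Nothing in `Authorize` looks at a source address, which is the whole point; a caller on the "inside" of the network with no enrolled key is indistinguishable from one on the open internet.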
Mobile networks stand out amongst many networks as the ones that all of us rely upon regularly. As mobile networks move towards full virtualisation and softwarisation, they need to take a good look in the mirror and ask themselves — ‘who do I trust?’
Organisations like mobile network operators, financial institutions and public entities need to make the changes necessary to move away from the perimeter model. Otherwise, the organisations we trust will be no different from that one friend everyone has who proclaims "I have nothing to hide, so I don't care about privacy or security". In our case @Weaver-Labs, the Zero Trust approach is not up for debate. As Open Standards and Open Interfaces become a reality in mobile networks, interoperability will become the new standard. With these changes will come a more diversified supply chain, and consequently the Zero Trust approach will become even more important.
Over the past year there have been several high-profile security incidents in which a Zero Trust security model might have better served the breached entities. The SolarWinds attack began when the attackers gained access to the build system that produced the company's customer-facing software. Once inside the SolarWinds perimeter, they were able to plant a remote access backdoor in legitimate, "expected" software updates, which customers installed because the updates came from a trusted vendor and carried its valid code signature. The SolarWinds attack shows that an attacker can breeze through a network once the perimeter has been breached, and that trust inherited from a vendor flows straight through to its customers' perimeters. Potentially, had SolarWinds applied the principles of Zero Trust, the attackers would have faced stricter requirements to reach the systems they compromised: the build pipeline would have been one more service that authenticates and authorises every request, rather than a trusted host on the inside.
Zero Trust isn't a silver bullet, but it's a long overdue change in perspective. We see the biggest challenge ahead not as adopting Zero Trust design principles in new networks, but as refactoring old, monolithic networks to embrace the required changes. Until then, be wary of organisations that still believe the Earth, and their networks, are flat.