Understanding the principles of Zero Trust Security will help Security and Network Managers evolve their network design to better defend against new and emerging cyber security threats and increased remote working.
To understand and appreciate the benefits of the Zero Trust approach, we need to consider the limitations of more traditional network designs that Zero Trust Architectures were created to mitigate.
What is wrong with traditional network designs?
A traditional corporate network is often designed like a walled garden. A strong perimeter is designed to keep unauthorised people out, but once you are inside the perimeter you can pretty much go where you like. In other words, a firewall between the corporate network and the internet provides the secure perimeter but once a device is connected to the network inside the firewall (or a user connects through the firewall to establish a session with a device) they have few limits on their movement or actions.
Since not all systems are equally valuable or vulnerable, network design then developed to break up the walled garden into different areas – or segments – with different levels of protection provided to each segment.
For example: a DMZ segment contains servers running web applications that could be accessed from the internet, but the other segments of the network are not accessible from the web.
Especially valuable systems, such as database servers, may be placed in their own segment with only limited access granted to authorised users or applications. The main corporate network is its own large segment and allows desktop PC and application servers to connect to internal email and file servers, print servers and each other. In most cases, systems can communicate freely with all other devices on the same network segment as themselves due to the working assumption that all the systems on a particular network segment were equally trustworthy.
In a very real sense, the geography of a device on the network is taken as a statement of its trustworthiness. As a result, ransomware that could infect one device, can easily laterally move to all other devices in the same network segment. An attacker that gains access to one device, inherits the implicit trust granted to that device based on its network location.
Zero Trust network architectures break this model and no longer impute trust to a device simply based on where it is connected on the network. As the NIST paper of Zero Trust architectures puts it:
Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
NIST SP 800-207
The growth of remote working, especially in the last year, and Bring Your Own Device strategies has led to an evolution of network design which often splits access control into two functions:
Access Layer: the access layer sits on the network perimeter and is focused on authenticating the device that is attempting to access the network (think VPN endpoints)
Presentation Layer: the presentation layer sits behind the access layer and is focused on authenticating users to internal systems, often using a layer of abstraction (think Terminal Services, Citrix or reverse proxies) to further protect internal services and systems.
Zero Trust Architecture
A zero-trust architecture (ZTA) removes the inherent trust based on where in the network a request is coming from and instead evaluates every single request on its own merits. This makes ZTA particularly helpful for environments which are heavily cloud based with limited on-premise systems, however some of the principles of ZTA can be used to enhance the security of more traditional network designs.
ZTA works by assessing the context of each request – authenticating the device as well as the user, and considers the device health, the value of the data being access and authorisation of the user.
The core elements of a Zero Trust approach are:
A single strong source of user identity. A single enterprise user directory is needed that provides the definitive list of users, their roles and the granular access they have been granted
Strong user authentication that combines multi-factor authentication with Single Sign On based on the enterprise user directory. Users are added, suspended, removed or configured in a single place for all systems and services.
Device authentication which not only confirms the device is authorised (through certificates issued by MDM systems for example) but also that the current device health confirms it is configured according to the security baseline, is free from malware and shows no other indicator of compromise. This form of device health attestation is appearing in more MDM solutions.
A ZTA access decision can include context to further protect assets based on their value. For example:
An access request to valuable Intellectual Property documents from the Managing Director’s user account, with a valid password, could be declined because it does not come from the user’s usual laptop or because the device originating the request is located in a foreign country.
Certain resources, such as an employee manual, could be available to any logged in user but a request to access a financial report could require additional multi-factor authentication.
How to adopt Zero Trust principles in your network
Zero Trust network architectures are still a relatively new approach and best practices and technology are still developing, so it is advisable to regularly revisit your approach to check alignment with evolving best practices.
A ZTA approach will often result in a simpler network design and could result in making systems more accessible from the web so the implications of vulnerabilities or configuration errors could be very significant. Each and every system must be secure in its own right – not relying on the layers of protection previously provided by the walled garden approach of network design. Every system must be hardened against attack, require multi-factor authentication of the user, and authenticate the device originating the request as well.
Where a full zero trust network approach cannot be adopted, implement the traditional remote access architecture and as many zero trust networking recommendations as possible.
NCSC – Zero Trust Architectures
ZTA is easier to design in from the beginning, especially for new cloud centric deployments but the principles can also inform the development of more traditional and on-premise network designs as they evolve to accommodate increased remote working.
Resources on Zero Trust Security