‘Defense in Layers’ -  Zero Trust Applied to Your Cybersecurity Posture
Image by Jan Alexander from Pixabay

Part 3 of the series ‘Defense In Layers’. Part 1: ‘Defense In Layers’ The Framework & Part 2: ‘Defense in Layers’ - The Exercise.


Cybersecurity teams are being called upon to provide roadmaps to ‘Zero Trust.’ Cybersecurity leaders will not be successful if they just buy a product and implement it across the organization. ‘Zero Trust’ principles need to be applied across all cybersecurity domains. Applying ‘Zero Trust’ takes reflection, time, and continuous monitoring.

I can’t tell you every security capability your organization needs or how to prioritize its security initiatives. What I can do is provide my three ‘Top of Mind’ security capabilities and risk posture measures for each domain.

When I reflect on the ‘Zero Trust’ model, as defined in the NSA document “Embracing a Zero Trust Security Model,” I see connections to each of the six cybersecurity postures. By applying the three principles of ‘Zero Trust’ to the six postures of cybersecurity, we can take the first steps toward a Zero Trust cybersecurity posture.

“Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgment that threats exist both inside and outside traditional network boundaries.” - NSA


Three ‘Zero Trust’ Principles

I recognize that there are varying opinions on what the ‘Zero Trust’ principles are. I have chosen to use the NSA’s ‘Zero Trust’ principles for this model.

  1. Never Trust, Always Verify - The luxury of being able to ‘trust, but verify’ is gone. When we architect modern secure solutions, every request must be treated as untrusted, regardless of where it originates, until it has been authenticated and authorized.
  2. Assume Breach - Assuming that we are already breached is imperative to designing secure systems. Having a ‘defense in layers’ mentality is not enough. Cybersecurity professionals need to build each security capability as if the rest of their security posture has already failed, so that no single control is the one holding everything up.
  3. Verify Explicitly - It’s not enough to rely on a single authentication factor or a statically assigned privilege. When verifying a person, device, application, access request, or other entity, we need to go beyond the simple check and evaluate the context of the request (who is asking, from which device, from where, for what, and under what conditions) before we have the confidence to grant it.


Zero Trust applied to Application Security Posture

  1. ‘Shift Everywhere’ - Secure and monitor your entire application deployment pipeline. It starts by ‘Shifting Left’ to enable developers to detect and remediate vulnerabilities in their IDE. However, for a ‘Zero Trust’ application security model, you must ‘Shift Everywhere’ by continuously monitoring the entire pipeline, from source code repository through build and deployment to runtime, for vulnerabilities, leaked secrets, and misconfigurations. A build that was clean at commit time can become exploitable later when a new CVE is published against one of its dependencies, so scanning has to repeat at every stage rather than run once.
  2. Application Threat Modeling - In the ‘Zero Trust’ world, we assume all applications have exploitable vulnerabilities. Teaching our developers, architects, and business owners how to build a secure application is a continuous challenge for application security teams. In addition to providing developers with a catalog of secure infrastructure components to build their solutions, developers need to be educated on writing secure code to provision and access these assets. From these solution designs, developers also need to be able to identify the threats to their design and implement the appropriate security controls.
  3. Code Signing - Once an application is scanned, built, and approved to be deployed, it is the opportune time to sign the build artifact. Signing the artifact before it is deployed into your cloud runtime environments proves where it came from and that it has not been altered since it passed the pipeline’s checks. On deployment, your runtime environments refuse to run anything whose signature does not verify against a signing key they trust. Revoking a signing key or an individual build’s signature at your signing authority lets runtimes quickly identify unapproved or superseded builds still running in your environments. A valid signature proves integrity and provenance, not the absence of vulnerabilities; it certifies that the artifact passed the gate, and the gate is only as good as the scans in front of it.
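The signing and deploy-time verification flow described in item 3, as an added Go example that is not part of the original article or of any product it mentions. It assumes an Ed25519 pipeline signing key, a runtime that trusts that key by a key ID, and a revocation list keyed by the hex SHA-256 digest of the build; the artifact bytes, key ID and application name are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// SignedArtifact is what the pipeline hands to the runtime. No digest is
// shipped: the verifier recomputes it from the bytes it actually received.
type SignedArtifact struct {
	Name      string
	Build     []byte
	KeyID     string
	Signature []byte
}

// Gate is the pipeline step that signs an approved build. In production the
// private key would live in a KMS or HSM; here it is generated in memory.
type Gate struct {
	keyID string
	priv  ed25519.PrivateKey
}

// Runtime trusts a fixed set of signing keys by ID and keeps the revocation
// list published by the signing authority, keyed by hex SHA-256 of the build.
type Runtime struct {
	trusted map[string]ed25519.PublicKey
	revoked map[string]bool
}

func NewGate(keyID string) (*Gate, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Gate{keyID: keyID, priv: priv}, pub, nil
}

func NewRuntime(keyID string, pub ed25519.PublicKey) *Runtime {
	return &Runtime{trusted: map[string]ed25519.PublicKey{keyID: pub}, revoked: map[string]bool{}}
}

// Sign runs only after the build has passed the pipeline's scans; `approved`
// models that gate. The signature covers the SHA-256 of the exact bytes shipped.
func (g *Gate) Sign(name string, build []byte, approved bool) (*SignedArtifact, error) {
	if !approved {
		return nil, errors.New("refusing to sign a build that has not passed the pipeline gate")
	}
	sum := sha256.Sum256(build)
	return &SignedArtifact{Name: name, Build: build, KeyID: g.keyID, Signature: ed25519.Sign(g.priv, sum[:])}, nil
}

// Verify is the deploy-time check, in this order: is the key one we trust, do
// the bytes match the signature, has the signing authority withdrawn the build.
func (r *Runtime) Verify(a *SignedArtifact) error {
	pub, ok := r.trusted[a.KeyID]
	if !ok {
		return fmt.Errorf("untrusted signing key %q", a.KeyID)
	}
	sum := sha256.Sum256(a.Build)
	if !ed25519.Verify(pub, sum[:], a.Signature) {
		return errors.New("signature does not match build: altered since signing or signed by another key")
	}
	if r.revoked[hex.EncodeToString(sum[:])] {
		return errors.New("signature revoked by signing authority: build must not run")
	}
	return nil
}

// Revoke is the signing authority's response when a signed build is later
// found to be vulnerable; every runtime consulting the list stops trusting it.
func (r *Runtime) Revoke(a *SignedArtifact) {
	sum := sha256.Sum256(a.Build)
	r.revoked[hex.EncodeToString(sum[:])] = true
}

func main() {
	gate, pub, err := NewGate("pipeline-2022")
	if err != nil {
		panic(err)
	}
	rt := NewRuntime("pipeline-2022", pub)
	art, _ := gate.Sign("payments-api", []byte("constructed build bytes v1"), true)
	fmt.Println("clean deploy:", rt.Verify(art))
	tampered := *art
	tampered.Build = append([]byte(nil), art.Build...)
	tampered.Build[0] ^= 0xff // flip a bit after signing
	fmt.Println("tampered:", rt.Verify(&tampered))
	rt.Revoke(art)
	fmt.Println("after revocation:", rt.Verify(art))
}
```

The order of checks in Verify is deliberate: key trust first, then signature, then revocation, so nothing signed under an unknown key ever reaches the revocation lookup. Note what the signature does not say: only that the build passed whatever ran before Sign was called. That is why the revocation path exists, and why the ratio of revocations to releases is a useful metric.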

Three ways to measure risk in your application security posture

  • Number of applications in your application portfolio without a threat model updated in the last 90 days.
  • Number of applications with an exploitable vulnerability older than 30 days.
  • Each application's ratio of revoked signatures to releases. Ideally, teams release a fixed build before the previous signature has to be revoked, so releases should outnumber revocations.

Zero Trust applied to Cloud Security Posture

  1. Use Infrastructure as Code (IaC) - Because we cannot trust ourselves to configure infrastructure securely by hand every time, we need a repeatable process for building all infrastructure. By building and configuring all infrastructure with code, we can review and scan that code before it is applied and ensure infrastructure is created in compliance with security standards.
  2. Cloud Workload Protection (CWP) - Even though we protect our perimeter, we should assume threat actors will eventually break through. In case they do, monitoring the workloads themselves for vulnerabilities and proper configuration provides an additional layer of defense.
  3. Monitor your cloud assets for misconfigurations (CSPM) - Even though we may have built our infrastructure with IaC, there is always the possibility of configuration drift, whether from a console change, a break-glass fix, or an API call made outside the pipeline. Cloud security posture management tools detect configuration drift by continuously comparing your cloud assets against your policies and standards and alerting on the differences. In addition to monitoring for configuration drift, CSPMs provide detailed risk metrics for your cloud assets.
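The IaC gate, the CSPM compliance check and the drift detection described in items 1 and 3, as one added Go example (not code from the original article or from any CSPM product). It assumes a simplified object-storage resource with three settings and three policy rules written as code; the declared and live bucket lists in main are constructed sample data.

```go
package main

import "fmt"

// Bucket is a simplified object-storage resource with only the settings the
// page's policies talk about. A CSPM reads these from the cloud API; the IaC
// gate reads them from the declared resources before they are applied.
type Bucket struct {
	Name            string
	EncryptedAtRest bool
	PublicAccess    bool
	Owner           string
}

// Finding is one violation, identified by resource and rule.
type Finding struct{ Resource, Rule string }

// rules are the security standard expressed as code. Running the same list
// against declared and live state is what turns drift into a policy failure.
var rules = []struct {
	name string
	ok   func(Bucket) bool
}{
	{"encryption-at-rest-required", func(b Bucket) bool { return b.EncryptedAtRest }},
	{"public-access-blocked", func(b Bucket) bool { return !b.PublicAccess }},
	{"owner-tag-present", func(b Bucket) bool { return b.Owner != "" }},
}

// Evaluate returns every rule violation across the given assets.
func Evaluate(assets []Bucket) []Finding {
	var out []Finding
	for _, b := range assets {
		for _, r := range rules {
			if !r.ok(b) {
				out = append(out, Finding{b.Name, r.name})
			}
		}
	}
	return out
}

// Drift compares live assets with what IaC declared: resources created outside
// the pipeline, and declared resources whose live settings have changed.
func Drift(declared, live []Bucket) []Finding {
	want := map[string]Bucket{}
	for _, b := range declared {
		want[b.Name] = b
	}
	var out []Finding
	for _, b := range live {
		d, ok := want[b.Name]
		if !ok {
			out = append(out, Finding{b.Name, "drift:undeclared-resource"})
			continue
		}
		if d.EncryptedAtRest != b.EncryptedAtRest {
			out = append(out, Finding{b.Name, "drift:encryption-at-rest"})
		}
		if d.PublicAccess != b.PublicAccess {
			out = append(out, Finding{b.Name, "drift:public-access"})
		}
		if d.Owner != b.Owner {
			out = append(out, Finding{b.Name, "drift:owner-tag"})
		}
	}
	return out
}

// CompliancePercent is the first metric the page lists: the share of assets
// with no policy findings at all.
func CompliancePercent(assets []Bucket) float64 {
	if len(assets) == 0 {
		return 100
	}
	bad := map[string]bool{}
	for _, f := range Evaluate(assets) {
		bad[f.Resource] = true
	}
	return 100 * float64(len(assets)-len(bad)) / float64(len(assets))
}

func main() {
	// Constructed sample: what the IaC declared versus what the cloud reports.
	declared := []Bucket{{"app-logs", true, false, "platform"}, {"customer-exports", true, false, "data-eng"}}
	live := []Bucket{
		{"app-logs", true, false, "platform"},
		{"customer-exports", false, true, "data-eng"}, // "fixed" a sharing problem in the console
		{"scratch-dump", false, true, ""},             // created by hand, never declared in code
	}
	fmt.Println("IaC gate:", Evaluate(declared))
	fmt.Println("drift:", Drift(declared, live))
	fmt.Printf("live compliance: %.0f%%\n", CompliancePercent(live))
}
```

Running Evaluate on the declared state is the pre-apply gate; running it on the live state is the CSPM scan; Drift is what tells you that the two disagree even when a live asset happens to pass every rule. The hand-made "scratch-dump" bucket shows why undeclared resources deserve their own finding: nothing in code will ever correct them.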

Three ways to measure your cloud security posture

  • The percentage of cloud assets in compliance with your cloud security policies.
  • The percentage of workloads carrying a vulnerability that puts them out of compliance with your cloud security policy.
  • The number of applications per week deployed with out-of-policy IaC. This skirts the line of being a vanity metric, but it is valuable while transitioning to the cloud.


Zero Trust applied to Network Security Posture

  1. Software-defined network (SDN) - SDN is the architectural practice of separating the network control plane from the forwarding (data) plane and centralizing control in a programmable controller that sits between the network applications and the forwarding devices. This gives the network team the capability to change configurations and policies centrally rather than device by device.
  2. Network as code (NaC) - Network as code is the practice of using code to implement network policy. By codifying our network, we can use automation to segment our network consistently, reducing our blast radius in case of a breach.
  3. Network Segmentation / Micro-segmentation - Network segmentation is a network architecture principle that promotes dividing networks into much smaller subnetworks, each containing the least number of endpoints necessary to operate. Micro-segmentation pushes this further: policy is enforced at a much more granular level, down to the individual workload, any traffic that crosses a segment boundary must be authenticated and authorized, and everything else is denied by default.
  4. Software-defined perimeter (SDP) - A software-defined perimeter authenticates the user and device before any network connection to a protected resource is allowed, so that every network, application, and data request is ‘always verified.’ SDPs are intended to replace VPNs, which authenticate once at session start and then grant broad network access for the rest of the session.
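The segmentation and micro-segmentation policy from item 3, as an added Go example that is not part of the original article. It assumes three constructed segments (web, app and db as /24 prefixes), rules per segment pair and port that name the authenticated identities allowed to cross, and a default-deny verdict for everything else; the addresses and service names are made up for the demo.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Segment is a named subnetwork; micro-segmentation shrinks these to one tier or workload.
type Segment struct {
	Name   string
	Prefix netip.Prefix
}

// Rule permits flows from one segment to another on one port, only for the listed identities.
type Rule struct {
	From, To   string
	Port       uint16
	Identities []string
}

// Flow is what the enforcement point sees; Identity is empty if the peer never authenticated.
type Flow struct {
	Src, Dst netip.Addr
	DstPort  uint16
	Identity string
}

type Policy struct {
	Segments []Segment
	Rules    []Rule
}

func (p *Policy) segmentOf(a netip.Addr) (string, bool) {
	for _, s := range p.Segments {
		if s.Prefix.Contains(a) {
			return s.Name, true
		}
	}
	return "", false
}

// Decide returns the verdict and the reason. Default is deny: an address in no
// segment, an unauthenticated flow, or no matching rule all refuse the flow.
func (p *Policy) Decide(f Flow) (bool, string) {
	src, ok := p.segmentOf(f.Src)
	if !ok {
		return false, "source not in any segment"
	}
	dst, ok := p.segmentOf(f.Dst)
	if !ok {
		return false, "destination not in any segment"
	}
	if f.Identity == "" {
		return false, fmt.Sprintf("unauthenticated flow %s->%s", src, dst)
	}
	for _, r := range p.Rules {
		if r.From != src || r.To != dst || r.Port != f.DstPort {
			continue
		}
		for _, id := range r.Identities {
			if id == f.Identity {
				return true, fmt.Sprintf("rule %s->%s:%d for %s", src, dst, r.Port, id)
			}
		}
	}
	return false, fmt.Sprintf("no rule for %s->%s:%d as %s", src, dst, f.DstPort, f.Identity)
}

// DecideStrings parses textual addresses first; a malformed address is a deny.
func (p *Policy) DecideStrings(src, dst string, port uint16, identity string) (bool, string) {
	s, err := netip.ParseAddr(src)
	if err != nil {
		return false, "bad source address"
	}
	d, err := netip.ParseAddr(dst)
	if err != nil {
		return false, "bad destination address"
	}
	return p.Decide(Flow{s, d, port, identity})
}

// ThreeTier is a constructed policy: web may reach app on 8443, app may reach
// the database on 5432, nothing else. A compromised web host cannot reach db.
func ThreeTier() *Policy {
	return &Policy{
		Segments: []Segment{
			{"web", netip.MustParsePrefix("10.0.1.0/24")},
			{"app", netip.MustParsePrefix("10.0.2.0/24")},
			{"db", netip.MustParsePrefix("10.0.3.0/24")},
		},
		Rules: []Rule{
			{"web", "app", 8443, []string{"svc-web"}},
			{"app", "db", 5432, []string{"svc-app"}},
		},
	}
}

func main() {
	p := ThreeTier()
	fmt.Println(p.DecideStrings("10.0.1.10", "10.0.2.10", 8443, "svc-web")) // allow
	fmt.Println(p.DecideStrings("10.0.1.10", "10.0.3.10", 5432, "svc-web")) // deny: lateral move web->db
	fmt.Println(p.DecideStrings("10.0.2.10", "10.0.3.10", 5432, ""))        // deny: no identity
}
```

The identity check comes before the rule search on purpose: a flow with the right addresses and port but no authenticated principal is the classic stolen-IP or spoofed-host case, and it should fail fast regardless of what the rules say. Because rules are data, the same structure can be emitted from network-as-code and loaded by whatever enforces it.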

Ways to measure your network security posture

  • Number of network devices configured by code. Ideally, this should grow over time.
  • Number of network devices out of compliance with your network security standards.


Zero Trust applied to Data Security Posture

  1. Encrypt at rest & in-flight - At the end of the day, one of the most critical reasons cybersecurity exists is to protect data. Assuming a breach, data must be encrypted at all times. Data storage assets must be monitored to ensure they enforce encryption at rest. Web endpoints must also be monitored to ensure all requests are encrypted in-flight, which means rejecting plaintext connections rather than merely offering TLS alongside them.
  2. Classify data on creation - Knowing the confidentiality of data is a prerequisite to determining whether a user can access it. Backfilling this information is a fool's errand; enforcing data classification on creation gives us the label we need to verify explicitly at access time.
  3. Access review - Access reviews are the periodic review of the access granted to identities. Role-based access is only effective if it is always verified. Monitoring for over-provisioned access ensures that identities only have the permissions they need, not the permissions users think they need.

Three ways to measure your data security posture

  • Percent of data classified accurately
  • Percent of data stored in compliance with your security standards
  • Number of access reviews not completed. Even when policy says to automatically revoke user access that was not reviewed, doing so often creates confusion and distrust of the system. Access reviews are an essential responsibility for managers.

Zero Trust applied to Identity Security Posture

  1. Access Management - Maybe this is too simplistic, but access management in a ‘Zero Trust’ world means continuously authenticating users and re-verifying their access, rather than trusting a session for its whole lifetime once it has been established.
  2. MFA - Knowing your user in a zero-trust environment requires that you authenticate at least two distinct factors: something they know, something they have, and something they are.
  3. Privileged Access Management - Giving users privileged access by default is not acceptable in the zero-trust world. We need to verify the need and elevate a user's privilege only at the time of need.
  4. Least Privilege - In the ZT world, assume that any credential could be used for nefarious means. When we verify that a user needs an elevated privilege, we grant them exactly what they need for the minimal time required, and the grant expires on its own.

Ways to measure your identity security posture

  • Total number of privileged accounts. This number indicates how large a risk currently exists due to standing privileged accounts, and it should fall as elevation moves to just-in-time grants.


Zero Trust applied to Device Security Posture

  1. Local Admin Rights (LAR) - Requiring users to authenticate in order to elevate access ensures that local elevated privileges are verified before being used. I know developers love admin access to their devices. As we move to the ‘Zero Trust’ world, developers still need to be able to get privileged access instantaneously, but each time they need it, automated privilege elevation based on the user's role and location occurs, and the elevation expires afterwards, reducing the risk of standing administrative credentials being stolen.
  2. Limit data on the device - Devices on the perimeter are always at risk of being breached, lost, or stolen. To ensure data is secured correctly and always authenticated before access, never store protected data on a device.
  3. Biometrics on a separate chip - When protected data must live on a device, such as biometric templates, it should be stored in a dedicated secure chip that is physically separated from the standard device storage and that releases nothing without authentication.
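The just-in-time elevation described under Privileged Access Management and Least Privilege in the identity section, and the role- and location-based local admin elevation in item 1 above, are one mechanism; here it is as an added Go example, not code from the original article or from any PAM product. The users, roles, permission sets, approved locations and one-hour cap are constructed assumptions, and the current time is passed in explicitly so that expiry can be exercised.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Elevation is a time-boxed grant of one role to one user. Nothing is standing:
// once Expires passes the permissions are gone without anyone revoking them.
type Elevation struct {
	User, Role string
	Expires    time.Time
}

// Request carries what the broker verifies explicitly before elevating: who,
// which role, from where, and whether the session was recently MFA-verified.
type Request struct {
	User, Role, Location string
	MFAVerified          bool
	TTL                  time.Duration
}

// Broker is a minimal PAM / local-admin elevation service. Roles map to narrow
// permission sets rather than "admin", and every grant is capped at MaxTTL.
type Broker struct {
	Eligible  map[string][]string // user -> roles they may request
	Roles     map[string][]string // role -> permissions it carries
	Locations map[string]bool     // locations elevation may be requested from
	MaxTTL    time.Duration
	Active    []Elevation
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// Elevate checks every condition and grants the shortest elevation that
// satisfies the request. `now` is injected so expiry can be tested.
func (b *Broker) Elevate(req Request, now time.Time) (Elevation, error) {
	if !req.MFAVerified {
		return Elevation{}, errors.New("elevation requires a fresh MFA verification")
	}
	if !b.Locations[req.Location] {
		return Elevation{}, fmt.Errorf("elevation not permitted from location %q", req.Location)
	}
	if !contains(b.Eligible[req.User], req.Role) {
		return Elevation{}, fmt.Errorf("user %q is not eligible for role %q", req.User, req.Role)
	}
	ttl := req.TTL
	if ttl <= 0 || ttl > b.MaxTTL {
		ttl = b.MaxTTL // least time: never longer than policy allows
	}
	e := Elevation{User: req.User, Role: req.Role, Expires: now.Add(ttl)}
	b.Active = append(b.Active, e)
	return e, nil
}

// Allowed is the check at time of use: the permission must come from an
// elevation that is still active. Expired grants are pruned as a side effect.
func (b *Broker) Allowed(user, perm string, now time.Time) bool {
	kept := b.Active[:0]
	allowed := false
	for _, e := range b.Active {
		if !now.Before(e.Expires) {
			continue // expired: drop it
		}
		kept = append(kept, e)
		if e.User == user && contains(b.Roles[e.Role], perm) {
			allowed = true
		}
	}
	b.Active = kept
	return allowed
}

// DemoBroker is a constructed configuration, not any real organisation's policy.
func DemoBroker() *Broker {
	return &Broker{
		Eligible: map[string][]string{"alice": {"db-operator"}, "dev-bob": {"local-admin"}},
		Roles: map[string][]string{
			"db-operator": {"db:restart", "db:read-logs"},
			"local-admin": {"host:install-package", "host:debug-process"},
		},
		Locations: map[string]bool{"corp-office": true, "managed-vpn": true},
		MaxTTL:    time.Hour,
	}
}

func main() {
	b, now := DemoBroker(), time.Now()
	e, err := b.Elevate(Request{"dev-bob", "local-admin", "corp-office", true, 20 * time.Minute}, now)
	fmt.Println(e, err, b.Allowed("dev-bob", "host:install-package", now.Add(5*time.Minute)))
}
```

Two design points are worth noticing. The permission check happens at time of use, not at time of grant, so an elevation that has expired in the meantime is simply gone; and a role never carries a blanket "admin" permission, so a developer who needs to install a package gets that, not the ability to create new accounts. The number of entries in Active at any moment is the "privileged accounts" metric from the identity section, and in this model it trends to zero whenever nobody is actively working.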

Ways to measure your device security posture

  • Number of users with standing administrative access to a device.
  • Number of devices holding protected data locally.

Continuous Assessment


Summary

‘Zero Trust’ security is an aspirational goal. Security tools and processes are changing so fast that I doubt anyone ever achieves ‘Zero Trust.’

Molding our people to have a ‘Zero Trust’ mindset gives them the vision to measure cybersecurity posture. Using the three ‘Zero Trust’ principles to evaluate our six cybersecurity postures, teams have a framework to build cybersecurity roadmaps for the enterprise.


References

Embracing a Zero Trust Security Model. (2021, February). National Security Agency. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF

Malhotra, S. (2021, April 19). Why We Need To Apply Zero Trust To Applications. Forbes. Retrieved October 12, 2022, from https://www.forbes.com/sites/forbestechcouncil/2021/04/19/why-we-need-to-apply-zero-trust-to-applications/?sh=4001fbd76112

What Is Network Segmentation? (n.d.). Palo Alto Networks. Retrieved October 12, 2022, from https://www.paloaltonetworks.com/cyberpedia/what-is-network-segmentation

What is the Difference Between SDP and Zero Trust? (2021, November 13). Cloud Security Alliance. Retrieved October 13, 2022, from https://cloudsecurityalliance.org/blog/2021/11/13/what-is-the-difference-between-software-defined-perimeter-and-zero-trust/

Burke, J. (2021, November 1). Software-defined perimeter + Zero Trust: A good place to start. Network World. Retrieved October 13, 2022, from https://www.networkworld.com/article/3639030/software-defined-perimeter-is-a-good-place-to-start-a-rollout-of-zero-trust-network-access.html

Software-Defined Networking (SDN) Definition. (2020, June 4). Open Networking Foundation. Retrieved October 13, 2022, from https://opennetworking.org/sdn-definition/

Rosencrance, L., English, J., & Burke, J. (2022, May 11). Software-defined networking (SDN). SearchNetworking. Retrieved October 13, 2022, from https://www.techtarget.com/searchnetworking/definition/software-defined-networking-SDN

Identity Defined Security Alliance. (2022, September 28). Identity Defined Security Framework. Retrieved October 13, 2022, from https://www.idsalliance.org/white-paper/identity-defined-security-framework/

Philip Griffiths

Open source zero trust networking

11 months

Great piece, David. I would say you are missing one major piece: provide developers the tools (e.g., via SDKs for their language/framework) to embed zero trust networking directly into their apps. This provides their apps with various superpowers - incl. mTLS, E2EE, private DNS, outbound-only connections, posture checks and more - while ensuring the app has no listening ports on the underlay network (incl. host OS network). It's literally unattackable via conventional IP-based tooling and all conventional network threats are immediately useless. This exists with free and open source, for example, OpenZiti. Here is a good blog using Golang as an example - https://blog.openziti.io/go-is-amazing-for-zero-trust.
