What is Zero Trust?

How is this new model changing cybersecurity?

I am going to discuss the topic of zero trust and how it is reshaping the cybersecurity field.

This “trend” is not that new, but it has gained popularity in the last couple of years. It represents a paradigm shift, and we will discuss why and how that will impact the field.

This topic is important because cybersecurity is expensive, and each year it gets more expensive. In this article, I will explain a bold claim:

Zero Trust has the Potential to Finally Bend the Cost Curve of Cybersecurity - Dr Allen Harper

Most people are unaware of the zero trust “trend” and will therefore not take advantage of it. My goal is to equip you with the information you need to think about developing your own zero trust strategy for your organization.

Here is what you will get out of this article:

  • Background of Zero Trust
  • Pillars of Zero Trust
  • Zero Trust Maturity Model
  • Zero Trust Strategies and Architectures
  • Cost Implications

Background of Zero Trust

I believe that zero trust is the fifth generation of cybersecurity.

  • 1995 Perimeter Security - castle and moat approach with firewalls [1]
  • 2002 Defense in Depth - concentric circles of protection around the data, outward to the firewalls [2]
  • 2010 Continuous Monitoring - 24×7 monitoring of the defensive architecture, quick response, containment, eradication [3]
  • 2014 Active Cyber Defense - proactive cybersecurity, threat hunting, fusion of cyber threat intelligence into the SOC and operations [4]
  • 2021 Zero Trust - Presidential Executive Order mandating Zero Trust for U.S. Federal Agencies [5]

Why does cybersecurity need to keep evolving, and why, until now, have we not been able to keep the adversary out? The first problem is zero days: previously unknown vulnerabilities that allow attackers to reach into networks with impunity. The second factor is that the majority of our cybersecurity solutions are signature based, and by definition zero days can’t be detected by a signature based solution. These two factors give the attacker the advantage: they spend less and we keep spending more. But that may be about to change.

The zero trust concept is not new; it has been discussed in one form or another since:

  • 2003 Jericho Forum [6]
  • 2009 Google BeyondCorp [7]
  • 2010 Seminal Forrester Paper [8]
  • 2019 NIST 800–207 Final (2020) [9]
  • 2021 Presidential Executive Order Mandating Zero Trust [5]
  • 2022 U.S. DHS CISA Guidance on Zero Trust and Cloud [10]

So, you can see, the concept is not new, but what has changed is the focus and priority. Consider that “in 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches” [11].

This breach was the proverbial straw that broke the camel’s back. From this point onward, the U.S. Government has been pursuing a Zero Trust Strategy, and the rest of the world is following.

Pillars of Zero Trust

The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released a Zero Trust Maturity Model [12]. It has the following pillars and foundational capabilities.


source: DHS CISA Zero Trust Maturity Model, 2.0 [12]

The core pillars of Zero Trust are shown:

  • Identity - the core pillar of zero trust, provides context of “who” is interacting
  • Devices - provides context of “what” device they are coming from
  • Networks - provides context of “where” the user is located
  • Applications - provides context of “what” applications the users are using
  • Data - provides context of “what” data is being accessed

The cross cutting foundation of each pillar is:

  • Visibility and Analytics
  • Automation and Orchestration
  • Governance

The idea with zero trust is to restrict access to sensitive data to an authorized user, on an authorized device, in an authorized segment of the network, using authorized applications, to access a particular set of data, and most importantly, to block all else. Further, leveraging the foundational elements of zero trust, if anything changes during this connection, the risk may be reassessed and revalidated at each pillar. We will come back to the impact of this later.

Zero Trust Pillars

Now, let’s take a look at each pillar in depth.

Identity

Identity is the key pillar of zero trust: without it, none of the other pillars will work. The premise of identity is to obtain an attribute or set of attributes that uniquely identify a user or entity, including non-person entities (i.e. service accounts).

The identity pillar includes:

  • Authentication - ability to identify and validate credentials, using multi-factor authentication (MFA)
  • Identity Stores - ability to securely store credential information across the enterprise and partner environments
  • Risk Assessments - ability to dynamically identify the risk of an identity based on several factors
  • Access Management - ability to limit access to resources, based on identity, roles and attributes
  • Visibility and Analytics Capability - ability to collect user and entity behavior across the enterprise and maintain situational awareness of the risk posed by those identities
  • Automation and Orchestration Capability - ability to automate the identity provisioning, authentication, and de-provisioning processes
  • Governance Capability - ability to perform enterprise wide enforcement of policies concerning identity

Device

The device pillar concerns every device a user may use: personal, corporate, mobile, and virtual. It also includes other types of devices, from printers to IoT to networking equipment. The key is to recognize that the user will move from device to device, often within minutes, and the risk management system should be able to account for those changes and make real time decisions for policy enforcement.

The device pillar involves:

  • Policy Enforcement - ability to enforce policy decisions at a device level, in an automated manner, continuously
  • Asset & Supply Chain Risk Management - ability to identify and track all devices in the organization, in a dynamic manner
  • Resource Access - ability to make policy decisions based on device attributes and real time risk analytics
  • Device Threat Protection - ability to deploy and maintain device threat protections in an automated manner
  • Visibility and Analytics Capability - ability to maintain visibility of all device activities across the enterprise
  • Automation and Orchestration Capability - ability to automate the policy enforcement process, dynamically and continually, based on risk management
  • Governance Capability - ability to maintain control of device security throughout the asset lifecycle

Network

The Network pillar involves the communication channels used by users and devices, including cloud, internal, wireless, and Internet. A key aspect of zero trust is the shift from a focus on the perimeter to an understanding that there is often no perimeter in a modern cloud and mobile user environment. Another way to think about this is that the perimeter extends to wherever the user is.

The Network pillar includes:

  • Network Segmentation - ability to segment traffic to the least access required for a given network segment. Ideally, micro segmentation is used, where tunnels are established between devices over the network and all other traffic is blocked.
  • Network Traffic Management - ability to shape network traffic based on application requirements and to dynamically extend and restrict it based on risks
  • Traffic Encryption - ability to manage keys and dynamically encrypt sensitive traffic, enterprise wide
  • Network Resilience - ability to maintain availability, even in the face of a determined attack
  • Visibility and Analytics Capability - ability to maintain visibility of all network traffic across the enterprise, providing situational awareness
  • Automation and Orchestration Capability - ability to dynamically shape traffic as required, and to dynamically initiate and expire links and segmentation, using Infrastructure as Code (IaC)
  • Governance Capability - ability to manage risk through policies concerning network traffic

Applications and Workloads

Applications and workloads are the interface between users and data. This includes both computer programs and services that execute on-premises, in the cloud, and in mobile environments.

This pillar covers all aspects of the application lifecycle and DevSecOps processes and includes:

  • Application Access - ability to continually authorize application access, in a dynamic and risk based approach
  • Application Threat Protections - ability for the application to protect itself and the data it accesses, in a real time and dynamic manner
  • Accessible Applications - ability to make applications available in open public environments, while restricting access to authorized users only and blocking others
  • Secure Application Development and Deployment Workflow - ability to maximize use of immutable workloads (using containers) and to remove administrative access to production environments, requiring redeployment to make changes
  • Application Security Testing - ability to perform security testing throughout the software development lifecycle
  • Visibility and Analytics Capability - ability to maintain visibility of all applications used throughout the enterprise, using consistent logging and dynamic analytic capability
  • Automation and Orchestration Capability - ability to perform testing in an automated manner and deploy using IaC for CI/CD
  • Governance Capability - ability to maintain risk management through control of applications, enterprise wide

Data

The last pillar of Zero Trust is Data, which includes all structured and unstructured files and fragments, no matter the location, and their associated metadata.

The idea is to inventory, protect, and securely remove data when appropriate. This includes:

  • Data Inventory Management - ability to continuously inventory data and also provide data loss management capability
  • Data Categorization - ability to categorize and label data based on data types, sensitivity level, and risks
  • Data Availability - ability to maintain data availability in the face of a persistent attack, including recovering past data as required
  • Data Access - ability to provide dynamic access controls around data and provide just-in-time and just-enough access, based on risk and policies
  • Data Encryption - ability to protect data both in transit and at rest, including secure key management and cryptographic agility
  • Visibility and Analytics Capability - ability to provide visibility of all data assets throughout the data life-cycle, including analytics and continuous security monitoring
  • Automation and Orchestration Capability - ability to automate the data life-cycle process across the enterprise
  • Governance Capability - ability to maintain risk management, in terms of data, across the enterprise

Zero Trust Maturity Model

The DHS CISA Zero Trust Maturity Model provides a maturity model that has 4 levels:

  • Traditional - manual processes, static security policies, silos of policy enforcement
  • Initial - starting to automate processes, starting to have cross pillar policy enforcement
  • Advanced - wherever possible, automated cross pillar policy enforcement
  • Optimal - fully automated, dynamic least privilege access, cross pillar enforcement with continuous monitoring and centralized visibility

Each tenet (pillar) of zero trust may be assessed against this maturity model.


source: DHS CISA Zero Trust Maturity Model, 2.0 [12]

The idea is to determine the capability maturity of the organization, then work iteratively to improve it over time.

Zero Trust Strategy

Benefits of adopting a zero trust strategy and architecture include:

  • Assumption of breach
  • Block by default
  • Grant micro trust, then continually verify
  • Reduced future cost (more on that in next section)

This is done by clearly defining a set of controls at each pillar and foundational element and then designing a set of policies to enforce at each policy enforcement point (PEP). In this manner, we shift from the paradigm of traditional cybersecurity, which is built on the premise of defining “known bad” and leveraging those “signatures” throughout multiple layers of the security architecture. The problem with the “signature based” approach, on which 95% of today’s security architecture is built, is that attackers continue to evolve and, by definition, a zero day threat has no signature.

Instead, zero trust flips the model by focusing on known good and rejecting all else. We have always known that this “white” list approach is better than the “black” list approach, but until now it has not been feasible to pull off. To be clear, we are not fully there, with all of the technology pieces in place, but we are well on the way to being able to realize a full stack zero trust architecture in the next couple of years. Most government agencies and many companies are heading that way; you may want to “skate where the puck is heading” and get there yourself.
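The access decision described in the pillars section (authorized user, on an authorized device, from an authorized network segment, through an authorized application, to a particular data set, block all else, and re-evaluate when anything changes) and the “known good” allowlist versus “known bad” blocklist contrast just above can be made concrete in a small policy decision point. The following Python is an added example written for this article; it is not code from the author, from CISA or from NIST SP 800-207, and every user, role, segment, data label and rule in it is a constructed sample value.

```python
"""Minimal zero-trust policy decision point (PDP), added here as an
illustration (not the author's or CISA's code). A request carries context
from all five pillars; policy is an allowlist of "known good" combinations
and anything not explicitly allowed is denied; a session is re-decided on
every signal change rather than trusted once at login. All names, labels
and rules are constructed sample values."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Context:
    """Signals a policy enforcement point (PEP) gathers for one request."""
    user: str
    roles: frozenset          # identity: roles from the identity store
    mfa: bool                 # identity: strong authentication completed
    device_managed: bool      # device: enrolled in device management
    device_compliant: bool    # device: passes posture checks
    network_segment: str      # network: segment the device connects from
    application: str          # application mediating the access
    data_label: str           # data: classification of the requested data


@dataclass(frozen=True)
class Rule:
    """One 'known good' path to a data set; every condition must hold."""
    role: str
    application: str
    data_label: str
    allowed_segments: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True


def _violations(ctx: Context, rule: Rule) -> list:
    """Every pillar condition of `rule` that `ctx` fails (empty = match)."""
    problems = []
    if rule.role not in ctx.roles:
        problems.append(f"identity: role {rule.role!r} not held by {ctx.user}")
    if rule.require_mfa and not ctx.mfa:
        problems.append("identity: MFA required")
    if rule.require_compliant_device and not (ctx.device_managed and ctx.device_compliant):
        problems.append("device: managed and compliant device required")
    if ctx.network_segment not in rule.allowed_segments:
        problems.append(f"network: segment {ctx.network_segment!r} not permitted")
    return problems


def decide(ctx: Context, rules: list) -> tuple:
    """Return (allowed, reason). Default deny: access is granted only if some
    rule for this application/data pair is satisfied on every pillar."""
    closest = None
    for rule in rules:
        if (rule.application, rule.data_label) != (ctx.application, ctx.data_label):
            continue  # rule covers a different application/data pair
        problems = _violations(ctx, rule)
        if not problems:
            return True, f"allowed: role {rule.role!r} via {rule.application}"
        if closest is None or len(problems) < len(closest):
            closest = problems  # keep the nearest miss for the deny reason
    if closest is None:
        return False, "default deny: no rule covers this application/data pair"
    return False, "denied: " + "; ".join(closest)


class Session:
    """A granted access whose decision is recomputed on every signal change."""

    def __init__(self, ctx: Context, rules: list):
        self.rules, self.ctx = rules, ctx
        self.allowed, self.reason = decide(ctx, rules)

    def update(self, **changed_signals) -> bool:
        """A PEP reports changed context (e.g. device fell out of compliance)."""
        self.ctx = replace(self.ctx, **changed_signals)
        self.allowed, self.reason = decide(self.ctx, self.rules)
        return self.allowed


# Constructed sample policy: two "known good" paths; nothing else is reachable.
RULES = [
    Rule(role="finance-analyst", application="erp-web", data_label="finance-confidential",
         allowed_segments=frozenset({"corp-wired", "corp-vpn"})),
    Rule(role="employee", application="wiki", data_label="internal",
         allowed_segments=frozenset({"corp-wired", "corp-vpn", "corp-wifi"}),
         require_compliant_device=False),
]
# Constructed sample requests.
ANALYST = Context(user="alice", roles=frozenset({"employee", "finance-analyst"}), mfa=True,
                  device_managed=True, device_compliant=True, network_segment="corp-vpn",
                  application="erp-web", data_label="finance-confidential")
CONTRACTOR = Context(user="bob", roles=frozenset({"contractor"}), mfa=True,
                     device_managed=False, device_compliant=False, network_segment="corp-wifi",
                     application="erp-web", data_label="finance-confidential")


def session_walkthrough() -> list:
    """Continuous verification: one session re-decided as signals change.
    Returns (event, allowed) pairs."""
    s = Session(ANALYST, RULES)
    events = [("connected from VPN on compliant device", s.allowed)]
    events.append(("device posture check failed", s.update(device_compliant=False)))
    events.append(("device remediated", s.update(device_compliant=True)))
    events.append(("moved to guest wifi", s.update(network_segment="guest-wifi")))
    return events


if __name__ == "__main__":
    print(decide(ANALYST, RULES))
    print(decide(CONTRACTOR, RULES))
    for event, allowed in session_walkthrough():
        print(f"{event:45s} -> {'ALLOW' if allowed else 'DENY'}")
```

Two design points carry the article’s argument: `decide` never enumerates bad behaviour, so a novel attack technique has nothing to evade, only a set of conditions it fails to satisfy; and `Session.update` makes the grant conditional on the current state of every pillar, which is what “reassessed and revalidated” means in practice when a device drops out of compliance mid-connection.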

Practical steps of implementing a zero trust strategy include:

  • Leadership buy-in, which is going to be key to foster the cultural shift that will be required to implement zero trust.
  • Updated inventory of all IT and data assets across the organization.
  • Gap assessment, using a framework like the DHS CISA Maturity Model, to determine your current level of maturity in terms of zero trust.
  • Establish a set of small projects to incrementally improve your zero trust posture and security architecture, to achieve a higher level of maturity.
  • Regularly assess (at least annually), measuring progress and remaining gaps, to achieve a higher level of maturity across all pillars and foundational elements.

Cost Implications

As previously mentioned, the cost to implement and maintain cybersecurity is significant and seemingly increasing exponentially, year after year. The reason for this is the zero day and signature based problem we have discussed.

By implementing zero trust, which is fundamentally not signature based but instead defines known good on a micro service and segmentation basis, there is the potential to dramatically reduce the cost of cybersecurity services.

Now, depending on the ability to reuse existing technology already in place, there may be an investment required up front to transform the security architecture to one of zero trust; however, after that initial investment, there should be a measurable reduction in cost going forward.

By implementing zero trust completely, at a high level of capability maturity, we may finally stop expending more resources than the attacker, and may increase their cost curve while decreasing our own.

TL;DR

In this article, we have discussed zero trust:

  • History and background
  • Elements of zero trust
  • Zero Trust Maturity Model
  • Practical approach to implementing
  • Cost implications

If you enjoyed the content in this article, subscribe to my Newsletter for more content like it. Also, join my free mentoring group at www.allenharper.com.

If you enjoyed this, recycle it for others.

P.S. Let me know what other topics you want me to explain.

Citations

[1] https://ostec.blog/en/perimeter/firewall/

[2] https://irp.fas.org/doddir/dod/d8500_1.pdf

[3] https://csrc.nist.gov/csrc/media/projects/risk-management/documents/faq-continuous-monitoring.pdf

[4] https://www.degruyter.com/document/doi/10.1515/jhsem-2014-0021/html?lang=en

[5] https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

[6] https://en.wikipedia.org/wiki/Jericho_Forum

[7] https://beyondcorp.com/

[8] https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf

[9] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

[10] https://www.cisa.gov/sites/default/files/publications/Cloud%2520Security%2520Technical%2520Reference%2520Architecture.pdf

[11] https://en.wikipedia.org/wiki/2020_United_States_federal_government_data_breach

[12] https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf