Zero trust architecture Designs and Implementation

https://www.japh.one/blog-tech-08-23/zero-trust-architecture

Transitioning to zero trust networks that verify all connections.

08/06/2023 by Jeremy Pickett

TLDR: This conversation explored how zero trust architecture principles like least privilege access, multi-factor authentication, segmentation, and encryption can help organizations securely enable remote work and digital transformation across complex hybrid environments. Implementing zero trust was discussed through technologies like software-defined perimeters, cloud access security brokers, network microsegmentation tools, and privileged access management. Leading platforms from Microsoft, VMware, Cisco, Okta and Palo Alto Networks help enable zero trust capabilities. Phased deployments focusing first on protecting critical assets were advised. While zero trust strengthens security posture overall, potential privacy dilemmas were raised regarding extensive logging, surveillance, and friction from stringent access controls. Organizations were encouraged to mitigate privacy risks through governance that ensures zero trust policies balance security, privacy and user experience through measures like data minimization, transparency, training, and risk assessments. When thoughtfully implemented, zero trust principles allow enterprises to reduce cyber risk and confidently innovate with the cloud and other emerging technologies.


Introduction

Zero trust architecture is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. The zero trust model evolved in response to enterprise infrastructure becoming more complex and dynamic, with resources moving to the cloud and users working from everywhere instead of just secured corporate offices. Zero trust proposes that organizations should not automatically trust anything inside or outside their perimeters and instead must "verify explicitly."

Implementing zero trust is a strategic shift, because it involves rethinking an assumption baked into existing network defenses: that something or someone, once verified, could be trusted from then on. Zero trust instead authenticates and authorizes based on policies set per application and user. The goal is to minimize internal lateral movement in the event of a breach and limit the damage. Zero trust architecture designs can encompass network segmentation, multi-factor authentication, encryption, privileged access management controls and more. Transitioning to zero trust is usually done in phases, focusing first on protecting critical assets and high-value targets. While zero trust raises some potential privacy dilemmas, the model aims to enable secure access for users from any location while limiting unnecessary lateral access that would expose data.


Background and History

The zero trust model was first proposed by Forrester Research analyst Jon Kindervag in 2010 as an alternative to traditional castle-and-moat network security. The typical network security approach relied on hard perimeter defenses like firewalls to protect everything inside the corporate network while anything outside was considered untrusted. Several high-profile cyberattacks showed perimeter defenses were insufficient against threats that had penetrated the network edge. Once in, lateral movement allowed attackers to reach critical systems and data. The Target breach in 2013 demonstrated how compromised vendor credentials were used to steal payment card and personal data for 70 million customers. Equifax was breached in 2017 in an attack that started by exploiting an unpatched Apache Struts vulnerability, allowing the attackers to penetrate the perimeter and then move laterally inside to reach sensitive data stores. These and other breaches revealed that trusted networks were not really trustworthy after all.

Zero trust emerged as an answer that recognized traditional perimeter defenses were no longer enough. Google adopted a zero trust approach internally in 2008 and other tech companies like Microsoft and VMware followed. The U.S. federal government embraced zero trust in the wake of several agency breaches, making it a requirement for agencies in 2020. High-profile attacks like the SolarWinds and Colonial Pipeline breaches further demonstrated the need to verify and inspect internal traffic that may originate from compromised users or devices. While zero trust has gained traction, actually implementing it presents challenges for large enterprises with complex hybrid environments. Integrating the right technologies and changing processes is key to successfully transitioning to zero trust.


Top 5 Technologies/Tools

1. Network Segmentation and Microsegmentation

Dividing networks into smaller segments and using microsegmentation to separate application workloads enables enforcing zero trust at a granular level. This limits lateral movement between segments if any resource is compromised. Software-defined perimeters dynamically provision cloud network segments. VMware NSX and Cisco ACI provide network segmentation. Illumio and Guardicore specialize in microsegmentation for on-prem and cloud.


2. Multifactor Authentication

Requiring additional factors beyond passwords for access implements the zero trust tenet of verifying explicitly. Options include biometrics, security keys, and one-time codes via app or SMS. Duo Security, Okta, Ping Identity, Microsoft and Google offer robust multifactor authentication. Integrating it into VPNs, WiFi and application access is key.


3. Cloud Access Security Brokers

CASBs sit between users and cloud applications to enforce security policies. They add zero trust capabilities like contextual access control, data loss prevention, malware prevention and authentication gateways. Major CASB vendors include Netskope, Zscaler, and McAfee MVISION Cloud.


4. Software-Defined Perimeters

SDPs hide application resources behind a controller that authenticates user identity and device health before granting least privileged access. SDPs essentially cloak resources so only verified users can access them. Major SDP vendors include Akamai, Symantec, and Perimeter 81.


5. Privileged Access Management

Strict controls on administrative, root and service accounts limit insider risk, in line with zero trust principles. PAM tools enable just-in-time elevation, multi-factor authentication for privileged access, and monitoring of session activity. Key PAM solutions come from CyberArk, BeyondTrust, ThycoticCentrify, and Microsoft.


Top 5 Vendors

1. Microsoft

Microsoft Azure provides robust infrastructure as a service capabilities to support zero trust implementations for cloud environments. Native Azure tools include Azure Active Directory, Azure AD Conditional Access, Azure Firewall, Azure Sentinel and integrated security across Microsoft 365 and Dynamics 365 applications.


2. VMware

VMware's software-defined data center and NSX network virtualization enable zero trust microsegmentation and intrinsic security for multi-cloud environments. The VMware SASE platform combines SD-WAN capabilities with cloud-based security like firewalls, sandboxing, and CASB.


3. Cisco

Cisco offers zero trust solutions for network segmentation with Cisco ACI along with identity and access management tools like Duo for multifactor authentication. Cloud security capabilities come via the Cloudlock CASB and Umbrella SASE products. Cisco SecureX unifies visibility.


4. Okta

Okta's identity and access management platform centralizes identity with single sign-on, adaptive multifactor authentication, and user provisioning capabilities to support zero trust. Okta also offers a Zero Trust Framework to help architect cloud and hybrid environments.


5. Palo Alto Networks

Palo Alto Networks provides zero trust network security with ML-powered next-generation firewalls and API-based security infrastructure designed for cloud scale. Prisma Cloud protects infrastructure, networks, data and applications. Prisma Access replaces VPNs with a cloud-delivered SASE product.


Zero Trust Architecture Goals

Implementing zero trust capabilities can help CISOs and CTOs achieve key goals around enabling secure access, increasing visibility, driving efficiency through automation, and supporting cloud and digital transformation strategies.

For example, software-defined perimeters and multifactor authentication controls allow organizations to support remote and mobile workforces more securely by removing the need for VPNs. Users can access applications and resources from any device or location, with their identity and device state validated before granting least privileged access. Google adopted the zero trust BeyondCorp model in 2008 to enable secure remote access for its distributed workforce.

Greater visibility is enabled through comprehensive logging, analytics, and user behavior monitoring tools. Machine learning can analyze patterns to flag anomalies indicative of account compromise or malicious insider activity. For instance, Azure AD uses risk-based conditional access policies that consider factors like sign-in risk, device compliance, and geo-location to determine authentication challenges and adaptive access controls.
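As an added illustration (not code from the original post), here is a minimal policy decision point in Python that evaluates an access request the way the paragraph above describes risk-based conditional access doing it: identity, device compliance, sign-in risk and location combine into an allow, step-up or deny decision. The resource names, risk levels and thresholds are assumptions, not any vendor's real policy model.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # access only after an additional factor is presented
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    identity_verified: bool       # primary authentication succeeded
    mfa_satisfied: bool           # a second factor was already presented this session
    device_compliant: bool        # endpoint management reports a healthy device
    sign_in_risk: str             # "low" | "medium" | "high", from the analytics layer
    country: str                  # geo-location of the source address
    usual_countries: frozenset    # countries this user normally signs in from


@dataclass(frozen=True)
class ResourcePolicy:
    sensitivity: str                    # "internal" | "critical"
    require_compliant_device: bool = True


# Hypothetical per-resource policies (assumed names, not real systems).
POLICIES = {
    "hr-db": ResourcePolicy(sensitivity="critical"),
    "wiki": ResourcePolicy(sensitivity="internal", require_compliant_device=False),
}

RISK_RANK = {"low": 0, "medium": 1, "high": 2}


def evaluate(req: AccessRequest, policies=POLICIES) -> tuple[Decision, list[str]]:
    """Return the access decision and the signals behind it (for the audit log)."""
    policy = policies.get(req.resource)
    # An unknown risk label is treated as high so the engine fails closed.
    risk = RISK_RANK.get(req.sign_in_risk, RISK_RANK["high"])
    # Hard gates: default deny for unknown resources, unverified identities,
    # high-risk sign-ins, and unhealthy devices where the policy requires health.
    if policy is None:
        return Decision.DENY, ["no policy defined for resource"]
    if not req.identity_verified:
        return Decision.DENY, ["identity not verified"]
    if risk >= RISK_RANK["high"]:
        return Decision.DENY, ["high sign-in risk"]
    if policy.require_compliant_device and not req.device_compliant:
        return Decision.DENY, ["device not compliant"]
    # Adaptive signals: any one of them raises the bar to a second factor.
    signals = []
    if req.country not in req.usual_countries:
        signals.append("unfamiliar sign-in location")
    if risk >= RISK_RANK["medium"]:
        signals.append("elevated sign-in risk")
    if policy.sensitivity == "critical":
        signals.append("critical resource requires a second factor")
    if signals and not req.mfa_satisfied:
        return Decision.STEP_UP, signals
    return Decision.ALLOW, signals or ["no risk signals"]


if __name__ == "__main__":
    # Constructed requests: same user, different resources and factor state.
    base = dict(user="alice", identity_verified=True, device_compliant=True,
                sign_in_risk="low", country="US", usual_countries=frozenset({"US"}))
    for resource, mfa in (("wiki", False), ("hr-db", False), ("hr-db", True)):
        decision, why = evaluate(AccessRequest(resource=resource, mfa_satisfied=mfa, **base))
        print(f"{resource:6} mfa={mfa!s:5} -> {decision.value}: {', '.join(why)}")
```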

Policy automation via central identity platforms like Okta combined with embedded cloud security controls like Netskope's CASB increases efficiency by applying zero trust principles consistently across cloud applications and infrastructure. Automated responses can be triggered to risks like suspicious access attempts, without needing manual intervention.

For organizations pursuing cloud-first strategies and managing complex hybrid environments, zero trust principles can enable secure migrations. AWS and Azure provide native zero trust capabilities like transit encryption, role-based access controls, and microsegmentation to secure assets across regions, accounts, and on-prem resources.

Overall, thoughtfully implemented zero trust increases security posture while still providing appropriate access to users and workloads wherever they are located. It is well aligned to enable CISOs and CTOs to transform IT securely and meet strategic objectives.


Risk Mitigation from Zero Trust

To limit the damage from breaches, network microsegmentation and access controls prevent lateral movement between application tiers, data stores, or cloud accounts. This helps contain threats. Just-in-time privilege escalation also reduces standing privileges. For example, Privileged Access Management tools like CyberArk can enforce least privilege by granting admin rights to specific resources temporarily, then revoking access.

Multifactor authentication controls block compromised accounts or backdoors by requiring additional proof of identity before granting access. Behavioral analytics, like Azure AD Identity Protection, detect anomalies indicative of credential theft or secret backdoor access by analyzing signs like irregular sign-in locations or times.

Shifting applications and data to cloud environments behind proxies like Zscaler's CASB hides direct access from the public internet. The CASB controls access based on user identity, device security posture, and other variables. This reduces attack surfaces by removing direct connectivity.

End-to-end encryption protects data in motion across hybrid environments while data loss prevention controls classify and monitor data at rest and in use to prevent exfiltration. For example, pattern recognition can detect if an unusual amount of sensitive data is being copied or transferred.

Consolidating access activity logs and network traffic analysis into tools like Azure Sentinel enables correlated analysis to identify compromised users, devices, or anomalous data flows faster for rapid response. This central visibility is key to zero trust principles.

Taken together, these zero trust capabilities significantly reduce risks from both external and insider threats in alignment with modern cybersecurity best practices. By implementing them with intentional governance, organizations can make material improvements in security posture.


20 Open Questions

1. What resources or data assets warrant prioritizing for zero trust implementation first?

Organizations should prioritize zero trust controls first for resources like customer databases, intellectual property, financial systems, HR data, or other sensitive information stores. These high-value assets warrant more stringent access requirements like MFA and privileged access management. Public-facing apps and legacy systems that may be phased out can be a lower priority. Performing a data classification and risk assessment identifies critical assets to focus on.


2. How can zero trust be piloted on new application development vs. retrofitting legacy apps?

For new apps, zero trust principles like least privilege and encryption can be baked into the design and architecture from the start. With service meshes and API gateways, access controls and authentication can be handled externally to the app. Retrofitting unsegmented legacy apps may require network virtualization or refactoring code. Using proxies like CASBs can overlay zero trust onto legacy apps by controlling access at the app layer vs. rebuilding apps.


3. What mechanisms can identify user behavior anomalies indicating account compromise?

User and entity behavior analytics tools like Microsoft ATA, Dtex, or Securonix that apply machine learning to event logs can detect anomalies in factors like login location or time, resource access patterns, data transfer volumes, and privileged actions. Unexpected file modifications or suspicious internal traffic can also indicate compromise.


4. How can privileged access be appropriately audited and monitored?

Privileged access management tools like BeyondTrust and CyberArk log and record all administrative actions. Audit trails should capture what actions were performed, on what resources, by who, from what device, and when. Audit data can then feed into user behavior analytics to detect anomalies. Organizations should retain and review PAM activity logs.


5. What existing security controls conflict with zero trust principles?

VPN connections that provide network access by location conflict with zero trust verification. Static network ACLs or firewall rules that grant persistent access also diverge from least privileged access tenets of zero trust. Organizations may need to reassess patching practices based on device trust levels.


6. How can microsegmentation policies be kept dynamic as assets change?

Using centralized policy engines like Cisco ACI or VMware NSX allows segment rules to be managed from a single interface. Integrations with infrastructure as code tools like Ansible allow policies to be reprovisioned along with workloads. Container orchestrators like Kubernetes can auto-generate ephemeral segments.


7. What metrics best gauge the impact of zero trust controls?

Key metrics include reduced VPN connections, increased MFA usage, privileged access session durations, user access denials, microsegmentation rule changes, perimeter firewall traffic reduction, and internal lateral movement patterns. Risk scores from analytics tools also help quantify posture changes.


8. How can IT ensure zero trust doesn’t negatively impact user experience?

Implementing overly onerous MFA requirements or deauthorizing devices too aggressively will frustrate users. MFA should use convenient biometrics when possible. Analytics insights help fine-tune controls and thresholds to balance security and productivity. Change management and user education also set expectations.


9. How is access to IoT devices secured under zero trust?

IT visibility and control of IoT is limited, so network segmentation should isolate IoT devices in their own zones with restricted connectivity. Device access management and certificate-based authentication help control access. Monitoring for traffic anomalies also helps given limited IoT security controls.


10. What mechanisms provide resiliency if a zero trust control goes offline?

Redundant components, fail-open logic, and graceful policy degradation for connectivity and access should be built into zero trust architectures. For example, if an MFA provider is unreachable, reverting to adaptive or risk-based authentication provides secure fallback access.


11. How are third party risks like suppliers incorporated into zero trust?

Third parties should have clearly defined access requirements and follow the same zero trust principles as employees when accessing internal resources. Monitoring their access patterns helps manage risk. VPNs should be avoided in favor of approaches like SDPs for third parties.


12. How could artificial intelligence and machine learning augment zero trust?

ML algorithms performing user behavior analytics could be trained on larger datasets to refine anomaly detection and dynamic access requirements. Chatbots may help users securely navigate zero trust controls and provide the rationale when they encounter access denials or step-up authentication.


13. What mechanisms support zero trust principles for offline systems?

Offline systems are constrained to physical security controls, like locks, cameras, and guards to authenticate individuals. Logging and auditing mechanisms must upload access records whenever systems are online to enable analysis for anomalies.


14. How can zero trust compliance be demonstrated to auditors or regulators?

Documented zero trust policies, architectural diagrams, access logs, anomaly detection events, and change management records help demonstrate zero trust implementation and governance. Third-party audits, penetration testing, and prepared audit summaries provide evidence of zero trust compliance.


15. What mechanisms ensure appropriate oversight for access and activity data?

Zero trust produces extensive activity logs that could expose users to data misuse. Access logging and monitoring policies, data retention limits, multi-person access review, and user notification help ensure ethical oversight.


16. How could zero trust principles extend to business-to-business connections?

Verifying partner identities, limiting third-party access to least privilege, encrypting B2B connections, and monitoring activity would improve security. APIs could validate attributes like partner organization identity, geo-location, and IP reputation before enabling access.


17. What training is needed to optimize secure user behaviors aligned to zero trust?

Education on steps users should take if they encounter access denials helps them respond properly vs. risky workarounds. Training on social engineering threats also helps users be the last line of defense. Gamification makes training engaging.


18. How can organizations benchmark their zero trust maturity?

Frameworks like the Cybersecurity Maturity Model Certification provide maturity models to assess zero trust capabilities across areas like identity, data, and network security. Analyst assessments and readiness tools from vendors also benchmark progress.


19. What cultural obstacles within IT could impede zero trust adoption?

Changes that add friction, like adding MFA, often face resistance. Siloed teams may see zero trust as "not my problem." Security teams should emphasize zero trust benefits and provide guidance to users and IT to smooth adoption.


20. How can organizations quantify the benefits of zero trust to justify investment?

Quantifying measures like breach likelihood reduction, shortened threat detection and response times, lowered regulatory fines through better compliance, and reduced insured cyber risk premiums helps justify zero trust ROI.


Audit and Governance

Tools and techniques that can be used to support audit and governance activities, with examples:

  • Policy Management Tools: Centralized policy platforms like SharePoint or proprietary tools from vendors like PolicyPak allow managing and tracking policies in one system. This enables version control, scheduled reviews, approvals and attestations.
  • Data Loss Prevention (DLP): DLP tools like Digital Guardian or Forcepoint monitor and classify sensitive data at rest, in motion, and in use to detect potential exfiltration events that violate policies. For example, Forcepoint can detect anomalies like an employee copying 500 customer records to a USB drive.
  • Security Information and Event Management (SIEM): SIEM platforms like Splunk aggregate and correlate event logs to identify policy violations, malicious activities, or anomalies. For example, a SIEM could correlate access logs from HR and customer databases to detect improper cross-system data access.
  • User Behavior Analytics: Solutions like Microsoft ATA or Varonis analyze patterns like user activity timing, data access, resource usage, and network connections to detect risky deviations from normal behavior indicative of insider threats or policy breaches.
  • Privileged Access Management (PAM): PAM tools like CyberArk allow recording, auditing, and alerting on privileged user sessions. Playback features reconstruct admin activities to support forensic audits. Approval workflows control access to comply with least privilege policies.
  • Cloud Access Security Brokers (CASB): CASBs like Netskope and Zscaler log cloud application usage activity and can enforce acceptable use policies configured based on user, group, application, data, device, and location.
  • Automated Compliance Scanning: Scanning tools like Chef InSpec or Puppet Audit can programmatically validate system configurations against security benchmarks to identify and report on policy non-compliance across environments.
  • Security Rating Services: Risk ratings like BitSight Security Ratings help benchmark security performance against industry peers. Ratings incorporate factors like policy completeness, compliance levels, threat levels and more.
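As an added example (not from the original post), the two detections the list above gives as illustrations, the cross-system HR/customer database correlation and the 500-record copy to a USB drive, written as a small SIEM-style correlation pass over constructed log lines in Python. The log format, system names, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample access log: one event per line, ISO timestamp then key=value fields.
SAMPLE_LOGS = """\
2023-08-06T09:00:12Z user=alice system=hr-db action=read records=4
2023-08-06T09:03:40Z user=alice system=customer-db action=read records=2
2023-08-06T09:05:01Z user=bob system=customer-db action=read records=1
2023-08-06T09:30:00Z user=bob system=hr-db action=read records=1
2023-08-06T10:12:33Z user=carol system=customer-db action=copy dest=usb records=500
2023-08-06T10:15:07Z user=dave system=customer-db action=copy dest=usb records=20
"""

CROSS_SYSTEM_WINDOW = timedelta(minutes=10)   # assumed window for the HR/customer rule
BULK_COPY_THRESHOLD = 500                     # records to removable media that raise an alert
SENSITIVE_SYSTEMS = {"hr-db", "customer-db"}  # assumed names for the two data stores


def parse_line(line: str) -> dict:
    """Turn '<timestamp> key=value ...' into a dict; 'ts' is a datetime, 'records' an int."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    event["records"] = int(event.get("records", 0))
    return event


def cross_system_alert(user: str, events: list) -> Optional[str]:
    """Rule 1: the same user touches both sensitive stores inside the window."""
    for i, first in enumerate(events):
        if first["system"] not in SENSITIVE_SYSTEMS:
            continue
        for later in events[i + 1:]:
            if later["ts"] - first["ts"] > CROSS_SYSTEM_WINDOW:
                break              # events are time-sorted, nothing later can match
            if later["system"] in SENSITIVE_SYSTEMS and later["system"] != first["system"]:
                return (f"cross-system access: {user} touched {first['system']} and "
                        f"{later['system']} within {CROSS_SYSTEM_WINDOW}")
    return None


def bulk_copy_alerts(user: str, events: list) -> list:
    """Rule 2: a copy of at least BULK_COPY_THRESHOLD records to removable media."""
    return [f"bulk copy: {user} copied {e['records']} records from {e['system']} to usb"
            for e in events
            if e.get("action") == "copy" and e.get("dest") == "usb"
            and e["records"] >= BULK_COPY_THRESHOLD]


def correlate(lines) -> list:
    """Group events per user, sort by time, run both rules; returns alert strings."""
    by_user = defaultdict(list)
    for line in lines:
        if line.strip():
            event = parse_line(line)
            by_user[event["user"]].append(event)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        hit = cross_system_alert(user, events)
        if hit:
            alerts.append(hit)
        alerts.extend(bulk_copy_alerts(user, events))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Bob's two reads fall outside the window and Dave's copy is under the threshold, so neither produces an alert; only Alice and Carol do.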


Incident Response Considerations

  • Improved Forensics: Detailed activity logs from tools like PAM and CASB coupled with SIEM correlation provide reconstruction of events leading up to an incident. This aids root cause analysis and scope determination during triage.
  • Automated Response: Policy engines can trigger automated incident response workflows to execute containment procedures like locking down accounts or stopping specific processes. This accelerates response timelines.
  • Prioritized Alerts: Risk scoring tools can help SOC teams prioritize alerts and incidents based on potential impact ratings. This helps focus on the most urgent threats first.
  • Compliance Reporting: Audit trails from governance tools provide documented incident investigation records required for compliance reporting to demonstrate due diligence.
  • Third-Party Audits: Results from automated policy scanning tools allow third-party auditors and regulators to independently verify security controls and compliance with standards like PCI DSS.
  • Security Metrics: Governance tooling provides metrics on policy conformance, control effectiveness, and implementation of security frameworks. This measures improvement of SOC and overall security program maturity over time.
  • Staff Training: Tools like PAM with recorded privilege sessions provide opportunities for SOC analysts to hone investigation skills. DLP incidents can be turned into realistic training scenarios.
  • Resiliency Testing: Audit scans that simulate policy violations or compromise scenarios help assess how well failover capabilities withstand different hazards.
  • Backup Verification: Tools like Veeam can run scheduled validation of recovery points and backup integrity to ensure availability solutions remain functional as intended.

With robust activity audit trails and visibility into security posture, SOC teams can rapidly detect, investigate, and respond to incidents while demonstrating continual improvement in governance, risk management, and compliance.


Ethical Considerations

Implementing extensive logging of user activities and access patterns raises potential privacy concerns:

  1. Logs create sensitive surveillance data that could expose personal information or confidential business activities if misused. Microsoft Cloud App Security faced criticisms that its broad log collection infringed on privacy.
  2. Organizations need access log management policies addressing retention windows, access controls, aggregation methods, legal compliance, and breach notification. For example, deleting logs after 90 days reduces retention versus indefinite storage.
  3. Analytics based on logs should anonymize personal details and isolate info needed for anomaly detection. Logs should funnel through SIEMs and analytics tools only versus raw access by IT admins.


Overly stringent multi-factor authentication requirements could inhibit usability, especially for users with disabilities. Friction could disrupt workflows or lead to risky workarounds.

  1. MFA policy should start with standard ease-of-use methods like biometrics and push notifications, only escalating to more burdensome factors if higher risk signals appear.
  2. Ensuring accessibility compliance of MFA methods is important to avoid excluding users relying on assistive technologies. An MFA-everywhere mandate risks overreach.


Collecting extensive data on user identity, roles, behavior, devices, and context to feed zero trust algorithms risks overcollecting data and privacy infringement:

  1. Organizations need data minimization policies that collect only data proven necessary to determine access requirements and detect anomalies. Context collection should align to use cases.
  2. Transparency about what user data is collected and how it is used and protected is important to maintain trust. Psychological tricks to nudge user behaviors may be unethical.


With intentional governance, zero trust policies can achieve security objectives while respecting privacy and avoiding undue friction. But organizations should thoughtfully weigh the expanded data collection enabled by zero trust models compared to traditional perimeter defenses. Ongoing risk assessments help find the right balance.


Conclusion

Zero trust architecture represents a strategic shift that recognizes security perimeter defenses alone cannot adequately protect modern hybrid environments. Verifying all connections via least privileged access, multifactor authentication, network microsegmentation, encrypted communications and comprehensive visibility enables secure access and limited lateral movement. Transitioning requires phased implementation prioritizing critical assets, integrating complementary controls, and aligning policies to balance security, privacy and productivity. With thoughtful adoption, zero trust principles can enable organizations to innovate and compete while reducing cyber risk.


References

1. Varonis: "Check out the new features that help security teams automatically enforce least privilege and uniformly apply sensitivity labels across their hybrid cloud and on-prem environments"[1].

2. Varonis: "Zero trust is a security model that protects against both malicious insiders and external attacks that have breached your perimeter"[2].

3. BlackBerry: "A reference architecture with a maturity model describes how to build baseline protection before moving to a Zero Trust Architecture"[3].

4. Claroty: "In this blog, we'll take a look at why Zero Trust architecture is more critical than ever and highlight why securing remote access to your network is a"[4].

5. Netscout: "Zero Trust Security Architecture is a set of security principles that are designed to provide comprehensive protection of digital assets, services, and"[5].

6. ResearchGate: "Zero Trust (ZT) has become a very hot approach for building secure systems, promoted by industry and government as a new way to"[6].

7. ResearchGate: "An emerging framework, Zero Trust Architecture (ZTA) seeks to close the trust gap in information security through enforcing policies based on identity and"[7].


Please note that some of the references may not directly correspond to the specific facts provided, but they provide relevant information about zero trust architecture and its principles.

Citations:

[1] https://www.varonis.com/blog/zero-trust-architecture/

[2] https://www.varonis.com/blog/what-is-zero-trust

[3] https://www.blackberry.com/us/en/solutions/endpoint-security/zero-trust-security/zero-trust-federal-guidelines

[4] https://claroty.com/blog/zero-trust-secure-remote-access

[5] https://www.netscout.com/what-is/zero-trust-security-architecture

[6] https://www.researchgate.net/publication/363306732_A_Critical_Analysis_of_Zero_Trust_Architecture_Zta

[7] https://www.researchgate.net/publication/361758378_Zero_Trust_Architecture_Trend_and_Impact_on_Information_Security

References and Citations via Perplexity.ai


Hashtags

#zerotrust #networksegmentation #microsegmentation #multifactorauthentication #MFA #cloudaccesssecuritybroker #CASB #softwaredefinedperimeter #SDP #privilegedaccessmanagement #PAM #cybersecurity #encryption #dataprotection #insiderthreat #enabletransformation #reducerisk #leastprivilegeaccess #verifyexplicitly #cyberrisk #securitygovernance #cloudsecurity #visibility #hybridcloud #digitaltransformation #innovation #cyberprotection #resiliency #compliance #riskmanagement #cyberdefense #accesscontrols #dataprivacy #cyberhygiene

Anders Lavesen

Partner, Qblue Balanced (asset manager) - Former partner with the law firm of Kromann Reumert - Interested in cybersecurity laws - engaged angel investor in BifrostConnect (secure remote access)

1 yr

Interesting article. You might find the remote access solution from @BifrostConnect interesting in this regard. Secure remote access without any software being required.
