Zero Trust Architecture Mindset

What is Zero Trust?

In 2009-2010, Google implemented the first well-known deployment of a “zero trust” security model, BeyondCorp.

The project was Google’s response to China’s state-sponsored cyber attacks known as Operation Aurora in the latter half of 2009. Aurora was a sophisticated attack with a painfully simple strategy:

  • Exploit a zero-day Internet Explorer vulnerability to take control of computers owned by Google employees.
  • Use those machines’ VPN connections to get inside Google’s corporate network perimeter (at the time, few restrictions were imposed on devices already inside).
  • Once inside that boundary, use the compromised machines to explore the protected corporate intranet, searching for other vulnerable systems and, specifically, for the contents of source code repositories.

The key premise behind Zero Trust is that users and devices should not be trusted by default, even if connected to a permissioned network such as a corporate LAN and even if they were previously verified.

Google’s BeyondCorp paper synthesized the objectives into the following rules.

Access to services:

1. Must not be determined by the network from which you connect
2. Is granted based on contextual factors from the user and their device
3. Must be authenticated, authorized, and encrypted

Corporate Networks

What is a corporate network?

  • “Corporate networks” are the computer networks institutions use internally; they are not reachable from the public Internet.
  • They typically use RFC 1918 private address space (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). To reach such a network a device must be at a physical site (behind the perimeter router/firewall) or connected through a mobile VPN, SD-WAN or MPLS link.
  • Examples include a university campus network, an e-commerce fulfillment center’s warehouse network, and the network linking point-of-sale machines across the branches of a retail chain.

Corporate networks evolve chaotically over time

Corporate networks are hard to plan, and prone to becoming poorly documented and poorly monitored, particularly at larger, older companies whose networks pre-date the Internet.

Nevertheless, corporate network security can generally be divided into two parts:

Networking:

How machines, employees etc. communicate with each other, and with the Internet.


Security:

How those machines, employees etc. obtain communication privileges within the corporate network (authorization), and how network operators establish a machine’s identity (authentication) and its health (device posture).


Separating networking from authorization, authentication, and access management

The difference between networking and security is important to understand when visualizing a customer’s network topology.

For example, customers often use VLANs, subnets and firewall rules to create “boundaries” between different segments of their network, so that machines in different segments cannot communicate directly.

Some customers describe such network segmentation as a way to “secure” resources. Segmentation does limit which hosts can reach a service, which reduces the blast radius of a breach, but it answers only “which addresses may talk to this service”, never “who is making this request, on what device, and in what state”. It provides neither authentication nor authorization.

Failing to recognize this distinction leaves companies vulnerable to the type of damaging attack that led Google to overhaul its network in 2009: the Aurora attackers did not defeat the perimeter, they were carried through it by a compromised employee machine that the network then trusted.
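To make the distinction concrete, here is an added example (not from this page and not Google’s BeyondCorp code) in Python contrasting a perimeter-style check, where the source subnet is the credential, with a BeyondCorp-style decision that follows the three rules above: ignore the network, evaluate user and device context, and require authentication, authorization and encryption. The subnets, device attributes, groups and the resource-to-group mapping are assumptions chosen for illustration, and the three requests are constructed scenarios, including an Aurora-style compromised laptop sitting inside the VPN subnet.

```python
"""Perimeter check vs. zero-trust decision over constructed requests.
Added example: subnets, attributes and entitlements are assumptions,
not BeyondCorp's real policy."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Assumed "inside" address ranges that a perimeter model treats as trusted.
CORP_SUBNETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

# Assumed least-privilege entitlements: resource -> groups that may use it.
RESOURCE_ENTITLEMENTS = {
    "wiki": {"employees", "contractors"},
    "source-repo": {"engineering"},
}


@dataclass
class Request:
    src_ip: str
    user: Optional[str]          # None means no authenticated user
    groups: Set[str] = field(default_factory=set)
    mfa: bool = False            # second factor presented to the IdP
    device_managed: bool = False
    disk_encrypted: bool = False
    edr_healthy: bool = False    # endpoint agent present and reporting clean
    tls: bool = False            # request arrived over an encrypted channel
    resource: str = ""


def perimeter_allows(req: Request) -> bool:
    """Flat corporate LAN model: being on the inside is the credential."""
    ip = ipaddress.ip_address(req.src_ip)
    return any(ip in net for net in CORP_SUBNETS)


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """BeyondCorp-style decision. The source address is never consulted;
    transport, user identity, device posture and entitlement decide."""
    if not req.tls:
        return False, "transport not encrypted"
    if req.user is None or not req.mfa:
        return False, "user not strongly authenticated"
    if not (req.device_managed and req.disk_encrypted and req.edr_healthy):
        return False, "device posture failed"
    entitled = RESOURCE_ENTITLEMENTS.get(req.resource, set())
    if not (req.groups & entitled):
        return False, f"{req.user} not entitled to {req.resource}"
    return True, "allowed"


def compare(req: Request) -> dict:
    """Run both models on one request so the difference is visible."""
    return {"perimeter": perimeter_allows(req),
            "zero_trust": zero_trust_decision(req)}


# Constructed scenarios.
SCENARIOS = {
    # Aurora-style: managed laptop on the VPN subnet, but its EDR agent
    # has been tampered with. The perimeter trusts it; zero trust does not.
    "compromised_laptop_inside": Request(
        "10.20.30.40", "alice", {"employees", "engineering"}, mfa=True,
        device_managed=True, disk_encrypted=True, edr_healthy=False,
        tls=True, resource="source-repo"),
    # Healthy managed laptop on a coffee-shop network: the perimeter
    # rejects it, zero trust admits it.
    "healthy_laptop_outside": Request(
        "203.0.113.7", "alice", {"employees", "engineering"}, mfa=True,
        device_managed=True, disk_encrypted=True, edr_healthy=True,
        tls=True, resource="source-repo"),
    # Contractor on the LAN with a clean device, but no entitlement to
    # the repo: segmentation alone would let the connection through.
    "contractor_inside": Request(
        "192.168.5.5", "bob", {"contractors"}, mfa=True,
        device_managed=True, disk_encrypted=True, edr_healthy=True,
        tls=True, resource="source-repo"),
}

if __name__ == "__main__":
    for name, request in SCENARIOS.items():
        print(f"{name}: {compare(request)}")
```

Note that `perimeter_allows` and `zero_trust_decision` disagree on every scenario: the inside address earns nothing, and the outside address costs nothing, once the decision is made on user, device and entitlement.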

Managing Identity: The Basics

Companies use directory services and identity providers to manage user identity and resource access

  • Most companies, whether they have begun to de-perimeterise or not, grant access to internal tools and systems using an identity provider (IdP) and a directory service.
  • Directory services are databases that let administrators create logical groupings of employees based on employee attributes (e.g. department, office location, role).
  • The most widely deployed directory service is Microsoft’s Active Directory.
  • IdPs provide organizations with single sign-on (SSO) authentication, typically implemented with SAML 2.0 and/or OpenID Connect (OIDC). Customers generally prefer SAML.
  • Most IdPs offer an integrated directory service, for example Azure AD (now Microsoft Entra ID). Organizations with legacy systems, however, will sometimes keep a directory service that is separate from their IdP.

IdPs work with endpoint security providers to provide authentication

IdPs provide a service known as single sign-on (SSO): the user authenticates once to the IdP (with a password, ideally plus a second factor), and the IdP then issues a signed assertion or token to each internal application the user is entitled to, so no further password is needed.

Because a stolen SSO session unlocks everything the user can reach, IAM deployments often pair the IdP with an endpoint security provider whose job is to keep end-user devices from being compromised and to report their state.

Endpoint security vendors check that user devices actively adhere to device security policies, for example that antivirus/EDR software is installed and running and that hard drives are encrypted. Examples of providers include CrowdStrike and Tanium.

Together, the IdP (who is the user?) and the endpoint security provider (is this a managed, healthy device?) establish the identity of a user or machine, a process known as authentication, along with the device’s health, which each access decision can then take into account.
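As an added example (not the page’s own code, and not a real SAML or OIDC implementation), the following Python shows the relying-party side of what the last paragraph describes: a service verifying two independently signed signals before it treats a request as authenticated, an SSO token from the IdP that identifies the user, and a device-posture report from the endpoint agent. The tokens use a simplified HS256-style `payload.signature` format; the issuer names, shared secrets, claim names and the constructed tokens are assumptions. The example also shows the checks a practitioner wants to see fail: a token presented to the wrong service, an expired token, and a token whose claims were edited by someone without the key.

```python
"""Relying-party verification of an IdP SSO token plus an EDR posture
report. Added example with a simplified HS256-style token; issuers,
secrets, claim names and the tokens below are assumptions."""
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Assumed shared secrets the relying party holds for each trusted issuer.
ISSUER_KEYS = {"idp.example": b"idp-shared-secret",
               "edr.example": b"edr-shared-secret"}
TOKEN_LIFETIME = 300  # seconds


def b64u(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def b64u_decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue(issuer: str, claims: dict, now: int) -> bytes:
    """Issuer side: sign a claim set as <payload>.<hmac-sha256>."""
    body = dict(claims, iss=issuer, iat=now, exp=now + TOKEN_LIFETIME)
    payload = b64u(json.dumps(body, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).digest()
    return payload + b"." + b64u(sig)


def verify(token: bytes, issuer: str, audience: str, now: int) -> dict:
    """Relying-party side: check signature, issuer, audience and expiry.
    The signature is checked before any claim is trusted."""
    parts = token.split(b".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload, sig = parts
    expected = hmac.new(ISSUER_KEYS[issuer], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(b64u_decode(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64u_decode(payload))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:   # token minted for another service
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def authenticate(sso_token: bytes, posture_token: bytes,
                 service: str, now: int) -> Tuple[bool, str]:
    """Combine who (IdP) with which device and in what state (EDR)."""
    try:
        user = verify(sso_token, "idp.example", service, now)
        device = verify(posture_token, "edr.example", service, now)
    except ValueError as err:
        return False, str(err)
    if user.get("device_id") != device.get("device_id"):
        return False, "token and posture report are for different devices"
    if not (device.get("disk_encrypted") and device.get("edr_running")):
        return False, "device unhealthy"
    return True, f"{user['sub']} on {device['device_id']}"


def forge(token: bytes, **changes) -> bytes:
    """Attacker without the key: edit claims, keep the old signature."""
    payload, sig = token.split(b".")
    claims = json.loads(b64u_decode(payload))
    claims.update(changes)
    return b64u(json.dumps(claims, sort_keys=True).encode()) + b"." + sig


# Constructed tokens at a fixed clock value.
NOW = 1_700_000_000
SSO_TOKEN = issue("idp.example", {"sub": "alice", "aud": "source-repo",
                                  "device_id": "LAPTOP-42",
                                  "amr": ["pwd", "otp"]}, NOW)
POSTURE_OK = issue("edr.example", {"aud": "source-repo",
                                   "device_id": "LAPTOP-42",
                                   "disk_encrypted": True,
                                   "edr_running": True}, NOW)
POSTURE_UNHEALTHY = issue("edr.example", {"aud": "source-repo",
                                          "device_id": "LAPTOP-42",
                                          "disk_encrypted": True,
                                          "edr_running": False}, NOW)

if __name__ == "__main__":
    print(authenticate(SSO_TOKEN, POSTURE_OK, "source-repo", NOW))
    print(authenticate(SSO_TOKEN, POSTURE_UNHEALTHY, "source-repo", NOW))
    print(authenticate(SSO_TOKEN, POSTURE_OK, "wiki", NOW))
    print(authenticate(SSO_TOKEN, POSTURE_OK, "source-repo", NOW + 600))
    print(authenticate(forge(SSO_TOKEN, sub="mallory"), POSTURE_OK,
                       "source-repo", NOW))
```

Two design points carry over to real SAML/OIDC deployments: the audience check stops a token issued for one application from being replayed against another, and binding the posture report to the same `device_id` as the SSO token stops a healthy device’s report from being paired with a session stolen from an unhealthy one.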

Guiding principles of Zero Trust:

Verify explicitly: Always authenticate and authorize based on all available data points.

Use least privilege access: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.

Assume breach: Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

This is the core of Zero Trust. Instead of believing everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to “never trust, always verify”.

A Zero Trust approach should extend throughout the entire digital estate and serve as an integrated security philosophy and end-to-end strategy. This is done by implementing Zero Trust controls and technologies across six foundational elements (in Microsoft’s model: identities, devices, applications, data, infrastructure, and networks). Each of these is a source of signal, a control plane for enforcement, and a critical resource to be defended.


Zero Trust architecture is a mindset for dealing with today’s and tomorrow’s threats and attacks. It is a long journey that most companies will soon embark on in order to defend themselves in the cloud and mobile model, and it lets them build on and leverage that transformation safely, maximizing the benefits for their business.

Resources for accelerating your Zero Trust journey

https://www.microsoft.com/en-us/security/blog/2021/05/24/resources-for-accelerating-your-zero-trust-journey/
