Zero Trust “Don’t trust any, but verify, every time all the time.”

An encounter with Zero Trust:

Throughout my professional journey, I've tried to carry some of my learnings as a Cyber Security Professional into my personal life. So far this has worked fine: "don't download freebies", educating others on the importance of "safe browsing practices", "clickjacking", "personal data / credentials safety", random/complex passwords, etc.

Below is a small hypothetical story that could play out around a security professional's life. Or it may be happening right now.

The events that followed were narrated by my friend "X"; personal details are omitted for privacy reasons. After finishing a turbulent week, we were all set for Friday evening and a well-deserved weekend. My friend X's wife, who is also an aspiring Cyber Security Professional, was keen on exploring Zero Trust concepts. We briefly discussed the high-level construct of Zero Trust, and...!

The next morning (Saturday), my friend "X" went out alone for groceries. On his return he was stopped at the main gate and his wife asked for identification; he was made to show it over the door camera, followed by a personal question (a pre-shared secret) over the gate phone, and only after validation of both factors was my friend allowed into the house. The security professional within me really liked this: how clearly someone had grasped the concepts of identity verification and multi-factor authentication (something you are, something you have, something you know).

"X" had brought along some "butter pretzels", a German delicacy, and with this the next round of scrutiny started: were the pretzels from the specific "bakery" or not? The wrapper was not authentic enough, so he had to look up the payment details in his mobile wallet to prove the "Pretzels" were from an authentic/known bakery and fresh out of the oven. "Verify the workload".

The next one is out of this world. Finally, when entering the bedroom, Mr. "X" was blocked at the bedroom door and asked for an ID and the marriage certificate. "X"'s wife said in a flat tone: identification is not enough, you need to be authorized as well. Perimeter security: a zero trust perimeter is not enough; each room inside the network should be segmented and only authorized traffic must be allowed. Utilize micro-segmentation.

Ladies and Gentlemen, this was my short, sweet and weird encounter with a Zero Trust implementation.

With this laugh, let's quickly brush up and take a little dig into Zero Trust. In 2010, John Kindervag, an analyst at Forrester Research, coined the term "zero trust," centered around the idea that an organization shouldn't trust anything inside or outside its perimeter. However, the idea goes back a bit earlier than 2010, to the mid-90s as a university project in Scotland, followed by a living practical implementation, "BeyondCorp", by Google, and then a more granular "Framework" by John as "Zero Trust".

Forrester coined the term Zero Trust, while in my view most organizations already had the technologies that help towards achieving the Zero Trust concept. The extent of coverage depends upon the will, skill and applicability of technology in the organization. While Zero Trust is seen more as a framework, Gartner came up with SASE ("Secure Access Service Edge"), which connects the vision to architectural blueprints. Major components of SASE are Software-Defined WAN (SD-WAN), Cloud Access Security Broker (CASB), NGFW and Firewall-as-a-Service (FWaaS), Zero Trust Network Access (ZTNA), and Secure Web Gateways (SWG). SASE, in my view, is closer to being called a working / deployable construct than a framework like Zero Trust, which sits at a conceptual level and is broad.

In contrast to the traditional approach of heavily guarding the network perimeter with firewall rules, access control, etc., but with minimal to no guarding once inside, the Zero Trust approach validates each and every request, every time the resource is accessed. Below are some building blocks:

- Zero trust network: Only allow access after proper authorization; build small network segments protected by network ACLs.

- Zero trust workload: Only allow access after proper authorization, particularly for cloud workloads. Assign app/service identities and validate identity and role before granting access to organizational resources.

- Zero trust data: Only allow access after proper authorization; validate inputs within app requests/responses, e.g. use IDS/IPS, WAF, etc.

- Zero trust people: Only allow access after proper authorization; use a context-based access mechanism, e.g. an identity-aware proxy.

- Zero trust devices: Only allow access after proper authorization; validate the health and hygiene of devices before allowing access to networks, e.g. NAC.
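To make the building blocks above concrete, here is a small policy decision function, added as an example for this write-up (it is not code from the original article and not any vendor's product). It evaluates every request against all five blocks at once: identity plus a second factor (people), device posture (devices), segment ACLs (network), and role/action authorization on the resource (workload/data), and contrasts that with the perimeter-only model that trusts anything already "inside". All users, devices, segments and policy tables are constructed sample data; the resource names and segment names are assumptions for illustration only.

```python
from dataclasses import dataclass

# Constructed sample data for this example only; not real policy or inventory.
DEVICE_HEALTHY = {"laptop-01": True, "laptop-02": False}   # device posture (NAC-style)
USER_ROLES = {"alice": {"finance-reader"}, "bob": {"developer"}}
# Per-resource policy: the segment it lives in, which roles may use it, which actions they may take
RESOURCE_POLICY = {
    "finance-db": {"segment": "finance", "roles": {"finance-reader"}, "actions": {"read"}},
    "ci-server":  {"segment": "build",   "roles": {"developer"},      "actions": {"read", "write"}},
}
# Micro-segmentation ACL: which source segments may reach each destination segment
SEGMENT_ACL = {"finance": {"corp-vpn"}, "build": {"corp-vpn", "build"}}


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    device_id: str
    source_segment: str
    resource: str
    action: str


def perimeter_decision(req: Request) -> bool:
    """Traditional model: one check at the edge; anything already inside is trusted."""
    return req.source_segment == "corp-vpn"


def zero_trust_decision(req: Request) -> tuple[bool, list[str]]:
    """Evaluate every building block on every request. Returns (allow, deny reasons)."""
    reasons: list[str] = []
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, ["unknown resource"]

    # People: identity must be known and backed by a second factor
    if req.user not in USER_ROLES:
        reasons.append("unknown identity")
    if not req.mfa_verified:
        reasons.append("mfa not verified")

    # Devices: posture is checked before the device may talk to the resource's segment
    if not DEVICE_HEALTHY.get(req.device_id, False):
        reasons.append("device unhealthy or unknown")

    # Network: the source segment must be allowed into the destination segment
    if req.source_segment not in SEGMENT_ACL.get(policy["segment"], set()):
        reasons.append(f"segment {req.source_segment} not allowed into {policy['segment']}")

    # Workload/data: being identified is not being authorized; role and action must match
    if not USER_ROLES.get(req.user, set()) & policy["roles"]:
        reasons.append("role not authorized for resource")
    if req.action not in policy["actions"]:
        reasons.append(f"action {req.action} not permitted")

    return (not reasons), reasons


if __name__ == "__main__":
    # Same caller, same network position: the perimeter model says yes to both,
    # the zero trust model only to the one that is actually authorized.
    for req in (
        Request("alice", True, "laptop-01", "corp-vpn", "finance-db", "read"),
        Request("bob", True, "laptop-01", "corp-vpn", "finance-db", "read"),
    ):
        print(req.user, "perimeter:", perimeter_decision(req),
              "zero trust:", zero_trust_decision(req))
```

The deny reasons are collected rather than returned on the first failure so that the same function doubles as an audit record: a log line carrying all failed checks is far more useful when investigating an access attempt than a bare "denied".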

The intent of this small write-up is to give a light primer on the concept. The practical approach involves various nuances and is environment specific. However, it is best to start at ZTNA and drill further down to workload and data, binding the right context at each layer. With the right selection of technologies (IDM, PAM, PKI, MFA, Secret Management, WAF, NGFW, Containerization / K8s and many more) a robust working Zero Trust model can be achieved.

More articles by Satyendra Sahu