Zero Trust - Part I: Introduction

This article serves as an introduction to a series of articles on Zero Trust. I'll be covering each Zero Trust component (identities, devices, applications, data, infrastructure, and networks) in depth in the upcoming weeks and months. Stay tuned! The series will be posted on my blog as well: https://jads.blog/

--

As businesses start accepting the reality of operating in a post COVID-19 world, many organizations are realizing that their legacy approach to IT is no longer up to the task.

20 years ago, the legacy security model worked like a charm. Things were fairly binary: all corporate devices (servers, workstations, network equipment) sat on the office premises and on the same network, and were therefore trusted, while everything else was blocked by security solutions. Tools such as firewalls and antimalware were deployed to defend against threats from 'outside the network' (bad), and any corporate device inside the enterprise network was a friend that could be trusted blindly (good). That concept was known as 'Perimeter Defense'.

Fast forward to 2021, and this 'perimeter mindset' can no longer be applied. The IT landscape is changing dramatically: a big part of the workforce works from home on personal networks, using applications hosted on public or private clouds, which renders the concept of 'perimeter defense' obsolete. With cyberattacks (insider attacks, ransomware, etc.) reaching all-time highs, it was time for a new security approach that enables efficient and quick access to resources while keeping corporate assets out of the hands of malicious attackers.

That's where Zero Trust comes in.

What is Zero Trust?

The concept of Zero Trust isn't new by any means. It dates back to at least 2010, when John Kindervag, an industry analyst at Forrester, popularized the term 'Zero Trust Network' based on the realization that traditional security models operate on the outdated assumption that everything inside an organization's network should be trusted.

This was great news for cybersecurity, as many leading agencies and companies picked the idea up and started developing frameworks and implementation guidance for enterprise use. These include Google's BeyondCorp (Google's Zero Trust implementation), Gartner's CARTA, NIST SP 800-207, Forrester's ZTX and Microsoft's Zero Trust approach.

The above frameworks differ slightly, but they all share the following three major concepts:

Nothing on the corporate network is trusted until the identity has been verified; location on the network confers no trust by itself.
Least-privileged access is applied at all times, and everything is centrally monitored and logged.
An 'assume breach' mentality: access is segmented by network, user, device and application so that a compromise of one does not give an attacker the rest.


Zero Trust Concepts ─ Should I Trust You?

Zero Trust can be summed up as 'Never Trust, Always Verify': the actor does not inherit any trust from where it sits on the network. Instead, the actor has to establish trust on every request before it can access the protected resources.


An analogy that should simplify all of this is comparing Zero Trust to airport security: a user trying to access a cloud application in order to reach sensitive information is the equivalent of a passenger trying to board a plane in order to reach a destination.

  1. The passenger arrives at the airport and is asked to present a passport and a boarding pass in order to enter the airport area: this is the equivalent of a user being asked to authenticate and being checked for the right authorization to access the application.
  2. The passenger's bags are checked, and only then is entry to a specific terminal allowed: this is the equivalent of verifying the device's compliance status and posture before granting access to the micro-segmented network.
  3. The passenger can roam freely within the terminal area, but that area is closely monitored by airport security: this is the equivalent of the user working in the application while every action is logged and monitored by the SOC team.
  4. The passenger has to verify identity and boarding pass one last time at the gate before boarding the plane: this is the equivalent of the user being subject to Multi-Factor Authentication (MFA) before being given access to the resource.
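The four checks above, and the three shared concepts (verify the identity, least privilege, assume breach) listed earlier, can be written down as a small policy decision point. The following is an example added here; it is not code from the original article and not Microsoft's Conditional Access engine. Every user, group, resource and policy in it is hypothetical, and the decision logic is a simplified illustration of the pattern, not a production authorization system.

```python
"""Hypothetical Zero Trust policy decision point (PDP), mirroring the four
airport checks above. Every request is evaluated on its own signals; the
network it comes from is recorded for the audit trail but never grants access.
All names, groups and policies are constructed for this example."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP_MFA = "step_up_mfa"  # identity is known, but assurance is too low for this resource


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset            # authorization claims carried by the identity
    authenticated: bool          # step 1: passport and boarding pass checked
    device_compliant: bool       # step 2: bags scanned (device posture/compliance)
    mfa_satisfied: bool          # step 4: second check at the gate
    network: str                 # "corp", "home", "public": informational only


@dataclass(frozen=True)
class ResourcePolicy:
    name: str
    allowed_groups: frozenset    # least privilege: explicit allow-list per resource
    require_compliant_device: bool
    require_mfa: bool


def evaluate(req: Request, policy: ResourcePolicy, audit: list) -> Decision:
    """Return the access decision and append one audit line (step 3: everything is logged)."""
    def log(decision, reason):
        audit.append(f"{decision.value:12} user={req.user} resource={policy.name} "
                     f"network={req.network} reason={reason}")
        return decision

    # Step 1: no inherited trust. An unauthenticated request from the corporate
    # LAN is treated exactly like one from a coffee shop.
    if not req.authenticated:
        return log(Decision.DENY, "unauthenticated")
    # Least privilege: the identity must be explicitly authorized for this resource.
    if not (req.groups & policy.allowed_groups):
        return log(Decision.DENY, "not authorized for resource")
    # Step 2: device posture gates entry to the segment hosting the resource.
    if policy.require_compliant_device and not req.device_compliant:
        return log(Decision.DENY, "device not compliant")
    # Step 4: sensitive resources demand a stronger assurance level before the door opens.
    if policy.require_mfa and not req.mfa_satisfied:
        return log(Decision.STEP_UP_MFA, "mfa required")
    return log(Decision.ALLOW, "all checks passed")


def run_demo():
    """Evaluate constructed requests against two hypothetical resources; returns (decisions, audit)."""
    hr_portal = ResourcePolicy("hr-portal", frozenset({"hr"}), require_compliant_device=True, require_mfa=True)
    wiki = ResourcePolicy("wiki", frozenset({"staff", "hr"}), require_compliant_device=False, require_mfa=False)
    hr = frozenset({"hr"})
    staff = frozenset({"staff"})
    cases = {
        # on the corporate network but unauthenticated: location buys nothing
        "corp-unauthenticated": (Request("alice", hr, False, True, False, "corp"), hr_portal),
        "home-wrong-group": (Request("bob", staff, True, True, True, "home"), hr_portal),
        "home-noncompliant-device": (Request("alice", hr, True, False, True, "home"), hr_portal),
        "home-needs-mfa": (Request("alice", hr, True, True, False, "home"), hr_portal),
        "home-all-checks-pass": (Request("alice", hr, True, True, True, "home"), hr_portal),
        "public-wiki-low-assurance": (Request("bob", staff, True, False, False, "public"), wiki),
    }
    audit = []
    decisions = {name: evaluate(req, pol, audit) for name, (req, pol) in cases.items()}
    return decisions, audit


if __name__ == "__main__":
    decisions, audit = run_demo()
    for line in audit:
        print(line)
```

The point to notice is the first case: a request from the corporate network with no authentication is denied outright, while a fully verified request from a home network is allowed. Per-resource requirements (compliant device, MFA) are what separate the low-value wiki from the HR portal, which is how least privilege shows up in practice. Real engines (Conditional Access among them) add many more signals, such as sign-in risk and session age, but the shape of the decision is the same.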

Zero Trust ─ The Microsoft Way

Integrating Zero Trust into your organization isn't done with a small toggle button on your tenant that magically makes your organization fully secure. A Zero Trust approach is a mindset, not a product: it has to be extended across all of your digital assets and identities, and it has to serve as the security 'philosophy' for every security-related matter.

Zero Trust in the Microsoft ecosystem

As seen above, the Microsoft Zero Trust Architecture (ZTA) is divided into six main components/areas that work together and complement each other:

Identities

Identities are the control plane; they can represent users, service accounts (service principals) or IoT devices. Whenever a user tries to access a resource, the authentication attempt has to be verified, and the access granted has to follow least-privilege principles (Azure AD, Conditional Access, Identity Protection).

Devices

Devices range from IoT devices to smartphones, and from Bring Your Own Device (BYOD) to enterprise-managed devices enrolled in Intune or managed on premises. This wide variety of device types is a massive attack surface that attackers try to leverage in order to gain access, so device monitoring and compliance status play a big role in securing access (Defender for Endpoint, Intune).

Applications

These may be on-premises apps, SaaS applications, lift-and-shift workloads, etc. Controls and technologies should be applied to discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, monitor for abnormal behavior, control user actions, and validate secure configuration options (Azure AD, Defender for Cloud Apps).

Data

Data is the crown jewel of any organization. Sensitive information should remain protected even when it leaves the organization's own security controls. Data should be classified, labeled and encrypted, with access restricted based on those attributes (Microsoft Information Protection, Microsoft Data Loss Prevention).

Infrastructure

Infrastructure (on-premises servers, cloud-based VMs, containers or microservices) is a critical threat vector. Assess version, configuration and just-in-time (JIT) access to harden defenses, use telemetry to detect attacks and anomalies, and automatically flag and block risky behavior and take protective actions (Azure Defender / Defender for Cloud, Azure networking services).

Networks

Network controls enhance visibility and help prevent attackers from moving laterally across the network. Networks should be segmented (including deeper in-network micro-segmentation), and real-time threat protection, end-to-end encryption, monitoring and analytics should be employed (Azure Defender / Defender for Cloud, Azure networking services).


Zero Trust ─ The Microsoft Maturity Guide

Microsoft's Zero Trust Maturity Guide assesses enterprise environments at three levels: Traditional, Advanced and Optimal.


Each of these areas along with the set of controls will be covered in depth in the next articles in the series.

In Closing..

Zero Trust isn't a magic product that solves all your security issues; instead, it's a 'philosophy' that your organization has to adopt and take into account across all aspects of the business. Most organizations will need to take a phased approach and target the specific areas where they're lacking based on their Zero Trust maturity; it will also be important to consider each investment carefully and align it with current business needs.

In the next articles of this series, we will go in depth in each of the six Zero Trust areas and discuss how an enterprise can improve its security posture when it comes to identities, devices, applications, data, infrastructure, and networks. Stay tuned!


Sources:

  • https://www.microsoft.com/security/blog/zero-trust/
  • https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture
Bill Davison

Experienced Security Engineer/Architect, Husband, Dog Fosterer, Geek

3 years ago

Good primer on zero trust. I would be interested to see you continue the airport security analogy through upcoming articles and some of the pitfalls. Such as possible annoyance by users to have to show IDs/MFA often or how some of the bag check scanning can miss nefarious items often.
