Zero Trust

Zero Trust, its guiding principles, and how it can be implemented through a Zero Trust Architecture. It also lists various technologies that can assist in deploying Zero Trust and discusses maturity

Understanding Zero Trust

Zero Trust is a model that assumes no user, device, or application can be trusted. Traditional security methods relied on protecting an organization's perimeter and trusting internal activity. However, with the ever-evolving landscape of cyber threats, relying solely on these methods is no longer effective.

The Zero Trust model is based on the principle of "never trust, always verify." This means that every user, device, and application must be verified before being granted access to a network or resource. Verification is achieved through multiple layers of security measures, such as multifactor authentication, network segmentation, and continuous monitoring.

One of the biggest threats to traditional security methods is phishing or loader malware executed from inside the network, which gives an attacker a foothold that inherits the trust granted to internal users. By implementing a Zero Trust architecture, organizations can minimize the risk of these attacks by assuming that any user, device, or application could potentially be compromised.

Zero Trust is a proactive approach to security that focuses on protecting an organization's critical assets by assuming that no one and nothing can be trusted. By implementing this model, organizations can better protect themselves against the ever-evolving landscape of cyber threats and ensure the confidentiality, integrity, and availability of their information.

Principles of Zero Trust Architecture

Zero Trust is not a single architecture, but rather a set of guiding principles for workflow, system design, and operations that can be used to improve an organization's security posture. Transitioning to a Zero Trust Architecture is a journey that involves evaluating risk in an organization's mission, rather than simply replacing technology wholesale. However, many organizations already have elements of a Zero Trust Architecture in their enterprise infrastructure today.

To protect their data assets and business functions, organizations should incrementally implement Zero Trust principles, process changes, and technology solutions by use case. While continuing to invest in IT modernization initiatives and improving organizational business processes, most enterprise infrastructures will operate in a hybrid Zero Trust/perimeter-based mode.

The NIST Special Publication 800-207 (Zero Trust Architecture) defines seven basic tenets for designing and deploying a Zero Trust Architecture:

1. Consider all data sources and computing services as resources

A network may consist of various types of devices, including small footprint devices that send data to aggregators/storage, software as a service (SaaS), and systems sending instructions to actuators. An enterprise may also classify personally owned devices as resources if they can access enterprise-owned resources.

2. Secure all communication regardless of network location

Network location alone does not imply trust. Access requests from assets located on enterprise-owned network infrastructure (e.g., inside a legacy network perimeter) must meet the same security requirements as access requests and communication from any other non-enterprise-owned network. Trust should not be automatically granted based on the device being on enterprise network infrastructure. All communication should be done in the most secure manner available, protect confidentiality and integrity, and provide source authentication.

3. Grant access to individual enterprise resources on a per-session basis

Evaluate trust in the requester before granting access. Access should also be granted with the least privileges needed to complete the task. Authentication and authorization to one resource will not automatically grant access to a different resource.

4. Determine access to resources by dynamic policy, including the observable state of client identity, application/service, and the requesting asset, and may include other behavioral and environmental attributes

Protect resources by defining what resources an organization has, who its members are (or ability to authenticate users from a federated community), and what access to resources those members need. For zero trust, client identity can include the user account (or service identity) and any associated attributes assigned by the enterprise to that account or artifacts to authenticate automated tasks. Requesting asset state can include device characteristics such as software versions installed, network location, time/date of request, previously observed behavior, and installed credentials. Behavioral attributes include, but are not limited to, automated subject analytics, device analytics, and measured deviations from observed usage patterns. Policy is the set of access rules based on attributes that an organization assigns to a subject, data asset, or application. Environmental attributes may include such factors as requestor network location, time, reported active attacks, etc. These rules and attributes are based on the needs of the business process and acceptable level of risk. Resource access and action permission policies can vary based on the sensitivity of the resource/data. Least privilege principles are applied to restrict both visibility and accessibility.

5. Monitor and measure the integrity and security posture of all owned and associated assets

No asset is inherently trusted. Evaluate the security posture of the asset when evaluating a resource request. Establish a continuous diagnostics and mitigation (CDM) or similar system to monitor the state of devices and applications and apply patches/fixes as needed. Treat assets that are discovered to be subverted, have known vulnerabilities, and/or are not managed by the enterprise differently (including denial of all connections to enterprise resources) than devices owned by or associated with the enterprise that are deemed to be in their most secure state. This may also apply to associated devices (e.g., personally owned devices) that may be allowed to access some resources but not others. This requires a robust monitoring and reporting system in place to provide actionable data about the current state of enterprise resources.

6. Enforce dynamic resource authentication and authorization before access is allowed

This is a constant cycle of obtaining access, scanning and assessing threats, adapting, and continually reevaluating trust in ongoing communication. Have Identity, Credential, and Access Management (ICAM) and asset management systems in place. Use multifactor authentication (MFA) for access to some or all enterprise resources. Continual monitoring with possible reauthentication and reauthorization occurs throughout user transactions, as defined and enforced by policy (e.g., time-based, new resource requested, resource modification, anomalous subject activity detected) that strives to achieve a balance of security, availability, usability, and cost-efficiency.

7. Collect as much information as possible about the current state of assets, network infrastructure and communications and use it to improve security posture

Collect data about asset security posture, network traffic and access requests, process that data, and use any insight gained to improve policy creation and enforcement. This data can provide context for access requests from subjects.
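The following toy policy decision point is added here as an illustration and is not taken from NIST SP 800-207 or any product. It shows how tenets 3 through 6 combine in a single per-session decision: entitlements are checked per resource and per action, device posture from a CDM-style feed can deny or shorten a session, and MFA or reauthentication is demanded by policy rather than by network location. All users, resources, thresholds and session lifetimes are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Request:
    """One access request; each field is an attribute a real PDP would pull from an IdP, CDM or analytics feed."""
    user: str
    mfa_verified: bool
    device_managed: bool        # enrolled in the enterprise asset inventory / CDM
    device_patched: bool        # CDM reports no known unpatched vulnerabilities
    device_compromised: bool    # EDR/CDM flagged the asset as subverted
    network: str                # "corp", "home" or "public" (context only, never trust by itself)
    resource: str
    action: str                 # "read" or "write"
    anomaly_score: float = 0.0  # behavioral analytics, 0.0 normal .. 1.0 highly anomalous

# Constructed sample policy: resource sensitivity and per-user, per-resource entitlements.
SENSITIVITY = {"wiki": "low", "hr-records": "high"}
ENTITLEMENTS = {"alice": {"wiki": {"read", "write"}, "hr-records": {"read"}},
                "bob": {"wiki": {"read"}}}

def decide(req: Request) -> dict:
    """Return a per-session decision: allow / deny / step_up, a reason, and a session lifetime in seconds."""
    def result(decision, reason, ttl_s=0):
        return {"decision": decision, "reason": reason, "ttl_s": ttl_s}
    # Tenet 5: subverted or unmanaged assets are treated differently from healthy enterprise assets.
    if req.device_compromised:
        return result("deny", "asset flagged as compromised")
    if not req.device_managed:
        return result("deny", "unmanaged asset")
    # Tenet 3 (least privilege): authorization is per resource and per action, never inherited.
    if req.action not in ENTITLEMENTS.get(req.user, {}).get(req.resource, set()):
        return result("deny", "no entitlement for this action on this resource")
    sensitivity = SENSITIVITY.get(req.resource, "high")  # unknown resources default to high
    # Tenet 6: MFA for sensitive resources; reauthentication when behavior looks anomalous.
    if sensitivity == "high" and not req.mfa_verified:
        return result("step_up", "MFA required for high-sensitivity resource")
    if req.anomaly_score >= 0.7:
        return result("step_up", "anomalous subject behavior, reauthenticate")
    if sensitivity == "high" and not req.device_patched:
        return result("deny", "unpatched asset may not reach high-sensitivity data")
    # Tenets 2 and 4: environment shapes the session lifetime but never replaces verification.
    ttl = 900 if req.network == "public" else 3600
    if not req.device_patched:
        ttl = min(ttl, 300)   # short-lived grant forces frequent re-evaluation of posture
    return result("allow", f"{req.action} on {req.resource} ({sensitivity} sensitivity)", ttl)

if __name__ == "__main__":
    print(decide(Request("alice", True, True, True, False, "public", "hr-records", "read")))
```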

Zero Trust Network Assumptions

When an organization decides to implement a Zero Trust Architecture, it should understand that doing so involves several assumptions regarding network connectivity. These assumptions are applicable to both enterprise-owned network infrastructure and enterprise-owned resources operating on non-enterprise-owned network infrastructure (such as public Wi-Fi or cloud providers), and must be considered during network planning and deployment. By keeping these assumptions in mind, an enterprise can develop a network that adheres to the principles outlined above.

Firstly, it is important to recognize that Zero Trust is not a product, but a security framework that includes a set of guiding principles. A Zero Trust Architecture takes a comprehensive approach to securing digital assets and resources. To achieve this, it operates on the assumption that all users, devices, applications, and network traffic are untrusted. As such, identity must be verified before granting access to resources.

Another key assumption is that an enterprise must have full visibility into all network traffic. This requires the ability to monitor and analyze all data flows, regardless of their source or destination. To achieve this, organizations must deploy a range of monitoring tools that provide real-time visibility into all network activity.

Lastly, it is important to recognize that Zero Trust is not a one-time project, but a continuous process that requires ongoing attention and effort. Organizations must be prepared to evolve their Zero Trust Architecture over time in response to changing security threats and business needs. By doing so, enterprises can ensure that their digital assets and resources remain secure and protected against emerging threats.

Assumptions and their descriptions:

Assume Breach

Zero Trust assumes that any device, user, or network activity could be malicious. Therefore, it is imperative to implement various security measures, such as multi-factor authentication, continuous monitoring, and logging. These measures can help detect and prevent malicious activities.

Secure All Traffic

All network traffic must be authenticated and encrypted to ensure confidentiality and security. This can be achieved by implementing secure protocols, such as HTTPS, TLS, and VPN. Additionally, it is essential to monitor network traffic to detect any anomalies or suspicious behavior.

Enforce Least Privilege

Users and devices should only have access to the minimum data and resources necessary to perform their tasks. Trust is not binary; rather, it is variable. Therefore, it is crucial to implement policies and controls that limit access to sensitive data and resources. These policies can include role-based access control, data classification, and user behavior analytics.

Secure All Assets

All assets, including data, devices, and applications, must be protected, monitored, hardened, and rotated to prevent unauthorized access or compromise. It is crucial to implement security controls, such as firewalls, intrusion detection systems, and endpoint protection. Additionally, regular vulnerability assessments and penetration testing can help to identify and address any security weaknesses.

Zero Trust Architecture Assisting Technologies

As the adoption of Zero Trust Architecture continues to grow, many vendors have recognized the need for additional tools and technologies to assist organizations in effectively deploying and managing these frameworks. These supplemental technologies aim to provide added layers of security, improve visibility and control, and streamline the Zero Trust implementation process.

Some examples of these technologies include secure web gateways (SWG), remote browser isolation (RBI) solutions, cloud access security brokers (CASB), firewall-as-a-service (FWaaS), secure access service edge (SASE), and Zero Trust Network Access (ZTNA) solutions. These technologies can be used in conjunction with Zero Trust principles to help organizations better protect their data, devices, and applications from cyber threats.

By implementing these supplemental technologies, organizations can enhance their Zero Trust security posture and improve their ability to fend off attacks. However, it's important to note that these tools are not a one-size-fits-all solution and must be carefully evaluated and selected based on an organization's specific needs and requirements.

Components, their descriptions, and example vendors/products:

Secure Web Gateway (SWG)

A secure web gateway is a cloud-based security solution that enables secure access to the internet and protects users from web-based threats.

Example vendors/products: Cisco Umbrella, Zscaler, Symantec Web Security Service, Menlo Security

Remote Browser Isolation (RBI)

RBI is a cloud-based security solution that isolates web browsing activity and executes it in a secure environment. It protects against web-based threats and prevents malware from entering the network.

Example vendors/products: Menlo Security, Symantec Web Isolation, Authentic8 Silo

Cloud Access Security Broker (CASB)

A cloud access security broker is a cloud-based security solution that provides visibility and control over cloud-based applications. It helps organizations secure their data in the cloud and enforce policies to ensure compliance.

Example vendors/products: Microsoft Cloud App Security, Bitglass, Netskope

Firewall-as-a-Service (FWaaS)

Firewall-as-a-service is a cloud-based security solution that provides firewall protection to a network. It enables organizations to secure their network and control access to their resources.

Example vendors/products: Check Point CloudGuard, Fortinet Secure SD-WAN, Palo Alto Networks Prisma Access

Secure Access Service Edge (SASE)

SASE is a network design that combines WAN and cloud-based security services to provide safe access to enterprise apps and services. It works on any device, from anywhere, at any time.

Example vendors/products: Cisco SecureX, VMware Secure Access, Akamai Enterprise Application Access

Zero Trust Network Access (ZTNA)

ZTNA solutions are designed to provide secure remote access to applications and resources by verifying the identity and context of the user, device, and application.

Example vendors/products: Okta, Zscaler Private Access, Akamai Enterprise Application Access, Trend Micro ZTNA

Zero Trust Maturity

CISA's Zero Trust Maturity Model (ZTMM) is a comprehensive framework that offers a step-by-step approach for achieving continued modernization efforts related to zero trust within a rapidly evolving environment and technology landscape. This model is one of many paths that organizations can take in designing and implementing their transition plan to zero trust architectures.

The ZTMM represents a gradient of implementation across five distinct pillars, in which minor advancements can be made over time toward optimization. The pillars, depicted in the above image, include Identity, Devices, Networks, Applications and Workloads, and Data. Each pillar includes general details regarding the following cross-cutting capabilities: Visibility and Analytics, Automation and Orchestration, and Governance.

The ZTMM breaks the maturity journey into four stages: Traditional, Initial, Advanced, and Optimal.

  1. Traditional: Manually configured lifecycles (i.e., from establishment to decommissioning) and assignments of attributes (security and logging); static security policies and solutions that address one pillar at a time with discrete dependencies on external systems; least privilege established only at provisioning; siloed pillars of policy enforcement; manual response and mitigation deployment; and limited correlation of dependencies, logs, and telemetry.

  2. Initial: Starting automation of attribute assignment and configuration of lifecycles, policy decisions and enforcement, and initial cross-pillar solutions with integration of external systems; some responsive changes to least privilege after provisioning; and aggregated visibility for internal systems.

  3. Advanced: Wherever applicable, automated controls for lifecycle and assignment of configurations and policies with cross-pillar coordination; centralized visibility and identity control; policy enforcement integrated across pillars; response to predefined mitigations; changes to least privilege based on risk and posture assessments; and building toward enterprise-wide awareness (including externally hosted resources).

  4. Optimal: Fully automated, just-in-time lifecycles and assignments of attributes to assets and resources that self-report with dynamic policies based on automated/observed triggers; dynamic least privilege access (just-enough and within thresholds) for assets and their respective dependencies enterprise-wide; cross-pillar interoperability with continuous monitoring; and centralized visibility with comprehensive situational awareness.
