Over the past year and a half, most in our society participated in or witnessed a mass exodus from the office to home networks. And as technology plays an increasingly large role in our lives, almost everyone is an internet user in some form, and enterprise networks are becoming more complex. The traditional method of securing networks and assets via one password presents a weakness that once authenticated, users typically have access to everything.
Imagine a scenario where a malicious actor gains access to your network: what is preventing them from accessing whatever is in that network? Enter “Zero Trust,” a mindset all organizations need to adopt at a level consistent with the importance of the digital assets that need protecting.
What is Zero Trust?
Zero Trust is a security model based on the assumption that a breach is inevitable or has even already occurred in any given network. Zero Trust verifies and validates every single user attempting access to resources on a network, limits access only to specific resources to which each user has valid access, and looks for anomalous or malicious activity in real time. At the highest level, a Zero Trust network performs 3 key functions:
- Logs and inspects all corporate network traffic
- Limits and controls access to the network
- Verifies and secures network resources
One Password for a Network is No Longer Protection
Just about everyone is an online user, connected to a network through a smartphone, laptop or other device that may be for personal use, business use or both. A network can be a home or public Wi-Fi, a business network, or a public cloud service. Typically, the credentials required to access the network are a username and password. In some cases, additional information is required, such as a one-time code sent by text message (called multi-factor authentication) or the answer to a secret question. The purpose is to validate that you are who you say you are, and to block unauthorized and malicious cyber-attackers. This is an “implicit trust” model, which provides a low level of security.
However, today’s enterprise networks have become increasingly complex and dispersed – especially with the more recent trend of so many people working from home and needing to access their organization’s networks. The weakness in most of today’s identity validation is that once authenticated, you typically have access to everything in the network you have just entered. For example, in your home network, once your device connects and provides correct login credentials, you are then “trusted” to access anything on that network, e.g., the internet or another computer, or any other device, such as your printer. In the example of your printer, it responds to your print requests because it trusts traffic from you, not because it knows who you are, but because it assumes anyone on its network is to be trusted.
But what if an attacker finds a way onto that network? Malicious traffic would be trusted just as much as your print requests. Once in, there are rarely any more checks for specific access permissions to each device, application or data residing in that network. At that point, there’s not much preventing the attacker from having free rein over whatever is within that network.
Zero Trust Means Don’t Trust, Always Verify
The Zero Trust methodology shifts the attention away from the network, instead putting the focus on controlling access to specific devices, data, and applications regardless of what network they are on, including public clouds. This is an “explicit trust” model, which provides a higher level of security.
In other words, whereas the traditional approach automatically trusts users that gain access to a network and allows them access to whatever is connected to that network, Zero Trust changes the focus to identity validation for each resource on the network. In addition, no user is trusted, including all internal employees as well as partners and supply-chain entities. For example, if an internal engineer moves code or data to Dropbox, that should at least create an alert possibly signifying suspicious human behavior.
The benefit of Zero Trust is that compromising a network does not, by itself, give a bad actor access to anything on it. Even if the bad actor does penetrate one resource in that network, that does not automatically grant access to the other resources on the network, which reduces what the bad actor gains and slows down a broad-scale attack.
The cost in user experience in a Zero Trust environment is that additional identity validation is likely when switching from one application, database or device to another. Some of this extra validation can be hidden from the user by adding profiling information about valid users to a resource’s identity verification. For example, a sensitive payroll system may check the geographic location of a user and deny access if it is not his or her registered home or office location.
The Zero Trust mindset embodies aggressive and continuous system monitoring, management, and defense. It assumes that all requests to each resource may be malicious, and even that all devices and applications may be compromised. It further assumes that all access approvals incur risk, and that rapid damage assessment and recovery operations may need immediate attention.
Zero Trust Operational Model Includes Dynamic Authorities and Profiling
A Zero Trust solution requires operational capabilities that:
Never trust, always verify – Treat every user, device, application/workload, and data flow as untrusted. Authenticate and explicitly authorize each to the least privilege required using dynamic security policies.
Assume breach – Consciously operate and defend resources with the assumption that an adversary already has presence within the environment. Deny by default and heavily scrutinize all users, devices, data flows, and requests for access. Log, inspect, and continuously monitor all configuration changes, resource accesses, and network traffic for suspicious activity.
Verify explicitly – Access to all resources should be conducted in a consistent and secure manner using multiple attributes (dynamic and static) to derive confidence levels for contextual access decisions to resources. Having the technology to recognize normal versus anomalous behavior allows organizations to step up authentication controls and policies rather than assume connection via just username and password means the connection is fully safe and trusted.
Zero Trust goes beyond humans accessing resources; it also extends to devices accessing other resources in a network. For example, authentication of a device might include such things as:
- normal connections for the device (behavior patterns)
- endpoint hardware type and function
- geographic location
- firmware versions
- operating system versions and patch levels
- applications installed
In other words, devices can be profiled just as users can be profiled for a deeper level of authentication well beyond username and password.
For human access, additional validating profile information can be:
- specific privileges and authorizations
- usual connection patterns
- devices being used
- geographic location
- biometric characteristics (eye scans, fingerprints, etc.)
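The contextual access decisions described above (the payroll location check, the "verify explicitly" confidence levels, and the device and user attributes in the two lists) fit together as a single policy decision point. The following is an added example, not code from the article or the National Cybersecurity Center: it combines hard rules (authorization, device patch level, strict location) with soft signals that lower a confidence score and trigger step-up authentication instead of a flat username/password decision. Every user, device, resource, attribute name and threshold is a constructed assumption.

```python
"""Contextual access decision with step-up authentication.

Added example, not code from the National Cybersecurity Center or the
article: a small policy decision point that combines static and dynamic
attributes of the user and the device into a confidence score and returns
ALLOW, STEP_UP or DENY for a request. Every attribute name, threshold,
user, device and resource below is a constructed assumption.
"""
from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass(frozen=True)
class Device:
    device_id: str
    hardware_type: str          # e.g. "laptop", "printer"
    os_version: str
    patch_level: int            # higher means more current
    firmware_version: str
    usual_locations: frozenset  # countries this device normally connects from


@dataclass(frozen=True)
class User:
    user_id: str
    privileges: frozenset            # resources the user is authorized to reach
    usual_devices: frozenset         # device ids the user normally uses
    registered_locations: frozenset  # registered home/office countries
    usual_hours: range               # hours of day (0-23) the user normally works


@dataclass(frozen=True)
class Request:
    user_id: str
    device_id: str
    resource: str
    location: str
    hour: int
    mfa_satisfied: bool = False  # True once a step-up challenge was passed


# Hypothetical inventories (device discovery) and per-resource policy.
DEVICES = {
    "lt-001": Device("lt-001", "laptop", "os 14.2", 6, "fw 3.1", frozenset({"US"})),
    "lt-002": Device("lt-002", "laptop", "os 13.0", 3, "fw 2.9", frozenset({"US"})),
}
USERS = {
    "alice": User("alice", frozenset({"payroll", "wiki"}), frozenset({"lt-001"}),
                  frozenset({"US"}), range(8, 18)),
    "bob": User("bob", frozenset({"wiki"}), frozenset({"lt-002"}),
                frozenset({"US"}), range(8, 18)),
}
# The payroll entry models the text's example: the location must match the
# user's registered location or access is denied outright.
RESOURCE_POLICY = {
    "payroll": {"min_patch": 5, "strict_location": True, "min_confidence": 0.8},
    "wiki":    {"min_patch": 2, "strict_location": False, "min_confidence": 0.5},
}


def decide(req):
    """Evaluate one request. Returns (decision, reasons). Anything unknown -> DENY."""
    policy = RESOURCE_POLICY.get(req.resource)
    user = USERS.get(req.user_id)
    device = DEVICES.get(req.device_id)
    if policy is None or user is None or device is None:
        return DENY, ["unknown resource, user or device: deny by default"]

    # Hard checks first: privilege, device hygiene and strict-location rules
    # are not negotiable and cannot be satisfied by extra authentication.
    if req.resource not in user.privileges:
        return DENY, ["user is not authorized for this resource"]
    if device.patch_level < policy["min_patch"]:
        return DENY, ["device patch level below the resource minimum"]
    if policy["strict_location"] and req.location not in user.registered_locations:
        return DENY, ["location is not a registered location for this user"]

    # Soft signals: each anomaly lowers confidence; low confidence triggers
    # step-up authentication instead of trusting username/password alone.
    score, reasons = 1.0, []
    if req.device_id not in user.usual_devices:
        score -= 0.3
        reasons.append("unfamiliar device for this user")
    if req.location not in user.registered_locations:
        score -= 0.2
        reasons.append("unusual location for this user")
    if req.location not in device.usual_locations:
        score -= 0.1
        reasons.append("unusual location for this device")
    if req.hour not in user.usual_hours:
        score -= 0.2
        reasons.append("outside usual working hours")

    if score >= policy["min_confidence"]:
        return ALLOW, reasons
    if req.mfa_satisfied:
        return ALLOW, reasons + ["step-up challenge satisfied"]
    return STEP_UP, reasons


if __name__ == "__main__":
    for r in (Request("alice", "lt-001", "payroll", "US", 10),
              Request("alice", "lt-001", "payroll", "DE", 10),
              Request("alice", "lt-002", "wiki", "DE", 22),
              Request("alice", "lt-002", "wiki", "DE", 22, mfa_satisfied=True)):
        print(r.resource, r.location, r.hour, "->", decide(r))
```

The ordering matters: hard rules are evaluated before any scoring so that a stolen one-time code can never override a missing privilege or an unpatched device, and the reasons list is returned alongside the decision so that every step-up or denial can be logged and reviewed.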
Zero Trust may extend into requiring encryption of data, securing email, and verifying the quality of cyber-hygiene of users before they connect to certain applications.
This added layer of security is critical as companies increase the number of devices within their network and expand their infrastructure to include public cloud-based applications and servers – not to mention users employing their own personal devices at home and at work. These trends make it more difficult to establish, monitor and maintain secure perimeters. Furthermore, a geographically borderless security strategy is vital for organizations with a global workforce that offer employees the ability to work remotely.
Finally, by segmenting the network more finely by individual resource, each with its own authorization requirements, Zero Trust security helps an organization contain breaches and minimize potential damage when one occurs.
What are Some of the Newer Principles of the Zero Trust Model?
- Document the Topography of the Network
Creating and constantly updating a network map of all systems in the network, where they touch external networks and the internet, and what third-party software lives in the network.
- Re-examine all default access controls.
- Utilize a variety of preventative techniques.
In a Zero Trust model, there is no such thing as a trusted user or device or third-party software product. The model assumes would-be attackers are present both inside and outside the network. As such, every request to access a resource must be authenticated, authorized and encrypted.
Identity Protection and Device Discovery
Knowing the totality of what legitimate devices exist and which credentials are on each is a first step in Zero Trust. Knowing how these devices and credentials behave and connect allows organizations to employ effective identity challenges and step-up authentication for anomalies.
Multi-factor authentication (MFA) is one of the most common ways to confirm the user’s identity and increase security. MFA relies on two or more pieces of evidence, including security questions, email/text confirmation, or logic-based exercises to assess the user’s credibility. The number of authentication factors required is directly proportional to network security, meaning that incorporating more authentication points will help strengthen the organization’s overall security, but often at a cost to user convenience.
Least Privilege Access means that the organization grants the lowest level of access possible to each user or device, based on need to know. In the event of a breach, this helps limit lateral movement across the network and minimizes the attack surface. While it is often easier to allow top-tier administrators to have access to all key systems, that policy should be reviewed and only “need to know” authorities granted. This also includes promptly removing access privileges when employees leave, customer relationships terminate, or third parties change their role.
Micro-segmentation is the practice of breaking up security perimeters into small zones to maintain separate access for separate parts of the network. For example, a network with files living in a single data center that utilizes micro-segmentation may contain dozens of separate, secure zones. A person or program with access to one of those zones is not able to access any of the other zones without separate authorization.
An example in a credit card application is to keep the card transactions in a different database from the account billing and identity information, so that an attacker who succeeds in an initial attack obtains only incomplete information.
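The least-privilege and micro-segmentation points above can be made concrete in a small authorization model. The following is an added example, not code from the article or the National Cybersecurity Center: card transactions sit in one zone and billing/identity data in another, every grant is explicit per principal, resource and action (deny by default), a session is authorized into exactly one zone, and a blast-radius helper shows why an over-broad administrator grant deserves the review the text calls for. All zone, resource and principal names are constructed.

```python
"""Zone-scoped authorization: least privilege plus micro-segmentation.

Added example, not code from the article or the National Cybersecurity
Center. It models the credit-card example in the text: card transactions
sit in one zone, billing and identity data in another, every grant is
per principal, per resource and per action, and a session authorized for
one zone cannot reach another zone without separate authorization. All
zone, resource and principal names are constructed.
"""
from collections import namedtuple

Grant = namedtuple("Grant", "principal zone resource action")
Session = namedtuple("Session", "principal zone")

# Which resources live in which segmented zone (constructed inventory).
ZONES = {
    "card-transactions": {"txn_db"},
    "billing-identity": {"billing_db", "identity_db"},
}

# Explicit grants; anything not listed here is denied.
GRANTS = {
    Grant("svc-fraud-scorer", "card-transactions", "txn_db", "read"),
    Grant("svc-billing", "billing-identity", "billing_db", "read"),
    Grant("svc-billing", "billing-identity", "billing_db", "write"),
    # svc-audit legitimately reads in both zones, but each zone still needs
    # its own session (separate authorization per zone).
    Grant("svc-audit", "card-transactions", "txn_db", "read"),
    Grant("svc-audit", "billing-identity", "billing_db", "read"),
    Grant("svc-audit", "billing-identity", "identity_db", "read"),
    # An over-broad administrator grant of the kind the text says to review.
    Grant("admin-root", "card-transactions", "txn_db", "write"),
    Grant("admin-root", "billing-identity", "billing_db", "write"),
    Grant("admin-root", "billing-identity", "identity_db", "write"),
}


def zone_of(resource):
    """Map a resource to its zone, or None if it is not inventoried."""
    for zone, resources in ZONES.items():
        if resource in resources:
            return zone
    return None


def issue_session(principal, zone):
    """Authorize a principal into one zone only; None if it holds no grant there."""
    if any(g.principal == principal and g.zone == zone for g in GRANTS):
        return Session(principal, zone)
    return None


def access(session, resource, action):
    """Per-resource check: the session's zone must match and an explicit grant must exist."""
    if session is None:
        return False
    zone = zone_of(resource)
    if zone is None or zone != session.zone:
        return False  # cross-zone use of a session is never allowed
    return Grant(session.principal, zone, resource, action) in GRANTS


def blast_radius(principal):
    """Resources a principal could touch if its credentials were stolen."""
    return {g.resource for g in GRANTS if g.principal == principal}


def revoke_all(principal):
    """Offboarding: drop every grant for a principal; returns how many were removed."""
    gone = {g for g in GRANTS if g.principal == principal}
    GRANTS.difference_update(gone)
    return len(gone)


if __name__ == "__main__":
    audit_txn = issue_session("svc-audit", "card-transactions")
    print("audit reads txn_db:", access(audit_txn, "txn_db", "read"))
    print("same session reads billing_db:", access(audit_txn, "billing_db", "read"))
    for p in ("svc-fraud-scorer", "admin-root"):
        print(p, "blast radius:", sorted(blast_radius(p)))
```

The blast-radius comparison is the review question the text poses: a principal such as `svc-fraud-scorer` that loses its credentials exposes one database, while the `admin-root` grant exposes every zone at once, which is the argument for replacing it with narrower, need-to-know authorities.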
Real-time monitoring and controls to identify and halt malicious activity quickly.
While a Zero Trust model is largely preventative in nature, it also incorporates real-time monitoring capabilities to shorten the gap between when an intruder compromises the first resource and when they can move laterally to other resources on the network.
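The real-time monitoring described above is, in practice, detection logic run continuously over the access decisions the Zero Trust controls emit. The following is an added example, not code from the article or the National Cybersecurity Center: it streams constructed access-decision log lines through a per-principal sliding window and alerts when a principal is allowed into two or more zones within minutes (a lateral-movement signal) or accumulates repeated denials (a sign that a compromised account or device is probing for access it was never granted). The log format, field names, thresholds and sample lines are all assumptions.

```python
"""Real-time detection over Zero Trust access-decision logs.

Added example, not code from the article or the National Cybersecurity
Center. It runs a small detector over constructed access-decision log
lines and raises an alert when one principal reaches resources in two
or more zones inside a short window (possible lateral movement) or
collects repeated denials (probing for access it was not granted). The
log format, field names, thresholds and sample lines are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) zone=(?P<zone>\S+) "
    r"resource=(?P<resource>\S+) result=(?P<result>allow|deny)$"
)
WINDOW = timedelta(minutes=5)  # look-back per principal
ZONE_THRESHOLD = 2             # distinct zones allowed into within WINDOW
DENY_THRESHOLD = 3             # denials within WINDOW

# Constructed sample log: a billing service doing its job, a fraud scorer
# that suddenly reads identity data, and a workstation probing three resources.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z principal=svc-billing zone=billing-identity resource=billing_db result=allow
2024-05-01T10:00:05Z principal=svc-billing zone=billing-identity resource=billing_db result=allow
2024-05-01T10:01:10Z principal=svc-fraud zone=card-transactions resource=txn_db result=allow
2024-05-01T10:02:00Z principal=svc-fraud zone=billing-identity resource=identity_db result=allow
2024-05-01T10:03:00Z principal=ws-0142 zone=billing-identity resource=identity_db result=deny
2024-05-01T10:03:10Z principal=ws-0142 zone=billing-identity resource=billing_db result=deny
2024-05-01T10:03:20Z principal=ws-0142 zone=card-transactions resource=txn_db result=deny
garbage line that the parser must skip
2024-05-01T10:20:00Z principal=svc-fraud zone=card-transactions resource=txn_db result=allow
"""


def parse(line):
    """Parse one line into a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Stream lines in order; return [(principal, alert_kind, timestamp)], one alert per principal and kind."""
    recent = defaultdict(deque)  # principal -> events inside WINDOW
    alerts, raised = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["principal"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > WINDOW:  # expire old events
            q.popleft()
        zones = {e["zone"] for e in q if e["result"] == "allow"}
        denials = sum(1 for e in q if e["result"] == "deny")
        for kind, fired in (("cross_zone", len(zones) >= ZONE_THRESHOLD),
                            ("repeated_denials", denials >= DENY_THRESHOLD)):
            key = (ev["principal"], kind)
            if fired and key not in raised:
                raised.add(key)
                alerts.append((ev["principal"], kind, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for principal, kind, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {principal}: {kind}")
```

Because the window is evaluated on every event rather than in batches, the alert for the fraud scorer fires on the very line that crosses into the second zone, which is the gap the text wants to shorten; the last sample line shows that the same principal returning to its normal zone later does not re-trigger once the earlier events have aged out of the window.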
Clearly, the extent of deploying Zero Trust depends on the digital assets being protected, the degree of critical dependence on their availability, and the quality of their functioning and content. Hence each digital asset should be evaluated from the perspective of the probability of its being penetrated and the impact on the dependent people and organizations.
The National Cybersecurity Center advocates that every organization, public and private, make these assessments and employ Zero Trust as appropriate.
Rick Crandall
Chairman, Cyber Committee
National Cybersecurity Center
About the National Cybersecurity Center
The National Cybersecurity Center (NCC) is a non-profit organization established for cyber innovation and awareness. Established in 2016 from the vision of United States Senator from Colorado John Hickenlooper, in coordination with several people from the University of Colorado Colorado Springs (UCCS) and the community, the NCC serves both public and private organizations and individuals through training, education and research. Discover NCC at cyber-center.org.