What is Zero Trust?
Everyone must assume that the network environment is hostile. This is the core principle of Zero Trust. Why? This text will perhaps give you an answer.
Zero Trust moves the focus from the boundary of a network to the applications and services within it, and builds more specific access controls around those specific resources. This method of wrapping security around applications and services is known as micro segmentation, and it allows for more targeted security and access management than traditional network security. Zero Trust is an approach that deploys micro segmentation in a network based on users, their locations and other data to determine whether a user, machine or application should be trusted to access a particular part of the network. Users and entities in the network are given the least amount of access they need to accomplish a specific task. In Zero Trust, all access requests are strongly authenticated, authorized within policy limitations, and scrutinized for deviations before access is granted.
Micro segmentation is a security technique that divides a network into small parts that are independent of one another from a security standpoint. As a result, if a breach occurs, micro segmentation limits how far attackers can explore the network, and better attack resistance is achieved. Traditionally, if a network is hacked, it is more or less wide open to explore, because everything inside it is trusted. With Zero Trust we can declare that network location has no value, along with several traditional network constructs such as VPN. They are suddenly rendered obsolete.
What is this thing called Zero Trust? It is built on a few fundamental assertions:
- External and internal threats exist on the network at all times.
- Every device, user and network flow is authenticated and authorized.
- The network is always assumed to be hostile.
- Network locality is not sufficient for deciding trust in a network.
- Policies must be dynamic and calculated from as many sources of data as possible.
A Zero Trust security framework dictates that only authenticated and authorized users and devices can access applications and data. Well, that basic idea is actually nothing new, as it applies to traditional networks as well. However, traditional networks rely on trust and on a different way of deploying the IT architecture.
Zero Trust is a network security paradigm shift that focuses narrowly on individual resources or small groups of resources. In a Zero Trust architecture there is no implicit trust granted to systems based on their physical or network location, meaning that, in security terms, a local area network (LAN) is no more secure than the Internet. As reliance on security at the perimeter of the network decreases, the security of the data packets flowing in and out of a Zero Trust system becomes much more critical. Consequently, encryption of those data packets is a fundamental requirement in Zero Trust.
Zero Trust emphasis
Access to data resources is granted when the resource is required, and authentication of the user and the device is performed before the connection is established. As security in traditional VPN networks has become hard to maintain with the move to mobile devices, Zero Trust responds to enterprise network trends that include remote users and cloud based assets that are not located within a traditional enterprise network boundary.
With Zero Trust, the emphasis of protection has turned to:
- Identities. May represent users, devices, services, and Internet-of-Things devices (IoT).
- Devices. These include smartphones, IoT devices (again), and cloud based servers. They require monitoring and health control.
- Data. The main focus of protection. Whether located in devices, applications, infrastructure, or networks, it must remain safe.
- Infrastructure. Always a critical threat sector. Could represent virtual machines in the cloud, containers, or on-premise servers.
- Networks. Even though preferably micro segmented, built as small trust zones and end-to-end encrypted, they still exist in the Zero Trust view (see below).
As you might have noticed, the protected entities listed above overlap and fit in almost everywhere depending on use, definition, or purpose. This follows one of the basic tenets of Zero Trust: all data sources and computing services are considered resources.
The network from the Zero Trust view
- The enterprise network is not trustworthy or secure. An attacker can always be present on the enterprise network, and all communication should be authenticated.
- Not all devices on the network are owned, configurable, or controlled by the enterprise. There might be devices brought to the network by visitors or contractors, and also cloud based resources or devices (as stated above).
- No device can inherit trust. Every device must authenticate itself. For example, user credentials alone are not sufficient to authenticate the device.
- Not all of the enterprise resources and devices on or inside the network infrastructure are owned by the enterprise. There might be remote users as well as services based in the cloud.
- Remote users of the enterprise network cannot trust the enterprise network. They should assume the local enterprise network is hostile.
- The assumption that systems and traffic within a traditional datacenter or internal network can be trusted is flawed. Zero Trust aims to solve the inherent problems of placing our trust in the network (for example VPN networks).
Incentives to implement a Zero Trust architecture
- Do not use password based access. Password authentication suffers from many weaknesses that are open to breaches, such as:
- Credential abuse. User credentials are often stolen. "Killing" passwords shuts down the most common technique hackers use to access networks and cloud systems.
- Weak security. Each attempt to access a resource must be secured, whether it is made from a mobile device, an application (app), or any other requesting entity or device.
- What overturns traditional network security in the concept of Zero Trust is, as some call it, the "never trust, always verify" way of thinking. A traditional enterprise trusts what is within the network. Zero Trust turns this completely around.
- There are many excellent inventions that cooperate as building blocks for secure authentication. Unfortunately, many of them rely on trusted networks, which the idea of Zero Trust completely rejects. Returning to the basic idea of Zero Trust micro segmentation, Multi Factor Authentication (MFA) is suitable when built on concepts such as PKI and FIDO, mentioned below. These technologies are well suited to authentication on a per-unit level, in other words micro segmentation.
How to implement a Zero Trust "network"?
The concept of Zero Trust forces network designers to rethink almost everything they know about secure network design. The level of trust sets a lower limit on the robustness of a network: once trust is built into a system, it can be very hard to remove. In other words, to obtain security it is wise to trust as little as possible. Consequently, the micro segmentation approach to implementing Zero Trust is suitable, as mentioned initially, because a Zero Trust network is just what it sounds like: a network that is completely untrusted. All hosts must provide proper identification.
Zero Trust implements micro segmentation in the network, where every micro segment needs to authenticate to the others. The basic idea is that an authoritative source, or trusted third party, is granted the ability to authenticate, authorize, and coordinate access in real time. In other words, there has to be somewhere in the "network" where authentication certificates are issued. But what about that? Zero Trust, yet trust anyway, by introducing a Certificate Authority (CA) that decides about authorization? The Zero Trust model carefully manages trust in the system. Nevertheless, a Zero Trust network must grant access in some way, and it does so through role based and context aware access.
Using, for example, SecMaker's world conquering PKI technology, the authorization and delivery of private and public asymmetric keys can be done using a CA. Logically, in a Zero Trust architecture, the CA is referred to as the Zero Trust control plane. Of course, authorization may also involve one-time-use credentials, keys, and ephemeral port numbers. In the control plane of a micro segmented architecture, the PKI pillar technology Security Assertion Markup Language (SAML) might be suitable, as it is an open standard for exchanging authentication and authorization data between parties. An important use case of SAML is Single Sign On (SSO), but whether SSO is appropriate to implement in the Zero Trust control plane needs to be looked into.
Once authorization is granted, the interchange of data can start, which in Zero Trust terminology logically is made in the Zero Trust data plane.
Once the question of "How?" is solved, what we WANT to do follows
We want to:
- Identify the device. The authenticated team member's access device needs to be identified, and only then is the device allowed access. This must happen in real time.
- Do geolocation identification. The team member's location needs to be identified while at work, and access to certain data is restricted based on the geolocation of the team member. This must happen in real time.
- Do team member identification. A team member wants to authenticate, and we need to truly know that it is that particular team member. This needs to happen in real time.
- Have automated access. All automated processes that access data need to be subject to the same data protection rules as team members and devices. Again, this needs to happen in real time.
- Do logging. We need to log all activity for auditing and monitoring purposes.
- Protect data. Last but not least, data needs to be protected at different levels.
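As an added example, not code from the article or from SecMaker, the list above as a minimal policy decision function: the subject must be MFA-verified, the device must present its own identity and pass a health check, the location must be allowed for the resource's protection level, automated processes go through exactly the same rules, and every decision is logged. The device inventory, resources and country codes are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample inventories: devices enrolled with the enterprise, and
# the protection level plus allowed locations of each data resource.
ENROLLED_DEVICES = {"LAPTOP-0042": {"healthy": True}, "LAPTOP-0099": {"healthy": False}}
RESOURCES = {
    "payroll-db": {"level": "confidential", "locations": {"SE"}},
    "intranet-wiki": {"level": "internal", "locations": {"SE", "NO", "DK"}},
}
AUDIT_LOG: list[dict] = []  # in practice an append-only log shipped off-host

@dataclass
class AccessRequest:
    subject: str           # team member or automated process identity
    mfa_verified: bool     # identity proven with MFA (e.g. a PKI smart card)
    device_id: str         # identity presented by the device itself
    country: str           # geolocation of the request
    resource: str
    is_automated: bool = False

def decide(req: AccessRequest) -> tuple[bool, list[str]]:
    """Evaluate every request afresh and collect every reason for a deny."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("subject not authenticated with MFA")
    device = ENROLLED_DEVICES.get(req.device_id)
    if device is None:
        reasons.append("device not enrolled")       # no device inherits trust
    elif not device["healthy"]:
        reasons.append("device failed health check")
    res = RESOURCES.get(req.resource)
    if res is None:
        reasons.append("unknown resource")
    elif req.country not in res["locations"]:
        reasons.append(f"location {req.country} not allowed for {res['level']} data")
    # Automated processes get no separate branch: the same checks apply to them.
    allowed = not reasons
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "subject": req.subject, "device": req.device_id,
                      "resource": req.resource, "allowed": allowed,
                      "reasons": reasons, "automated": req.is_automated})
    return allowed, reasons

if __name__ == "__main__":
    ok, why = decide(AccessRequest("anna", True, "LAPTOP-0042", "SE", "payroll-db"))
    print("allow" if ok else "deny", why)
```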
What techniques can be used in a Zero Trust network?
- Mobile device authentication
Some people claim that multi factor authentication (MFA) technologies such as PKI, FIDO and other MFA solutions are out of date. They hail the use of a mobile device, in other words the mobile phone, which more or less every human being possesses.
It is like religion: you gain power and money as the number of supporters increases. Some claim that people cannot imagine carrying around an extra "thing" besides the mobile phone. They want the mobile phone to be your entry point to the networks.
However, one fundamental idea of the founders of Swedish SecMaker is that the contrary is the most important: a device or token separated from the mobile phone. We have conquered the municipal, regional and governmental market with multi factor authentication based on smart cards carrying PKI. Relying on the mobile phone as the authentication method is like putting all eggs in the same basket.
For those who thought PKI was dead, the fact is that every Zero Trust "network" is well suited to relying on PKI to prove identity throughout the "network".
Mobile device authentication versus hardware tokens
- The fans of mobile phone authentication claim:
Clearly, something must replace passwords and multi factor authentication for optimal security and user friendliness, but what?
In their search for solutions they had IDG do a survey, perhaps only among people who are already devoted followers of the mobile phone. They found that more than 75% of those surveyed said mobile devices secured by biometric authentication methods present the best option for replacing passwords. The majority (61%) also see hardware tokens as viable password replacements.
Well, SecMaker has a future, given that hardware tokens seem to be a blessed alternative. And what if you lose your mobile phone? Then, using your hardware token, you can still log on to your computer to block and wipe your mobile phone remotely. Hardware tokens act as the bearer of a multi factor authentication (MFA) solution such as PKI.
Hardware tokens are often seen as more user friendly than biometric authentication on a mobile device.
A large majority of those who responded to the IDG survey agree that the mobile phone will be very important for how authentication is done and how access is given. In this light, the phone itself becomes the user's required identity and will serve as a digital ID.
Combining the two: MFA and mobile authentication side by side
Mobile device authentication based on MFA has for many years been a successful reality in Sweden. More or less the whole population uses the PKI-based Mobile BankID application to authenticate to any system that hosts GDPR-sensitive personal information: for example public healthcare systems, the pharmacies and, perhaps most important of all, the banks.
Further argumentation on MFA
MFA technologies such as PKI and FIDO are excellently suited to hardware tokens. SecMaker are experts at implementing PKI on hardware tokens such as security keys and smart cards. Among the arguments for hardware tokens is the need to diversify your risk. An access token is separate from the mobile phone, which by itself is a more attractive target for theft than a hardware token. Risk spreading is thereby achieved.
Apart from theft, mobile devices themselves are often easy to breach. And once hackers have access to the mobile device, they are potentially granted easy access to the network it connects to, and possibly also to whatever bank system you authenticate to.
A Zero Trust "network" is particularly valuable when it comes to mobile devices. In technical forums, experts write that, surprisingly, neither iOS nor Android comes with a host based firewall. For those, the Zero Trust model introduces the concept of single packet authentication (SPA) to reduce the attack surface of a mobile, or in fact any, host.
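As an added example, not code from the article or from SecMaker, the gateway side of the SPA idea just mentioned: the protected service stays closed by default and a port is opened for a client only after one HMAC-authenticated datagram passes every check, with tampered, stale and replayed packets rejected. The per-client shared secret, the 30-second window and the packet layout (JSON body followed by a 32-byte HMAC-SHA256 tag) are assumptions of this example.

```python
import hashlib
import hmac
import json

# Constructed per-client secrets; in practice provisioned out of band,
# for example onto the hardware token the article favours.
CLIENT_KEYS = {"phone-0042": b"constructed-secret-0042"}
WINDOW_SECONDS = 30
seen_nonces: dict[bytes, float] = {}   # nonce -> expiry time, for replay defence

def build_spa_packet(client_id: str, port: int, nonce: bytes, now: float) -> bytes:
    """Client side: one datagram = JSON body || HMAC-SHA256(body) (32 raw bytes)."""
    body = json.dumps({"id": client_id, "port": port, "ts": int(now),
                       "nonce": nonce.hex()}, sort_keys=True).encode()
    return body + hmac.new(CLIENT_KEYS[client_id], body, hashlib.sha256).digest()

def verify_spa_packet(packet: bytes, now: float) -> tuple[bool, str]:
    """Gateway side: nothing is opened unless every check passes."""
    body, mac = packet[:-32], packet[-32:]
    try:
        fields = json.loads(body)
        key = CLIENT_KEYS[fields["id"]]
        nonce = bytes.fromhex(fields["nonce"])
        ts = int(fields["ts"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed packet"      # a real gateway drops it silently
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False, "bad mac"
    if abs(now - ts) > WINDOW_SECONDS:
        return False, "stale timestamp"
    # Forget nonces outside the window, then refuse any nonce seen inside it.
    for n in [n for n, exp in seen_nonces.items() if exp < now]:
        del seen_nonces[n]
    if nonce in seen_nonces:
        return False, "replayed packet"
    seen_nonces[nonce] = now + WINDOW_SECONDS
    return True, f"open port {fields['port']} for {fields['id']}"

if __name__ == "__main__":
    import os, time
    pkt = build_spa_packet("phone-0042", 22, os.urandom(16), time.time())
    print(verify_spa_packet(pkt, time.time()))
```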
Risks, threats and possible network disruption
In Zero Trust, the micro segment in the control plane containing the Certificate Authority (CA) is the key component for resource access. If an attacker disrupts or denies access to the CA, for example with a Denial of Service (DoS) attack, it can negatively impact enterprise operations. This threat can be reduced by having the CA reside in the cloud or be replicated in several locations, that is, in other micro segments as well. It is also possible that an attacker could intercept and block traffic to the CA from some of the user accounts within an enterprise. In such cases, with micro segmentation, only a limited number of enterprise users are affected.
There is also the risk that network resources may not be reachable from the CA, in which case the CA cannot configure the access connection from the network even if access is granted to a user. Such a disturbance is, however, similar to any other network disruption in other network architectures.
SASE, Secure Access Service Edge, is an emerging category of products and services. It is a "new age networking" mindset intended for environments such as the cloud. It includes a number of comprehensive network security functions, among them Zero Trust, where security and network access are delivered based on user identity, not an IP address. How this is done, this article does not cover.