For several decades, the perimeter-based network security model has been the center of information security. This framework assumes users inside the corporate network perimeter are “trusted” and anyone on the outside is “untrusted.”
However, innovations over the past decade including the wide adoption of cloud-based services, mobile device use, remote work, and the Internet of Things have dissolved the conventional networking boundaries we once knew.
Additionally, high-profile data breaches are the result of hackers gaining access inside corporate firewalls, or attackers stealing personally identifiable information. Our once tried-and-true castle-and-moat approach to security isn’t working anymore.
Today’s enterprise IT departments need to pivot to a perimeter-less model called Zero Trust, to help reduce the ever-growing risk of cyberattacks.
What is Zero Trust?
Let’s cover this first, because many security vendors, news articles, and Reddit users all have varying definitions of what is and what is not zero trust.
Starting with the source we trust most, The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), defines zero trust as:
“A set of cybersecurity principles used to create a strategy that focuses on moving network defenses from wide, static network perimeters to focusing more narrowly on subjects, enterprise assets (i.e., devices, infrastructure components, applications, virtual and cloud components), and individual or small groups of resources.
A Zero Trust Architecture (ZTA) uses zero trust principles to plan and protect enterprise infrastructure and workflows. By design, a ZTA environment embraces the notion of no implicit trust toward assets and subjects, regardless of their physical or network locations (i.e., local area networks versus the internet). Hence, a ZTA never grants access to resources until a subject, asset, or workload are verified by reliable authentication and authorization.”
Technologies such as data access policies, endpoint security, identity and access management, security analytics, and policy engine(s), and admin(s) all make up the key functional and core components of a ZTA.
TL;DR: “The main idea of zero trust security is to not allow access by default but to explicitly enable it as needed across the different network, computing, and authentication layers,” says VLCM’s VP of Cybersecurity Philip Kemp, “It’s a priority for those who have high-security aspirations.”
How to Implement Zero Trust Architecture
Because the need to evolve our security strategies has happened rather quickly - namely within the past five years (or even past YEAR with the quick pivot to remote work environments) - the term ‘zero trust’ has garnered fast attention that has often resulted in confusion about its implementation.
As a result of this confusion, the NCCoE, as mentioned above, is in the process of creating “how-to” guides and example scenarios to implement zero trust scenarios for several common business cases.
To do this, they’ve recruited industry organizations to conduct several example end-to-end ZTA scenarios using commercially available technology that aligns to NIST Cybersecurity Framework.
The following scenarios are what the NCCoE has recommended enterprises start with when forming their ZTA policies:
Scenario 1: Employee Access to Corporate Resources
An employee is looking for easy and secure access to corporate resources, from any work location.
This scenario will demonstrate a specific user experience where an employee attempts to access corporate services such as the corporate intranet, a time-and-attendance system, and other human resources systems by using either an enterprise-managed device or a personally owned device.
The ZTA solution implemented in this project will enforce the associated access request, dynamically and in near real-time. The employee will be able to perform the following:
- Access on-premise corporate resources while connected from the corporate intranet.
- Access corporate resources in the cloud while connected directly from the corporate intranet.
- Access on-premise corporate resources while connected from a branch office.
- Access corporate resources in the cloud while connecting from a branch office.
- Access on-premise corporate resources from the public internet while teleworking.
- Access corporate resources in the cloud from the public internet while teleworking.
Scenario 2: Employee Access to Internet Resources
An employee is trying to access the public internet to accomplish some tasks.
This scenario will show a specific user experience where an employee attempts to access an enterprise sanctioned, web-based service on the internet by using an enterprise-managed device. Although the web-based service is not owned and managed by the enterprise, the associated access request for that resource will still be enforced, dynamically and in real-time, by a ZTA solution implemented in this project. The solution will manage the employee’s access, regardless of location. That is, the employee can access the internet while connected inside the corporate intranet, a branch office, or the public internet by using an enterprise-managed device.
If an employee is allowed by corporate policy to access non-enterprise-managed resources and services in the public internet by using enterprise-managed devices, the ZTA solution will allow the enterprise to determine the extent of this access.
Examples of access restrictions in the above paragraph could include:
- Access to social media sites is not sanctioned.
- Access to an internet search engine is permitted, and the associated access request for this resource does not need to be granted in real-time through the corporate network when an employee is working at a branch office or while teleworking (e.g., coffee shop or airport).
- Mission-critical services on the public internet (e.g., GitHub) can be accessed directly by the employee.
Scenario 3: Contractor Access to Corporate and Internet Resources
A contractor is trying to access certain corporate resources and the internet.
This scenario will show a specific user experience where a contractor attempts to access certain corporate resources and the internet to perform the planned service for the organization. The corporate resources can be on-premise or in the cloud, and the contractor will be able to access corporate resources while on-premise or from the public internet, using an enterprise-managed device given to the contractor, a contractor-owned and managed device, or a BYOD scenario. The ZTA solution implemented in this project will enforce, dynamically and in near real-time, the associated access requests for resources by the contractor.
Scenario 4: Inter-server Communication Within the Enterprise
Corporate services often have different servers communicating with each other.
For example, a web server communicates with an application server. The application server communicates with a database to retrieve data back to the webserver. This scenario will demonstrate examples of inter-server interactions within the enterprise, which will include servers that are on-premise, in the cloud, or between servers that are on-premise and in the cloud. The ZTA solution implemented in this project will enforce, dynamically and in near real-time, the associated network communications among designated servers that interact with one another.
Scenario 5: Cross-Enterprise Collaboration with Business Partners
Two enterprises (Enterprise A and Enterprise B) may collaborate on a project where resources are shared. In this scenario, the ZTA solution implemented in this project will enable users from one enterprise to securely access specific resources from the other enterprise, and vice versa. For example, Enterprise A users will be able to access a specific application from Enterprise B, while Enterprise B users will be able to access a specific database from Enterprise A.
Scenario 6: Develop Trust Score/Confidence Level with Corporate Resources
Enterprises have monitoring systems, security information and event management (SIEM) systems, and other resources that can provide data to support security analytics to a policy engine to create a more granular trust score/confidence level for access to corporate resources and promote strict access based on the confidence level. In this scenario, a ZTA solution will integrate these monitoring and SIEM systems with the policy engine to produce a more precise calculation of trust scores/confidence levels in near real-time.
Note: The scenarios above may be created and demonstrated in different phases throughout the project.
You can find the drafted project in its entirety at nccoe.nist.gov.
Four Challenges To Pay Attention To
User experience can easily be killed under a ZTA. You should approach zero trust with the goal of enhancing security in a way that is transparent to the end-user.
Zero trust is reliant on having clear identity architecture
Before you begin creating your ZTA, you must have the strategy, technology, and governance for creating, storing, and managing enterprise user (i.e. subject) accounts and identity records and their access to enterprise resources.
Zero trust is not a single product from a vendor
Achieving a zero trust policy is a long-term process implemented through a phased approach. Ensure you have the ability/resources in place to develop your ZTA. Know that vendor products supporting a ZTA may still be in their infancy. As we enter into this “new normal” of security policies, there may be some growing pains for both vendors and IT departments.
There may be interoperability considerations of ZTA products/solutions with legacy technologies. Examples include:
- standard versus proprietary interfaces
- ability to interact with enterprise and cloud services
As stated by the NCCoE, “to protect a modern digital enterprise, organizations need a comprehensive strategy to secure “anytime, anywhere” access to their corporate resources (e.g. applications, legacy systems, data, and devices) regardless of where they are located.“
In short, zero trust is here to stay and will be a high priority for organizations with high-security aspirations. If reducing cyber risks is a goal of yours, zero trust is critical to success. To overcome challenges, or to get started with a plan, VLCM has the cybersecurity talent to help you be more cyber secure.