Information Security Utopia Starts with Zero Trust Architecture
For a long time, as commonly perceived, stable and secure relationship between people and nations is built on the important cornerstone of “trust”. However, in recent years, those in the cyber security sector have suggested the contrary that only "Zero Trust" can ensure everyone’s security.
“Zero Trust” is a hot topic, but what is it?
The Zero Trust architecture is first introduced by cyber security analyst John Kindervag in 2009 while working at Forrester Research. Its overriding principle is simply “Never Trust, Always Verify”. The Zero Trust architecture denies the traditional corporate network protected by the firewall is secure and the internal network needs to be verified and authorized. Therefore, if the corporate needs to build a Zero Trust architecture, it can be referred to NIST SP 800-207 which issued in 2020. It defines 7 criteria for Zero Trust Architecture[1].
- All data sources and computing services are considered as “resources”
Personal devices should also be considered as resources if they can access enterprise-owned resources. All “resources” must be control and protected.
- All communication is secured regardless of network location
Network location does not imply trust. Access request from enterprise’s internal network must meet the same security requirements as external ones.
- Access to individual enterprise resources is granted on a per-session basis
Authentication and authorisation to one resource will not automatically grant access to another resource.
- Access to resources is determined by dynamic policy
Requester’s asset state will affect the result of accessing resources. These rules and attributes are based on the needs of the business process and acceptable level of risk. For example, the secured device should be limited to access certain resources if the requester is located at different country.
- The enterprise ensures and monitors the state of all owned and associated assets remains in most secure state possible
All assets should be in the most secure state possible. If assets have known vulnerabilities, or are not managed by the enterprise, it may be treated differently such as denial of all connections to enterprise resources.
- All resource authentication and authorisation are dynamic and strictly enforced before access is allowed
An enterprise should continuously monitor for reauthentication and reauthorisation and re-evaluate the trust, including device, identity, network and so on, in the ongoing communication.
- The enterprise collects as much information as possible about the current state of network infrastructure and communications and uses it to improve its security posture
An enterprise should collect data about network traffic and access requests, which is then used to improve policy creation and enforcement.
What are the advantages of using the Zero Trust approach?
Zero Trust assumes everything is suspicious and is not allowed to connect except passing the security checking. Every user’s request from the internal or external corporate network must be authenticated, authorised, and encrypted in real-time.
As “zero trust” principle is “always to verify, and to be authorised with least privilege”, which helps reduce the risk and impact of insider threats and data breaches. Organisations have implemented a similar concept of zero trust in physical security such as employees being required to use the access card to prove their access right if they want to enter the room, and even fingerprint authentication to prove the identity. The access card limits the scope of employee activities. Also, organisations may add some CCTVs to monitor the safety of desired locations. This concept helps reduce insider threats and limit the impact in cyber security incident. In terms of traditional network security, it assumes all employees who connect internal network are trustworthy, which in the real world is equivalent to all employees being able to enter all rooms in the organisation without limitation. Hence, the concept of Zero Trust is to respond to the rapidly growing cyber attacks.
What is Micro-Segmentation and why it is important to Zero Trust?
As mentioned, zero trust challenges the traditional trusted corporate network, and assumes no more trusted network to access corporate data. Micro-segmentation is the backbone of zero trust architecture. Therefore, efforts have to restrict the network and minimize the attack surface and impact by micro-segmentation if we encounter cybersecurity incident.
Micro-segmentation is a method of creating zones in data centres and cloud environments to isolate workloads from one another and secure them individually. With micro-segmentation, system administrators can create policies that limit network traffic between workloads based on a Zero Trust approach. Corporates use micro-segmentation to reduce the network attack surface, improve breach containment and strengthen regulatory compliance.
In traditional network design, it is usually divided into 3 zones, Internal, External and DMZ (Demilitarised Zone) subnet that places servers which are exposed to the Internet. Employees accessing internal systems from the intranet have been considered as secure, resulting in less restriction from security policies. However, many cyber incidents actually involve hackers first taking control of employees' computers before launching lateral internal attacks.
Principle of least privilege can be used in the micro-segmentation design. The network will be divided into different subnets according to different functions. For example, employees from department “A” will be limited to access the systems of their own department while those from department “B” cannot access department “A”. Each subnet must be protected by a firewall. This micro-segmentation can limit the impact of attack and attack surface effectively.
Figure 1 - Traditional network design [2]
Figure 2 – Micro-segmentation network design[3]
How to implement Zero Trust approach?
We recommend corporates to refer to NIST’s standards for implementing Zero Trust in 3 phases:
- Turn network to micro segmentation design
- Implement Zero Trust approach to employees who need to access internal systems from outside corporate network
- Implement Zero Trust approach to internal network
For the technologies or tools to implement Zero Trust, corporates can refer to the below table:
Goals | Tools and Technology | |
Identity | Continuous Validation; Real Time analysis |
|
Device | Constant Device Security Monitor and Validation; Data Access Depends on real-time risk analytics |
|
Network | Micro-Segmentation; Threat Protection; Encrypted |
|
Application Workload | Security Tools Integration into SDLC |
|
Data | Data is encrypted and Can be Monitored |
|
Table 1 – Technologies or Tools to Implement Zero Trust [4]
Corporates need to develop different security policies according to the needs of own businesses. When considering the use of any technologies or tools, they must assess the corresponding risks and impacts clearly. Even if a Zero Trust approach is in place, it is necessary to regularly review and test for reducing the risk and impact of cyber attacks and data breaches.
Reference Links:
[1]https://csrc.nist.gov/publications/detail/sp/800-207/final
[2]https://www.techtarget.com/searchsecurity/definition/DMZ
[3]https://www.techtarget.com/searchnetworking/definition/microsegmentation
[4]https://www.cisa.gov/publication/zero-trust-maturity-model
Related Tags
Share with