
Zero Trust

What is it?

John Kindervag of Forrester (but currently – July 2019 – at Palo Alto Networks) came up with the concept of Zero Trust in 2010. Surprisingly however, it has taken almost a decade for it to become a hot topic. These days just about every security vendor offers us a zero-trust product or a solution set. Promising risk mitigation, business agility, innovation, ease of cloud migration, and every other business buzz word (maybe not A.I.), it is hard not to be sold on vendors’ Go to Market stories on zero trust. But what is this utopian dream, and can you just buy one?

Zero trust came about because traditional perimeter-based security did not address internal threats, nor outsider threats that compromise an inside resource and then move laterally through the network. This lack of control and visibility over internal resources and their lateral movement, together with the blurring of the perimeter brought about by cloud migrations, are the concerns zero trust aims to address. Technically speaking, Zero Trust has three fundamental principles:

  1. Trust nothing – this includes devices, users, applications, things and locations
  2. Encrypt, authenticate, and authorise everything
  3. Inspect, log and monitor everything

In a zero trust environment, nothing is trusted. You may be an employee seated in the head office, but you first need to be authenticated, then assigned the least privileges required to perform your job, and all your activity must be logged and monitored. This ensures only authenticated and authorised users or applications are given the required access, and even then, if that access results in strange or compromising behaviour (such as port scans or reconnaissance-type activity), this too is logged, monitored, alerted on and acted upon.
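As an added illustration (not part of the original post), this is the kind of check a monitoring tool would run over flow logs to catch the reconnaissance-type behaviour described above from an already authenticated user. The log format, user names and addresses are constructed for the example.

```python
"""Flag reconnaissance-style behaviour (many distinct destination ports on one
host from a single source within a short window) in constructed flow-log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log: "timestamp user src_ip dst_ip dst_port action".
# Both allowed and denied flows are logged, as zero trust requires.
SAMPLE_FLOWS = """\
2019-07-01T09:00:01 alice 10.1.1.5 10.2.0.10 443 ALLOW
2019-07-01T09:00:02 alice 10.1.1.5 10.2.0.10 443 ALLOW
2019-07-01T09:00:05 bob 10.1.1.9 10.2.0.20 22 ALLOW
2019-07-01T09:00:06 bob 10.1.1.9 10.2.0.20 23 DENY
2019-07-01T09:00:06 bob 10.1.1.9 10.2.0.20 80 DENY
2019-07-01T09:00:07 bob 10.1.1.9 10.2.0.20 135 DENY
2019-07-01T09:00:07 bob 10.1.1.9 10.2.0.20 445 DENY
2019-07-01T09:00:08 bob 10.1.1.9 10.2.0.20 3389 DENY
2019-07-01T09:00:09 bob 10.1.1.9 10.2.0.20 8080 DENY
2019-07-01T09:05:00 alice 10.1.1.5 10.2.0.11 443 ALLOW
"""

def parse_flows(text):
    """Parse the constructed log format into (ts, user, src, dst, port, action)."""
    flows = []
    for line in text.splitlines():
        ts, user, src, dst, port, action = line.split()
        flows.append((datetime.fromisoformat(ts), user, src, dst, int(port), action))
    return flows

def find_port_scans(flows, window=timedelta(seconds=30), threshold=5):
    """Return {(user, src, dst): distinct_port_count} for every source that
    touched at least `threshold` distinct ports on one host within `window`.
    Authenticated users are not exempt: the check keys on behaviour, not identity."""
    by_pair = defaultdict(list)
    for ts, user, src, dst, port, _action in sorted(flows):
        by_pair[(user, src, dst)].append((ts, port))
    alerts = {}
    for key, events in by_pair.items():
        start = 0
        for end in range(len(events)):            # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _t, p in events[start:end + 1]}
            if len(ports) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts

if __name__ == "__main__":
    for (user, src, dst), n in find_port_scans(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT recon-like: {user}@{src} -> {dst}, {n} distinct ports")
```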

How do I deploy it?

So how does one go about deploying zero trust in their environment? I suggest a constantly evolving three-phased, three-pronged approach. It sounds complicated, but I promise you it is not. It is just an iterative deployment model that maps closely to the principles of zero trust and is designed to ease your business into this brave new world. Of course, like everything else in security, it is to be constantly improved upon. It is not a set-and-forget model.

The prework

Before you dive head-first into any new security strategy, architecture or solution, you first need to understand what it is that you are trying to protect (and why, of course; i.e. a business impact analysis). I suggest you start by defining your protect surface. What does that mean? It means identifying which assets (data, applications, services) you wish to protect and classifying them according to their importance to your business. You then need to understand how those assets interact with the rest of your environment. In other words, you need to do Application Dependency Mapping (ADM) and understand exactly what or who talks to which services in your environment. There are a number of vendors with solution sets that assist with this. Depending on the complexity, size and security of your environment, you may be able to use a simple packet sniffer, or – at the other end of the scale – deploy something like Cisco Tetration, other high-end applications and devices, or even an NGFW, to get your ADM.

Phase 1 – the ground work

I suggest three separate activities in this phase:

  1. Deploy a Network Access Control (NAC) solution. If you have a corporate wireless network in place already, chances are you are more than halfway there. Look at integrating your wireless authentication solution with your corporate AD and deploying it across your wired network. Cisco ISE, Aruba ClearPass and Forescout CounterACT are just three of the products you can consider. Keep in mind, however, that a NAC solution does little for users or devices that connect across the internet. You can look at other solutions such as Zscaler Private Access. A more current solution, however, is an Identity and Access Management (IAM) tool with single sign-on (SSO) that is integrated/federated with your cloud providers.
  2. Start a small micro-segmentation project in your data centre, or in the cloud. I must note, however, that if you have already migrated some workloads to the cloud and have not architected your cloud environment correctly, this could be a little more challenging. The key here is to identify and classify your most critical assets and then establish a trust boundary around them to prevent exfiltration of sensitive data (keeping in mind the impact of deploying new technology/processes in such a critical environment). Perhaps have a look at Gartner’s Magic Quadrant for Enterprise Network Firewalls and study the vendors in the Leaders and Challengers quadrants.
  3. Deploy – if you have not already – a logging and monitoring capability. This is a vital step that is often forgotten by smaller businesses. It is, however, critical to have this capability deployed, and having chosen the right vendor in step 2 above certainly helps. I would suggest a quick look at the Gartner Magic Quadrant for Security Information and Event Management, studying the vendors in the Leaders and Challengers quadrants.
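To make the prework and step 2 concrete, here is an added example (not from the original post) that builds an Application Dependency Map from captured flow records and turns a protected asset's dependencies into a least-privilege allow-list closed by a default deny, which is the starting point for a micro-segmentation trust boundary. Host names, ports, the protect-surface classification and the approved-sources list are all constructed.

```python
"""Application Dependency Mapping from constructed flow records, then a
least-privilege allow-list around the assets classified in the prework."""
from collections import defaultdict

# Constructed flow records as a sniffer or NGFW would observe them: (src, dst, dst_port, proto)
SAMPLE_FLOWS = [
    ("web-01", "app-01", 8443, "tcp"),
    ("web-02", "app-01", 8443, "tcp"),
    ("app-01", "db-01", 5432, "tcp"),
    ("app-01", "db-01", 5432, "tcp"),      # repeated flow collapses to one dependency
    ("app-01", "dns-01", 53, "udp"),
    ("backup-01", "db-01", 5432, "tcp"),
    ("laptop-17", "db-01", 5432, "tcp"),   # unexpected path: must be surfaced, not allowed
    ("laptop-17", "web-01", 443, "tcp"),
]

# Constructed output of the prework: the protect surface and its classification
PROTECT_SURFACE = {"db-01": "critical", "app-01": "high"}
# Constructed business sign-off: which sources are legitimately allowed to reach each asset
APPROVED_SOURCES = {"db-01": {"app-01", "backup-01"}, "app-01": {"web-01", "web-02"}}

def build_adm(flows):
    """Map every destination to the set of (src, port, proto) that talk to it."""
    adm = defaultdict(set)
    for src, dst, port, proto in flows:
        adm[dst].add((src, port, proto))
    return adm

def allow_list(adm, protect_surface, approved):
    """Return (rules, review). Rules explicitly allow only approved observed
    dependencies of each protected asset and end with a default deny for that
    asset; every other observed dependency goes to `review` instead of being
    silently allowed (observed traffic is not the same as authorised traffic)."""
    rules, review = [], []
    for asset in sorted(protect_surface):
        for src, port, proto in sorted(adm.get(asset, ())):
            if src in approved.get(asset, set()):
                rules.append(("allow", src, asset, port, proto))
            else:
                review.append((src, asset, port, proto))
        rules.append(("deny", "any", asset, "any", "any"))  # closes the trust boundary
    return rules, review

if __name__ == "__main__":
    rules, review = allow_list(build_adm(SAMPLE_FLOWS), PROTECT_SURFACE, APPROVED_SOURCES)
    print("rules:", *rules, sep="\n  ")
    print("needs review:", *review, sep="\n  ")
```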

Phase 2 – Strengthening the architecture further

Following successful implementation of phase 1, consider this second set of projects:

  1. Expand on your NAC solution. If you have not already, integrate your NAC with other key systems in your environment, including Active Directory, DDI (DNS, DHCP and IP Address Management), and your logging tools. This is also a great time to start experimenting with, and then deploying, a Posture Assessment (also known as Profiling) capability. This ensures that not only are devices and users authenticated, but they are also checked for compliance with your security policies before they are authorised to access your network.
  2. Deploy a User and Entity Behaviour Analytics (UEBA) tool. It is now time to get an even clearer picture of how your users, devices and applications talk to each other. Only consider UEBA tools which have advanced machine learning capability and which integrate nicely with your SIEM application. You could also consider deploying similar tools on your servers. Preferably, those tools should also give you the option to enforce a particular policy dynamically.
  3. Expand on your SIEM solution. Ideally, your SIEM solution should now include the following capabilities: advanced alerting, automation, big data analytics and threat intelligence.

Phase 3 – become the envy of your competitors

Security is never about competing with your competitors and always about defeating advanced adversaries, but it sure feels good to know you are doing something better than the rest 😉 Having said that, I personally will only do business with an organisation that I know will keep my data safe. So what do we need to do during this fina… *cough* next phase?

  1. Deploy 2FA and a least-privilege access strategy. Consider deploying two-factor authentication to counter credential-based attacks. It is also time to lock down those NGFW and NAC rules to ensure users, devices and apps only access the other users, devices and apps that they absolutely need to.
  2. Encrypt all your data at rest and in motion, and add more context. This step could prove a little challenging if you perform encryption inside your application, so take care to ensure your logging, monitoring and UEBA tools can still inspect traffic. You should also look at other sources of data which can provide more context to your UEBA and SIEM tools to identify threats, address vulnerabilities, and uncover incidents.
  3. Embrace Security Automation and Orchestration (SAOR). By now you should have realised that managing all these complex and dynamically changing policies is not an easy task. You also need to be able to detect and respond to threats faster. This is yet another critical step that is often forgotten – or put into the too-hard basket – by many organisations.

As mentioned before, Zero-Trust is not a set-and-forget solution to all your security problems. You need to constantly improve on it, monitor it and manage all its complexities.

Other considerations and final notes

You do not need to be a security expert to realise that there are many moving parts and integration points in an architecture based on zero trust. It is this ‘integration’ piece that requires a lot of thought and care. Ideally, you would like to reduce complexity and choose a vendor that can provide a pre-integrated ecosystem of solutions. Going with a single vendor, however, can increase your other risks, including commercial ones such as vendor lock-in.

My other quick note is regarding response capability. Prevention is obviously key; however, being able to detect and then respond to an attack is also an important aspect of the model. This includes all the changes required to your existing change management processes, especially once you deploy a SAOR capability.

I am interested to find out your thoughts on this and welcome all your comments.