Part-1: Zero Trust Demystified

Asad Syed
14 min read · Mar 1, 2024


No Medium subscription, you may read from here.

Part-1: “Zero Trust Demystified” [This Article] (Includes Principles, What, Who, When & Where).

Part-2: “Unlocking the Necessity and Advantages of Implementing Zero Trust Architecture (ZTA)” [2] (Discusses Benefits & Why ZTA).

Part-3: “Zero-Trust Architecture Rollout Plan” [3] (Discusses ZTA rollout plan’s How-to, step-by-step).

Introduction:

In 2010, cybersecurity expert John Kindervag of Forrester Research coined the phrase “zero trust”. Zero Trust, a.k.a. Zero Trust Architecture (ZTA) (the two terms are used interchangeably in this working paper), is a modern security strategy / model based on the principle of “never trust, always verify”, which is the first principle of ZTA. What this means is that, irrespective of a user’s, device’s or component’s physical location, and even if it was previously verified, under this design you do not trust an incoming request for access to your resources by default: an explicit access re-verification is performed first, and only then is access granted.

A Zero Trust model is applied to an organization’s digital infrastructure components by removing implicit trust and by enforcing strict identity AuthN & AuthZ for access according to the least privilege principle, which is continuously attested. This is the second principle.

The third principle is that cybersecurity breaches are assumed: preparation, drills and practice for incident response are done in advance so that operations continue smoothly should the day of a real breach arrive.

The fourth principle is to identify breaches as early as possible and neutralize them, so that the impact on the organization is minimal. To understand the stages of the cyberattack lifecycle, you may refer to my paper on MITRE ATT&CK and the importance of the attack “kill chain” stages from here.

At a high level Zero Trust means that the requesting device will never be trusted even if it is on the trusted corporate network. Currently there is no defined RFC for Zero Trust.

“Zero Trust architecture focuses on Resource protection.”

This is the best one-sentence description of Zero Trust, from Alper Kerman [1] on his blog for the NIST NCCoE project [1] associated with Zero Trust Architecture (ZTA).

The available Zero Trust references are ZTA [1], NIST SP 800–207 [2] a.k.a. Zero Trust Architecture, and CISA’s “Zero Trust Maturity Model” [3]. There are some dedicated pages from IT vendors on this topic as well. We will use the 5W1H approach (What, Who, When, Where, Why and How) to analyze this topic.

What is Zero Trust?

Zero Trust moves us from traditional static, network-perimeter-based security to perimeter-less, dynamic security. Zero Trust Architecture (ZTA) is the enforcement of Zero Trust principles; it is not a single technology or product but rather a mindset and a strategy that can be applied to different IT domains. In this paper we refer to these domains as the components of your digital infrastructure: IaaS, PaaS or other kinds of Cloud, on-site, on containers, server-based, serverless or on virtual servers. On top of these components sit applications, APIs, and workload components. The most vital component flowing through all of these layers is, of course, your “data”. The Zero Trust principles are applied to all these components, including data.

The Zero Trust model is also referred to as perimeter-less security (PLS). PLS is an important and not much discussed feature of ZTA. It is through ZTA that we access our banking applications, Amazon/eBay services, and Cloud services from anywhere and from any device. The owners of these services do not care about your endpoint device’s form factor, its OS, its patch level or its location, yet they have full control over the transactions you perform on their infrastructure. All of eCommerce runs on ZTA, although this is often not explicitly stated. The cybersecurity teams of these services have done a phenomenal job, even though a look back through the timeline shows some breaches.

The architecture principles, as defined in our introduction section, could be applied to all these IT System layers / components, for it to be called a Zero Trust Architecture. The enablement of ZTA is directly proportional to the risks in your environment.

It must explicitly be noted that ZTA requires all security controls (countermeasures) deemed necessary for a secure static environment to continue to function, so that risks within a perimeter-based environment stay reduced. Zero Trust Architecture is then applied on top of that to transform it into a perimeter-less environment. -Asad Syed

According to the NIST guideline SP 800–207 [1] on Zero Trust, it seeks to address seven tenets, re-listed below for your reference:

1. All data sources and computing services are considered resources.

2. All communication is secured regardless of network locations.

3. Access to enterprise resources is granted on a per-session basis, after credential verifications.

4. Access to resources is determined by dynamic, robust, and defined security policy.

5. Your Incident Response (IR) program monitors, measures, & alerts on the integrity and security posture of all your resources and connected assets.

6. AuthN and AuthZ for all resources are dynamic and strictly enforced before any access is allowed.

7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.

Who should make the Zero Trust implementation decision?

You, along with your management, can decide when, how and at what speed to roll out Zero Trust within your environment. This is not a product that can simply be deployed and then you are done.

RFC 793 originally defined the Transmission Control Protocol (TCP) [1]. That document described the functions performed by TCP and implemented by programs that use TCP for networking. Over the years the original TCP RFC has been enhanced multiple times, via RFC 9293 [1] and RFCs 879, 2873, 6093, 6429, 6528, and 6691, which together make the original concept of TCP from RFC 793 much more robust, powerful, and mature.

However, when discussing or implementing Zero Trust there is no defined RFC, at least as of this paper’s publishing. This gives us (you and I) the liberty to discuss the Zero Trust concept openly, with some freedom but within logical boundaries from a cybersecurity viewpoint and in line with the Zero Trust principles defined in the introduction of this working paper. That is exactly what we will do here, and others can add to or modify what we lay down.

When to enable Zero Trust?

As highlighted, Zero Trust is more about re-designing your key infrastructure components. So it is best done whenever you are about to establish a new partner relationship, are dealing with an infrastructure component’s end-of-life, or are performing a major component upgrade. It is best done gradually over a defined period, as it will consume resources and increase costs. With the end goal in view, the rollout must be designed accordingly. The best advice here is: once you familiarize yourself with the Zero Trust architectural principles listed in the introduction of this working paper, it will be easier to evaluate your partner’s ZTA environment/architecture/features against yours. A working reference ZTA rollout plan can be accessed from here.

Where is Zero Trust applied?

Zero Trust architecture applies to the components of your digital infrastructure, which are:

  1. ✅ On your servers/hosts/IoT devices. The location of these devices is not relevant; Cloud or in-house hosted is irrelevant.
  2. ✅ On the network. LAN or WAN is again not relevant. However, micro-segmentation strategies are relevant and recommended.

  2.1 → Macro-segmentation provides high-level control over network traffic between various points of your organization’s network.

  2.2 → Micro-segmentation offers granular network visibility and the ability to effectively enforce zero-trust access controls.

  3. ✅ The last but most critical component is your data, which traverses on top of the components stated above. Data is usually classified based upon its sensitivity, and labels are assigned to it. These labels range from public, to general/internal use, to confidential or classified (a.k.a. government confidential). Security controls are wrapped around data protection based upon the criticality of the data classification level. Data-centric security and data protection strategies are involved at this component level. Note that increased cost is associated with protecting data that is higher on the sensitivity scale.
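The difference between macro-segmentation (2.1) and micro-segmentation (2.2) is easiest to see on a concrete flow. The following is an added example, not code from the article: a default-deny flow check where the macro layer only knows zones (dmz/app/db) and the micro layer knows per-workload tags. The workload names, zones, tags and rules are all constructed for illustration.

```python
"""Added example (not the article's code): default-deny evaluation of a
network flow at two layers, macro-segmentation (zone to zone) and
micro-segmentation (workload to workload). All names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    zone: str          # macro-segment, e.g. "dmz", "app", "db"
    tags: frozenset    # micro-segment labels, e.g. {"app:payments", "tier:web"}


# Constructed inventory: two applications sharing the same "app" zone
WEB_PAY = Workload("web-pay-01", "app", frozenset({"app:payments", "tier:web"}))
API_PAY = Workload("api-pay-01", "app", frozenset({"app:payments", "tier:api"}))
API_HR = Workload("api-hr-01", "app", frozenset({"app:hr", "tier:api"}))
DB_PAY = Workload("db-pay-01", "db", frozenset({"app:payments", "tier:db"}))

# Macro rules: (src_zone, dst_zone, port). Anything not listed is denied.
MACRO_ALLOW = {("app", "app", 8443), ("app", "db", 5432)}

# Micro rules: (tags required on src, tags required on dst, port), and the
# two workloads must additionally belong to the same application.
MICRO_ALLOW = [
    ({"tier:web"}, {"tier:api"}, 8443),
    ({"tier:api"}, {"tier:db"}, 5432),
]


def macro_permits(src: Workload, dst: Workload, port: int) -> bool:
    """Zone-level firewall: cannot distinguish workloads inside one zone."""
    return (src.zone, dst.zone, port) in MACRO_ALLOW


def same_app(src: Workload, dst: Workload) -> bool:
    return any(t.startswith("app:") and t in dst.tags for t in src.tags)


def micro_permits(src: Workload, dst: Workload, port: int) -> bool:
    """Workload-level policy: identity of both endpoints, not their zone."""
    if not same_app(src, dst):
        return False
    return any(s <= src.tags and d <= dst.tags and p == port
               for s, d, p in MICRO_ALLOW)


def evaluate(src: Workload, dst: Workload, port: int):
    """Returns (macro_decision, micro_decision) so it is visible which
    layer catches a flow; lateral movement inside a zone shows up as
    (True, False)."""
    return macro_permits(src, dst, port), micro_permits(src, dst, port)


def zero_trust_permits(src: Workload, dst: Workload, port: int) -> bool:
    """Under ZTA both layers must allow the flow."""
    return all(evaluate(src, dst, port))
```

Running `evaluate(WEB_PAY, API_HR, 8443)` shows the point: the zone firewall allows app-to-app traffic, so only the micro-segmentation rule blocks the payments web tier from reaching the HR API.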

Why Implement Zero Trust Architecture?

Articulating why Zero Trust Architecture (ZTA) is needed is crucial for securing buy-in from upper management and key stakeholders, as well as for acquiring the necessary funds. Hence a resolute write-up of the “Why” part of ZTA is indispensable; you can read it from here.

Key benefits and use cases for Zero Trust architecture implementation include:

  1. Speeds up and enables digital transformation of a complex environment.
  2. Decreases the cybersecurity risks because of the reduced backend infrastructure cybersecurity exposures, thereby enhancing your company’s environment and its overall security posture.
  3. Increases Maturity [1] of your Cybersecurity function.
  4. Builds and enhances confidence among your customers, partners, and stakeholders alike.
  5. Your company’s regulatory and compliance functions are strengthened: because of the backend re-architecture, future compliance/audit assessments have fewer findings, and your infrastructure more closely meets your industry vertical’s regulatory requirements.
  6. A side benefit of implementing Zero Trust architecture is the minimization of internal and external bad actors’ impact. There is less exposed area for mischief, because AuthN & AuthZ are re-verified before every access grant, other security controls are re-designed to keep out untrusted actors, and Zero Trust infrastructure visibility / monitoring is done in near real time.
  7. May stop malicious activities because of the new Zero Trust enabled security controls and workflows in place.
  8. Enforcement of the Zero Trust strategy in combination with the paradigm of Defense-in-Depth (DiD) creates a truly secure and robust environment, which is much more difficult to compromise. As a side note, the DiD concept leverages multiple (layered) security measures to protect an organization’s assets. For example:

  - Security guards in the lobby.
  - Surveillance cameras recording.
  - Building access via key card.
  - Pre-approved, time-restricted, and geo-location aware access.
  - 2F AuthN (two-factor authentication) for network / desktop logins, etc.

How to apply Zero Trust?

Enablement of Zero Trust architecture in your environment could be done via hundreds of diverse ways, utilizing different technologies, and applying a variety of architectural design principles that make your digital IT infrastructure components, Zero Trust enabled. The following three are the key Zero Trust principles.

1. Principle of continuous verification. Always verify access, all the time, for all your resources.

2. Limit the “blast radius”, a.k.a. the impact of an internal or external attack. A little later in this section, under the Data component paragraph, we will see how this second principle is applied using different tactics. This is a critical Zero Trust strategy that assumes an attack will happen at some point in the future, and that we are well prepared to identify and stop it in the earlier stages of the attack lifecycle [1].

The benefit is that the quicker we identify and neutralize an attack, the less damage it creates, and all the resources put into our cyberdefense efforts are then well worth it.

3. Automation of incident response (IR) via context data collection and response. Incorporate behavioral data and obtain context from the entire IT stack (identity, endpoints, applications, workloads, etc.) for the most accurate and robust response.

Not all components of your digital infrastructure need to be Zero Trust enabled.

The existing security controls (countermeasures) that are actively working on mitigating risks must continue to exist and perform their respective workloads. This is an absolute requirement, otherwise cybersecurity risks/gaps will open.

However, a few of the security controls related to implementing the Zero Trust principles need fine-tuning, re-designing or an upgrade to support Zero Trust Architecture. Let us now dive into the backend infrastructure components associated with Zero Trust and talk about the tactics that could be used for ZTA enablement.

#1 Servers / hosts: virtual or physical, in-house or Cloud.

#1.1 Authentication (AuthN) via the strong identity verification tactic, plus Privileged Access Management (PAM) to manage the keys-to-the-kingdom, along with proper identity lifecycle access management processes. There are many tools available in the market to accomplish this. Below are a few specific methods/techniques through which this tactic could be achieved.

WS-Federation and SAML 2.0 products from multiple vendors can support seamless cross-platform and cross-domain identity access integrations between a wide range of cloud environments, mobile, SaaS, APIs, and on-premises applications; identity federation utilizing the IdP and SP concepts [1] [2]; and more.

#1.2 Authorization via the fine-grained AuthZ tactic, a.k.a. granular access policies, designed on the least privilege access principle and with built-in periodic access certification. There are many tools available in the market to accomplish these AuthZ requirements of Zero Trust. Below are a few specific methods/techniques through which this tactic could be achieved.

Role-based Access Control (RBAC) [1], [2], [3], [4]

Attribute-Based Access Control (ABAC) [1], [2]. These are sometimes also referred to as PBAC, where P = Policy, or CBAC, where C = Claims.

The eXtensible Access Control Markup Language (XACML) [1], [2], [3], is an XML-based standard markup language for specifying access control policies. It defines a declarative fine-grained, attribute-based access control policy language, an architecture, and a processing model describing how to evaluate access requests according to the rules defined in the access policies.

OAuth 2.0 is an industry standard AuthZ protocol that allows websites or applications to access resources hosted by other web apps on behalf of a user without sharing the user’s credentials.

#1.3 Building an Incident Response (IR) strategy [1], [2] utilizing the tactics of user behavior pattern detection. The emphasis within IR is on earlier threat detection and neutralization.

#1.4 Making your incoming calls geo-location aware and enforcing your business-specific strategy on which areas of the world have access to your business services.

#1.5 A Content Delivery Network (CDN) strategy brings multiple benefits to the table, including protection against DDoS attacks and resilience against cyber-attacks; it enhances user experience and can drastically improve latency and large-user-environment bottlenecks.
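To make tenets 3, 4 and 6 from the “What” section and tactics #1.2 (fine-grained, least-privilege AuthZ) and #1.4 (geo-aware access) concrete, here is an added example, not code from the article: a minimal policy decision point that evaluates each request on identity, device posture, country and the classification label of the resource, grants access per session with a short TTL, and ignores network location entirely. The role ceilings, allowed countries and TTL rule are constructed policy, not a standard.

```python
"""Added example (not the article's code): a minimal Zero Trust policy
decision point (PDP). Every request is evaluated on its own attributes
(identity, MFA, device posture, geo-location, resource classification
label); network location is carried but deliberately never consulted."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Classification scale from the article; higher index = more sensitive
CLASSIFICATION = ["public", "internal", "confidential", "classified"]

# Hypothetical business policy (constructed): permitted countries and the
# highest label each role may reach (least privilege via RBAC ceilings)
ALLOWED_COUNTRIES = {"US", "CA", "DE"}
ROLE_CEILING = {"staff": "internal", "analyst": "confidential",
                "admin": "classified"}

@dataclass
class Request:
    user: str
    roles: set
    mfa_verified: bool
    device_compliant: bool   # posture attestation from the endpoint agent
    device_managed: bool
    country: str
    on_corp_network: bool    # present only to show it does not matter
    resource: str
    label: str               # classification label of the resource

@dataclass
class Decision:
    allowed: bool
    reason: str
    session_ttl: timedelta = timedelta(0)

def role_ceiling(roles) -> int:
    """Highest classification index any of the caller's roles may reach."""
    idx = [CLASSIFICATION.index(ROLE_CEILING[r]) for r in roles if r in ROLE_CEILING]
    return max(idx) if idx else -1

def decide(req: Request) -> Decision:
    """Tenets 3, 4 and 6: per-session, attribute-based, enforced before access."""
    if not req.mfa_verified:                      # never trust: verify identity
        return Decision(False, "mfa required")
    if not req.device_compliant:                  # tenet 5: device posture
        return Decision(False, "device not compliant")
    if req.country not in ALLOWED_COUNTRIES:      # tactic #1.4: geo aware
        return Decision(False, f"country {req.country} not permitted")
    if req.label not in CLASSIFICATION:
        return Decision(False, "unknown classification label")
    needed = CLASSIFICATION.index(req.label)
    if needed > role_ceiling(req.roles):          # least privilege
        return Decision(False, f"roles {sorted(req.roles)} cannot reach {req.label}")
    if needed >= CLASSIFICATION.index("confidential") and not req.device_managed:
        return Decision(False, "managed device required for this label")
    # Tenet 3: the grant is per session and short-lived; the more sensitive
    # the data, the sooner the PDP must be consulted again
    return Decision(True, "allowed", timedelta(minutes=60 // (needed + 1)))

def session_still_valid(d: Decision, issued_at: datetime, now: datetime) -> bool:
    """Continuous verification: no implicit trust survives past the TTL."""
    return d.allowed and now < issued_at + d.session_ttl
```

Note that `on_corp_network` is never read: a request from inside the corporate LAN without MFA is refused exactly like one from the Internet, which is the first principle in code.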

#2 Network (LANs / WANs), involving micro-network segmentation, firewalls between zones, and deep inspection of ingress encrypted traffic after decryption. VLANs, IDP/IPS and a few others are not worth mentioning as those are in place by default within a standard enterprise architecture.

#3 Applications [1] / APIs [2] / Cloud Workload Protection (CWP) [3a] [3b] [3c]

Application-level security and workload protection are especially important in ZTA, including deployment of a Web Application Firewall (WAF) and checking for all 934 application code weaknesses documented in CWE version 4.14 [1] via a static code analysis tool (many exist in the market today).

#4 Data is the most important asset in any business environment and the resource most sought after by hackers. Data may be structured or unstructured and hosted on a variety of systems, either in the Cloud, locally in the enterprise network, or both. This is the most complex and extensive effort required for Zero Trust enablement.

Tactics like context-aware user management could be utilized along with dynamic threat modeling for fast detection of malicious activities, and Extended Detection and Response (XDR) to accommodate incident handling in multi-cloud and hybrid environments.

There are a lot more tactics and associated data protection techniques, which are out of the scope of this paper for reasons of time. Some of those will be relevant to Zero Trust enablement.

Summary & Conclusion:

Zero Trust is a hot topic today because it addresses some critical challenges of the present era. The modern enterprise environment poses multi-fold challenges. The first challenge is that enterprise users are distributed everywhere. Users are not accessing enterprise applications from one location these days. In the post-COVID era it is prevalent for users to work from home or in a hybrid (home & office) model. Users can initiate enterprise application access requests from any location today, and probably from any device (although, percentage-wise, the second point is a little less prevalent).

The second challenge comes from the enterprise applications themselves, as those have also become distributed, for a different reason. The patterns below are worth highlighting to show the complexity of designing “access control” for distributed applications accessed by dispersed users:

Pattern #1 In enterprises we still have in-house applications (on-prem) behind our Active Directory.

Pattern #2 Some of the enterprises use in-house Applications as well as Applications from a Cloud Partner. This requires Hybrid Identity architecture. But wait there is more…

Pattern #3 Enterprises these days have their applications on more than one cloud. This requires Multi-Cloud Identity architecture.

Now a combination of the above three patterns creates rough terrain for access designers, but this situation can readily be addressed by using the principles of Zero Trust and the seven tenets of ZTA [refer to the “What” section above]. This is exactly why Zero Trust is the hottest topic of the day.

With the implementation of Zero Trust in your environment, it is enabled for proactive security rather than the standard reactive kind. One confusion in Zero Trust discussions is that technical people try to apply the Zero Trust principle to a narrow scope/use case. Nothing is wrong with that; however, when that is documented and distributed, some individuals start to believe that the scope of Zero Trust is that narrow.

The objective of this working paper was to establish the scope of Zero Trust from start to finish in the context of enterprise and consumer eCommerce environments. Hopefully, for anyone who reads this far, this paper provides a clear picture of the scope, benefits, and challenges Zero Trust addresses. The World Economic Forum in Aug 2022 did talk about Zero Trust and produced a community paper [1]. If the Zero Trust adoption trend continues at the same rate as in the last three / four years, then very soon we will see the following trends emerging:

⁑1⁑ Zero Trust adoption moves your Cybersecurity monitoring from a static to a dynamic environment. We have started to do this today.

⁑2⁑ In the future, all IAM vendors will offer some kind of alignment with ZTA principles for their products by marketing them as effortlessly Zero Trust enablement tools in your environment.

⁑3⁑ Zero Trust is already playing a critical role in hybrid cloud environment integrations. This trend will continue to grow, and new “buzz words” or “tracking terms” like “Zero Trust Runtime”, “Zero Trust AuthN” and/or AuthZ, etc. will soon be widely adopted.

⁑4⁑ Merging Zero Trust with AI is another area where we will see a lot of movement in the coming days/months/years.

It is worth concluding that Zero Trust is a dynamic security model, which is continuously evolving to address the ever-moving threats within the dynamics of our evolving business environments. Cybersecurity professionals around the world are working towards making business environments secure, and Zero Trust works like a Swiss Army knife for them. We may also have a Zero Trust RFC sometime in the future.

Should you need to refer to Part 2 or 3 of this article, you may click the links listed below:

Part-1: “Zero Trust Demystified” [This Article] (Includes Principles, What, Who, When & Where).

Part-2: “Unlocking the Necessity and Advantages of Implementing Zero Trust Architecture (ZTA)” [2] (Discusses Benefits & Why ZTA).

Part-3: “Zero-Trust Architecture Rollout Plan” [3] (Discusses ZTA rollout plan’s How-to, step-by-step).

About The Author:


Asad Syed is a graduate of Mathematics, Applied Mathematics and Statistics. His experience spans Security Architecture, Security Operations Management, Digital Investigations & Forensics, Crisis & Threat Simulation, GRC Management, Threat Hunting, Cybersecurity Emerging Trends & Threat Mitigation, Database Security, Identity & Access Management, and Identity Federation. His interests are in the application of newer technologies to enhance the output performance of the technologies with which he is working. He is a writer, teacher, and cybersecurity evangelist who has worked for multiple Fortune 500 companies and is currently providing cybersecurity consulting to the upstream operations of the oil and gas industry. Reach him via Asad at ASyed dot com. ■
