Zero Trust Model - The Present Necessity

By

When I was preparing for CISSP 3 years back, a line from the book AIO guide - Shon Harris really made an impact on me. It goes like this “ There are only two people in the world I trust - You and I and I m not so sure about you.” This statement summaries the entire zero trust model, I presume.

Given the current situation, a lot of organizations have enabled remote access for its employees. The remote access when enabled has increased the attack surface for the hackers. In this blog post, we will learn about the zero trust architecture and why it is essential to enable zero trust for everyone including the CEO of the organization. 

What is Zero Trust?

Simple terms - No trust in anyone. Everyone has to prove themselves via the identity verification whether the person is operating from the office or the comfort of his/ her home. Zero Trust is not about making a system trusted, but instead about eliminating trust.

The term ‘zero trust’ was coined by an analyst at Forrester Research Inc. in 2010 when the model for the concept was first presented. A few years later, Google announced that they had implemented zero trust security in its network, which led to a growing interest in adoption within the tech community.

Zero trust is not a product or a service, it is an approach to security. An approach to ensure that you ALWAYS verify before trusting. The verification should not be limited to users only. It has to extend to all devices, networks, servers, applications and even data. 

Before we deep dive further into this approach, let’s understand the castle and moat mentality.

The Castle & Moat - Traditional IT Security

The traditional IT security works as the castle and the moat. The untrusted are out on the moat while the trusted people are inside. Well, you can easily deduce that, in castle-and-moat security, it is hard to obtain access from outside the network, but everyone inside the network is trusted by default. The
problem with this approach is that once an attacker gains access to the network, they have free reign over everything inside. This concept is responsible for a lot of data breaches around the world.

Add to this vulnerable model, dollops of data residing in multiple devices and places - cloud, data centre, applications etc. which is further spread across with multiple vendors across the globe. 

The zero trust model brings equality to the picture. Whether you are inside the castle or on the moat, you need to verify yourself first to gain trust. Essentially, Zero Trust is about protecting data by limiting access to it. An organization will not automatically trust anyone or anything, whether inside or outside the network perimeter. Instead, the Zero Trust approach requires verification for every person, device, account, etc. attempting to connect to the organization’s applications or systems before granting access.

Don’t scratch your head!!! Aren’t you wondering that there is a username password mechanism of identification and verification that has been deployed by your organization, along with 2FA implemented in some applications or networks?

To answer this confusion in your mind, you need to think about how you access your organization’s infrastructure. If you use a company-provided laptop and the moment you log in, you can access any server, application or cloud environment, it simply means that the organization trusts the device by which you are logging in and even you as the user who is logging from the device.

The Framework

Zero trust frameworks are used in some organizations and that too only in small pockets. If an organization uses zero trust, it has enabled only at the perimeter of the organization. Whatever exists inside the parameter is trusted and not questioned. Some organizations have enabled zero trust only for their critical data and applications and servers hosting such applications/data.

Given the current situation, every organization must move towards implementing this approach.

Is there a standard framework available? Is there an ISO standard that I can use? The unfortunate answer is NO. Even for writing this article, I could not find a single article that has not been written by the marketing department of an organization trying to sell its version as the foolproof mechanism of implementing zero trust model.

After some Googling about Zero trust, I found a research paper - https://storage.googleapis.com/pub-tools-public-publication-data/pdf/43231.pdf which is a research paper on rethinking the traditional IT security and moving towards zero trust. Google is one such organization that has moved in this direction. Its BeyondCorp program, which Google began developing more than six years ago, demonstrates a security model that: 

• Securely identifies the device
• Securely identifies the user
• Removes Trust from the network
• Implements an inventory based access control. 
 
BeyondCorp began as an internal Google initiative to enable every employee to work from untrusted networks without the use of a VPN. BeyondCorp is used by most Googlers every day, to provide user- and device-based authentication and authorization for Google's core infrastructure.

BeyondCorp is Google's implementation of the zero trust security model that builds upon eight years of building zero trust networks at Google, combined with ideas and best practices from the community. By shifting access controls from the network perimeter to individual users and devices, BeyondCorp allows employees, contractors, and other users to work more securely from virtually any location without the need for a traditional VPN.

High-level components of BeyondCorpSingle sign-on, access proxy, access control engine, user inventory, device inventory, security policy, and trust repository.

BeyondCorp principles
  1. Connecting from a particular network must not determine which services you can access.
  2. Access to services is granted based on what we know about you and your device.
  3. All-access to services must be authenticated, authorized, and encrypted.
This is Google’s vision and they have been quite successful in implementing it. 

Implementation Approach 

Post studying the research papers available in this domain, I present the following implementation approach for a zero-trust model. The approach needs to be customised for your organization. 
  1. Identify your assets 
  2. Identify your users
  3. Identify the protect surface
  4. Setup Authentication mechanisms
  5. Verify every access attempt
  6. Implement access verification at every small interval.
  7. Implement zero-trust policies on network
  8. Monitor all users, devices and networks.
It is important to note that a Zero Trust Framework doesn’t have to be disruptive to employees’ normal work processes, even though they (and their devices) are being scrutinized for access verification. Some of those processes can be in the background where users don’t see them at all.

What are your thoughts on this approach?

Comments

Post a Comment

You may also like to read...

Identification, Authentication, Authorization, and Accountability

By
Image
The 4 steps to complete access management are identification, authentication, authorization, and accountability. Many confuse or consider that identification and authentication are the same, while some forget or give the least importance to auditing. These are four distinct concepts and must be understood as such. Identification Whenever you log in to most of the websites, you submit a username. In case you create an account, you are asked to choose a username which identifies you. This username which you provide during login is “Identification”. It is simply a way of claiming your identity. From an information security point of view, identification describes a method where you claim whom you are. If you notice, you share your username with anyone. Your email id is a form of identification and you share this identification with everyone to receive emails. This means that identification is a public form of information. Authentication So now you have entered you
Continue Reading...

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC

By
Image
Identity and Access Management is an extremely vital part of information security. An access control model is a framework which helps to manage the identity and the access management in the organization. There are 5 main types of access control models: discretionary, rule-based, role-based, attribute-based and mandatory access control model. Every model uses different methods to control how subjects access objects. While one may focus on rules, the other focus on roles of the subject. As a security professional, we must know all about these different access control models. While one company may choose to implement one of these models depending on their culture, there is no rule book which says that you cannot implement multiple models in your organization. These models are built into the core or the kernel of the different operating systems and possibly their supporting applications. Every operating system has a security kernel that enforces a reference monitor concept, whi
Continue Reading...

How to Pass SSCP Exam in the First Attempt

By
Image
Systems Security Certified Practitioner (SSCP) exam is offered by (ISC)2 . When I prepared for this exam, there was hardly any material for preparation or blog posts to help me understand the experience of this exam. In this blog post, I will try to explain to you how to study for this exam and the experience of this exam.  Before I begin, let me congratulate on your journey to becoming an SSCP. Although this certification may not be highly recognized as the CISSP certification, still it shows your employer and the world that you are really interested to pursue your career in this field. You become a practitioner in this field. What is SSCP? You would like to read CISSP vs SSCP in case you want to have a comparison between the exams. SSCP is a 3-hour long examination having 125 questions. You are required to score a minimum of 700 out of 1000. 25 questions are not graded as they are research oriented questions. It is important to note that since these questions are
Continue Reading...

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel

By
Image
Imagine a system that processes information. This information is classified in nature. When we say, its classified, it means that the information has been labeled according to the data classification scheme finalized by the organization. This scheme can be company specific, such as public, internal and confidential or military/government specific such as Confidential, Top Secret, Secret, Public. As a general user or a security professional, you would want that proper controls to be implemented and the system to be secure that processes such information. Imagine a scenario where such a malicious user tries to access this information. What clearance must this person have? Will he/she have access to all classified levels? Hey!!, stop imagining. Let’s discuss something else now. Hold on, I know, I had asked you to imagine the scenario above. But answers to all your questions would follow, so keep on reading further. We need to learn and understand a few terms before we are ready
Continue Reading...

Cloud Computing - The Logical Model

By
Image
At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality.  The four layers are : Infrastructure: The core components of a computing system: compute, network, and storage.The foundation that everything else is built on. The moving parts. Metastructure: The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies and enables management and configuration. Infostructure: The data and information. Content in a database, file storage, etc. Applistructure: The applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services. The security at different levels is mapped to the different layers. The application security is managed at the applistructure layer while the data sec
Continue Reading...