Creating a Zero Trust Security Infrastructure

Zero Trust is a security framework that endeavors to make networks more secure by eliminating the concept of trust from an organization’s network architecture. Zero Trust uses a Zero Trust Network Architecture (ZTNA) also known as perimeterless security or Software Defined Perimeter (SDP). This approach to the design and implementation of IT systems and security assumes users, devices and applications should not be trusted by default.

NIST defines Zero Trust (ZT) as an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Zero Tust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location or based on asset ownership. Authentication and authorization are discrete functions performed before a session to an enterprise resource is established.

Per NIST, Zero Trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero Trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.

Why Do We Need Zero Trust?

The main reason we need zero trust is because the job of securing company’s assets and employees is now much more difficult. Gone are the days where all our data, systems and employees are behind the corporate firewall. Even then 3^rd parties were threats and remote workers. Now all our assets are in public/private clouds, cloud application servers, while workers work from home as well as the office. Protecting all of that requires an SDP leveraging zero trust for all security whenever possible. Old security models simply don’t work well enough as evidenced by the number of success attacks.

The ZTNA provides better visibility, more granular control, encompasses all data, system, and user locations and provides better auditing capability.

Zero Trust is Not a Single Security Solution

Unfortunately, Zero Trust is not a single security solution. But rather, we need to infuse zero trust into all elements of security as much as possible and leverage true zero trust platforms as they emerge.

Why is Nearly Every Security Product Vendor Now Advertising Zero Trust?

Zero Trust is a hot topic. Most security vendors are claiming some form of zero trust in their security. Similar to AI/ML solutions, the scope and impact of any zero trust elements varies by security solution. The focus should be on assembling the best zero trust solutions available that accomplish your goals.

Leveraging 100% Zero Trust Solutions/Platforms

1. Zero Trust Network Architecture (ZTNA) Micro-segmentation Solutions
   • These are new solutions that attempt to provide hardened security to protect company’s data wherever it may be located.

     

   • These solutions use micro-segmentation to define granular access control at the user level.
   • Solutions only allows specific users, devices, applications to access specific IT assets by defining rules
   • ZTNA must be integrated with access control solutions to ensure authentication of user.
   • ZTNA can provide visibility of who is trying to access protected resources.
   • ZTNA solutions seem to have two focuses 1) Solutions that protect key data or assets and 2) solutions that protect entire companies and their users.
   • ZTNA enables Software Defined Perimeters (SDP)
2. Multi-factor Authentication (MFA)
   • Using 2 or more factor authenticating. Single Sign-on provides easier management and use. Used as part of virtually all access control solutions. Evolving management, use and policy creation to facilitate broader use.
3. Privileged Access Management (PAM)
   • Implementing least privileged access control for privileges accounts in companies.
   • Used in conjunction with MFA solutions.

Shoring up Zero Trust with other Security that Contains Zero Trust Elements

1. Cloud Security (Data, servers in public/private cloud)
   • ZTNA micro-segmentation solutions are a big start to protect key data or assets wherever they are
   • MFA & privilege management provides IAM
2. Data Protection
   • Use ZTNA micro-segmentation to protect data wherever it is
   • Use MFA for IAM
   • Encryption can be used to eliminate some level of trust if access is only granted for authorized authenticated users
3. Cloud Application Security (CASB)
   • Zero trust with CASB should leverage MFA access control (Roles, authentication, access rights)
   • CASB has implicit in it the ability to control access rights by user making CASB an essential element in zero trust
4. Securing Remote User Access
   • Use MFA to prove identity
   • Use VPNs to provide secure channels and to authenticate users, VPN portals can be used to define granular access to data, applications, devices
   • Leverage other solutions like ZTNA to define privilege management and granular access control
5. Firewalls
   • Firewalls can be used as a tool in providing zero trust. Firewall elements that can contribute to the zero trust goal include:
     • Network segmentation
     • Focus on “allow” versus “deny” rules to provide and tighter controls of what can connect and to what
     • Policies that focus on Users, applications and data locations and restrict access to only those that require access.
   • VPNs provide zero trust networks for network sites and for endpoints, but do not provide granular control of what users do after obtaining secure access. ZTNA is required to provide true granular control.
6. Endpoint Security
   • At the endpoint, if you can absolutely restrict which programs can run to only those that are safe, that is meaningful zero trust security.
     • Whitelisting can be used to only allow certain applications, programs, processes to run. If this can be automated (as some vendor products can), it can be an effective zero trust enhancement to your endpoint security. Using Whitelisting on servers is often used to add extra security. Auto-whitelisting can help.
   • Some technologies like: Sandboxing are zero trust (but it is not applied to all programs)
   • Most other EP technologies like AI/ML, behavioral are not really zero trust, but are very important.
7. Email Security
   • Email security is not inherently zero trust, but does employ multiple methods to prevent phishing, CEO fraud, malicious attachments, and links with some zero trust elements.
   • Secure Email is zero trust and means only the identified recipient can open your encrypted emails
   • Sandboxing of program attachments is zero trust, but is only applied when it is suspected or unknown
   • Important, but not zero trust
     • Reputation checking of domains, URLs, Source IPs, Destination IPs check against known trusted and bad
     • CEO Fraud content checkers – content analysis looking for CEO fraud indicators
     • Whitelisting instructs email security what to allow, but not what to block. Blacklisting can only block known (prior) bad senders. Meanwhile 99.9% of emails still get to your inbox or spam.
     • AI/ML executable program analysis
8. SIEM & SoCs
   • Monitoring all IT systems for access control violations is part of a SIEM.
   • Integration with IAM solutions and using GEO location awareness of users as they attempt resource access, supports zero-trust
   • So SIEMs provides oversight of the access control zero trust initiative
9. Backup and DR
   • Ransomware caused modern System/Data backup systems to change to prevent 1) backups of corrupted (encrypted) data and 2) corruption of already backed-up data (by encrypting it after the fact). Backups must be trusted and must be offline and inaccessible by rogue software after they are backed up. Happily, BDR solutions have adapted apply zero trust by eliminating corruption after the fact by taking backups offline. Validating that the users accessing the backup system are trusted is key to approaching zero trust.

Zero Trust Action Items

1. As always start with a 3^rd party risk assessment to determine your security gaps and priorities
2. Define a strategy
3. Select ZTNA platforms
4. Reinforce other security with zero trust
5. Implement, monitor and manage
6. Rinse and repeat

Contact us to discuss zero trust and how ZTNA should change your security approach.