Zero Trust Mentality
Cyber security professionals have historically followed what is known as the castle mentality. It is a viewpoint that views bad guys positioned outside of our castle, hoping to gain entry to steal our crown jewels. We have built moats, castle walls, and associated defenses to keep them out.
Over time, it has become apparent that attackers have evolved, so we need to. Traditional firewalls that block IP addresses and filter packets are not good enough to keep the bad guys outside. Zero trust presents us with a different approach to keeping our crown jewels safe.
The primary focus of cybersecurity is the management of risk. Our focus must always be on reducing potential dangers to our organization. The zero trust mentality has been developed with this in mind and provides a better way to protect our users and corporate assets.
Zero trust refers to the adoption of paradigms designed to move our defenses from the traditional castle mentality to one focused on users, assets, and resources. It assumes that no asset or user account is granted an implicit trust based solely on their physical or network locations (i.e., internal network) or asset ownership (i.e., company-issued laptop).
We call the adoption of zero trust a “mentality” because it requires us to shift our thinking. Historically, the focus has been on protecting our organization’s perimeter, which no longer exists. Zero trust provides us with guiding principles for developing workflows, system designs, and operations to improve our organization’s security posture.
The exponential growth of data breaches in recent years is forcing the adoption of zero trust on some level. We cannot hide behind the “mote” of traditional security defenses and feel safe. Successful implementation of zero trust requires every member of our organization to assume an attitude that views every network asset as hostile.
Implementation of zero trust requires multiple paradigm shifts. First, we will start to view every network asset as being untrusted. Secondly, we will automatically assume that if any user cannot prove their identity cryptographically, we must not trust them. Our chances of implementation will be much greater if we start with these assumptions.
The primary benefit of zero trust is that it enables us to continue business operations unchecked and at the same time minimize our risks from doing so. To accomplish this, the model moves our focus from the traditional perimeter to authentication, authorization, and shrinking implicit trust zones. It views every user as untrustworthy, so we will implement very granular access rules to enforce the least privileges for every action taken.
The presumption that we cannot trust any user or network asset requires us to always verify, validate, and authenticate. Users must prove they are who they say they are before being granted access to any system or resource. In practice, zero trust, therefore, will apply to two primary areas: authentication and authorization. Example questions that are asked in this model include:
- What level of confidence do we have that a subject’s identity is authenticated?
- Can we grant access to the subject based on our confidence that they are who they claim to be?
- Is the device hosting the request configured to the expected security posture?
- What other factors should be considered that may change our confidence levels (e.g., time, location, security posture)?
AT&T security guru Bill Cheswick once described traditional models as “a sort of crunchy shell around a soft, chewy center.” You may recognize that he was describing the perimeter-defense model that typically utilized network firewalls as the focal point of security. An attacker who could breach this firewall had free reign to move about in the internal network.
Seven Tenets of Zero Trust
A zero trust architecture will be designed and deployed with the following basic tenets (NIST SP 800-207):
- All data sources and computing devices are considered resources. As a result, we must protect everything from users to databases in the network equally.
- All communication is secured regardless of network location. Network location alone no longer implies trust in Zero Trust. Access requests from all assets must now meet the exact security requirements, whether internal or external assets.
- Access to individual enterprise resources is granted on a per-session basis. Trust will no longer be granted that extends beyond the current session.
- We use dynamic policies to determine access to resources. User behaviors and attributes are monitored to ensure that they align with historically observed behaviors to decide whether or not they are in line with established acceptable risk levels. The result will be the application of least privilege, limited access, and just enough access policies.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets, and none shall be inherently trusted.
The organization will rotate approved assets rotated from time to time. For illustration of this concept, I served six years in the Navy, working on F/A-18 aircraft. We would remove planes from service at scheduled intervals for engine overhauls, avionic upgrades, or other such tasks. The same type of process is followed in a Zero Trust environment to ensure that an asset deemed trustworthy previously has not been compromised.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed. Zero Trust requires us to use multi-factor authentication everywhere. It will also include implementation of continuous monitoring processes to ensure policies are being enforced.
- The enterprise collects as much information as possible about current state of assets, network infrastructure and the communications that will be used to improve security postures. Modern IT environments are dynamic and constantly changing. We can longer afford to set up static defenses that are unchanging. Success requires us to set up defenses capable of adapting to almost continual changes in the dynamic environments that are our networks.
NIST has identified these seven tenets as being required to achieve our goal of reducing enterprise risk.