Key Takeaways
- Zero Trust focuses on mitigating Advanced Persistent Threats (APTs), which can very well originate from inside an organisation's network and not only from the outside world.
- As a user, any system under your control should meet the latest security requirements, often instructed by endpoint protection agents installed by the organisation.
- As an architect, you should create the necessary Identity and Access Management (IAM) policies and optimise these rules to evaluate the status of endpoints and Network Access Devices (NADs), and make the necessary decisions in automating orchestration workflows to deal with current and future APTs.
- As an organisation, introducing allowlisting instead of denylisting of malicious sites and applications is a better way of preventing these APTs. Also, organisations as a whole should be participating in security awareness events such as creating honeypots, hackathons and running mock phishing programs to analyse employee interaction rate to make better security decisions.
- As a security enthusiast, you can learn more about the ever-changing security landscape by checking security updates in systems and applications, the differences in release notes and new technologies in this area.
Introduction
Zero Trust Security redefines how organisations view and deal with security threats dynamically. As ransomware and phishing attacks increase, it is evident that attack vectors can be found in abundance on the inside, contrary to what industries thought about the inside zone of network perimeters being attack-proof. Advanced Persistent Threats (APTs) are on the rise, and the security of organisations needs to be reshaped to match the attackers’ approach towards perimeters. Zero Trust is about deperimeterizing networks and dealing with APTs inside and outside the networks with equal scrutiny.
Defining Zero Trust Security
Zero Trust Security can be thought of as a new security architecture approach where the main goals are: verifying endpoints before any network communications take place through an infrastructure, giving least privilege to endpoints at all times and finally continuously evaluating the endpoints throughout the communication assuming that they are always suspicious.
It has evolved over the years with the network changes we have seen throughout the explosion of the IT industry such as moving from on-premise to cloud infrastructure. And with audit experts like Forrester and Gartner redefining adoptions of Zero Trust with models like ZTX (Zero Trust Extended) framework and CARTA (Continuous Adaptive Risk and Trust Assessment), today security companies have their own versions and use cases of Zero Trust.
However, the core values and the high-level architecture remain the same. This is as per the NIST Model of 800-27, which has the policy engine as the processing unit of a ZTA implementation. The policy engine is generally an IAM (Identity and Access Management) server where network architects create rules that adhere to Zero Trust principles. These can be rules such as endpoints and network devices being compliant with industry standards such as ISO/IEC, applications having the latest updates and software patches to reduce vulnerability risks, etc. Architects can then work with these constraints to restrict access to and from endpoints which do not meet these requirements, so that any attack vectors can be isolated to such endpoints and prevented from infecting other systems.
In the same architecture, the Policy Enforcement Point (PEP) is the interface that acts as a barrier between any requester and a resource. So, whatever rules are applied through the Policy Engine get executed by the PEP. This can be a firewall or even a login page for different users belonging to different segments.
How I started with Zero Trust
It is important to understand that many networks already use Zero Trust principles in a way, even though they might seem trivial. For example, when my workplace started incorporating Multi-Factor Authentication (MFA) for the employees in all teams, it was a sudden change for non-security teams. However, most employees were already using an endpoint malware detection application to profile company assets for malicious activities.
I personally have been working on implementing Zero Trust principles via VPN for more than 3.5 years now. Working with firewalls, IPS integrations, IAM servers, and how they all help VPN has been the main focus in my role.
In my work experience, for example, almost all HTTP public websites are blocked using HTTP blockers on company assets, as HTTP poses threats like DDoS attacks and denial-of-service using vulnerabilities like cross-site scripting, security misconfigurations and many others. Such sites also have phishing links and malvertised content, which result in the host machines getting infected with malware. So, endpoint protection and threat detection using web and DNS inspectors like Cisco Umbrella or Webroot DNS is important. Similarly, endpoint inspection applications always monitor the endpoint PC. Any potential malicious file downloaded on the endpoint via some application/web, despite the application and web browser using secure methods, can take over the system pretty easily. So, a secure endpoint application is one of the safer ways to keep monitoring the endpoint’s activity. Applications like Cisco Secure Endpoint, Sophos Intercept X, End-User Endpoint Security, etc. are some examples. There are many other Zero Trust values that I incorporate, such as multi-factor authentication and device health monitoring using Cisco Duo, Microsoft Authenticator, etc., and other applications for email security inspection to minimise phishing attacks, among others.
There have been businesses as important as hospital environments with whom I have worked and while working on one such implementation, I had found that the emphasis was more on getting a stronger authentication method such as certificates, instead of user credentials. However, there was no privilege escalation mitigation. There was evidence of logs of patient records being accessed by all authenticated users belonging to the hospital such as accounts team, helpdesks, and first responders which were not necessary, and served as a potential attack vector. Being a hospital environment, the importance of security increases even more, and we ended up implementing IAM access policy rules for patient records to be accessible only to appointed doctors and specific personnel with limited visibility to records, and denying any and all access to these records for anyone else.
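The policy engine and PEP described earlier, applied to the patient-records rule from the hospital case, can be sketched as follows. This is an added example, not code from the author or any product named here; the role names, field names and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: which doctor is appointed to which patient.
APPOINTMENTS = {"dr_rao": {"patient-17"}}
# Limited visibility: fields each permitted role may see (hypothetical roles).
VISIBLE_FIELDS = {
    "appointed_doctor": {"name", "diagnosis", "medication"},
    "records_nurse": {"name", "medication"},
}
RECORDS = {"patient-17": {"name": "J. Doe", "diagnosis": "asthma",
                          "medication": "salbutamol", "billing": "acct-0042"}}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    cert_valid: bool        # certificate-based authentication succeeded
    mfa_passed: bool
    device_compliant: bool  # posture reported by the endpoint agent
    patient_id: str

def decide(req: Request) -> tuple[bool, str]:
    """Policy engine: every check must pass; anything not allowed is denied."""
    if not (req.cert_valid and req.mfa_passed):
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "endpoint fails posture check"
    if req.role not in VISIBLE_FIELDS:
        # Authenticated, but the role has no need for patient records.
        return False, "role not permitted for patient records"
    if (req.role == "appointed_doctor"
            and req.patient_id not in APPOINTMENTS.get(req.user, set())):
        return False, "doctor not appointed to this patient"
    if req.patient_id not in RECORDS:
        return False, "unknown record"
    return True, "allow"

def enforce(req: Request) -> dict:
    """PEP: evaluates every request and returns only the fields the role may see."""
    allowed, reason = decide(req)
    if not allowed:
        return {"denied": reason}
    record = RECORDS[req.patient_id]
    return {k: v for k, v in record.items() if k in VISIBLE_FIELDS[req.role]}
```

Strong authentication alone only satisfies the first check; the accounts and helpdesk users from the hospital case pass it and are still denied by the role rule.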
Many times, organisations think that security is daunting or even overrated. But all it takes is one vulnerability, one attack surface for attackers to initiate and propagate lateral movement of malware inside an organisation and create data security breaches without a head start.
And as one of the important pillars of ZTX is “people”, understanding security for an organisation’s own employees is as important as maintaining trust with its customers outside the organisation.
Applying Zero Trust security
New implementations can be approached depending on what your focus points are. For example, if your focus is on improving endpoint identification, you can switch from single-factor authentication to MFA. If you have more emphasis on databases, you can migrate to authentication tokens, OAuth over MySQL, PostgreSQL, etc.
Investing in a good IAM server or service is crucial to Zero Trust. This allows a granular level of database access control for each type of role, user or application as per your network requirements. Moreover, one can create micro segments with Security Group Tags (SGTs) and create the necessary rules at Policy Enforcement Points for least privilege, or start by evaluating and improving how threat detection is used in the network. Additionally, network administration can be done using the IAM server: for example, associating group policies with different segments, posturing and profiling for endpoints, centralised pxGrid services and context visibility of users and traffic.
Without a good IAM server, there is a chance that you may create extra load on default policies, giving escalated privilege access to a broader spectrum of users which increases attack surfaces.
If you are using an existing security solution, you should first try to optimise it to use Zero Trust principles and validate what is missing. For example, if I am still using default passwords for my network or application logins, that needs to change and move towards MFA and passwordless authentication. It is pivotal to understand the problems in an existing setup, acknowledge the drawbacks and address the issues.
Performing security scans, audits, certificate checks, or vulnerability scans is a great start. They often give insights into which standard security best practices are missing to get on board with Zero Trust. There are open source security scans available, and IT firms also offer Security-as-a-Service (SaaS) for these tasks. However, that is not enough.
Consulting with a security expert is a great way to get an in-depth analysis of your network and where there is scope for improvement. You can then revise the network segmentation where required, go through existing rules, use automation to do these tasks if required and find out what type of authentication, authorization and accounting is being done for endpoints and NADs.
You can also start with orchestrating and automating threat detection tasks. This has now become a point of interest for many security firms and architects as we move towards Software-Defined Networks (SDNs) with solutions such as SD-WAN and SASE, and demand implementations such as smart integrations of firewalls in perimeters, automating threat detection on servers and creating workflows for what action the firewall or IAM server should take if an attack is encountered. Then, revisiting Indicators Of Compromise (IOCs) from threat detection and response is a crucial step to consider, as studying these IOCs gives an idea of what went wrong, why the endpoint was vulnerable and undetectable, and more importantly, how these reports can help to prevent future APTs. This gives further scope to study attack patterns so that you can come up with better security systems.
The point being, there is no starting point for Zero Trust as long as the principles are implemented within the network.
The key things that I can say will help you make a decision are: investing in a good IAM server, using Next Generation Firewalls, creating dynamic rules, using MFA for authentication, moving away from passwords, and integrating all these with Threat Hunting tools. If you happen to have interest in integrating all of these with automation tools and AI, that is a long lasting implementation that can help track patterns of future attacks dynamically. My team had worked with certain business critical applications for finances which were getting hindered because of new attacks happening very often. Using applications like Cisco Stealthwatch, the visibility to studying the IOCs was easier and we were able to get more knowledge about which finance businesses are more vulnerable in terms of attacks like TrickBot, Ramnit, etc.
Benefits and drawbacks of Zero Trust security
Zero Trust Security is, as discussed, an evolution of existing security practices. Since we cannot eliminate threats, the best we can do is protect the network and its resources with highly adaptable and scalable security strategies which eliminate implicit trust from the network. For example, your employees from the accounts team don’t require any access to confidential data present in the IT department, or vice versa. We see that many employees who move into different teams internally still tend to have access to old resources because resource-based authentication and privileges are not checked. So, organisations should take access control and data wastage more seriously.
Zero Trust aims at minimising lateral movement of attacks in an organisation, which is the most common cause of threat duplication or spread of malware and viruses. In expeditions during organising capture the flag events, we often give exercises to work with Metasploit, DDoS attacks and understanding attack vectors and how attacks move. For example, a phishing email attack targeting a user was used which had a false memo that was instructed to be forwarded by each employee to their peers. That email had MS PowerShell malware embedded and it was used to depict how often good-looking emails are too good to be genuine. And since, just like that, the attack vectors are often targeted to be inside of organisations, Zero Trust suggests always verifying all network borders with equal scrutiny.
Now, as with every new technology, Zero Trust is not built in a day, so it might sound like a lot of work for many small businesses, as security sometimes comes across as an expensive investment. As companies are providing solutions like SaaS and PaaS, the technical debt which exists within organisations can be overwhelming. It can also be difficult to migrate networks from a non-Zero Trust towards a Zero Trust implementation when existing products are not compliant with many of its principles. For example, there can be limitations in existing systems which do not go along with the Zero Trust principles, like P2P services in Microsoft Windows which share peer information to sustain. Solutions to this can include understanding these default settings and modulating them as needed. Also, many 24/7 businesses often cannot afford downtime to update security features, and unfortunately become vulnerable to many ransomware attacks. So, it is recommended to use high availability between resources and clustering of devices so that there is minimum impact on production of such businesses and updates can be done during live migration.
These checks are important as one should understand that this bridge between security checks, compliance and software versions and patches will only widen with time. And if any action is not taken immediately, it might turn out to be more expensive to perform damage control later with this widened gap in security.
There is no one solution to Zero Trust Security. There is no one magic box that can implement ZTX principles. So, considering what you have, what you can do better, how fast you can recover from threats and how well you can predict future threats is a strategy that can help businesses and customers get closer to Zero Trust.
Learn more about Zero Trust Security
As we move from on-prem to cloud infrastructure, we have seen an increase in cloud vulnerabilities as well. So attacks like ransomware are pretty common now. We have seen MS PrintNightmare evolving towards becoming remote code execution as well; more spooling attacks, blockchain attacks like Sybil attacks, and identity theft are on the rise, so the threat world never ceases to surprise supply chains and threat hunters.
However, people are becoming more aware of how Zero Trust, the Zero Trust Framework and its important adoptions such as microsegmentation are helping customers segregate networks based on factors like type of devices and type of traffic, and choose the policy engine rules and policy enforcement points to implement Zero Trust values at each segment. This helps with managing a hybrid network that is present in most customer deployments.
We are also emphasising best practices for any software lifecycle, be it security chaos engineering, understanding OPSWAT for secure coding and keeping development code safe, or integrating security in DevOps. I would say that there is a continuous research and development cycle for security on its own.
Beginning to learn Zero Trust can begin simply by understanding one’s organisation security insights. How do you do your authentication for sandboxes or applications? Do you use MFA? Do you use next generation firewalls? Have you given up unused data access? Have you used threat detection tools? All these questions can ignite the curiosity of understanding the future of security.
One can also read white papers like the NIST architecture (Zero Trust Primer) and the White House’s take on Zero Trust (Executive Order on Improving the Nation’s Cybersecurity).
It’s also interesting to learn about Zero Trust forum security conferences where industry experts share their insights on best practices.
A bonus is subscribing to InfoQ to learn more about security trends and keep oneself updated with security news everyday! :)
And remember, security has an expiry date. So, let’s take it seriously and act before time runs out.