Let’s Breakdown Zero Trust

Let's Breakdown Zero Trust

Understanding Zero Trust: A Modern Security Paradigm

Before diving into the origins of Zero Trust back in the 2000s, let’s clarify what Zero Trust means in the 2020s. To help with that, we’ve created an engaging video that explains what Zero Trust security is all about and explores the factors behind its growing popularity.

The Evolution of Zero Trust: From Concept to Security Standard

Zero Trust, as we know it today, didn’t emerge from a single idea but rather from the collective insights of security professionals responding to the same emerging trends. Here’s a brief look at how this security paradigm evolved:

  • Pre-2000s Security Model:
    • Relied on a hardened perimeter around corporate intranets.
    • Used firewalls and single log-ins for network access.
    • Trusted users once inside the network (castle-and-moat or M&M model).
  • Changes in the 2000s:
    • Reliable home internet and public Wi-Fi blurred physical office boundaries.
    • Employees, contractors, and partners needed remote access to company data.
    • Initially, corporate VPNs provided secure network access.
  • Limitations of VPNs:
    • VPN compromises could expose entire networks.
    • The concept of a hardened perimeter became less viable.
  • Department of Defense’s “Black Core” Architecture (2005):
    • Focused on securing individual transactions with end-to-end encryption.
    • Aimed for a seamless, secure network integrating all DoD information systems.
  • Security Challenges in the Mid-2000s:
    • Viruses like Blaster and SoBig exploited network vulnerabilities.
    • Paul Simmonds’ 2004 “de-perimeterization” framework called for:
      • Cross-enterprise trust and authentication.
      • Better data classification standards.
      • These ideas laid the groundwork for modern Zero Trust.

Understanding these developments helps us appreciate how Zero Trust evolved from the need for secure, flexible access to corporate data and the shortcomings of previous security models.

How Forrester Coined and Shaped the Zero Trust Model

The term “Zero Trust Model” first emerged in 2009, thanks to Forrester’s John Kindervag. His influential report introduced three core principles that still shape our understanding of Zero Trust today:

  • Secure Access for All Resources:
    • Ensure secure access regardless of location.
    • Apply the same level of encryption and protection for internal and external data.
  • Adopt Least Privilege Strategy:
    • Enforce access control strictly, allowing users access only to the data needed for their roles.
    • Implement role-based access control to operationalize least privilege.
  • Inspect and Log All Traffic:
    • Continuously monitor network traffic to detect anomalous or suspicious behavior.
    • Identify activities like unusual downloads or access patterns that deviate from normal user behavior.

These principles have evolved but remain foundational to Zero Trust. The concept of continuous authentication, while not explicitly mentioned in Kindervag’s initial report, has since become integral to the Zero Trust framework.

The term _Zero Trust Model_ first emerged in 2009, thanks to Forrester’s John Kindervag

Microperimeters and Insider Threats in Zero Trust Security

The 2010 Forrester report was a groundbreaking document that introduced two concepts still sparking debate in the Zero Trust community.

  1. Microperimeters and Network Perimeters:
    • Kindervag’s Zero Trust Model challenges the traditional corporate network perimeter, advocating for de-perimeterization by stating “the perimeter no longer exists.”
    • Despite this, the report frequently references threats as either “internal” or “external,” suggesting a lingering attachment to the network model.
    • Kindervag advises segmenting networks into microperimeters to restrict access, apply security controls, and monitor traffic. While useful, this idea has been exploited by vendors to promote firewalls and VPNs, which are not aligned with Zero Trust principles.
  2. Insider Threats:
    • The Forrester report emphasizes the danger of malicious insiders, using examples like Russian spies, Chelsea Manning, and Edward Snowden to highlight internal threats.
    • However, it conflates different types of breaches:
      • Third parties using stolen credentials.
      • Employee errors due to carelessness or ignorance.
      • Deliberate malicious actions by employees.

This conflation can be seen in the report’s transformation of “internal incidents” into more sinister “malicious activities,” reflecting the ongoing tension and confusion around these issues in the Zero Trust landscape.

The Misguided Focus on Malicious Insiders in Zero Trust Security

Focusing on malicious insiders has led to some of the worst excesses in Zero Trust security technology, often resembling intrusive bossware. While companies invest heavily in preventing insider misbehavior, they often overlook the risks that come from employees simply doing their jobs. This misalignment diverts attention and resources from more pressing security issues, leaving organizations vulnerable to threats that don’t fit the “insider threat” narrative.

Google’s BeyondCorp: Bringing Zero Trust to the Forefront

In 2014, Google launched its BeyondCorp initiative, which played a pivotal role in transforming Zero Trust from an intriguing concept into an essential security strategy. Interestingly, Google’s announcement didn’t mention the term “Zero Trust”—it’s unclear whether they aimed to replace the term or were simply unaware of it—but BeyondCorp clearly represented an evolution of Zero Trust Architecture (ZTA).

By this time, the business world was embracing the cloud, with SaaS applications becoming the norm. BeyondCorp was the first Zero Trust implementation to truly envision a perimeterless world. Google’s approach was groundbreaking: “We are removing the requirement for a privileged intranet and moving our corporate applications to the Internet.”

Key features of BeyondCorp included:

  • Authenticated, Authorized, and Encrypted Access: Every access request to enterprise resources was fully authenticated, authorized, and encrypted based on device state and user credentials.
  • Fine-Grained Access Control: Google enforced fine-grained access to different parts of enterprise resources, allowing all employees to work from any network without needing a traditional VPN.

Despite its influence on the broader security landscape, not all of BeyondCorp’s ideas have persisted in later Zero Trust implementations.

Google’s BeyondCorp_ Bringing Zero Trust to the Forefront

Device Trust and BYOD

A critical aspect of Zero Trust Architecture is ensuring that all devices accessing the network are secure. While strong authentication, role-based access control (RBAC), and encryption are vital, they can’t protect against threats from malware-infected devices.

Despite widespread agreement on the importance of device trust, many Zero Trust reports and vendors offer few concrete suggestions for maintaining device security. Some even claim that Zero Trust can support BYOD policies and lessen the need for endpoint management.

However, Google explicitly rejected the compatibility of BYOD with BeyondCorp. They emphasized that “only managed devices can access corporate applications,” issuing unique certificates to identify and verify the security of each device. This approach, though somewhat lacking in detail, goes further than many other Zero Trust guides in outlining a practical process for ensuring device trust.

Google’s BeyondCorp initiative not only advanced the concept of Zero Trust but also provided a more concrete framework for its implementation, highlighting both the potential and challenges of achieving true perimeterless security.

NIST’s Zero Trust How-To Guide

The National Institute of Standards and Technology (NIST) provides the most comprehensive guide to Zero Trust currently available. Their 2020 report explores the various aspects of Zero Trust Architecture (ZTA), offering detailed guidance on managing the transition.

Key Points from the NIST Report

  • Flexible Approach:
    • NIST doesn’t prescribe a single “right way” to implement Zero Trust. Instead, it covers different architectures, deployments, trust algorithms, and use cases.
    • This flexibility has contributed to the report’s relevance and longevity.
  • Transition Management:
    • The report provides practical advice for transitioning to ZTA, from creating an asset inventory to evaluating vendors.
  • Security Approach:
    • NIST describes Zero Trust as an approach to security rather than a rigid set of policies or technologies.

Evolving Standards

While the report remains a valuable resource, some aspects have become outdated. For example, the report tries to be “technology agnostic” regarding authentication methods, listing username/password, one-time codes, and device certificates as options. By 2023, it’s clear that not all authentication methods are equally secure, with passwords being particularly weak. Strong authentication is essential for effective Zero Trust.

Evolving Standards

Identifying Threats

NIST’s report highlights several potential threats to ZTA, including:

  • Stolen credentials
  • Compromised policy administrators (such as identity providers)
  • Lack of interoperability between vendors

Additionally, the report points out a less recognized risk: the “subversion of ZTA decision process.” In practice, security policies can be undermined by admins and executives who grant themselves exceptions, such as accessing resources from personal devices.

NIST’s guide offers a robust foundation for understanding and implementing Zero Trust, while also acknowledging the challenges and evolving nature of security practices.

The Future of Zero Trust is Just Beginning

You might be tired of hearing about “Zero Trust” by now, but its core principles are here to stay. As SaaS apps dominate the digital landscape, the traditional network perimeter becomes obsolete. In this perimeterless world, strong authentication, encryption, and access control are essential.

The Flexibility and Future of Zero Trust

Zero Trust’s popularity and profitability stem from its flexibility. There’s no single “right way” to implement Zero Trust. In fact, the essence of Zero Trust is that it’s not something you achieve but something you continually practice. This ongoing practice will keep evolving as it interacts with the real-world demands of security.

Zero Trust’s journey is far from over. As technology advances and security challenges evolve, so too will the principles and practices of Zero Trust, ensuring its relevance and necessity in the years to come.

 

 

 

 

0/5 (0 Reviews)