Published on September 4th, 2019

The zero trust model explained



Zero Trust is more than a buzzword or a single
product. Instead, it is a recognition that how we work has fundamentally
changed and that we need to shift the way that we think about working securely.

At its core, Zero Trust marks a move away from
the binary security model that focuses on keeping the good guys in and bad guys
out, to one that validates every interaction before granting access to
resources.

The common mantra of “never trust, always
verify” expresses the core concept of the Zero Trust philosophy. But what does
it mean in practice and how did we get to this point? In the hopes of
understanding why we need to reconceptualize how we think about security, let’s
take a look at what has changed in recent years to bring us to this new point
of departure.

Imagine There's No Perimeter, It's Easy If You Try

We used to think of work as occurring at a
physical place or location. Now we think of it as something that can be done
from multiple locations and on many devices.

As recently as a decade ago, we came to the
office and powered up our desktops in order to connect to the local network and
access all of our resources. Since we were mostly logging in from local
machines, it was fairly simple to know who was supposed to be inside the
network and who wasn’t. At the end of the day, we left work at the office.

Later on, when we began connecting remotely and the open web became more of a risk factor, security became a bigger concern, so we started implementing firewalls like a moat around our castles. VPNs could teleport us into the network if we had the right credentials, but there was still a pretty clear definition of where our perimeter was. And it was generally assumed that if you had made it past the drawbridge, then you belonged there and could be trusted to move about as you pleased.

These days, there is not much of a single network to speak of, and the perimeter has lost most of its meaning. The wide-scale move to cloud services like AWS has displaced the local network, moving many of our most valuable resources outside our supposed ring of protection. We no longer work from cubicles; instead we use different devices to access resources from cafes, airports, homes, trains, and everywhere in between.

What we are left with are a series of
endpoints seeking to access an equally dispersed set of cloud-based resources.
So what exactly is the perimeter supposed to be protecting, and where does it
begin or end? Simply put, there is no longer a line dividing those users or
devices that we should inherently trust and those we should not. 

Cat and Mouse, Moose and Squirrel — Because on the Internet, Nobody Knows You're a Dog

As a concept, the idea of “never trust, always
verify” sounds pretty darn catchy. But what do we really mean by this in
practice?

For starters, we cannot assume that a user or device is who they say they are.

Since we have shed the idea that there is an inside and outside of a perimeter, we now need to assume breach: treat every network, device, and request as if it could be compromised, and therefore authenticate and authorize each request for access on its own merits. There are no more "safe" or "trusted" zones to be found here.

Data points like source IP addresses are no longer useful for authentication purposes: everyone is working from different and changing locations, requests pass through NAT, proxies, and VPN concentrators that hide the real origin, and an attacker who has compromised a host on a "trusted" network sends traffic from a trusted-looking address. Instead, we need to think about identifying devices and users/applications, verifying who they are, and making sure they have the right permissions to perform each action requested.

So how does this approach materialize in
actual practice?

4 Zero Trust Principles You Should Know

To clarify the approach in more concrete
terms, here are four of the key principles, practices, and technologies that we
use in Zero Trust.

MFA

Multi-factor authentication (MFA) is one of the key technologies in use today for verifying user identities. It has its roots in hardware one-time-password tokens such as RSA SecurID, and Google's BeyondCorp model later made strong user and device authentication the cornerstone of perimeter-less access. MFA requires that a user requesting access provide not only something that they know (i.e. a password) but also something that they have. This second factor might be a hardware security key like a YubiKey, an authenticator application on the user's device like Google Authenticator, a push notification to their mobile, or, in the worst of cases, an SMS. The hope is that if an attacker has obtained the credentials from a breach, data dump, phishing page, etc., they will be denied access when challenged with MFA.

Not all second factors are equal. SMS codes can be intercepted by SIM swapping, and one-time codes or push prompts can be relayed through a phishing page or approved by a fatigued user in real time. FIDO2/WebAuthn security keys and passkeys bind the response to the site's origin and so resist phishing; the other options do not.

Device Management

With machines calling in for access from around the world, verifying that each device is known and in good health is essential. Whether it is a laptop or phone belonging to an employee or an AWS server calling an internal API, the device should present an identity of its own (typically a certificate issued at enrollment) and meet a posture baseline (disk encryption, current patches, endpoint protection running) before access is granted, and that check should be repeated on each request rather than performed once at login.

Limit Privileged Access

Not every employee should have access to all
parts of your business; they probably do not need it in order to do their job,
and it creates an unreasonable level of risk. Insider threats and compromised
user accounts are common concerns that can be mitigated if we limit what users
have access to in the first place. So even though we still require verification
for every user, the Zero Trust approach tells us to provide everyone with the
minimal level of privileges that they need, hopefully making it harder for
adversaries to access more valuable bits of information or controls.

By the same token, we should be monitoring
user behavior through all interactions to ensure that they are behaving as
expected. Chances are that Steve from accounting probably does not need to have
access to your users’ passwords or other sensitive data that is unrelated to
his job.

Embrace Segmentation

In a similar vein, Zero Trust tells us not to put all of our company's eggs in one basket. In practice, this means breaking up your network, data, and other resources into smaller, separately controlled sections, each with its own access policy, so that even if an adversary is able to break into one part of your system, they are unable to move laterally and make off with the entire haul in one go.
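The four principles above, together with the earlier point that source IP addresses carry no authentication value, come together at a policy decision point that evaluates every request. The following is an added example, not code from the article or from any vendor's product: a hypothetical, default-deny `decide()` function over constructed data. The resource, segment, and role names (`payroll-db`, `finance`, `accounting`, and so on) and the sample requests for "Steve from accounting" are invented for illustration. Each request must carry a verified second factor, come from a managed device (a healthy one for sensitive segments), and be permitted by a role for that segment and action; the request's `source_ip` is carried along but never consulted.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Hypothetical data model for an access request (constructed for this example).


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # enrolled in device management, holds an org-issued certificate
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool    # a second factor was presented for this session


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str
    source_ip: str        # carried along, but deliberately never consulted by decide()


# Constructed policy tables with hypothetical resource, segment and role names.
# Each resource lives in exactly one segment; roles grant (segment, action) pairs,
# so compromising an accounting account never reaches the identity segment.
RESOURCE_SEGMENT = {
    "payroll-db": "finance",
    "expense-reports": "finance",
    "user-credentials-vault": "identity",
    "wiki": "general",
}
ROLE_PERMISSIONS = {
    "accounting": {("finance", "read"), ("finance", "write"), ("general", "read")},
    "employee": {("general", "read")},
    "iam-admin": {("identity", "read"), ("identity", "write"), ("general", "read")},
}
# Segments holding sensitive data demand a healthy device, not merely a managed one.
SENSITIVE_SEGMENTS = {"finance", "identity"}


def device_healthy(device: Device) -> bool:
    return device.managed and device.disk_encrypted and device.os_patched


def decide(req: Request) -> Tuple[bool, str]:
    """Policy decision point: default deny, evaluated on every request.

    Order of checks: resource known -> MFA verified -> device managed
    (and healthy for sensitive segments) -> some role grants this action
    in this segment. The source IP is never looked at.
    """
    segment = RESOURCE_SEGMENT.get(req.resource)
    if segment is None:
        return False, "unknown resource"
    if not req.subject.mfa_verified:
        return False, "MFA required"
    if not req.device.managed:
        return False, "unmanaged device"
    if segment in SENSITIVE_SEGMENTS and not device_healthy(req.device):
        return False, "device posture insufficient for sensitive segment"
    for role in sorted(req.subject.roles):
        if (segment, req.action) in ROLE_PERMISSIONS.get(role, set()):
            return True, "allowed by role " + role
    return False, "no role grants %s on segment %s" % (req.action, segment)


# Constructed sample principals: "Steve from accounting" and his devices.
HEALTHY_LAPTOP = Device("lt-1234", managed=True, disk_encrypted=True, os_patched=True)
PERSONAL_PHONE = Device("ph-9999", managed=False, disk_encrypted=True, os_patched=True)
STEVE = Subject("steve", frozenset({"accounting", "employee"}), mfa_verified=True)
STEVE_NO_MFA = Subject("steve", frozenset({"accounting", "employee"}), mfa_verified=False)

if __name__ == "__main__":
    for r in [
        Request(STEVE, HEALTHY_LAPTOP, "payroll-db", "read", "203.0.113.7"),
        Request(STEVE, HEALTHY_LAPTOP, "user-credentials-vault", "read", "203.0.113.7"),
        Request(STEVE, PERSONAL_PHONE, "payroll-db", "read", "10.0.0.5"),
        Request(STEVE_NO_MFA, HEALTHY_LAPTOP, "wiki", "read", "10.0.0.5"),
    ]:
        print(r.subject.user, r.resource, r.action, "->", decide(r))
```

Note that the two requests arriving from the "internal" address 10.0.0.5 are refused for the same reasons as any other: the decision depends on who and what is asking, not on where the packets came from.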

Zero Trust is a Process, Not a Product

Implementation of the principles laid out
above will not come overnight, nor will your company achieve Zero Trust success
by buying a shiny new product.

Instead, we should look to Zero Trust as a
guiding principle that leads to a more honest conversation about how an
organization works, and which processes and technologies need to be adopted in
order for it to work more securely.

How are we granting access? According to what
types of criteria? And what kinds of verification should we require? These are
all questions that organizations should consider when deciding which Zero Trust
solution is best for them.
