Prepare for Zero Trust Security Model at the organization level: Foundations and Implementation

by Ashish Shrivastava

The increasing usage of cloud-based services, mobile computing, internet of things (IoT), and bring your own device (BYOD) in the industry have changed the technology space for the enterprises. Secure architectures that rely on secure and careful design, access controls to isolate and restrict access to corporate technology resources and services, security perimeter, Security awareness, education & training and infrastructure security are no longer sufficient for a workforce that regularly requires access to applications and resources that exist beyond corporate network boundaries. The shift to the digital world as the network of choice and the continuously evolving threats, Industries led must adopt a Zero Trust security model.

The COVID19 pandemic accelerated Zero Trust model adoption since the beginning of the disease in late 2019. Since the after start of the COVID19 pandemic, most of the industries worldwide adopted the work-from-home model. The biggest shift of the workforce to work from home has resulted in an increasing number of security breaches and cyberattacks.

Consider the scenario, where a malicious actor comprises legitimate user’s credentials and attempts to access organizational resources. The malicious actor is using an unauthorized device. In a traditional network, the user’s credentials alone are often sufficient to grant access, but in a zero-trust environment, the device is not known. So, the device fails authentication and authorization checks and access is denied. The malicious activity is logged.

This article will talk about the foundation and guiding principles for implementing a Zero Trust security model and asses your Zero Trust readiness. It will help you to prepare the strong foundation and strategy to implement zero trust security model to protect against the ever-growing threats of cyber-attacks.

Foundation of Zero-trust architecture?

Organizations today are challenged in protecting resources (e.g., device assets, application services, business workflows, networks, and user accounts). A Zero Trust security model when implemented reduces external and internal threats in the organizations for their systems and data.

While preparing for a Zero Trust initiative, Zero Trust architecture reduces risk across in the organizations that are migrating to the cloud and/or transforming legacy network-based controls by establishing strong identity verification and authentication, validating device prior to granting access, and ensuring least privilege access to only explicitly authorized resources.

Zero Trust requires that every transaction in the organization between systems (user identity, device, network, and applications) be strictly validated, strongly authenticated, and authorized within organization’s policy constraints before granting access.

When Zero trust effectively centralizes deployed and is applied to each data or resource access request, an organization’s risk from data breaches, ransomware, and insider threats is minimized.

The foundational principle of zero trust is that trust should not be implicit “trust no user or device.”, it must always be granted to a user or a system when accessing organizational resources or data.

Defining principles of zero trust as per NIST, following are:

• Never trust, verify explicitly – Treat every user, device, application/workload, and data flow as untrusted. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies
• Run under the assumption of a security breach – Consider every digital asset is a resource (i.e., hardware, datasets, and applications). Access to resources should be controlled (i.e., authenticated, and authorized) on a per-connection basis and deny by default. All the resource should heavily scrutinize all the resource i.e users, devices, data flows, and requests for access. Log, inspect, and continuously monitor all configuration changes, resource accesses, and network traffic for suspicious activity. Communication channels should secure by default and all the hardware connecting to resources should controlled by the organization.
• Access based on least privileged- The principle of least privilege refers to an information security concept in which a user is given the minimum levels of access or permissions, needed to perform his/her job functions. Authenticate and explicitly authorize each to the privilege required using dynamic security policies. Limit user access with just-in-time and just-enough-access, risk-based adaptive polices, and data protection to help secure both system and data.

According to NIST Zero trust guide that no implicit trust is granted to assets or user accounts only based on their network location or based on asset they owned. Instead of assuming everything is safe behind the firewall, the Zero Trust security model assume all requests for access run under the assumption of a security breach and explicitly verifies each request. Zero Trust security model teaches us to “never trust, always verify.”, regardless of where the request originates or what resource it accesses, Every access request should fully authenticated, authorized, and encrypted before granting access to any critical resource. A Zero Trust security model relies on security policies, are used to decide whether to allow access, deny access, or control access with additional authentication challenges (such as multi-factor authentication), terms of use, or access restrictions.

Implementing Zero Trust Architectures

Developing an implementation plan and the need to understand technical requirements, how can zero trust be enabled in an organization’s network and business applications?
These are all hard questions, especially when addressing legacy systems, on-premises environments versus in new deployments in the cloud.

Assess Your Zero Trust Maturity

Implementing of Zero Trust security model takes time and effort: it cannot be implemented overnight. For many networks, existing infrastructure can be leveraged and integrated to incorporate Zero Trust concepts, but the transition to a Zero Trust architecture often requires additional capabilities. Include Zero Trust functionality incrementally as part of a strategic plan can reduce risk accordingly at each step. As the Zero Trust implementation matures over time, enhanced visibility and automated responses allow defenders to keep pace with the threat.

The best approach to reaching a Zero Trust framework is to start with a single use case, or a vulnerable user group, for validation of the model.

As you consider security architecture transformation, it’s important to benchmark your starting position to identify areas for improvement and measure Zero Trust maturity as you evolve.

Potential challenges on the path to Zero Trust

When implementing Zero Trust in enterprise networks, several challenges may arise that reduce the effectiveness of the solution.
The first potential challenge is a lack of full support throughout the enterprise, possibly from leadership, administrators, or users. If leaders are unwilling to spend the necessary resources to build and sustain it, if administrators and network defenders do not have the requisite expertise, or if users are allowed to violate the policies, then the benefits of Zero Trust will not be realized in that environment.

Security Domains of Zero Trust Architecture

Zero trust architecture is based on the assumption that attackers are already present in a network.
As NIST (the U.S. Department of Commerce’s National Institute of Standards and Technology) describes it: “Zero-Trust Architecture is an enterprise’s cybersecurity plan that utilizes zero-trust concepts and encompasses component relationships, workflow planning, and access policies.”

Using the NIST SP 800-207 document as a reference point, we can classify these Zero Trust Architecture under three major security domains and managing access to resources can be considered in three distinct domains – granting access, controlling access, and continuous monitoring.

Granting Access Domain: What factors should be considered in allowing access? How does one determine and verify the identity of an accessor, what is the integrity of an accessor, and the current state of an accessor? The three major security control and factor within this domain are “Authentication and Authorization,” “Integrity,” and “State.” If these factors are not properly implemented, unauthorized or compromised users or devices may get access when they shouldn’t.

Controlling Access Domain: How much access should be granted, and for how long the access is allow in terms of both time and activity? This domain fall under the principle of least privilege. The factors within the “Controlling Access” domain is “Minimal Access in Size” and “Minimal Access in Time.” If these factors are not implemented correctly, an enterprise risks granting too much access, which could lead to a security breach.

Monitoring and Securing Access: When zero trust access protocols are established, access must be continuously monitored and secured. If these factors are not followed, the zero-trust architecture could be vulnerable to network, infrastructure, and environment attacks.

Building Zero Trust into your organization

Implementation can be approach by implementing Zero Trust security controls and technologies spread across six foundational elements: identities, devices, applications, data, infrastructure, and networks.
As you begin to assess Zero Trust readiness in your organization and begin to plan on the changes to improve protection across these fundamental identities such as devices, applications, data, infrastructure, and networks, consider these key factors to help drive your Zero Trust implementation more effectively.

• Identities: When an identity attempts to access a resource, we should verify that identity with strong authentication, ensure access control in placed and compliant, and follows principle of least privilege access. User, device, location, and behavior should analyze in real time to determine risk and deliver ongoing protection. Password-less authentication should enable.
• Devices: Once an identity has been validated and granted access to a resource, then data can flow to a variety of different devices, from IoT devices to smartphones, and on-premises workloads to cloud hosted servers. This flow can create a massive attack surface area, it require monitoring of the device and enforce health & compliance for secure access.
• Applications: Applications and APIs provide the interface for the data consumption. System can be legacy on-premises, cloud workloads, or SaaS applications. Security controls should be applied in-app permissions, allow access based on real-time analytics, monitor for malicious behavior, monitor and audit of user actions, and secure validation of critical configuration. All apps should be provided with least privilege access with continuous verification along with in-session monitoring and response for all the apps.
• Data: Where possible, data should remain secure even if it leaves the devices, apps, infrastructure, and networks under the organization controls. To ensure protection, data should always be classified, labeled, and encrypted, and access should be restricted. Access decisions should govern by a security policy.
• Infrastructure: Infrastructure (whether on-premises servers, cloud-based VMs, containers, or micro-services), should assess for configuration, and then automatically block and flag for any malicious behavior and should take protective actions. User and resource access should segment for each workload. Unauthorized deployments should always be block and alert the system. Granular level access control should available across all the cloud workloads.
• Networks: All data is ultimately accessed over network infrastructure. Networks should be segmented, enable real-time threat protection, end-to-end encryption apply, monitoring, and analytics should in placed.

As you start to assess your Zero Trust readiness in the organization and begin to improve protection across fundamental elements such as identities, devices, applications, data, infrastructure, and networks, you should consider these key fundamental is help drive your Zero Trust implementation more effectively.

We can build the following security control and tools to drive Zero Trust implementation:

1. Strong Authentication System: The explicit ability to verify the identity of a process or device. Along with multi-factor authentication, roles for employees need to be tightly controlled, and different roles should have clearly defined responsibilities that keep them restricted to certain segments of a network.
2. Authorization System: Implement access management along with strong identity verification. The ability to grant or deny device access to data, assets, applications, or services by a policy enforcement point. Enforce the principle of least privilege when determining who needs access to what.
3. Data classification and protection. Discover, classify, protect, and monitor sensitive data to minimize exposure from malicious or accidental exfiltration.
4. Privileged and policy-based Access Management: The ability to secure, control, and manage privileged access to critical assets and applications via defined security policies.
5. Software-Defined Perimeter or Networking: Move beyond simple centralized network-based perimeter to comprehensive and distributed segmentation using software-defined micro-perimeters
6. Device Compliance: The ability to validate that policy engine decisions are enforced on device endpoints.
7. Network Segmentation: Network traffic can be segmented at either the macro or micro level depending upon the organization’s application and data resources. Move beyond simple centralized network-based perimeter to comprehensive and distributed segmentation.
8. Invest in automated alerting and remediation to reduce your mean time to respond (MTTR) to attacks.
9. Intelligence and AI. Utilize cloud intelligence and all available signals to detect and respond to access anomalies in real time.
10. Data Loss Prevention Systems: The ability to inspect network traffic and application-based traffic and apply rules to allow or deny it.
11. Security Information and Event Management Systems: A security information and event management system provides network and application traffic visibility and supports the notion of continuous monitoring and reporting on the success and failure of the enforcement of policy engine rules.

Summary

A zero-trust is a technology that helps organizations mitigate data breaches by removing the concept of automatic trust from network architecture. By adopting the zero-trust model, organizations can enhance their ability to fight advanced threats such as ransomware through leveraging micros-network segmentation and multi-layered access controls.

Zero-trust is not only used to enhance data security; it proves helpful to improve your organization’s data management efforts and helps you to have complete visibility over your data flow between your endpoints devices and connected networks.

Remember, “Never trust, always verify.”

Reference:

https://csrc.nist.gov/publications/detail/sp/800-207/final
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf