Zero Trust
Bernie Madoff counted on his developers to produce reports which effectively fooled government officials, auditors, executives, and famous clients.
An experienced fighter will create openings by throwing fake attacks in order to open a pathway into an intended target.
Threat actors sometimes use false flags and fake attacks to deceive investigators so their attention is focused to where the threat actors want it redirected.
How do you know whether something that has been put in front of you is legitimate unless you take additional steps to conduct sufficient due diligence and due care?
Excuses such as, "you're getting lost in the weeds", or "you're being paranoid" are common weapons among those bullies who lack the intelligence, patience and or integrity to consistently do the right thing.
Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource. This document contains an abstract definition of zero trust architecture (ZTA) and gives general deployment models and use cases where zero trust could improve an enterprise’s overall information technology security posture.
Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.
Zero Trust is a framework for securing infrastructure and data for today’s modern digital transformation. It uniquely addresses the modern challenges of today’s business, including securing remote workers, hybrid cloud environments, and ransomware threats. While many vendors have tried to create their own definitions of Zero Trust, there are a number of standards from recognized organizations that can help you align Zero Trust with your organization.
NIST SP 800-207 is the most vendor neutral, comprehensive of standards, not just for government entities, but for any organization. It also encompasses other elements from organizations like Forrester’s ZTX and Gartner’s CARTA. Finally, the NIST standard ensures compatibility and protection against modern attacks for a cloud-first, work from anywhere model most enterprises need to achieve.
As a response to the increasing number of high profile security breaches, in May 2021 the Biden administration issued an executive order mandating U.S. Federal Agencies adhere to NIST 800-207 as a required step for Zero Trust implementation. As a result, the standard has gone through heavy validation and inputs from a range of commercial customers, vendors, and government agencies stakeholders – which is why many private organizations view it as the defacto standard for private enterprises as well.
Zero Trust seeks to address the following key principles based on the NIST guidelines:
Continuous verification. Always verify access, all the time, for all resources.
Limit the “blast radius.” Minimize impact if an external or insider breach does occur.
Automate context collection and response. Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc..) for the most accurate response.
Execution of this framework combines advanced technologies such as risk based multi-factor authentication, identity protection, next-generation endpoint security, and robust cloud workload technology to verify a user or systems identity, consideration of access at that moment in time, and the maintenance of system security. Zero Trust also requires consideration of encryption of data, securing email, and verifying the hygiene of assets and endpoints before they connect to applications.
Zero Trust is a significant departure from traditional network security which followed the “trust but verify” method. The traditional approach automatically trusted users and endpoints within the organization’s perimeter, putting the organization at risk from malicious internal actors and legitimate credentials taken over by malicious actors, allowing unauthorized and compromised accounts wide-reaching access once inside. This model became obsolete with the cloud migration of business transformation initiatives and the acceleration of a distributed work environment due to the pandemic that started in 2020.
Zero Trust architecture therefore requires organizations to continuously monitor and validate that a user and their device has the right privileges and attributes. It also requires enforcement of policy that incorporates risk of the user and device, along with compliance or other requirements to consider prior to permitting the transaction. It requires that the organization know all of their service and privileged accounts, and can establish controls about what and where they connect. One-time validation simply won’t suffice, because threats and user attributes are all subject to change
As a result, organizations must ensure that all access requests are continuously vetted prior to allowing access to any of your enterprise or cloud assets. That’s why enforcement of Zero Trust policies rely on real-time visibility into 100’s of user and application identity attributes such as:
User identity and type of credential (human, programmatic)
Credential privileges on each device
Normal connections for the credential and device (behavior patterns)
Endpoint hardware type and function
Geo location
Firmware versions
Authentication protocol and risk
Operating system versions and patch levels
Applications installed on endpoint
Security or incident detections including suspicious activity and attack recognition
The use of analytics must be tied to trillions of events, broad enterprise telemetry, and threat intelligence to ensure better algorithmic AI/ML model training for hyper accurate policy response. Organizations should thoroughly assess their IT infrastructure and potential attack paths to contain attacks and minimize the impact if a breach should occur. This can include segmentation by device types, identity, or group functions. For example, suspicious protocols such as RDP or RPC to the domain controller should always be challenged or restricted to specific credentials.
More than 80% of all attacks involve credentials use or misuse in the network. With constant new attacks against credentials and identity stores, additional protections for credentials and data extend to email security and secure web gateway (CASB) providers. This helps ensure greater password security, integrity of accounts, adherence to organizational rules, and avoidance of high-risk shadow IT services.
How to build a Zero Trust Architecture
The Zero Trust model is a set of design principles constituting a framework, and not something that can be implemented using a single product. It requires the right operational strategy, policies, architecture, products and integrations to be successful.
A Zero Trust network follows these four main principles:
Set all default access controls to “deny” for all users and devices; in short, all North-South and East-West traffic are always in ‘untrusted’ mode
Leverage a variety of preventative techniques to authenticate all users and devices every time network access is requested;
Enable real-time monitoring and controls to identify and contain malicious activity and modern threats including but not limited to ransomware and supply chain attacks; and
Align to and enable the organization’s broader, comprehensive cybersecurity strategy
Although each organization’s process for implementing a Zero Trust network will be unique, CrowdStrike offers the following recommendations to develop and deploy a Zero Trust architecture:
1. Assess the organization.
Determine the attack surface and identify sensitive data, assets, applications, and services (DAAS) within this framework.
Identify and audit every credential (active, stale, shared, human user, service accounts, privileged users, etc) within your organization and ascertain the gaps in authentication policies to prevent threats using compromised credentials.
Review all privileges for risk and impact.
Assess the organization’s current security toolset and identify any gaps within the infrastructure.
Ensure that the most critical assets (crown jewels) are given the highest level of protection within the security architecture.
2. Create a directory of all assets and map the transaction flows.
Determine where sensitive information lives and which users have access to them.
Consider how various DAAS components interact and ensure compatibility in security access controls between these resources.
Segment all identities.
Know how many service accounts you have and where they need to connect.
Review all authentication protocols and remove/raise connection challenges on any outdated protocol and (e.g. deprecated NTLM protocol usage) systems (often local legacy systems).
Secure a list of all sanctioned cloud services and enforce access based on risk scores and behavior
Remove stale accounts and enforce a mandatory password rotation.
3. Establish a variety of preventative measures.
Leverage a variety of preventative measures to deter hackers and thwart their access in the event of a data breach. These measures include:
Multi factor authentication (MFA): MFA, 2FA, or third-factor authentication, are essential to achieving Zero Trust. These controls provide another layer of verification to every user inside and outside the enterprise and should be triggered by risk increases, behavior, deviations and anomalous traffic.
Least privilege principles: Once the organization has determined where the sensitive data lives, grant users the least amount of access necessary for their roles with continuous verification. Review privileged accounts regularly and assess if those elevated privileges are required as a user moves from group to group.
Identity segmentation: Micro-perimeters act as border control within the system, identity/credential, and preventing any unauthorized lateral movement. The organization can segment based on user group, role, account type, applications accessed and so on.
4. Monitor the network continuously.
Figure out where the anomalous activity is occurring and monitor all the surrounding activity.
Inspect, analyze and log all traffic and data without interruption.
Escalate and store authentication logs for anomalous or suspicious traffic and activity.
Create a clear action plan for service account and other critical resource behavior anomalies.
Benefits of a Zero Trust Architecture
Zero Trust is one of the most effective ways for organizations to control access to their networks, applications, and data. Benefits of a Zero Trust Architecture include:
Improved visibility: The main objective of a Zero Trust model is to allow the organization to approve every user and every device every time access to the network is requested – with a clear understanding of who, why and how. This capability, coupled with least-privilege access, allows the organization to maintain strict oversight of all network users and devices, as well as their activity.
Reduced risk: Unlike a traditional perimeter security model, the default access setting for all users and devices in a Zero Trust environment is “deny.” By leveraging advanced technologies to verify the user’s identity, as well as provide application access based on behavior, user risk and device risk posture, the organization can significantly reduce risk by making it more difficult for adversaries to discover the network or gain access to it.
Containment: By segmenting the network by identity, group, and function, and controlling user access, a Zero Trust strategy helps the organization contain breaches and minimize potential damage. This helps organizations improve their “breakout time” — the critical window between when an intruder compromises the first machine and when they can move laterally to other systems on the network.
Improved user experience: When implemented correctly, a Zero Trust model provides an enhanced user experience, as compared to a VPN, which often limits application use, impacts system performance and needs to be updated and authenticated frequently. In many cases, Zero Trust organizations are also more likely to leverage MFA along with single sign on (SSO) tools to streamline and simplify the user experience with a conscious effort to reduce MFA fatigue.
BYOD policy enablement: Zero Trust can help enable personal device use, in that the security protocol does not consider who owns the device, but only that the user and device can be authenticated.
Cloud compatibility: A Zero Trust architecture is a critical security measure as companies increase the number of endpoints within their network and expand their infrastructure to include cloud-based applications and servers. A Zero Trust network is essentially borderless – it applies security principals equally to all users and devices regardless of location.
Reduced complexity: With fewer products needed for your Zero Trust implementation, there will be less complexity required to build, operate and maintain it.