Transform From Trust to Zero-Trust

madunix, Executive IT Director
CERTIFIED EXPERT
Name: Fadi Sodah, Experience: 25+ years in Information Technology.
Published:
Zero-Trust is based on a single rule: "Never trust, always verify: treat every user, device, application, and data flow as untrusted."  The Zero-Trust concept focuses on authenticating and authorizing each access request on its own, rather than trusting a subject because it was verified once or because it sits inside the network.
Trust: 

 

Trust, in the human sense, is a complex neural process that binds diverse representations, including emotions, into a semantic pointer. This article is concerned with the narrower, technical trust placed in devices, networks, applications, users, and data.

Organizations today are challenged to protect their resources (e.g., device assets, application services, business workflows, networks, and user accounts). Trust is a fundamental concept in risk management. With the growing adoption of technologies such as artificial intelligence (AI) and the Internet of Things (IoT), organizations depend more and more on complex, often invisible, connected technologies, data streams, and third parties, which makes the question of what to trust more important. At the same time, people instinctively distrust things they cannot see, touch, or understand.

No organization can eliminate cybersecurity risk. However, when Zero-Trust complements existing cybersecurity policies, standards, and guidelines, identity and access management, and a properly implemented and maintained continuous monitoring program, it reduces overall risk and protects against common threats by applying three guiding principles:
  • Never trust; always verify
  • Assume breach: operate as if the environment is already compromised
  • Verify explicitly: base every access decision on the available signals (identity, device, resource, context), not on network location

 

Zero-Trust: 

 

Zero-Trust creates and implements risk management measures without placing implicit faith in the people, processes, or technology involved.  It requires governance of policies such as least privilege: giving users only the access necessary to accomplish a specific task. Under the Zero-Trust concept, no person or device, inside or outside the organization's network, is given access to IT systems or services until it has been authenticated, and it is continually validated thereafter. Entities must be authenticated (verified) in all cases, and access is permitted only to specific, authorized resources based on contextual policies.  
 
Zero-Trust is a concept that responds to network trends in which perimeter defenses are changing to allow remote users, work-from-home users, bring-your-own-device (BYOD) users, and hybrid cloud-based assets access to organizational assets. Zero-Trust mandates a "never trust, always verify, enforce least privilege" approach to privileged access from inside or outside the network.
 
Zero-Trust principles replace the legacy network perimeter model. The traditional network boundary is not merely changing; with remote users and cloud-hosted assets it is dissolving, and with it the assumption that anything inside the boundary can be trusted. Zero-Trust therefore changes how organizations rely on network access controls. When effectively deployed, it lowers an organization's risk from data breaches, ransomware, and insider threats.

 

Other defining principles of Zero-Trust (the tenets set out in NIST SP 800-207) are the following:
  • Every digital asset is a resource (i.e., hardware, datasets, and applications, including any device that can reach enterprise data).
  • Access to resources is controlled (i.e., authenticated and authorized) on a per-session basis, with only the privileges needed to complete the task; access to one resource does not grant access to another.
  • All communication is secured regardless of network location; a request from inside the network receives the same scrutiny as one from outside.
  • Access to resources is determined by a dynamic policy that takes into account user identity, the requested resource, and behavioral and environmental attributes such as device hardware fingerprinting and device posture.
  • All resource authentication and authorization are dynamic and strictly enforced before access is allowed, and a granted session is re-evaluated rather than trusted indefinitely.
  • The organization monitors and measures the integrity and security posture of all owned and associated assets; no asset, not even one the organization owns, is inherently trusted.

 

To implement Zero-Trust, organizations can consider deploying technologies such as:
  • Multifactor authentication (MFA): Verifies identity with more than one factor as part of access management.
  • Least privilege access: Limits user access to the applications and data necessary to do their job.
  • Micro-segmentation: Divides the network into small segments, each with its own access policy, so that compromising one host does not give access to the rest.
  • Continuous monitoring: Monitors all resources for cyber threats and suspicious activity.

 

Zero-Trust implementation steps:
  • Identify sensitive assets
  • Map out communication flows to sensitive assets
  • Define network micro-segments
  • Implement Zero-Trust security policies
  • Continuously monitor the environment for cyber threats and network/user anomalies
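As an added worked example (not code from the article), the five steps above run end to end in Python: a constructed asset inventory, a constructed set of flows observed during discovery, micro-segments derived from tier and data class, a default-deny allowlist built from the observed flows, and a check of "live" flows against that policy. The hostnames, tiers, data classes, ports, and flow records are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Step 1: identify sensitive assets. Constructed inventory; hostnames are hypothetical.
ASSETS = {
    "web-01":   {"tier": "web",   "data": "public",   "sensitivity": "low"},
    "app-01":   {"tier": "app",   "data": "customer", "sensitivity": "medium"},
    "db-01":    {"tier": "db",    "data": "customer", "sensitivity": "high"},
    "hr-db-01": {"tier": "db",    "data": "hr",       "sensitivity": "high"},
    "jump-01":  {"tier": "admin", "data": "none",     "sensitivity": "high"},
}

# Step 2: map communication flows to those assets. Constructed NetFlow-style
# records: (source host, destination host, destination port).
OBSERVED_FLOWS = [
    ("web-01", "app-01", 8443),
    ("app-01", "db-01", 5432),
    ("jump-01", "db-01", 22),
    ("jump-01", "hr-db-01", 22),
]


@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    port: int


def segment_of(host: str) -> str:
    """Step 3: a micro-segment is a tier plus the data class it handles, so the
    customer database and the HR database land in different segments even
    though both are 'db' tier."""
    a = ASSETS[host]
    return f"{a['tier']}/{a['data']}"


def derive_rules(flows) -> frozenset:
    """Step 4: turn the reviewed, observed flows into an explicit allowlist.
    Anything not in the allowlist is denied (default deny)."""
    return frozenset(Rule(segment_of(s), segment_of(d), p) for s, d, p in flows)


def evaluate(src: str, dst: str, port: int, rules: frozenset):
    """Decide one flow against the policy and explain the decision."""
    if src not in ASSETS or dst not in ASSETS:
        return "deny", "unknown asset: not in inventory"
    rule = Rule(segment_of(src), segment_of(dst), port)
    if rule in rules:
        return "allow", f"matches {rule.src_segment} -> {rule.dst_segment}:{port}"
    return "deny", f"no rule for {rule.src_segment} -> {rule.dst_segment}:{port}"


def monitor(flows, rules):
    """Step 5: run live flows through the policy and collect the denials; these
    are the anomalies worth alerting on (lateral movement, new services,
    devices that were never inventoried)."""
    findings = []
    for src, dst, port in flows:
        decision, reason = evaluate(src, dst, port, rules)
        if decision == "deny":
            findings.append((src, dst, port, reason))
    return findings


# Constructed "live" traffic: two legitimate flows and three the policy should catch.
LIVE_FLOWS = [
    ("web-01", "app-01", 8443),     # normal web -> app
    ("jump-01", "hr-db-01", 22),    # normal admin access from the jump host
    ("web-01", "db-01", 5432),      # web tier reaching straight for the database
    ("app-01", "hr-db-01", 5432),   # customer app touching HR data
    ("laptop-77", "db-01", 5432),   # device that is not in the inventory
]

if __name__ == "__main__":
    policy = derive_rules(OBSERVED_FLOWS)
    for finding in monitor(LIVE_FLOWS, policy):
        print("ALERT", finding)
```

The point of the segment key is that "tier" alone is not a micro-segment: two databases in the same tier holding different data classes must not be reachable by the same rule. Note also that a flow from a host absent from the inventory is denied before any rule is consulted, which is why the asset inventory in the discovery step has to be complete.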


Zero-Trust Architecture: 


In contrast to how perimeter security operates, Zero-Trust architecture (ZTA) adopts the premise that all subjects, regardless of where they are placed (internally or externally), are implicitly untrusted.


There are five major logical components in ZTA (as displayed in the above Figure; source: Migrating to Zero-Trust Architecture: Reviews and Challenges, Wiley/Hindawi, Security and Communication Networks, Volume 2021, Article ID 9947347): subject, resource, policy decision point (PDP), policy enforcement point (PEP), and supplement (the supporting data sources, such as identity management, SIEM, and threat intelligence feeds, that inform the PDP). The subject is the user or device requesting access to enterprise resources. The resource is the enterprise asset being requested; it can be a single item or several, depending on the content of the request. In NIST SP 800-207 the PDP itself consists of two components, the policy engine and the policy administrator, described next.

Policy Engine:
The policy engine is the fundamental component of the Zero-Trust architecture. It evaluates policies written by the enterprise's security team together with information from outside sources, such as a Security Information and Event Management (SIEM) system or threat intelligence feeds, to establish the context of a request. The policy engine makes the decision on whether to allow access to a resource: based on the criteria established by the enterprise, access is granted, denied, or revoked. The decision is logged and handed to the policy administrator component, which implements it.

Policy Administrator:
The policy administrator carries out the policy engine's access determinations. It establishes or shuts down the communication path between a subject and a resource, for example by generating the session-specific credential or token the client presents. It communicates with the third logical component, the policy enforcement point, to allow or deny a session once the policy engine has made its decision.

Policy Enforcement Point:
The policy enforcement point enables, monitors, and ultimately terminates connections between a subject and an enterprise resource. In principle it is a single logical element of the Zero-Trust architecture; in practice it has two sides: a resource-side gateway that limits access to the resource, and a client-side component, such as an agent on a server or PC/laptop.
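The three components above, as an added example in Python that is not code from the article or from NIST SP 800-207: a policy engine that decides from explicit signals (role, MFA, device posture, a SIEM risk score, a threat-intelligence IP list), a policy administrator that turns a grant into a session and can revoke it, and a resource-side enforcement point that only passes traffic while a session is open. The roles, the risk threshold of 70, the TEST-NET addresses, and the signal feeds are all constructed assumptions; a real deployment would pull the signals from its SIEM and threat intelligence sources.

```python
# Added example of the PE / PA / PEP split with continuous validation. Not from the article.
import secrets
from dataclasses import dataclass, field


@dataclass
class Subject:
    user: str
    role: str
    mfa_verified: bool


@dataclass
class Device:
    device_id: str
    managed: bool
    compliant: bool   # result of a posture check (patch level, disk encryption, agent health)


@dataclass
class Resource:
    name: str
    sensitivity: str   # "low", "medium" or "high"
    allowed_roles: frozenset


@dataclass
class Signals:
    risk_score: dict = field(default_factory=dict)   # user -> 0..100, constructed SIEM feed
    flagged_ips: set = field(default_factory=set)    # constructed threat-intel blocklist


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: Resource
    source_ip: str


class PolicyEngine:
    RISK_THRESHOLD = 70   # assumption: SIEM scores at or above this deny access

    def __init__(self, signals: Signals):
        self.signals = signals

    def decide(self, req: Request):
        """Return ("grant", []) or ("deny", [reasons]); nothing is inferred from network location."""
        reasons = []
        if req.source_ip in self.signals.flagged_ips:
            reasons.append("source IP on threat-intel blocklist")
        if req.subject.role not in req.resource.allowed_roles:
            reasons.append(f"role {req.subject.role!r} not authorized for {req.resource.name}")
        if req.resource.sensitivity in ("medium", "high") and not req.subject.mfa_verified:
            reasons.append("MFA required for this resource")
        if req.resource.sensitivity == "high" and not (req.device.managed and req.device.compliant):
            reasons.append("high-sensitivity resource requires a managed, compliant device")
        if self.signals.risk_score.get(req.subject.user, 0) >= self.RISK_THRESHOLD:
            reasons.append("SIEM risk score above threshold")
        return ("deny", reasons) if reasons else ("grant", [])


class PolicyEnforcementPoint:
    """Resource-side gateway: the data path exists only while a session is open."""
    def __init__(self):
        self.sessions = {}   # session id -> granted Request

    def open(self, session_id, req):
        self.sessions[session_id] = req

    def terminate(self, session_id):
        self.sessions.pop(session_id, None)

    def is_open(self, session_id):
        return session_id in self.sessions


class PolicyAdministrator:
    """Carries engine decisions into the PEP and re-checks live sessions."""
    def __init__(self, engine: PolicyEngine, pep: PolicyEnforcementPoint):
        self.engine, self.pep = engine, pep

    def request_access(self, req: Request):
        decision, reasons = self.engine.decide(req)
        if decision == "deny":
            return None, reasons
        session_id = secrets.token_hex(16)   # session-specific token handed to the client
        self.pep.open(session_id, req)
        return session_id, []

    def revalidate(self):
        """Continuous validation: re-run open sessions through the engine; tear down failures."""
        revoked = []
        for sid, req in list(self.pep.sessions.items()):
            decision, reasons = self.engine.decide(req)
            if decision == "deny":
                self.pep.terminate(sid)
                revoked.append((sid, reasons))
        return revoked


def walkthrough():
    """Grant one session, deny another, then revoke the grant after the SIEM score rises."""
    signals = Signals(flagged_ips={"203.0.113.9"})
    engine, pep = PolicyEngine(signals), PolicyEnforcementPoint()
    pa = PolicyAdministrator(engine, pep)
    payroll = Resource("payroll-db", "high", frozenset({"hr"}))
    alice = Request(Subject("alice", "hr", True), Device("lt-100", True, True), payroll, "198.51.100.4")
    bob = Request(Subject("bob", "contractor", True), Device("byod-7", False, False), payroll, "198.51.100.5")
    sid, _ = pa.request_access(alice)
    _, bob_reasons = pa.request_access(bob)
    signals.risk_score["alice"] = 85   # SIEM later correlates suspicious activity for alice
    revoked = pa.revalidate()
    return {"alice_session_open": pep.is_open(sid), "bob_reasons": bob_reasons, "revoked": revoked}
```

The walkthrough shows the part of the model that perimeter security lacks: alice's session is legitimately granted, and is still torn down minutes later when an outside signal changes, without any new request from her. In practice `revalidate` would run on a timer or on every SIEM alert, and the reasons list would go to the audit log.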

 

NIST Zero-Trust:

 

NIST SP 800-207 defines a framework for Zero-Trust. The effectiveness of a Zero-Trust deployment can be measured against the following elements:
  • Authentication System: The ability to explicitly verify the identity of a user, process, or device.
  • Authorization System: The ability to grant or deny access to data, assets, applications, or services, enforced at a policy enforcement point.
  • Privileged Access Management: The ability to secure, control, and manage privileged access to critical assets and applications.
  • Software-Defined Perimeter or Networking: The ability to provision and control network components using code, so that segmentation and access paths follow policy rather than physical topology.
  • Device Compliance: The ability to validate that an endpoint meets the posture requirements (patch level, configuration, agent health) that policy engine decisions depend on.
  • Network Segmentation: The ability to divide the environment into micro-segments suited to the organization, with traffic between them controlled by policy.
  • Data Loss Prevention Systems: The ability to inspect network and application traffic for sensitive data and apply rules that allow or block it.
  • Security Information and Event Management Systems: A SIEM provides visibility into network and application traffic, supports continuous monitoring, and reports on the success and failure of policy engine rule enforcement.

 

Zero-Trust Migration:

 

Developing an implementation plan requires understanding the technical requirements well enough to engage software vendors and third-party solution integrators, and that is a task in itself. How can Zero-Trust be enabled in an organization's network and business applications? These are hard questions, especially for legacy systems hosted in legacy on-premises environments, as opposed to new deployments in the cloud.
 
Zero-Trust migration can be approached as a four-phase process, Discovery, Assessment, Deployment, and Operations, run in conjunction with the NIST Risk Management Framework.

One successful formula for migration is to start with a Discovery process. Discovering networking components, application services, network traffic, and core business applications is critical to building the core fabric of a Zero-Trust architecture, and it ultimately shapes the data-access rules that will be enforced. Knowing how business data flows through the organization and to its partners is essential, as is an accurate inventory of organizational assets and of the users and systems associated with them. The goal is to be able to verify that a connection is trusted and holds only the privileges and rights required to view and/or process business data.

 

Discovery:
  • Business Applications
  • Asset Inventory
  • Network Traffic Inventory
  • Data Flow
  • User Roles and Privileges
  • System Accounts

 

The next step in migration is the Assessment process. Assessment includes reviewing existing network policies (e.g., VLAN configurations, firewalls, data loss prevention, and intrusion detection/prevention systems). During this step the security health, or hygiene, of devices is reviewed for compliance with standards, and user and system accounts are examined for least privilege.

 

Assessment:
  • Conduct Role Assessment on Zero-Trust Reference Architecture
  • Threat Model
  • Assess Policy Engine Rules
  • Assess Policy Enforcement

 

The next step in this simplified migration process is Deployment, where the Zero-Trust reference architecture is implemented.  

 

Deployment:
  • Deploy Architecture Components
  • Conduct Systems Interaction
  • Implement Policy Engine
  • Implement Policy Enforcement Points

 

Lastly, the organization's environment in Operations is continuously monitored, and policy rules are monitored for effectiveness against assets and users and then adjusted.

 

Operations:
  • Visualize and Analyze Data Flow and Trusted Connections
  • Continuously Monitor Users' Devices and System Processing
  • Correlate Security Intelligence with Policy

 

Zero-Trust Migration Challenges:

 

Changing legacy networks and existing business applications to be Zero-Trust aware is not trivial. The top challenges are the following:
  • Organizational culture
  • Project budgeting and planning
  • Creating, maintaining, and controlling an organization's asset inventory
  • Assessing the complex infrastructure and data flow in the current business
  • Micro-segmentation strategies to manage risk
  • Consideration for hybrid hosting environments

 

Conclusion:

 

Effective implementation of Zero-Trust requires an assessment of the risk of access to data and to the environment. Zero-Trust is a total commitment to a process that alters an organization's structure.  

 

References:

NIST SP 800-207, Zero Trust Architecture: https://doi.org/10.6028/NIST.SP.800-207

Migrating to Zero-Trust Architecture: Reviews and Challenges, Security and Communication Networks, Volume 2021, Article ID 9947347: https://downloads.hindawi.com/journals/scn/2021/9947347.pdf

NIST CSWP 20, Planning for a Zero Trust Architecture: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.20.pdf


