After the past few years Zero Trust has become known as more of a meme and a sales pitch, rather than an approach to improving our cyber security posture and reducing our attack surface.
Zero Trust will not solve all our problems, it is not related to a specific technology, and it is not easy to implement.
It’s important to note that a technology can contribute to our zero trust approach however, a single technology alone can not provide “zero trust”.
There are also multiple versions of zero trust, so we have listed a few below. If we visit the links we notice although there are differences, the majority of the principles or tenants are similar. Below are some links and images of some of the better known versions.
The CISA model is based upon the NIST SP.800-207 (link provided below)
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
High Level Overview.
As a lot of our content on this site focuses on the Microsoft security stack we are going to use the Microsoft Zero Trust model as our primary reference in this blog.
For true zero trust to be achieved it must be implemented throughout the entire organisation as an end to end strategy. Zero trust contains pillars or elements, and these combined result in our zero trust approach, these are.
- Identity.
- Endpoints.
- Data.
- Apps.
- Infrastructure.
- Network.
The primary concept is that nothing should be trusted, including the internal network, this according to Microsoft translates to “assume breach”, “verify explicitly”, and “least privilege”.
The CISA guidance provides the following points, which are based on the NIST SP referenced above.
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy.
- The enterprise monitors and measures the integrity and security posture of all owned and
associated assets. - All resource authentication and authorization are dynamic and strictly enforced before access
is allowed. - The enterprise collects as much information as possible about the current state of assets,
network infrastructure, and communications and uses it to improve its security posture.
Already we can see the amount of work required to implement zero trust correctly, and that it will require more than one specific technology to be effective. Let’s finish with a breakdown of the main components of each pillar or element.
Identity.
Identifying is the most important part of this pillar as we need to have visibility of ALL identities being used, not just those within our central identity provider, whether that’s on-premises Active Directory, Entra ID, or something like Okta. We need to implement least privilege, strong authentication and compliant access for all identities. A big challenge here is identifying shadow IT to ensure we have full visibility of all in use applications, and the accounts in use of those platforms. Ideally we want to implement single sign on (SSO) with multifactor authentication (MFA), and risk or context based conditional access across all apps to provide a seamless end user experience and standardised access control across the organisation.
Data.
As with identity, we need to identify ALL data flows, and label that data before we can make any decision on the appropriate level of protection and the controls we require. We need data loss prevention controls, and if possible automatic labelling of data. Encryption also plays an important part in securing data, but encryption alone is not enough. We need to implement policies which monitor the use of data and labels, however this is not possible if we do not understand our data, or what “normal use” looks like.
Endpoints.
We have discussed above that all identities must be verified and considered untrusted, and the same applies to devices. With a zero trust approach we consider any device provided by our organisation to require the same verification as a personally owned Bring Your Own Device (BYOD). This also applies to every device type whether a laptop, PC, smart phone or tablet, regardless of where they are connecting from, and whether they are utilising local or cloud based apps. We can manage this via compliance policies with any device not in compliance refused access to data until it is compliant. We should be using mobile device management (MDM) or cloud based endpoint management to enforce security policies across all devices to ensure all have a minimum baseline applied. We can also restrict local data storage, copying to untrusted locations, or block sharing across unmanaged apps. We can use security apps to provide device risk scores and incorporate these into device based conditional access policies.
Infrastructure and Apps.
Although also partly covered by identity, with regards to infrastructure we want a high level of assurance around administrative access. Ideally we are looking to implement Privileged Access Management (PAM) or Privileged Identity Management (PIM) which can provide Just In Time (JIT) access. All applications should be consistently deployed and authenticate with their own managed identities. End users should not be able to allow new apps to integrate with corporate apps or data without administrative approval, and all apps should be managed by Mobile Application Management Policies which restrict access via risk or context based conditional access policies. Workloads such as logic apps, and virtual machines need to be monitored for anomalies or suspicious activity
Network.
Zero trust does not recognise the network perimeter being at the firewall, we “assume breach” and therefore the internal network is no longer considered as trusted. This means we are looking to encrypt internal user to app traffic across all network types regardless of the location. If we have remote users who connect via VPN, but all internal traffic is unencrypted then we are not using zero trust principles as we are only protecting data travelling over the internet. We should be treating all networks as untrusted as if they were the internet, we should be implementing as much segmentation as possible, encrypting all traffic (including things like LDAP, and SMNP), verifying everything on the network, and using cloud enabled threat protection.
The Zero Trust approach is a good methodology, but as you can see from our brief overview it certainly is not a simple or short journey.
Cyber security is easy, right?
@2codemonte 