Implementing “Zero Trust” Security

Vaibhav Sonavane
6 min read · May 14, 2021

It won't be an exaggeration to say that “Zero Trust” has been the most used phrase among security professionals across the globe in the last few years. Senior management is often intrigued by this buzzword after hearing it again and again at conferences and seminars or reading it in magazines, articles and whitepapers. As a next step, management asks the security team to “Implement Zero Trust” in the organization. This is where the agony for the security team starts.

We run from pillar to post in search of a way to implement “Zero Trust”. We find tons of information about “Zero Trust”, all of it explaining the high-level theory and nothing more. Then there are IT vendors who come and boast that their software or hardware is a “Zero Trust” security product, each narrating a story of how we can achieve “Zero Trust” just by deploying their product. At the end of the day, we are still not sure how we will achieve “Zero Trust” Security in our organization.

I have gone through the same pain and finally managed to find some light at the end of the tunnel. We should be able to clear up the confusion by answering the following two questions:

  1. What is “Zero Trust” Security?
  2. How to implement “Zero Trust” Security?

1. What is “Zero Trust” Security?

To understand “Zero Trust” Security, let us first understand the confusion around the buzz word:

From the above depiction, it becomes quite obvious that if something is vague and intangible, there will be multiple interpretations. Are those interpretations false? Not at all: security is a vast topic and “Zero Trust” is a concept that touches every aspect of it. We need to find the interpretation that suits our organization.

To clear the confusion and define a standard approach, NIST published a special publication on “Zero Trust Architecture” in August 2020, NIST SP 800-207. Let us understand NIST's definition of “Zero Trust”.

NIST SP 800-207:

Zero Trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.

Zero Trust Architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies.

In Simple Terms:

Zero Trust (ZT) is a policy/strategy/framework/guideline to ensure that only the right subjects are allowed to access the right resources, assuming every subject is malicious unless proven otherwise.

Zero Trust architecture (ZTA) is the blueprint which implements the Zero Trust policy/strategy/framework/guideline.

Over the years, there has been a lot of confusion over what “Zero Trust” (ZT) is and is not. Below is my interpretation of “Zero Trust” Security (ZTS):

Our approach would be more meaningful if we understand why “Zero Trust” Security came into existence.

Until the early 2000s, organizations worked within the perimeter of their networks, be it their LAN, their datacenter or any other network connected by a WAN technology like MPLS. Today that perimeter has vanished: applications have moved to the cloud, and users spread across various locations access systems from different types of devices. With the proliferation of devices and user entities accessing the organization's resources beyond the boundary of the traditional network, it became imperative to limit the implicit trust between Users (Subjects) and Applications (Resources) and instead evaluate trust on a per-transaction basis. This phenomenon, called “De-Perimeterisation”, was highlighted by the Jericho Forum back in 2004. From 2004 until today, organizations such as Forrester, Google and NIST have contributed to this journey.

NIST has focused quite well on the implementation aspect of “Zero Trust” Architecture (ZTA) rather than just the theory. According to NIST, implementing ZTA is nothing but implementing the concept of PDP & PEP uniformly across the organization. Let us understand more:

PDP: Policy Decision Point, PEP: Policy Enforcement Point. These two logical components form the building blocks of the organization's ZTA. An organization must set the ground rules for subjects' access to resources; together these rules become the ZT Policy. Every subject's access to a resource must pass through the PEP. The PEP checks with the PDP for each request, and the PDP returns the decision (allow or deny) to the PEP after evaluating the ZT Policy. This is the crux of ZT that needs to be implemented. I call it the “Zero Trust” Security Principle.
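To make the PDP/PEP flow concrete, here is a small model of it in Python. This is an added illustration, not code from the article or from NIST SP 800-207: the subjects, resources, group names and the four policy rules are all constructed. The point it demonstrates is the one above: every request passes through the PEP, the PEP asks the PDP every time (no cached "trusted session"), and anything the policy does not explicitly allow is denied. Network location is recorded for the audit trail but deliberately earns no trust.

```python
# Added example: a toy PDP/PEP pair modelling the per-request allow/deny
# flow of the Zero Trust principle. Not from the article or NIST; users,
# resources and rules below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    mfa_verified: bool        # strong authentication completed
    device_compliant: bool    # endpoint passed its posture check
    network: str              # "corp" or "internet": logged, never trusted


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str          # "internal" or "restricted"
    owner_group: str          # only this group may touch restricted data


@dataclass(frozen=True)
class Request:
    subject: Subject
    resource: Resource
    action: str               # "read" or "write"


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# A rule returns a Decision when it applies, or None to let the next rule run.
Rule = Callable[[Request], Optional[Decision]]


def require_mfa(req: Request) -> Optional[Decision]:
    # Being on the "corp" network is not a substitute for authentication.
    if not req.subject.mfa_verified:
        return Decision(False, "MFA required on every request")
    return None


def require_compliant_device(req: Request) -> Optional[Decision]:
    if not req.subject.device_compliant:
        return Decision(False, "device failed posture check")
    return None


def restricted_needs_owner_group(req: Request) -> Optional[Decision]:
    res, sub = req.resource, req.subject
    if res.sensitivity == "restricted":
        if res.owner_group in sub.groups:
            return Decision(True, f"member of {res.owner_group}")
        return Decision(False, f"{res.name} restricted to {res.owner_group}")
    return None


def employees_read_internal(req: Request) -> Optional[Decision]:
    if (req.resource.sensitivity == "internal" and req.action == "read"
            and "employees" in req.subject.groups):
        return Decision(True, "employee read of internal resource")
    return None


class PolicyDecisionPoint:
    """Evaluates the ZT policy; anything not explicitly allowed is denied."""

    def __init__(self, rules: list) -> None:
        self.rules = rules

    def decide(self, req: Request) -> Decision:
        for rule in self.rules:
            decision = rule(req)
            if decision is not None:
                return decision
        return Decision(False, "default deny: no rule granted access")


class PolicyEnforcementPoint:
    """Fronts the resource; consults the PDP on every single call."""

    def __init__(self, pdp: PolicyDecisionPoint, backend: Callable[[Request], str]) -> None:
        self.pdp = pdp
        self.backend = backend
        self.audit_log: list = []

    def handle(self, req: Request) -> str:
        decision = self.pdp.decide(req)           # per-request, never per-session
        self.audit_log.append((req.subject.user, req.subject.network,
                               req.resource.name, req.action, decision.allow))
        if not decision.allow:
            raise PermissionError(decision.reason)
        return self.backend(req)


def build_pdp() -> PolicyDecisionPoint:
    # Deny rules run first, then allow rules, then the implicit default deny.
    return PolicyDecisionPoint([require_mfa, require_compliant_device,
                                restricted_needs_owner_group, employees_read_internal])


# Constructed sample data (hypothetical users and systems).
ALICE = Subject("alice", frozenset({"employees", "finance"}), True, True, "internet")
BOB = Subject("bob", frozenset({"employees"}), False, True, "corp")
PAYROLL_DB = Resource("payroll-db", "restricted", "finance")
WIKI = Resource("wiki", "internal", "employees")

if __name__ == "__main__":
    pep = PolicyEnforcementPoint(build_pdp(), lambda r: f"{r.resource.name} served")
    for sub, res in [(ALICE, PAYROLL_DB), (BOB, WIKI), (BOB, PAYROLL_DB)]:
        try:
            print(pep.handle(Request(sub, res, "read")))
        except PermissionError as e:
            print(f"DENY {sub.user} -> {res.name}: {e}")
```

Running it shows alice, connecting from the internet with MFA and a compliant device, reading the restricted payroll database, while bob, sitting on the corporate network but without MFA, is denied even the internal wiki. Swapping the rule list in `build_pdp()` is how the ZT Policy changes; the PEP does not need to know what the rules are.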

Implementing ZTA is just instantiating the above architecture across the organization. This is where it becomes a little complex or rather more technical in nature.

Note: There can be non-technical aspects of ZTA but they are out of the scope of this article.

2. How to implement “Zero Trust” Security?

It might look like a mammoth task, but it is not if we take an organized approach. When we look at the IT landscape of any organization, we can put things into 3 distinct buckets (Network, Users & Workloads). To implement ZTA we are going to use these buckets under more generic and encompassing names (Secure Traffic, Secure Access & Secure Data). I would like to call them the 3 Pillars of “Zero Trust” Security.

Now, implementing ZTA is as simple as applying the 3 Pillars of “Zero Trust” Security uniformly across the organization.

I would like to take one step further and point out a set of key security controls for each pillar. It is not an exhaustive list and it might not be everything your organization needs, but it is a good starting point for your ZTA implementation journey. Below are a few security controls for each pillar:

As mentioned earlier, implementing ZTA is an iterative journey. It can never be a one-time process, as it evolves with technology as well as with every change in the organization. We as security professionals need to ensure that our organization adheres to the “Zero Trust” Security Principle at all times.

3. Sample Zero Trust Architectures

  1. Oracle’s Hybrid Deployment
  2. AWS’s Cloud-Only Deployment

Vaibhav Sonavane

A cloud security enthusiast with an urge to learn and unlearn. A coder at heart with a logical mind.