Home » Zero Trust

Zero Trust

When we talk about cybersecurity, the main trend today is the Zero Trust Security Model or also known by the acronym ZT.

Many manufacturers have taken this model as a foundation and from its interpretations proceed to design their solutions. Therefore the importance of having a cybersecurity specialist who can help you.

Knowing what Zero Trust is, and its operating pillars is essential to be able to establish the mechanisms to implement Zero Trust based on a ZTA roadmap consistent with the complexity of your organization.

What is Zero Trust?

It is a model that is based on granting a predefined status of denying access to IT assets to all users or devices until they demonstrate that they are trustworthy and access is allowed.

The main premise is: Never trust, Always verify, that is, nobody or anything should be trusted until trust is assigned through various mechanisms that evaluate the user and the device when accessing the applications.

The principle of Least privilege access has also been coined to define the default privilege that all users have: the lowest.

Their main strategies are:

Micro-segmentation

This term refers to the most exhaustive individualization of the elements of access to IT assets. It not only refers to networks and firewalls, but also aims to obtain as much information as possible from the attributes of users, applications and devices.

Granular Enforcement

Counting on micro-segmentation, then we must have granular and adaptive policies to be able to exercise the control that Zero Trust demands.

Why Zero Trust?

Zero Trust security solutions provide an additional layer of protection by verifying the identity of users (i.e: with FIDO Security Keys) and devices before granting them access to sensitive data.

It also helps organizations comply with regulations such as PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act).

Zero Trust Benefits

Zero Trust security solutions help protect against threats such as phishing attacks, malware, and denial-of-service attacks.

They also help prevent unauthorized access to sensitive data, reduce the number of failed login attempts, and improve user productivity.

How Does Zero Trust Work?

A zero trust security solution uses behavior analytics to identify suspicious activity and block it before it occurs.

It does this by analyzing how people behave online and then using that behavior to determine if an individual is trying to do something malicious.

ZT vs. ZTA

There is an important semantic difference that can lead to confusion and they are Zero Trust versus Zero Trust Architecture (ZT vs ZTA).

The difference is very simple:

Zero Trust (ZT) is the security model, the guiding principles (which we will see in the next section)

Zero Trust Architecture (ZTA): is the plan that is governed by the concepts of ZT and that encompasses the relationship between the components, planning and access policies.

From here come other terms that are important

Zero Trust Enterprise: is the network infrastructure and operational policies that are implemented as a result of a ZTA plan

Zero Trust Network Access (ZTNA): Usually refers to some commercial solution based on ZT concepts.

Zero Trust Principles

Below I describe the pillars of Zero Trust according to NIST and that they should be the ideal pillars of any Zero Trust Architecture (ZTA) plan.

All IT Assets are Resources

All data sources, infrastructure, devices, applications and all other computing services are considered Resources

A network to protect can be composed of multiple devices, everything that connects to the network infrastructure is also considered a resource to protect, including BYOD devices.

Any Network is Insecure, There Is No Perimeter

All communications are secured regardless of your network location, coexistence with attackers within any network is assumed.

The connection network does not guarantee trust (no implicit trust), there is no perimeter that defines the internal (secure) or external (insecure) network, both must be treated as insecure and therefore insured, protecting their confidentiality and integrity.

One Resource, One Access, One Session

Access is evaluated before logging in to each resource, no prior authorizations are inherited. This access is granted with the lowest privilege required to run the activity.

If you need to access another resource, the authentication previously performed on another resource is invalid. This prohibits all types of lateral movement.

Adaptive Access Policies

Access to resources is determined by dynamic policies that may include behavior attributes

Not only authentication implies access granting. Many other attributes are evaluated that can be used to enforce access policies.

User attributes, their behavior as well as the hygiene of the access devices or any other attribute that is considered useful to enforce the defined security policies can be used.

Every Access Device is Evaluated: Your Own or Others

The assets of the organization or its related parties are monitored in terms of integrity and security postures

No asset inherits trust, its security hygiene is evaluated and contrasted against the established security policies, prior to granting any access

This applies to devices of the organization or its partners (BYOD)

Strict and Prior Compliance with Authentication and Authorization

Authentication and authorization are dynamically and strictly enforced before access is granted

Via strict identity management including MFA and asset management, proper authentication and authorization must be enforced. This includes re-authentication re-evaluations when necessary.

Visibility and Analytics

The organization collects as much information as possible about the current status of assets, networks, and communications and uses this data to improve its security posture.

Visibility is a key factor in Zero Trust, collecting and correlating events or data. That visibility allows for continuous improvement of implemented security postures.

contacta a especialista en ciberseguridad
Hagamos una Prueba de Concepto Gratuita a través de un MSP

Premises of a Zero Trust Network

Below are the main premises dictated by NIST to design a ZTA plan.

No Implicit Trust Zone

The entire internal network is NOT considered an Implicit Trust Zone (no implicit trust zone), for the mere fact of being internal

You must act as if there is always an attacker on the network. For this reason, all accesses and communications are secured even if they are in the organization’s internal network.

Coexistence between Corporate and Personal Devices

Access devices do not necessarily belong to the organization

Bring Your Own Device (BYOD) is a reality and should be considered within Zero Trust. Third-party devices should be evaluated as much or more than corporate devices.

No Resource Inherits Trust

The evaluation of security postures is continuous, iterative and exclusive to the resource to be accessed. There is no room for granting access based on previous or similar access.

Remote Access

Not all of the organization’s resources are directly connected to its network or infrastructure.

The cloud, remote work, remote offices or branches are a reality and use the network as a basic interconnection mechanism. It is the organization’s responsibility to secure communications.

Awareness that the Network is Insecure

The subjects or assets of the organization that connect remotely must not trust the network to which they connect

Subjects must be aware of the risks inherent in any connection and hence the need to secure all their communications to the maximum.

Mobility Between Networks

Security postures apply to assets whether they move between the enterprise network or other networks.

No matter what moves you make between networks, security postures remain stable and consistent. Also its reassessment remains in force.

Zero Trust Implementation

To implement a zero-trust security solution, organizations must first understand what behaviors indicate potential threats.

Once they’ve identified those behaviors, they need to develop policies that allow employees to access the Internet while protecting them from malicious attacks.

Important Considerations When Implementing Zero Trust

While it is true, the benefits of ZTNA in terms of shielding your security far outweigh the risks of implementing zero trust. It is always good to say it so that the controls that will mitigate these risks are always incorporated.

Take care of your Identity Provider

In ZTNA, the primary authentication provider is unique, to have greater control and Single Sign-On (SSO) or Single Sign-On

This makes it a single point of failure or single point of failure and as such must then be very protected, with very strict security configurations (hardening).

This also implies having high availability and fault tolerance for the equipment that supports primary authentication, as well as for all the equipment that connects to it and that requires to be installed On-Premises.

“Manage” Zero Trust Service Administrators

Privileged access to the administration of the Zero Trust service should be kept to a minimum using excellent management of administrative roles.

If at Zero Trust we only give access to apps that a contributor role requires, we must be a very strict example of giving admins the admin role they require based on their role in the Zero Trust story.

To do this, Zero Trust tools have a wide range of role options that can be assigned.

Zero Trust Network Access Vendors

Here is the purely referential list of the main companies that provide Zero Trust services that in my opinion are the most representative.

VendorProduct or Service
Check PointHarmony Connect
CiscoDuo Security
CitrixSecure Private Access
CloudflareCloudflare Access
ForcepointPrivate Access
GoogleBeyondCorp Remote AccessGoogle Cloud Platform Identity-Aware Proxy
MicrosoftAzure AD Application ProxyWeb Application Proxy for Windows Server
NetskopeNetskope Private Access
OktaOkta Identity Cloud
Palo Alto NetworksPrisma Access
Mi lista de Proveedores de Zero Trust más Representativos

Zero Trust Network Access from Cisco Systems

approach Zero Trust de Cisco
Approach Zero Trust de Cisco.

As an expert in Cisco Systems technologies, I conclude (as does this Forrester report) that the most comprehensive solution for implementing Zero Trust is Duo Security from Cisco Systems.

Duo packages Google’s Zero Trust framework, BeyondCorp, in a SaaS. This places that high level of security within the reach of corporations from the day it is activated.

It is a very reliable SaaS dedicated 100% to cybersecurity, that is, its service is to provide security; Duo is NOT an add-on inside another solution. This makes it unique in its kind, guaranteeing updates, improvements and maintenance in accordance with the highest quality standards.

Duo has several integrations that are 100% tested and documented and handles multiple second factor devices that allow to decrease the fraction of users.

Duo provides its own authenticator application called Duo Mobile Application and also provides support for all kinds of MFA mechanisms including the most secure FIDO WebAuthn passwords.

Zero Trust Features of the Cisco Solution

User Trust

You need to ensure that the user attempting to authenticate is really who they say they are and is not someone who has fraudulently obtained access credentials.

For this purpose, an additional layer of security is added to the primary credentials (username and password) with additional mechanisms that increase the user’s identity guarantee.

This is where MFA or Multiple Factor Authentication technologies come into play, or as it is also known as 2FA or (Second Factor Authentication) and in some cases as two-step authentication.

This technology is based on authenticating the user in various areas:

Something I know: Username and Password or primary authentication

Something I have: Double factor mechanism for example a yubikey type passkey or the Swissbit iShield FIDO2 key

Who I am: Biometrics

Once these mechanisms have been successfully overcome, the user can be said to be a trusted user.

Device Trust

From this moment on, Zero Trust adds more security layers, the next is to ensure that the access device complies with certain adaptive access policies that reduce the risk of breaches caused by vulnerabilities in operating systems and related software.

At this point it is suggested that various aspects be evaluated in order to grant trust to a device, such as:

  • Location: geolocation or networks from which you access
  • Health: status of updates to the operating system, related software, and defined security postures
  • Ownership: in BYOD (Bring Your Own Device) environments, it is knowing if the access device is owned by the organization (corporate) or by the collaborator (personal)

Securing Access to Every Application

By increasing the granularity of access policies, Zero Trust recommends decreasing the exposure surface by limiting access to each application by only the users or groups that require access to that application.

Conclusions

Zero Trust Network Access is here to stay, and the complexity of its implementations are directly proportional to the complexity of the IT infrastructure, services and assets to be protected.

That is why it is necessary to opt for ZTNA solutions whose implementation methods are fast and with low TCO or Total Cost of Ownership.

This is where Cisco’s Zero Trust solution, Duo Security, blows the rest away and easily takes the lead.

In this Blog I have invested many articles that practically support what I am saying, so I invite you to consult them.

References:

Scroll to Top