When we talk about cybersecurity, the main trend today is the Zero Trust Security Model, also known by the acronym ZT.
Many vendors have taken this model as a foundation and design their solutions from their own interpretation of it, which is why it matters to have a cybersecurity specialist who can help you.
Knowing what Zero Trust is and what its operating pillars are is essential to establish the mechanisms to implement it, following a ZTA roadmap that matches the complexity of your organization.
What is Zero Trust?
It is a model based on a default-deny stance: every user and device is denied access to IT assets until it has demonstrated that it is trustworthy and access is explicitly granted.
The main premise is: Never trust, always verify. Nobody and nothing is trusted until trust has been established through mechanisms that evaluate both the user and the device at the moment they access an application.
The principle of least-privilege access defines the default privilege of every user: the lowest level that still allows them to perform their task.
Its main strategies are:
Micro-segmentation
This term refers to dividing access to IT assets into the smallest practical units. It is not limited to networks and firewalls: it also means collecting as much information as possible about the attributes of users, applications and devices, so that policy can be applied to each of them individually.
Granular Enforcement
Once micro-segmentation is in place, granular and adaptive policies are needed to exercise the control that Zero Trust demands.
Why Zero Trust?
Zero Trust security solutions provide an additional layer of protection by verifying the identity of users (e.g. with FIDO security keys) and the posture of their devices before granting them access to sensitive data.
It also helps organizations comply with regulations such as PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act).
Zero Trust Benefits
Zero Trust security solutions help protect against threats such as phishing attacks, malware, and denial-of-service attacks.
They also help prevent unauthorized access to sensitive data, reduce the number of failed login attempts, and improve user productivity.
How Does Zero Trust Work?
A Zero Trust security solution uses behavior analytics to identify suspicious activity and block it before it causes harm.
It does this by building a baseline of how users and devices normally behave and then treating deviations from that baseline (a never-seen device, a sign-in from an unexpected location, an impossible travel time between two sign-ins) as signals that someone may be attempting something malicious.
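As an added illustration of the behavior analytics described above (example code written for this page, not code from the original post or from any product), the following Python script builds a per-user baseline from a handful of constructed sign-in events and flags two classic deviations: a sign-in from a device the user has never used, and "impossible travel", where the distance between two consecutive sign-ins could not have been covered in the time between them. The event format, the 900 km/h threshold and the sample events are assumptions.

```python
"""Behavior analytics over sign-in events: impossible travel and new devices.
Added example; event format, speed threshold and sample events are assumed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Faster than this between two sign-ins is physically implausible (assumed
# threshold, roughly airliner speed; tune it for your environment).
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    lat: float
    lon: float
    device_id: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS-84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_event(line):
    """Parse 'user,YYYY-MM-DDTHH:MM:SSZ,lat,lon,device_id' (assumed format)."""
    user, ts, lat, lon, device = (f.strip() for f in line.split(","))
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return SignIn(user, when, float(lat), float(lon), device)


def analyze(lines):
    """Return [(user, iso_timestamp, [reasons])] for sign-ins that deviate from
    the user's own history. The first sign-in seen for a user seeds the baseline
    (in production the baseline would come from a longer history)."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: (e.user, e.ts))
    last_seen = {}        # user -> previous SignIn
    known_devices = {}    # user -> set of device ids already seen
    alerts = []
    for ev in events:
        reasons = []
        prev = last_seen.get(ev.user)
        if prev is not None:
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                reasons.append(f"impossible travel: {km:.0f} km in {hours:.2f} h")
        devices = known_devices.setdefault(ev.user, set())
        if devices and ev.device_id not in devices:
            reasons.append(f"new device: {ev.device_id}")
        devices.add(ev.device_id)
        last_seen[ev.user] = ev
        if reasons:
            alerts.append((ev.user, ev.ts.isoformat(), reasons))
    return alerts


# Constructed sample events (not real logs): alice signs in from Madrid twice,
# then 45 minutes later from Singapore on an unknown device; bob travels from
# Lima to New York over 12 hours on his usual phone.
SAMPLE_EVENTS = [
    "alice,2024-03-04T08:00:00Z,40.42,-3.70,laptop-a1",
    "alice,2024-03-04T09:30:00Z,40.42,-3.70,laptop-a1",
    "alice,2024-03-04T10:15:00Z,1.35,103.82,unknown-9f",
    "bob,2024-03-04T08:00:00Z,-12.05,-77.04,phone-b2",
    "bob,2024-03-04T20:00:00Z,40.71,-74.01,phone-b2",
]

if __name__ == "__main__":
    for user, when, reasons in analyze(SAMPLE_EVENTS):
        print(user, when, "; ".join(reasons))
```

Only alice's third sign-in is reported, with both reasons; bob's 12-hour, roughly 5,900 km trip is well under the threshold. In a Zero Trust deployment the output of a stage like this becomes a risk attribute that the access policy consumes, typically to demand step-up authentication or to deny the session.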
ZT vs. ZTA
There is an important semantic difference that often causes confusion: Zero Trust versus Zero Trust Architecture (ZT vs ZTA).
The difference is simple:
Zero Trust (ZT) is the security model: the guiding principles (which we will see in the next section).
Zero Trust Architecture (ZTA) is the plan governed by the ZT concepts; it covers the relationship between the components, the planning and the access policies.
From these come other important terms:
Zero Trust Enterprise: the network infrastructure and operational policies implemented as the result of a ZTA plan.
Zero Trust Network Access (ZTNA): usually refers to a commercial product built on ZT concepts, typically one that brokers access to private applications.
Zero Trust Principles
Below I describe the pillars of Zero Trust as laid out by NIST in SP 800-207; they should be the pillars of any Zero Trust Architecture (ZTA) plan.
All IT Assets are Resources
All data sources, infrastructure, devices, applications and other computing services are considered resources.
A network to protect may be made up of many kinds of devices; everything that connects to the network infrastructure is also a resource to protect, including BYOD devices.
Any Network is Insecure, There Is No Perimeter
All communications are secured regardless of network location, on the assumption that attackers are already present inside any network.
The network a connection arrives from grants no trust (no implicit trust). There is no perimeter separating an internal (secure) network from an external (insecure) one: both must be treated as insecure and therefore secured, protecting the confidentiality and integrity of every communication.
One Resource, One Access, One Session
Access is evaluated before each connection to each resource; no prior authorization is inherited. Access is granted with the lowest privilege required to carry out the activity.
Having authenticated to one resource gives no access to a different one; each resource requires its own evaluation. This sharply limits lateral movement.
Adaptive Access Policies
Access to resources is determined by dynamic policies that may include behavioral attributes.
Authentication alone does not grant access. Many other attributes are evaluated and can be used to enforce access policies.
User attributes, the user's behavior, the hygiene of the access device, or any other attribute deemed useful can be used to enforce the defined security policies.
Every Access Device is Evaluated: Your Own or Others
The organization's assets, and those of related parties, are monitored for integrity and security posture.
No asset inherits trust: its security hygiene is evaluated against the established security policies before any access is granted.
This applies to the organization's own devices as well as to partner and personal (BYOD) devices.
Strict and Prior Compliance with Authentication and Authorization
Authentication and authorization are enforced dynamically and strictly before access is granted.
Through strict identity management (including MFA) and asset management, proper authentication and authorization are enforced. This includes re-authentication and re-authorization whenever necessary, for example when the attributes of a session change.
Visibility and Analytics
The organization collects as much information as possible about the current state of assets, networks and communications and uses this data to improve its security posture.
Visibility, that is, collecting and correlating events and data, is a key factor in Zero Trust: it allows continuous improvement of the implemented security posture.
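The tenets above can be read as a single decision procedure. The following Python policy engine is an added example (not code from this page, from NIST or from any product) that evaluates one request for one resource at a time: it checks group membership and grants only the requested action (least privilege), evaluates the device's posture on every request, corporate or BYOD alike, restricts by location, and adaptively raises the MFA strength required when the subject's risk level is elevated. A decision on one resource carries nothing over to another. The attribute names, the policy table, the MFA strength ordering and the sample subjects and devices are assumptions, and the risk level is assumed to be supplied by a separate behavior-analytics stage.

```python
"""Minimal Zero Trust policy engine: one decision per request, per resource.
Added example; attribute names, policy table, MFA ordering and samples are assumed,
and the risk level is assumed to come from a separate behavior-analytics stage."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # authenticated, but a stronger factor is needed: ask, then re-evaluate
    DENY = "deny"


@dataclass(frozen=True)
class Subject:
    user: str
    groups: FrozenSet[str]
    mfa: str     # strongest factor completed in this session: "none", "push" or "fido2"
    risk: str    # "low", "medium" or "high", from behavior analytics


@dataclass(frozen=True)
class Device:
    managed: bool        # enrolled corporate device (True) or BYOD (False)
    os_patched: bool
    disk_encrypted: bool
    country: str         # ISO 3166-1 alpha-2 code from geolocation


@dataclass(frozen=True)
class ResourcePolicy:
    min_mfa: str
    require_managed: bool
    allowed_countries: FrozenSet[str]             # empty = any country
    actions_by_group: Dict[str, FrozenSet[str]]   # group -> actions it may perform


@dataclass(frozen=True)
class Result:
    decision: Decision
    scope: Optional[str]   # the single action granted to this session, when allowed
    reason: str


MFA_STRENGTH = {"none": 0, "push": 1, "fido2": 2}

POLICIES = {   # assumed policy table, one entry per protected resource
    "hr-portal": ResourcePolicy("push", False, frozenset(),
                                {"hr": frozenset({"read", "write"}), "admins": frozenset({"read"})}),
    "prod-db-console": ResourcePolicy("fido2", True, frozenset({"ES", "US"}),
                                      {"dba": frozenset({"read", "execute"})}),
}


def decide(subject: Subject, device: Device, resource: str, action: str) -> Result:
    """Evaluate ONE request for ONE resource. Nothing carries over from decisions on
    other resources or earlier sessions; run it per session and whenever attributes change."""
    policy = POLICIES.get(resource)
    if policy is None:
        return Result(Decision.DENY, None, "unknown resource: default deny")
    if subject.risk == "high":
        return Result(Decision.DENY, None, "subject risk level is high")
    # Least privilege: only the requested action, and only if a group entitles the subject to it.
    permitted = set()
    for group in subject.groups & frozenset(policy.actions_by_group):
        permitted |= policy.actions_by_group[group]
    if not permitted:
        return Result(Decision.DENY, None, "subject has no role on this resource")
    if action not in permitted:
        return Result(Decision.DENY, None, f"action '{action}' not permitted for subject's groups")
    # Device posture is evaluated on every request, corporate or BYOD alike.
    if policy.require_managed and not device.managed:
        return Result(Decision.DENY, None, "resource requires a managed device")
    if not (device.os_patched and device.disk_encrypted):
        return Result(Decision.DENY, None, "device posture check failed")
    if policy.allowed_countries and device.country not in policy.allowed_countries:
        return Result(Decision.DENY, None, f"access from {device.country} not allowed")
    # Adaptive policy: elevated risk raises the MFA strength this request requires.
    required = MFA_STRENGTH[policy.min_mfa]
    if subject.risk == "medium":
        required = max(required, MFA_STRENGTH["fido2"])
    if MFA_STRENGTH[subject.mfa] < required:
        return Result(Decision.STEP_UP, None, "MFA strength below what this request requires")
    return Result(Decision.ALLOW, action, "all checks passed")


# Constructed sample subjects and devices.
CAROL = Subject("carol", frozenset({"dba"}), mfa="fido2", risk="low")
ALICE = Subject("alice", frozenset({"hr"}), mfa="push", risk="low")
CORP_LAPTOP = Device(managed=True, os_patched=True, disk_encrypted=True, country="ES")
HOME_PC = Device(managed=False, os_patched=True, disk_encrypted=True, country="FR")

if __name__ == "__main__":
    for args in [(CAROL, CORP_LAPTOP, "prod-db-console", "execute"), (CAROL, HOME_PC, "prod-db-console", "execute"),
                 (ALICE, HOME_PC, "hr-portal", "write"), (ALICE, HOME_PC, "prod-db-console", "read")]:
        r = decide(*args)
        print(args[0].user, args[2], args[3], "->", r.decision.value, r.scope, "|", r.reason)
```

Two design points worth noting: the engine returns a scope of exactly one action, so a session that was allowed to "read" cannot later "write" without a fresh decision, and the same subject on the same device is denied the database console even right after being allowed into the HR portal, which is the "no inherited trust" tenet in practice. A real enforcement point would call this on every new connection and again when the risk level or device posture changes.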
Premises of a Zero Trust Network
Below are the main assumptions NIST lays out for designing a ZTA plan.
No Implicit Trust Zone
The entire internal network is NOT considered an implicit trust zone merely because it is internal.
You must act as if there were always an attacker on the network. For this reason, all accesses and communications are secured even within the organization's internal network.
Coexistence between Corporate and Personal Devices
Access devices do not necessarily belong to the organization.
Bring Your Own Device (BYOD) is a reality and must be accounted for in Zero Trust. Third-party devices should be evaluated as rigorously as corporate devices, or more so.
No Resource Inherits Trust
Security posture is evaluated continuously and iteratively, and specifically for the resource being accessed. Access is never granted on the basis of a previous or similar access.
Remote Access
Not all of the organization's resources sit directly on its own network or infrastructure.
The cloud, remote work and remote offices or branches are a reality, and they rely on networks the organization does not control for interconnection. It is the organization's responsibility to secure those communications.
Awareness that the Network is Insecure
Subjects or assets of the organization that connect remotely must not trust the network they connect through.
Subjects must be aware of the risks inherent in any connection, hence the need to secure all of their communications as thoroughly as possible.
Mobility Between Networks
Security posture requirements follow assets whether they are on the enterprise network or on other networks.
Whatever network an asset moves to, its security posture requirements remain stable and consistent, and the reassessment of that posture stays in force.
Zero Trust Implementation
To implement a Zero Trust security solution, organizations must first understand which behaviors indicate potential threats.
Once those behaviors have been identified, they need to develop policies that let employees reach the applications they need while protecting them from malicious attacks.
Important Considerations When Implementing Zero Trust
While the benefits of ZTNA in hardening your security far outweigh the risks of implementing it, those risks are worth stating so that the controls that mitigate them are always incorporated.
Take care of your Identity Provider
In ZTNA there is a single primary identity provider, for greater control and Single Sign-On (SSO).
That makes it a single point of failure, and as such it must be strongly protected with strict security configuration (hardening).
It also means providing high availability and fault tolerance for the systems that support primary authentication, as well as for every component that connects to it and has to be installed on-premises.
“Manage” Zero Trust Service Administrators
Privileged access to the administration of the Zero Trust service should be kept to a minimum through careful management of administrative roles.
If Zero Trust gives a user access only to the applications their role requires, we should set an equally strict example with administrators, giving each one only the administrative role their duties in the Zero Trust deployment require.
Zero Trust tools provide a wide range of roles that can be assigned for this purpose.
Zero Trust Network Access Vendors
Below is a purely indicative list of the main companies providing Zero Trust services which, in my opinion, are the most representative.
| Vendor | Product or Service |
|---|---|
| Check Point | Harmony Connect |
| Cisco | Duo Security |
| Citrix | Secure Private Access |
| Cloudflare | Cloudflare Access |
| Forcepoint | Private Access |
| Google | BeyondCorp Remote Access, Google Cloud Platform Identity-Aware Proxy |
| Microsoft | Azure AD Application Proxy, Web Application Proxy for Windows Server |
| Netskope | Netskope Private Access |
| Okta | Okta Identity Cloud |
| Palo Alto Networks | Prisma Access |
Zero Trust Network Access from Cisco Systems
As an expert in Cisco Systems technologies, I conclude (as does this Forrester report) that the most comprehensive solution for implementing Zero Trust is Duo Security from Cisco Systems.
Duo packages Google's Zero Trust framework, BeyondCorp, as a SaaS, which puts that level of security within reach of corporations from the day it is activated.
It is a very reliable SaaS dedicated entirely to cybersecurity; that is, its service is to provide security. Duo is NOT an add-on inside another solution, which makes it unique in its kind and guarantees updates, improvements and maintenance to the highest quality standards.
Duo has many integrations that are fully tested and documented, and it supports multiple second-factor devices, which reduces friction for users.
Duo provides its own authenticator application, Duo Mobile, and also supports all kinds of MFA mechanisms, including FIDO2/WebAuthn security keys and passkeys, the most secure and phishing-resistant option.
Zero Trust Features of the Cisco Solution
User Trust
You need to ensure that the user attempting to authenticate really is who they claim to be and not someone who has fraudulently obtained their credentials.
For this purpose, an additional layer of security is added on top of the primary credentials (username and password), with further mechanisms that raise the assurance of the user's identity.
This is where MFA (Multi-Factor Authentication) comes into play, also known as 2FA (Two-Factor Authentication) and in some cases as two-step verification.
This technology authenticates the user across several categories:
- Something I know: username and password, i.e. primary authentication
- Something I have: a second-factor device, for example a YubiKey-type passkey or the Swissbit iShield FIDO2 key
- Something I am: biometrics
Once these checks have been passed, the user can be considered a trusted user.
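Of the three factor categories, "something I have" is the one that can be shown end to end offline. The following Python code is an added example (not code from this page or from Duo) of a server-side verifier for the time-based one-time passwords (RFC 6238) that authenticator apps generate: the server and the app share a secret, each 30-second step yields a fresh code, the verifier tolerates one step of clock drift, and a code that has already been accepted can never be replayed. The secret, step, window and sample user are assumptions; the RFC's published SHA-1 test vectors are used to check the algorithm. FIDO2/WebAuthn, which the page rightly prefers, needs a browser and an authenticator and is not reproducible as an offline snippet.

```python
"""TOTP second factor (RFC 6238) with a clock-drift window and replay protection.
Added example; secret, step, window and sample user are assumed."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """HOTP (RFC 4226, HMAC-SHA1) over the time counter floor(at / step)."""
    counter = at // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side verifier holding one shared secret per enrolled user."""

    def __init__(self, step: int = 30, window: int = 1, digits: int = 6):
        self.step = step
        self.window = window          # accept +/- this many steps of clock drift
        self.digits = digits
        self.secrets = {}             # user -> secret bytes (must be protected at rest)
        self.last_counter = {}        # user -> highest time counter already accepted

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.last_counter[user] = -1

    def verify(self, user: str, code: str, now: Optional[int] = None) -> bool:
        """True if `code` is valid for `user` within the drift window and has not been
        used before. The highest accepted counter only moves forward, so neither the
        same code nor any older one can be replayed."""
        secret = self.secrets.get(user)
        if secret is None or len(code) != self.digits or not code.isdigit():
            return False              # unknown user or malformed code: no short-code guessing
        now = int(time.time()) if now is None else now
        base = now // self.step
        for counter in range(base - self.window, base + self.window + 1):
            expected = totp(secret, counter * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):
                if counter <= self.last_counter[user]:
                    return False      # replay of an already-used or older step
                self.last_counter[user] = counter
                return True
        return False


# RFC 6238 Appendix B shared secret (ASCII "12345678901234567890") and a sample user,
# used here only to demonstrate; real secrets come from secrets.token_bytes(20).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier()
    v.enroll("alice", RFC_SECRET)
    t = 1234567890
    code = totp(RFC_SECRET, t)
    print("code:", code, "first use:", v.verify("alice", code, t), "replay:", v.verify("alice", code, t))
```

The verifier rejects codes of the wrong length before comparing, because a one-digit "code" checked against a one-digit truncation would succeed one time in ten. Note also that TOTP remains phishable in real time (a proxy can relay a live code), which is exactly why the page favors FIDO2/WebAuthn, whose assertion is bound to the origin.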
Device Trust
From this point, Zero Trust adds further layers of security. The next is to ensure that the access device complies with adaptive access policies that reduce the risk of breaches caused by vulnerabilities in the operating system and related software.
At this point, several aspects should be evaluated before trusting a device, such as:
- Location: geolocation or the networks from which access originates
- Health: patch status of the operating system and related software, and compliance with the defined security posture
- Ownership: in BYOD (Bring Your Own Device) environments, whether the access device belongs to the organization (corporate) or to the collaborator (personal)
Securing Access to Every Application
By increasing the granularity of access policies, Zero Trust reduces the exposed surface: each application is made available only to the users or groups that require access to it.
Conclusions
Zero Trust Network Access is here to stay, and the complexity of an implementation is directly proportional to the complexity of the IT infrastructure, services and assets to be protected.
That is why it is necessary to opt for ZTNA solutions whose implementation is fast and whose Total Cost of Ownership (TCO) is low.
This is where Cisco's Zero Trust solution, Duo Security, blows the rest away and easily takes the lead.
In this blog I have written many articles that back up what I am saying in practice, so I invite you to consult them.
References:
- Rose, S., Borchert, O., Mitchell, S., Connelly, S. (August 2020). NIST Special Publication 800-207: Zero Trust Architecture. National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
- Duo Security, Zero Trust Security for the Workforce. https://duo.com/solutions/zero-trust-security