Zero Trust Cybersecurity
The continued drop in compute power costs coupled with the rising payout for security exploits has led to a situation where even a company with a war chest the size of Apple cannot spend its way out.
Despite having some of the best technology talent in the world, they cannot keep up with all vulnerabilities. Even if they found them all, their talented team would likely find it difficult to patch everything. Apple is not alone in this quest; the same challenge hits every hardware and software vendor. So let’s explore a topic that was first introduced in response to NIST RFI# 130208119-3119-01.
Several organizations responded to this RFI with their thoughts on developing a Framework to Improve Critical Infrastructure Cybersecurity. Responses were submitted by IBM, PwC, Forrester and others. Forrester submitted a response that included a “Zero Trust Model.” Since that response, other companies have built upon the model and, in many cases, introduced their own versions as well. I recently had the chance to review some of these models while attending a conference. This conference, coupled with the Apple challenge mentioned above, led me to question many things, such as: can you truly deploy such a model, or is it only theoretical? How do you provide access to “known” individuals in this Zero Trust environment?
The short answer to both questions appears to be yes: you can implement Zero Trust and still provide access to trusted users. Key architectural components of Forrester’s Zero Trust Model include:
- An integrated “segmentation gateway” as the nucleus of the network
- Parallel, secure network segments
- Centralized management as the network backplane
- A data acquisition network (DAN) to gain complete network visibility
Zero Trust End Point
In the case of the endpoint, the end user is extremely important, especially if given administrative rights to the device. The enterprise will need to treat this device and all applications on it as untrusted each and every time the device connects. When we apply good administrative controls via policy, along with the technical controls of antivirus and antimalware, we begin to develop a Zero Trust environment for the end point.
When a known user attempts to execute a file, the trust model is activated. First, policy is enforced to determine whether this file access is allowed, based on access control rules and known-executable rules. This could take the form of blocking child processes or preventing the execution of files that are not whitelisted. Next, unknown applications are inspected against a set of rules to determine whether the file is nefarious; this could be accomplished with a sandbox that classifies the file as malicious or benign. Lastly, external removable media is inherently untrusted.
Successful end point protection will require a constantly evolving model that also includes logging and analyzing the data for future problems such as Zero Day attacks.
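The execution flow described above, as an added Python example that is not part of the original article or any vendor product. The allowlist, the no-child-process rule, the sandbox stand-in and the sample files are all constructed for the example; every decision, allowed or denied, is appended to an audit log for later analysis.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data: the allowlist is keyed by SHA-256 of the file's
# bytes, so a renamed or tampered binary never matches a trusted entry.
TRUSTED_EDITOR = b"editor-binary-bytes-v1"
ALLOWED_HASHES = {hashlib.sha256(TRUSTED_EDITOR).hexdigest()}
# Parents that policy forbids from spawning child processes (assumed policy).
NO_CHILD_PARENTS = {"editor.exe"}

@dataclass
class ExecRequest:
    user: str
    path: str
    content: bytes
    parent: Optional[str] = None   # process requesting the launch, if any
    removable_media: bool = False  # file lives on USB or similar media

def sandbox_verdict(content: bytes) -> str:
    """Stand-in for sandbox detonation; the marker string is a constructed signal."""
    return "malicious" if b"drop-payload" in content else "benign"

def evaluate(req: ExecRequest, log: List[dict]) -> bool:
    """Apply the ordered checks from the text and record every decision."""
    digest = hashlib.sha256(req.content).hexdigest()
    if req.removable_media:
        allow, why = False, "removable media is inherently untrusted"
    elif req.parent in NO_CHILD_PARENTS:
        allow, why = False, f"child process of {req.parent} blocked by policy"
    elif digest in ALLOWED_HASHES:
        allow, why = True, "hash is on the executable allowlist"
    else:                      # unknown file: inspect before it may run
        verdict = sandbox_verdict(req.content)
        allow, why = verdict == "benign", f"unknown file, sandbox: {verdict}"
    # Every decision is logged so the data can be analysed later; a burst of
    # unknown executables across many users may be the first sign of a zero-day.
    log.append({"user": req.user, "path": req.path, "sha256": digest,
                "allowed": allow, "reason": why})
    return allow

if __name__ == "__main__":
    audit: List[dict] = []
    evaluate(ExecRequest("alice", r"C:\Apps\editor.exe", TRUSTED_EDITOR), audit)
    evaluate(ExecRequest("alice", r"E:\setup.exe", TRUSTED_EDITOR, removable_media=True), audit)
    evaluate(ExecRequest("alice", r"C:\Temp\b.exe", b"drop-payload"), audit)
    for entry in audit:
        print(entry["allowed"], entry["reason"])
```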
Zero Trust Data Center
The software defined data center (SDDC) continues to grow in popularity and functionality. Within this virtualized world, the technology practitioner has new tools to combat bad actors. However, the bad actors also potentially have new ways to exploit vulnerabilities if the environment is not properly architected.
VMware has released a model for the SDDC utilizing microsegmentation so that an organization can truly implement a Zero Trust environment.
In VMware’s model, the first step is to apply isolation. This ensures, for example, that test, development and production environments are kept separate and cannot interact. Virtual networks are also completely isolated from the physical networks.
Secondly, segmentation is implemented within the virtual environment: all traffic is segmented such that the web tier does not interact with the database or application tier.
Lastly, utilizing a virtual firewall, the environment can enforce application-, user- and content-based controls at the virtual interface.
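The three steps above, evaluated in order for a single flow at the virtual interface, as an added Python example that is not VMware's code or part of the original article. The environments, tiers, the permitted tier-to-tier flows (including web to app on one port) and the service identity allowed to reach the database are all assumed policy constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Workload:
    name: str
    env: str   # "prod" or "test"
    tier: str  # "web", "app" or "db"

@dataclass(frozen=True)
class Flow:
    src: Workload
    dst: Workload
    port: int
    app_proto: str              # application protocol as identified by the firewall
    user: Optional[str] = None  # initiating user, when the firewall knows it

# Step 2 (segmentation): the only tier-to-tier flows that exist; everything
# else between tiers is denied. Assumed policy, constructed for the example.
TIER_RULES: Dict[Tuple[str, str], Set[Tuple[int, str]]] = {
    ("web", "app"): {(8080, "http")},
    ("app", "db"): {(3306, "mysql")},
}
# Step 3 (virtual firewall): identity control layered on top (assumed policy).
DB_ALLOWED_USERS = {"svc-app"}

def allowed(flow: Flow) -> Tuple[bool, str]:
    """Evaluate one flow at the virtual interface, applying the steps in order."""
    # Step 1: isolation. Environments never talk to each other.
    if flow.src.env != flow.dst.env:
        return False, "isolation: cross-environment traffic dropped"
    # Step 2: segmentation. Only declared tier pairs, ports and protocols pass,
    # so a non-mysql protocol on the mysql port is still denied.
    pair = (flow.src.tier, flow.dst.tier)
    if (flow.port, flow.app_proto) not in TIER_RULES.get(pair, set()):
        return False, f"segmentation: {pair[0]}->{pair[1]} {flow.port}/{flow.app_proto} not declared"
    # Step 3: user/content control. Even a declared DB flow needs the service identity.
    if flow.dst.tier == "db" and flow.user not in DB_ALLOWED_USERS:
        return False, "firewall: database access limited to the application service identity"
    return True, "permitted"

if __name__ == "__main__":
    web, app = Workload("web-01", "prod", "web"), Workload("app-01", "prod", "app")
    db, web_test = Workload("db-01", "prod", "db"), Workload("web-t1", "test", "web")
    for f in (Flow(web, app, 8080, "http"), Flow(web, db, 3306, "mysql"),
              Flow(web_test, app, 8080, "http"), Flow(app, db, 3306, "mysql", user="svc-app"),
              Flow(app, db, 3306, "ssh", user="svc-app"), Flow(app, db, 3306, "mysql", user="alice")):
        print(f.src.name, "->", f.dst.name, allowed(f))
```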
Zero Trust as a model has grown in significance and today should be applied as necessary to meet organizational security needs as defined by policy, regulation or financial modeling. Great security implementation requires utilizing as many tools as possible to safeguard the critical data within the organization.
Revisiting my initial questions: yes, Zero Trust can be implemented, and it is in effect within organizations around the globe. This requires a review of current policy and, in most cases, new policies or technologies to adequately deploy the model. Secondly, yes, you can provide access to known individuals; they are still treated as untrusted with every action taken. A proper implementation of the model will use appropriate policies and technologies to review actions and constantly prevent bad actions.
This landscape continues to evolve, and we as security professionals must constantly review new ways of protecting the organizations we serve.
Thomas Addison has more than 20 years of experience in the technology industry where he has spent time as an engineer, consultant and sales leader.