What is Zero Trust?
Zero Trust is a strategic security initiative that helps prevent data breaches by removing implicit trust from an organization's network architecture. It turns the proverb "Trust, but verify", popularised by President Reagan, into "Never trust, always verify."
While Zero Trust is a buzzword today, the concept was originally coined in 2010 by then Forrester Research analyst John Kindervag, who suggested that all network traffic should be considered untrusted. His ground-breaking point of view assumes the network is breached and requires that each request is verified as though it originates from an open, unsecured network.
It is a significant departure from traditional, perimeter-based network security. Kindervag recognized that trusting anyone and anything inside an organization's network is an outdated assumption that creates many security risks: the perimeter model implicitly assumes that an identity which has made it inside is authentic and cannot have been compromised.
The Zero Trust security model recognizes that trust itself is a vulnerability. Under the perimeter model, once on the network, users – including threat actors and malicious insiders – are free to move laterally and to access or exfiltrate any data they have not been explicitly prevented from reaching.
"Zero Trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised." (NIST SP 800-207, Zero Trust Architecture)
The Zero Trust Security Model Explained
Now many (if not most) users, devices, and services operate beyond the perimeter, making it critically important to minimize the blast radius of a breach and limit access and lateral movement. This includes using strategies such as network segmentation, end-to-end encryption, and multi-factor authentication.
According to NIST, the objective of Zero Trust is "to prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible." This means enforcing authentication and authorization for every access and shrinking implicit trust zones to a minimum, while maintaining availability and keeping authentication as seamless as possible for users. Access rules are made as granular as possible to enforce least privilege.
The principles of the Zero Trust security model, according to NIST SP 800-207, can be summarized to the following:
- All sources of data and computing services - from embedded IoT devices to cloud workloads - are considered resources.
- Network location alone does not imply trust. All communication must be authenticated, authorized, and encrypted, whether inside or outside the network.
- Access to resources is established by a dynamic policy, enforced on a per-session basis, and based on the state of the user, service, or machine.
- The enterprise should monitor and measure the integrity and security posture of all assets - both owned and associated (third-party).
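To make the tenets concrete, here is an added example, written for this page and not code from NIST or from the original article, of a minimal policy decision point in Go. The request attributes, the thresholds and the rule order are assumptions; the point is that every request is evaluated afresh from what the subject can prove and what state its device is in, and that the `FromCorpNet` attribute, although available, is never consulted by any rule.

```go
package main

import (
	"fmt"
	"time"
)

// Request is the context a policy decision point sees for one access attempt.
// Every field is an assumption for this example; a real deployment would pull
// them from the IdP, the device-management agent and the resource catalogue.
type Request struct {
	Subject       string        // authenticated user or workload, "" if none
	MFA           bool          // a second factor was presented in this session
	CertVerified  bool          // a workload proved its identity with a certificate
	DeviceManaged bool          // the requesting asset is enrolled and reports posture
	DeviceHealthy bool          // posture checks (patch level, disk encryption, ...) passed
	FromCorpNet   bool          // source address is inside the corporate network
	SessionAge    time.Duration // time since the subject last authenticated
	Resource      string
	Sensitivity   int // 0 = public, 1 = internal, 2 = confidential, 3 = restricted
}

// Decision is the per-request outcome together with the reason that produced it.
type Decision struct {
	Allow  bool
	Reason string
}

// A rule inspects the request and returns a denial reason, or "" if it has no
// objection. Rules are ordered; the first objection wins.
type rule func(r Request) string

const (
	maxSessionAge    = 8 * time.Hour    // assumed: force re-authentication after this
	restrictedMaxAge = 15 * time.Minute // assumed: restricted data needs a fresh login
)

var rules = []rule{
	func(r Request) string {
		if r.Subject == "" {
			return "unauthenticated request"
		}
		return ""
	},
	func(r Request) string {
		if !r.MFA && !r.CertVerified {
			return "no strong proof of identity (MFA for people, certificate for workloads)"
		}
		return ""
	},
	func(r Request) string {
		if r.SessionAge > maxSessionAge {
			return "session too old, re-authenticate"
		}
		return ""
	},
	func(r Request) string {
		if r.Sensitivity >= 2 && !(r.DeviceManaged && r.DeviceHealthy) {
			return "confidential data requires a managed device with a clean posture"
		}
		return ""
	},
	func(r Request) string {
		if r.Sensitivity >= 3 && r.SessionAge > restrictedMaxAge {
			return "restricted data requires authentication within the last 15 minutes"
		}
		return ""
	},
	// Note what is absent: no rule grants anything because FromCorpNet is true.
}

// Decide is called for every request; nothing is cached across sessions.
func Decide(r Request) Decision {
	for _, check := range rules {
		if why := check(r); why != "" {
			return Decision{Allow: false, Reason: why}
		}
	}
	return Decision{Allow: true, Reason: "all policy checks passed"}
}

func main() {
	// Constructed sample requests, not real traffic.
	samples := []Request{
		{Subject: "alice", FromCorpNet: true, SessionAge: time.Minute, Resource: "hr-db", Sensitivity: 2},
		{Subject: "alice", MFA: true, DeviceManaged: true, DeviceHealthy: true, SessionAge: 5 * time.Minute, Resource: "hr-db", Sensitivity: 2},
		{Subject: "spiffe://example.internal/payments", CertVerified: true, DeviceManaged: true, DeviceHealthy: true, SessionAge: time.Second, Resource: "ledger", Sensitivity: 3},
		{Subject: "bob", MFA: true, DeviceManaged: true, DeviceHealthy: true, SessionAge: 9 * time.Hour, Resource: "wiki", Sensitivity: 1},
	}
	for _, s := range samples {
		d := Decide(s)
		fmt.Printf("%-36s %-7s corpnet=%-5t allow=%-5t %s\n", s.Subject, s.Resource, s.FromCorpNet, d.Allow, d.Reason)
	}
}
```

Running it prints four decisions; the first denial is the instructive one: the request comes from inside the corporate network and is still refused, because the only inputs that count are what the subject can prove and the state of the device it is using.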
Zero Trust Architecture
There are two primary approaches to implementing a Zero Trust architecture: identity-centric (enhanced identity governance) and network-centric (micro-segmentation). Both implement all of the Zero Trust tenets, but rely on different technologies and policy rules to do so.
However, a proper Zero Trust architecture should include elements of both approaches.
Enhanced Identity Governance
The enhanced identity governance approach uses the identity of users, devices, and services as the key component of policy creation. This approach must include both human and machine identities:
- Human Identities: people on the network authenticate with usernames and passwords, preferably combined with some form of multi-factor authentication.
- Machine Identities: much like humans, machines must identify and authenticate themselves when they connect to other resources or to one another, but they do so with cryptographic keys and digital certificates rather than passwords.
Enterprise resource access policies are based on identity and assigned attributes. The primary requirement to access corporate resources is based on the access privileges granted to a given user, service, or machine. To cater for a more adaptive authentication, the policy enforcement may consider other factors as well, such as device used, asset status, and environmental factors.
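The following Go program is an added example, written for this page and not code from the article or from any product, of what a machine identity looks like in practice: an issuing CA, a short-lived workload certificate that carries a SPIFFE-style URI SAN, and the relying party's verification of it. The trust domain `example.internal`, the path `/ns/prod/sa/payments`, the CA name and the one-hour lifetime are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// newCA mints a self-signed issuing CA; its name and one-day lifetime are assumptions.
func newCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Workload CA"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trustAnchors builds the relying party's root set from the CAs it has chosen to trust.
func trustAnchors(cas ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	return pool
}

// issueWorkloadCert issues a short-lived client certificate whose only identity is a
// SPIFFE-style URI SAN, spiffe://<trustDomain><path>. No hostname, no IP address.
func issueWorkloadCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, trustDomain, path string, ttl time.Duration, now time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random, as a real CA would
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{{Scheme: "spiffe", Host: trustDomain, Path: path}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authenticateWorkload is the relying party's check: the certificate must chain to our
// trust anchors, be valid at `now`, carry the client-auth EKU, and name an identity in
// our trust domain. Where the peer connected from is deliberately not an input.
func authenticateWorkload(cert *x509.Certificate, roots *x509.CertPool, trustDomain string, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain verification failed: %w", err)
	}
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" && u.Host == trustDomain {
			return u.String(), nil
		}
	}
	return "", fmt.Errorf("no identity in trust domain %q", trustDomain)
}

func main() {
	now := time.Now()
	ca, caKey, err := newCA(now)
	if err != nil {
		panic(err)
	}
	leaf, err := issueWorkloadCert(ca, caKey, "example.internal", "/ns/prod/sa/payments", time.Hour, now)
	if err != nil {
		panic(err)
	}
	for _, at := range []time.Time{now, now.Add(2 * time.Hour)} { // second check is after expiry
		id, err := authenticateWorkload(leaf, trustAnchors(ca), "example.internal", at)
		fmt.Printf("checked at +%v: identity=%q err=%v\n", at.Sub(now), id, err)
	}
}
```

The verification step is where the tenets bite: the check is identical whether the peer connected from the data centre or from the internet, a certificate that was valid an hour ago fails once it has expired, and a certificate with exactly the right name but issued by a CA outside the configured trust anchors is rejected outright.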
Enhanced identity governance works well for enterprises with an open network model, as well as those that use cloud-based applications and services that aren't as flexible, in terms of network controls, as enterprise-owned environments.
Network Micro-Segmentation
An enterprise can also choose to implement Zero Trust through network micro-segmentation and gateway security components. In this approach, intelligent switches (or routers), Next Generation Firewalls (NGFWs), and/or Software Defined Network (SDN) components are used to enforce policy and protect each resource or group of related resources.
However, this approach still requires an identity governance program to function fully, because users, services, and machines must be authenticated before they can be authorized to reach a segment. In addition, given the complexity and distribution of corporate networks, segmenting them properly can be a time-consuming, resource-intensive, and error-prone exercise.
Identity is at the core of any Zero Trust approach. Access management is critical in the Zero Trust model. Evaluating identity during the authentication and authorization process ensures that a user is who they say they are, using the resource they are entitled to, no matter where they are.
Digital transformation, changing work patterns and emerging technologies have been a real challenge for traditional perimeter security solutions. In fact, it is safe to say that these traditional solutions are no longer adequate to protect modern enterprises effectively. Using legacy security solutions to satisfy new business requirements and to enforce authentication and authorization hampers productivity, scalability and user experience, and increases operational costs.
The access question
Users demand unprecedented access to applications and data outside the traditional firewall. These users access corporate resources from anywhere, often using privately-owned devices that are not secured in accordance with corporate policies. In addition, numerous machines and cloud services are either connecting with each other or communicating with corporate resources on-premise to exchange data.
How can security teams ensure, at all times, that all these parties are legitimate? They cannot rely on a static, one-time authentication; they need an adaptive, contextual mechanism that continuously re-evaluates the identity of the party requesting access to corporate resources.
The visibility question
The second challenge security teams face is lack of visibility. Having visibility into the identities of the human and non-human entities requesting access to corporate resources is the foundation of every successful security program.
How can you secure something if you don't know it exists? Many recent outages and security incidents have been caused by forgotten X.509 certificates that expired unexpectedly. The situation is only getting worse as more machines are deployed every day; industry surveys have repeatedly found that machine identities outnumber human identities, by roughly ten to one.
Coupled with the visibility problem are the privileges associated with these identities and the level of access they provide. A compromised privileged account can be the Trojan Horse that lets attackers gain access to corporate networks, move laterally, and exfiltrate sensitive data undetected.
The machine identity gap
Today, there are many more machines on a network than there are users. Machines aren't just the physical devices in your data center; now they include everything from IoT devices and sensors to software-defined workloads and the code running on them.
Unfortunately, cryptographic keys and digital certificates used to identify machines on the network and determine levels of trust are frequently untracked and mismanaged. For example, SSH keys used for securing admin access to Linux-based systems accumulate on the network over time, creating excessive levels of trust that can be exploited. Without proper visibility, control, and key rotation policies in place, it isn't possible to achieve Zero Trust security.
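As an added example, not code from the article, the following Go program gives the kind of visibility the paragraph above asks for: it parses `authorized_keys` lines, decodes the SSH wire-format public key, computes the OpenSSH-style SHA256 fingerprint, and flags keys that are weak, unrestricted or ownerless. The two sample lines are constructed at runtime from freshly generated keys; the `from=`/`command=` options, the 2048-bit RSA threshold and the owner-in-comment convention are assumptions, and only `ssh-*` key types are recognised.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"strings"
)

// KeyRecord is one inventory entry for an authorized_keys line.
type KeyRecord struct {
	Type, Fingerprint, Comment string   // key type, OpenSSH-style SHA256 fingerprint, owner hint
	Bits                       int      // RSA modulus size; 256 for ed25519
	Restricted                 bool     // line carries from= or command= options
	Findings                   []string // hygiene problems a reviewer should act on
}

// RFC 4251 "string" and "mpint" encodings, used both to build the sample and to parse it.
func sshString(b []byte) []byte {
	return append(binary.BigEndian.AppendUint32(nil, uint32(len(b))), b...)
}

func sshMpint(n *big.Int) []byte {
	if b := n.Bytes(); len(b) > 0 && b[0]&0x80 != 0 {
		return sshString(append([]byte{0}, b...)) // leading zero keeps the value positive
	}
	return sshString(n.Bytes())
}

func readString(b []byte) (val, rest []byte, ok bool) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, false
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], true
}

// parseLine handles "[options] type base64-blob [comment]" and records findings.
func parseLine(line string) (KeyRecord, error) {
	fields := strings.Fields(line)
	idx := 0 // index of the key type; 1 when the line starts with options
	if len(fields) > 0 && !strings.HasPrefix(fields[0], "ssh-") {
		idx = 1 // note: quoted spaces inside options are not handled here
	}
	if len(fields) < idx+2 {
		return KeyRecord{}, fmt.Errorf("no key type/blob in %q", line)
	}
	rec := KeyRecord{Type: fields[idx], Comment: strings.Join(fields[idx+2:], " ")}
	opts := strings.Join(fields[:idx], "")
	rec.Restricted = strings.Contains(opts, "from=") || strings.Contains(opts, "command=")
	blob, err := base64.StdEncoding.DecodeString(fields[idx+1])
	if err != nil {
		return rec, err
	}
	sum := sha256.Sum256(blob)
	rec.Fingerprint = "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
	typ, rest, ok := readString(blob)
	if !ok || string(typ) != rec.Type {
		return rec, fmt.Errorf("blob type does not match %q", rec.Type)
	}
	switch rec.Type {
	case "ssh-rsa": // blob layout: type, e, n
		var n []byte
		if _, rest, ok = readString(rest); ok {
			n, _, ok = readString(rest)
		}
		if !ok {
			return rec, fmt.Errorf("truncated RSA blob")
		}
		rec.Bits = new(big.Int).SetBytes(n).BitLen()
	case "ssh-ed25519":
		rec.Bits = 256
	}
	if rec.Type == "ssh-rsa" && rec.Bits < 2048 {
		rec.Findings = append(rec.Findings, "RSA key shorter than 2048 bits")
	}
	if !rec.Restricted {
		rec.Findings = append(rec.Findings, "no from=/command= restriction")
	}
	if rec.Comment == "" {
		rec.Findings = append(rec.Findings, "no comment, owner unknown")
	}
	return rec, nil
}

// sampleLines returns two constructed authorized_keys lines built from freshly generated keys.
func sampleLines() []string {
	edPub, _, _ := ed25519.GenerateKey(rand.Reader)
	edBlob := append(sshString([]byte("ssh-ed25519")), sshString(edPub)...)
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 1024) // deliberately weak for the demo
	rsaBlob := append(sshString([]byte("ssh-rsa")), sshMpint(big.NewInt(int64(rsaKey.E)))...)
	rsaBlob = append(rsaBlob, sshMpint(rsaKey.N)...)
	enc := base64.StdEncoding.EncodeToString
	return []string{
		`from="10.0.0.0/8",command="/usr/bin/backup" ssh-ed25519 ` + enc(edBlob) + " backup@bastion",
		"ssh-rsa " + enc(rsaBlob), // no restrictions, no owner comment
	}
}
```

Feed every account's `~/.ssh/authorized_keys` through `parseLine` (skipping blank and `#` lines) and aggregate the records by fingerprint: the same key authorized on dozens of hosts, with no `from=` restriction and no owner, is precisely the accumulated, excessive trust the paragraph above warns about, and the fingerprint is what you will need when you decide which keys to revoke.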
"Cryptography is a critical infrastructure for digital business and, therefore, requires attention and investment." (Technology Insight for X.509 Certificate Management, David Mahdi and David Collinson)
How Cryptography Enables Zero Trust
Cryptography is everywhere. It's used at all layers of the stack to protect data, secure connections, and ensure the integrity of machines and the code running on them. It's the foundation of trust. If even one key or certificate is compromised, it can not only cause serious damage and disruption, but also erode trust in your infrastructure and your business.
A threat to cryptography, in whatever form, is a serious threat to digital trust, reliability, societies, and national economies. Reports and surveys highlight the importance of machine identities to our trust infrastructures. Attackers understand this too, which is why credentials are such a lucrative target: stolen or compromised credentials, such as SSH keys and code-signing keys, are increasingly the cause of data breaches and security incidents.
Despite their importance, many organizations are still employing bad hygiene practices for managing their keys and certificates. Without proper management, machine identities cannot be trusted, and therefore cannot be used to establish trust in corporate networks.
Why Zero Trust requires machine identity management
All cryptographic assets (SSH, SSL/TLS, code signing, etc.) must be managed effectively and protected from misuse to ensure that every identity can be verified and trusted.
Machine identity management aims to establish and manage trust in the identity of every machine across your enterprise. It enables an organization to manage the lifecycle of the credentials it relies on to build trust, and to achieve crypto-agility.
Cryptographic incidents, such as the compromise of an encryption protocol, or advances in technology, such as quantum computing, make agility an essential component of trust. Organizations need to be agile enough to respond swiftly to such events without disrupting their trust infrastructure.
To achieve that, a strong identity governance and administration strategy must be in place. The strategy should help to discover and manage identities and credentials throughout the lifecycle.
The strategy and the tools used to implement enterprise-wide machine identity management should allow for the following:
- Visibility: Continuous discovery of all keys and certificates is critical to know how many you have, who they belong to, what access they provide, and when they need to be rotated or renewed.
- Governance: Ensuring proper ownership and control over how keys are generated, used and distributed is critical to prevent misuse or theft.
- Protection: Keys must be generated securely and with adequate entropy, issuing authorities must be trusted, and private keys must be stored securely. If these protections aren't in place, machine identities can't be trusted.
- Distribution: Automating the issuance and distribution of credentials is critical for establishing and maintaining trust, especially with short-lived, ephemeral workloads.
- Rotation: Automated rotation or renewal of keys, secrets, and certificates is key to minimizing the outages and vulnerabilities caused by expired or weak credentials.
Knowing who and what can be trusted to access critical data and infrastructure is a serious challenge. Keyfactor empowers enterprises of all sizes to securely connect trusted people, devices, and applications across their business.