Modern Identity-Based Zero Trust Security Explained

Zero Trust security starts from the idea that we should have a “trusted” internal network or an “untrusted” external network. The adoption of mobile and cloud states that we can no longer have a network perimeter-centric view of security; instead, we require to securely enable access for the various users (representatives, partners, contractors, etc.) irrelevant of their location, device, or network. Within Cloud, but from many perspectives also within the work-from-home context, we could even say that what was considered “internal” is indeed external, and vice versa.

SECURITY FOR A NEW WORLD: IDENTITY-BASED ZERO TRUST

Zero trust means replacing implicit types of access decisions with explicit, risk-appropriate, lean-trust access decisions.

On the other side, there is no silver bullet for gaining a Zero Trust security architecture, but the identity and access management is the core technology that businesses should start with on their Zero Trust journey.

Identity and access management(IAM) is a collective term that covers products, processes, and policies incorporated to manage user identities and regulate user access within a company. “Access” and “user” are two key IAM concepts. “Access” points to actions permitted to be done by a user (like view, create, or change a file). “Users” could be workers, partners, contractors, suppliers, or customers. Furthermore, employees can be further divided based on their roles.

The enhanced adoption of cloud applications and an expanding remote workforce are revolutionizing network security. In a traditional setting, the focus was on perimeter-based security — assuming that everything behind the corporate firewall is safe. However, organizations have to rethink the philosophy of absolute trust in a corporate network. The Zero Trust model welcomes a new blueprint for access and treats all users, internal or external, as untrusted.

By implementing Zero Trust’s principle in identity and access management, organizations need not make a trade-off between a strong security position in the network and a productive end-user experience.

The Zero Trust Network

The Zero Trust Network, or Zero Trust Architecture, model was built by John Kindervag in 2010, who was a principal analyst at Forrester Research Inc.[1]

Now, seven years later, CISOs, CIOs, and other corporate executives are increasingly implementing Zero Trust as the technologies that support its move into the mainstream, as the obligation to protect enterprise systems and data advances significantly, and as attacks become more advanced.

Zero Trust is a security theory centered on the belief that organizations should not automatically presume anything inside or outside its perimeters and instead must verify anything and everything attempting to connect to its systems before granting access. The policy around Zero Trust boils down to don’t trust anyone. We are talking about, ‘Let’s cut off all entrance until the network knows who you are. Don’t enable access to IP addresses, machines, etc., until you recognize who that user is and whether they’re authorized’.

Adapting Zero Trust

Several enterprise IT shops are already doing several pieces of Zero Trust, experts say. They usually have multifactor authentication, IAM, and permissions in place. They are also increasingly implementing micro-segmentation in parts of their environment.

Yet developing a Zero Trust environment isn’t just about implementing these individual technologies. Instead, it’s about using these and other technologies to enforce the idea that no one and nothing has access until they have proven they should be trusted. The real challenge is to try to throw technology at the strategy and expect you to get it right. It’s better to incorporate the strategy and then incorporate technology iteratively. Not surprisingly, businesses will find that getting to Zero Trust is not an overnight success. Nor will it be simple, particularly if they have legacy methods that don’t transition well to this new model.

Another issue in moving to Zero Trust is getting staff to think in this new way. Most organizational IT experts have been equipped, unfortunately, to implicitly trust their environments. Everybody has been prepared to think that the firewall is blocking the bad guys out. People need to adjust their mindset and realize that the bad actors are already in their environment. Organizations also require to understand that Zero Trust requires ongoing effort (as does any other thriving IT or security protocol) and that certain pieces of the Zero Trust application may create more challenges than others.

For example, the ongoing work that comes with micro-segmentation, where teams must be certain to configure changes properly and update changing IP data to guarantee no interference in the access required for employee work or corporate transactions. Otherwise, companies could be dealing with a work stoppage.

A lot of companies are thinking, ‘If I get malware and it prevents me from doing business, and if I have a misconfiguration that stops me for a day, those are both bad, as the ongoing work needed with the micro-segmentation approach could point to a lot of Band-Aids and that can make networks more brittle. As a result of the complexities of implementing Zero Trust to legacy and present environments overall, companies haven’t fully implemented the model”. The new generation of security solution can provide the services without these pains.

The Defense Information Systems Agency is moving to a new cybersecurity framework, as Vice Adm. Nancy Norton outlined the “zero trust” model recently[2]. Norton described the new model as a way to help prevent data breaches by switching from a network-centric to a data-centric security model. “Zero trust is designed to ensure the people and devices accessing our critical infrastructure, resources and information are the ones who are supposed to be accessing them,” Norton said. The framework moves security standards beyond the traditional moat-and-castle format, which focuses on hardening the network perimeter and managing entry. However, this model remains vulnerable to adversaries because once they cross the “moat,” they can move freely throughout the “castle.”[3]

According to Norton’s explanation, this is one of the three key principles of zero trust: never trust, always verify. The second is to assume breach, which bucks the castle-and-moat assumption that everything inside the perimeter is safe. The third element of zero trust is to provide explicit verification for access to the network and data.

Norton added that implementing zero trust in classified networks is imperative, even though perimeters for those networks are already stronger than average: “The moat might be stronger, but the castle is that much more important,” Norton said. “So we can’t let our guard down, we have to have the same kind of defenses. The zero trust principles are even more important when we get to our classified networks.” To guarantee a successful implementation of Zero Trust architecture, stringent security and access policies must be in place. This enhances the need to have an effective IAM solution that can accelerate your Zero Trust policy’s efficiency.

Identity-based micro-segmentation has rapidly become accepted as a best practice for cloud security and enabling zero trusts. In Gartner’s April 2020 report, Market Guide for Cloud Workload Protection Platforms, analysts Neil MacDonald and Tom Croll write[4]:

“Some vendors focus exclusively on micro-segmentation. In all cases, the solution should support the growing requirement for identity-based “micro-segmentation” (more granular, software-defined segmentation also referred to as zero trust network segmentation) of east/west traffic in data centers.”[5]

Alongside, identity-based segmentation and network visibility are identified as a foundational control on Gartner’s Risk-Based Hierarchy of Workload Protection Controls.

When platforms claim to build zero-trust policies using identity, it is critical to ensure they are not just putting a label on firewall-based policies, which carry similar security risks as a legacy solution that builds policies depending on network addresses.

Why Micro-Segmentation is the First Step to Zero Trust Security

Micro-segmentation is a method to logically build network segments and completely control traffic within and among the segments. It provides the ability to control workloads in a data center or a multi-cloud environment with granular policy controls and limits the spread of lateral threats in the data center.

The concept of network segmentation is not unusual, and traditionally, network firewalls and VLAN ACLs were disposed to carry out segmentation with static IPs and subnets. But there are difficulties and limitations to this approach, including the incapacity to segment and protect cloud workloads.

Fortunately, the development of software-defined micro-segmentation has presented granular segmentation at the host level as a reality. A software-defined framework also permits the segmentation of workloads in hybrid multi-cloud environments, enabling security units to maintain a consistent security posture across the entire network[6].

This unprecedented ability to establish security policies at a granular, host-level makes it feasible for organizations to implement zero-trust security within their security infrastructure, regardless of whether the workloads/applications are in the data center or the cloud.

One of the key principles of a zero-trust approach is never to trust and always verify first. Micro-segmentation at the host level enables security teams to isolate environments and segment workloads and distributed applications. Once segmented, fine-grained security policies can be applied based on a zero-trust approach.

With the right micro-segmentation solution, high-level policies can be defined based on real-world constructs such as user groups, access groups, and network groups and can be applied to multiple applications. Consistent policies can be applied even in a dynamic virtual environment, which was almost impossible with traditional segmentation.

With software-defined micro-segmentation, the application is obscure, and only authorized users can access it. Any connection which cannot be verified by the policy parameters is blocked, ensuring lateral movement and unauthorized access are not only prevented but immediately flagged for investigation and remediation. This builds a zero-trust security micro perimeter around applications and reduces the attack surface to a minimum.

Micro-Segmentation for Your Business

The changing IT landscape makes it increasingly difficult for traditional security solutions to protect the network from cyber threats. As businesses embrace the future with digital transformation and cloud adoption, security will be a primary concern, especially with stringent regulations and compliance requirements coming into force across the world.

Software-defined micro-segmentation enables zero-trust implementation in the existing infrastructure to deliver granular, consistent, and scalable security to meet the dynamic business needs of the future.

Zero Trust approach to security is today coming into the mainstream. Suppose your organization has not yet embraced the Zero Trust security model, or you are in the early stages of implementation. In that case, you can opt for a distributed, software-defined approach to segmentation and micro-segmentation that can speed-up your move to Zero Trust security, supporting both your present and future state data center and cloud infrastructure.

There are many advantages to the additional layer of security micro-segmented networks offer as part of a defense-in-depth strategy. For instance, network segmentation can provide a coarse level of isolation for East/West traffic within a data center, while North/South client application-level access can be enforced with an Identity Aware Application Proxy (IAP) or SDP solution.

References:

https://www.gartner.com/teamsiteanalytics/servePDF?g=/imagesrv/media-products/pdf/Qi-An-Xin/Qi-An-Xin-1-1OKONUN2.pdf

https://download.microsoft.com/download/f/9/2/f92129bc-0d6e-4b8e-a47b-288432bae68e/Zero_Trust_Vision_Paper_Final%2010.28.pdf

https://searchsecurity.techtarget.com/definition/zero-trust-model-zero-trust-network

https://www.sans.org/reading-room/whitepapers/modeling/create-comprehensive-zero-trust-strategy_39790

https://www.zscaler.com/resources/security-terms-glossary/what-is-zero-trust

https://www.edgewise.net/blog/identity-based-microsegmentation-is-foundational-to-cloud-security

https://www.crowdstrike.com/epp-101/zero-trust-security/

https://www.proofpoint.com/us/blog/zero-trust-network-access/its-time-zero-trust-software-defined-perimeter-sdp

https://www.mcafee.com/enterprise/en-in/security-awareness/cloud/what-is-zero-trust.html

https://www.checkpoint.com/solutions/zero-trust-security/

https://www.vmware.com/topics/glossary/content/zero-trust-security

https://www.forcepoint.com/cyber-edu/zero-trust

[1] https://go.forrester.com/blogs/the-tao-of-zero-trust/

[2] https://www.disa.mil/NewsandEvents/2020/Norton-new-cybersecurity-model

[3] https://www.disa.mil/NewsandEvents/2020/Norton-new-cybersecurity-model

[4] https://www.gartner.com/en/documents/3983483/market-guide-for-cloud-workload-protection-platforms

[5] https://www.gartner.com/teamsiteanalytics/servePDF?g=/imagesrv/media-products/pdf/Qi-An-Xin/Qi-An-Xin-1-1OKONUN2.pdf

[6] https://colortokens.com/wp-content/uploads/Xshield-solution-sheet-1.pdf

Zero Trust Isolation — The Best Defense Against Ransomware Propagation. https://airgap.io