Stopping an attacker bursting through the network perimeter is the “traditional” focus of organisations. The inside of the network is viewed as safe and users are given broad access to resources within it. The trouble with this approach is that unauthorised lateral movement within a network has become an enormous challenge for some organisations.
What is lateral movement? Check out this article I wrote on the Target hack in America, through which the Target Point of Sale systems were hacked and 40 million credit card details were stolen. The attackers' entry point into the network was via the internet-connected HVAC (Heating, Ventilation & Air Conditioning) system, after one of the HVAC sub-contractors unwittingly fell victim to a phishing email campaign.
From the compromised HVAC system the attackers simply hopped from system to system with ease. Target weren't looking for abnormal activity (of which there was a lot, such as people creating new administrator accounts), so the criminals did as they pleased. If a Zero Trust Model had been adopted by Target, each hop would have required fresh verification of the user and device, and the lateral movement would have been made impossible.
What is the Zero Trust Model?
“A zero-trust model is not about users being untrustworthy. Rather it is about strongly authenticating, authorizing and inspecting all traffic flow at all times to ensure malware and attacks don’t sneak in accidentally or maliciously.”
NIST offers an even more detailed definition:
“An operative definition of ZTA is as follows:
Zero Trust Architecture (ZTA) provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services.
This definition focuses on the crux of the issue, which is to eliminate unauthorized access to data and services, coupled with making the access control enforcement as granular as possible. That is, authorized and approved subjects (user/machine) can access the data to the exclusion of all other subjects (i.e., attackers). To take this one step further, the word “resource” can be substituted for “data” so that ZTA is about resource access (e.g., printers, compute resources, IoT actuators, etc.) and not just data access. In order to lessen uncertainties (as they cannot be totally eliminated), the focus is on authentication, authorization, and shrinking implied trust zones while minimizing temporal delays in network authentication mechanisms. Access rules are restricted to least privilege and made as granular as possible.”
How about in English?
Historically, when all your IT resources were housed at your office, you knew where everything was and it was relatively straightforward to contain and secure your resources. At the very least, at a conceptual level, you knew where your data was, where your email system was, and the gateway in and out of your network was your, well, Gateway (sometimes confused with a Firewall).
Today, the wide adoption of Software as a Service (SaaS) applications, migrations to cloud-based architectures, a growing number of remote users and the sudden inclination to Bring Your Own Device (BYOD) have rendered perimeter-based security largely irrelevant.
With IT teams often not given appropriate budget to alter these traditional defence models, businesses find themselves more exposed than ever to new threats.
What is Zero Trust Security and why is it important?
A Zero Trust model completely replaces the old way of security thinking, which is perimeter-centric security architecture. Zero Trust assumes that everything is hostile, whether it's external or internal, which ensures that security and access decisions are enforced based on identity, device and user context – rather than on whether a request originates inside or outside your known perimeter.
This results in a fundamental shift in the way access is provided: users are given application-only access, not network access.
Is VPN dead?
A Virtual Private Network (VPN) is a legacy remote access technology that allows users access into their corporate network (or some other network). This type of remote access poses a threat to business security because it creates a hole in the corporate firewall and trusts all of the traffic that comes through it. If a malicious outsider were to gain access to VPN credentials (hello phishing emails!) then they would instantly have trusted access into your network.
Once an attacker is inside, they are free to move about your network laterally to commence work on accessing and exploiting any system or application that resides within the network. VPNs aren’t necessarily simple systems to implement and maintain either, so you have the double effect of high maintenance and support costs coupled with a security risk.
Network segmentation has been used in the past as a countermeasure against this type of access; however, if it's not implemented properly (such as granting "permit any" access) you still run the risk of attackers moving around your network freely – all whilst you think that the security hole is non-existent.
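To make the "permit any" point concrete, here is an added example (not code from the original article) that reviews a constructed set of inter-zone firewall rules: it flags rules that use "any" for the source, destination or port, and walks the rules to show which zones would be reachable from a single compromised zone. The zone names, rules and the "hvac" starting zone are constructed for illustration and mirror the scenario described above.

```python
"""Segmentation-rule review: flag "permit any" rules and show how far an
intruder in one compromised zone could move laterally under the rule set.

Added example, not code from the original article. The zones, rules and
starting zone below are constructed for illustration.
"""
from collections import deque

# Constructed inter-zone rules: (source zone, destination zone, destination port).
# "any" in any field is the "permit any" style rule the article warns about.
RULES = [
    ("vendor-vpn", "hvac", 443),
    ("hvac", "any", "any"),          # overly permissive: HVAC may reach everything
    ("corp-users", "file-servers", 445),
    ("file-servers", "pos", "any"),  # any port from file servers into POS
    ("corp-users", "internet", 443),
]

ZONES = {"vendor-vpn", "hvac", "corp-users", "file-servers", "pos", "internet"}


def permissive_rules(rules):
    """Return rules that use "any" for source, destination or port."""
    return [r for r in rules if "any" in r]


def reachable_zones(rules, start, zones=ZONES):
    """Breadth-first walk over the rules: every zone reachable from `start`,
    directly or by hopping through intermediate zones. A destination of "any"
    expands to every other zone; a source of "any" matches every zone."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _port in rules:
            if src not in (zone, "any"):
                continue
            targets = (zones - {zone}) if dst == "any" else {dst}
            for target in targets:
                if target not in seen:
                    seen.add(target)
                    queue.append(target)
    seen.discard(start)
    return sorted(seen)


def without_permissive(rules):
    """The same rule set with every "permit any" rule removed."""
    return [r for r in rules if "any" not in r]


if __name__ == "__main__":
    print("permissive rules:", permissive_rules(RULES))
    print("reachable from hvac:", reachable_zones(RULES, "hvac"))
    print("reachable from hvac after tightening:",
          reachable_zones(without_permissive(RULES), "hvac"))
```

Run as written, the walk from the compromised "hvac" zone reaches every other zone because of the single any/any rule, while the tightened rule set leaves it with no onward path; the same walk from "corp-users" still reaches "pos" via the file servers, which is the kind of indirect path a segmentation review should surface.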
How do I enable Zero Trust?
Unfortunately, it's not a switch or a technology that you can purchase off the shelf. It's a fundamental shift in ideology for organisations to enable Zero Trust, because users must be granted access to only the applications they need for their role. The applications (and the servers they reside on) must also be checked to ensure that only the required information that flows between them (if any) is allowed. The access granted to users needs to be based on entitlement, user identity, device posture, authentication and authorisation.
Additionally, the shift to Zero Trust improves governance, which in turn provides additional visibility and insight into who and what is accessing applications, where data is going to and coming from, and how it is all being accessed.
Grant users access only to those applications they need — and base that access on entitlement, user identity, device posture, authentication, and authorization.
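The decision inputs listed above (entitlement, user identity, device posture, authentication and authorisation) can be written down as a small policy function. The following is an added example, not code from the original article: it evaluates one application request per call, denies on any failed check regardless of where the request comes from, and emits a JSON audit line of the kind a SIEM could ingest. The users, roles, devices, applications and sessions are all constructed for illustration.

```python
"""Zero Trust access decision for a single application request.

Added example, not code from the original article. Users, roles, devices,
applications and sessions below are constructed for illustration.
"""
from dataclasses import dataclass
import json
import time


@dataclass
class Device:
    device_id: str
    managed: bool            # enrolled in the organisation's device management
    disk_encrypted: bool
    os_patch_age_days: int   # days since the last OS patch was applied


@dataclass
class Session:
    user: str
    mfa_verified: bool
    device: Device
    source_ip: str           # recorded for the audit trail; never used to grant trust


@dataclass
class Application:
    name: str
    entitled_roles: set                  # roles allowed to use the application
    require_managed_device: bool = True
    max_patch_age_days: int = 30


# Constructed directory data: which roles each user holds.
USER_ROLES = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "hvac-vendor": {"vendor"},
}

# Constructed application catalogue with per-application entitlements.
APPS = {
    "payroll": Application("payroll", {"finance"}),
    "hvac-console": Application("hvac-console", {"vendor"}, require_managed_device=False),
    "pos-admin": Application("pos-admin", {"pos-ops"}),
}


def evaluate(session: Session, app_name: str) -> dict:
    """Policy decision point: return {"allow": bool, "reasons": [...]}.

    Every check runs on every request; a failed check denies this
    application only (application-only access, not network access)."""
    app = APPS.get(app_name)
    if app is None:
        return {"allow": False, "reasons": ["unknown application"]}
    reasons = []

    # Identity and authentication strength.
    roles = USER_ROLES.get(session.user)
    if roles is None:
        reasons.append("unknown user")
    if not session.mfa_verified:
        reasons.append("MFA not completed")

    # Entitlement: at least one of the user's roles must be permitted for the app.
    if roles is not None and not (roles & app.entitled_roles):
        reasons.append(f"no entitlement to {app.name}")

    # Device posture.
    d = session.device
    if app.require_managed_device and not d.managed:
        reasons.append("unmanaged device")
    if not d.disk_encrypted:
        reasons.append("disk not encrypted")
    if d.os_patch_age_days > app.max_patch_age_days:
        reasons.append(f"OS patches older than {app.max_patch_age_days} days")

    return {"allow": not reasons, "reasons": reasons}


def audit_record(session: Session, app_name: str, decision: dict, now=None) -> str:
    """One JSON line per decision, suitable for shipping to a SIEM."""
    return json.dumps({
        "ts": time.time() if now is None else now,
        "user": session.user,
        "device": session.device.device_id,
        "src_ip": session.source_ip,
        "app": app_name,
        "allow": decision["allow"],
        "reasons": decision["reasons"],
    }, sort_keys=True)


# Constructed sessions: a managed finance laptop and an unmanaged vendor PC.
LAPTOP = Device("lt-0042", managed=True, disk_encrypted=True, os_patch_age_days=5)
VENDOR_PC = Device("vendor-pc-1", managed=False, disk_encrypted=True, os_patch_age_days=10)
ALICE = Session("alice", mfa_verified=True, device=LAPTOP, source_ip="203.0.113.10")
VENDOR = Session("hvac-vendor", mfa_verified=True, device=VENDOR_PC, source_ip="198.51.100.7")

if __name__ == "__main__":
    for session, app in [(ALICE, "payroll"), (ALICE, "pos-admin"),
                         (VENDOR, "hvac-console"), (VENDOR, "pos-admin")]:
        print(audit_record(session, app, evaluate(session, app)))
```

The vendor session is allowed into its own console and denied the POS administration application on two independent grounds (no entitlement and an unmanaged device); nothing about the source address or "being inside" the network enters the decision, which is the shift from network access to application access described above.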
What are some key technologies to consider?
- Isolate Your Network Infrastructure From the Public Internet
- Put Identity, Authentication, and Authorization in Place Before Providing Access
- Multi-factor authentication is a must. Weak credentials, along with the reuse of usernames and passwords across applications, significantly increase an enterprise’s attack surface.
- Use Advanced Threat Protection to Defend Against Phishing, Zero-Day Malware, and DNS-Based Data Exfiltration
- Monitor Internet-Bound Traffic and Activity
- Support Integration with Security Information and Event Management (SIEM)
More details about these key technologies can be found here from the 27th of Jan 2020.