Zero Trust Architecture 101
Zero Trust Architecture (ZTA) is defined by the General Services Administration as an approach to “cyber security that assumes all networks and traffic are hostile in nature, and that any implicit trust in users should be eliminated.” ZTA is a hot topic across the security industry right now. It is no silver bullet, but with the steady rise in cyber-attacks and remote work it has become a necessary step toward making organizational architectures more secure.
Today we are going to walk through the basics of ZTA, with a bonus opinion section by yours truly:
The NIST SP 800-207 Model
The Seven Tenets
With this information in mind, hopefully your organization can begin taking steps toward implementing its own zero trust policies.
1. NIST SP 800-207
As of now, the reference standard for ZTA is NIST SP 800-207, pictured below in figure 1 (image taken from Crowdstrike). You will find it throughout the federal government: Executive Order 14028 (May 2021) directed every federal agency to develop a plan for implementing zero trust architecture in line with NIST guidance. The model itself is fairly straightforward and promotes a “cloud-first, work from anywhere” environment. With the growth of remote work the push for ZTA matters more than ever, and while it can get frustrating to keep re-authenticating to company resources through multiple steps, those extra checks pay off in the long run.
2. The Seven Tenets
As summarized by the General Services Administration, there are seven tenets of a successful zero trust plan (they originate in NIST SP 800-207).
I. Rigorous enforcement:
a. Authentication and authorization are evaluated and strictly enforced before every access, for all resources, old and new. Nothing is reachable implicitly; every access needs an explicit grant.
II. Maintaining asset integrity:
a. Monitor the security posture and integrity of all assets, owned or associated, and continuously watch them for threats. Assets that fall out of compliance (unpatched, unmanaged, or suspected compromised) are treated differently, up to denying them access.
III. Gathering data to further improve:
a. Collect as much information as possible about asset state, network infrastructure, and communications, and feed it back into policy to improve the organization's security posture.
IV. Consider every data source and computing device or service as a resource:
a. Anything that holds data or provides a service to the enterprise is a resource, including SaaS applications and personally owned devices that are permitted to reach enterprise resources.
V. Keep all communication secured:
a. Network location alone implies no trust. A request from the corporate LAN must meet the same authentication and encryption requirements as one from the public internet.
VI. Resource access granted on a per-session basis:
a. Least privilege is enforced: each grant covers one resource, for one session, with the minimum privileges needed to complete the task. Being authorized to one resource does not automatically authorize access to another; that requires a new request and a new evaluation.
VII. Mediate access with a dynamic policy:
a. Access decisions come from policy that weighs the observable state of the identity, the requesting device (e.g., OS version, patch level, installed software), and the request itself, such as network location and time of access, and that is re-evaluated as those attributes change.
When these tenets are applied together, the result is a working zero trust model.
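As an added example (not part of the original post, and not code from NIST or the GSA), the following Python sketch of a policy decision point shows what tenets I through VII look like once they are written down as code rather than prose. The resource inventory, users, devices, posture thresholds, the eight-hour MFA window and the one-hour session lifetime are all constructed for illustration; real deployments take these from an identity provider, an MDM/EDR feed and an organization's own risk appetite.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Tenet IV: every data source and computing service is an inventoried resource with
# its own posture requirements and allowed roles. Constructed sample data throughout.
RESOURCES: Dict[str, dict] = {
    "payroll-db": {"max_patch_age_days": 14, "roles": {"payroll-admin"}},
    "wiki": {"max_patch_age_days": 60, "roles": {"employee", "payroll-admin"}},
}
MFA_MAX_AGE = timedelta(hours=8)  # tenet I: this morning's login does not last all week
SESSION_TTL = timedelta(hours=1)  # tenet VI: grants are short-lived and per resource
AUDIT_LOG: List[dict] = []        # tenet III: every decision is kept to refine policy

@dataclass
class Device:
    device_id: str
    mdm_enrolled: bool
    disk_encrypted: bool
    os_patched_at: datetime

@dataclass
class Principal:
    user: str
    roles: Set[str]
    mfa_verified_at: Optional[datetime]

@dataclass
class Session:
    user: str
    resource: str          # a session is scoped to exactly one resource
    expires_at: datetime

@dataclass
class Request:
    principal: Principal
    device: Device
    resource: str
    source_network: str    # recorded for analysis, never consulted (tenet V)
    now: datetime

@dataclass
class Decision:
    allow: bool
    reasons: List[str]
    session: Optional[Session] = None

def evaluate(req: Request) -> Decision:
    """Policy decision point: apply the tenets to one access request."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return _record(req, Decision(False, ["unknown resource, deny by default"]))
    reasons: List[str] = []
    # Tenet I: authentication is re-checked on every request.
    mfa_at = req.principal.mfa_verified_at
    if mfa_at is None or req.now - mfa_at > MFA_MAX_AGE:
        reasons.append("fresh MFA required")
    # Tenets II and VII: device integrity and posture drive a dynamic decision.
    if not req.device.mdm_enrolled:
        reasons.append("device not enrolled in management")
    if not req.device.disk_encrypted:
        reasons.append("disk not encrypted")
    if req.now - req.device.os_patched_at > timedelta(days=res["max_patch_age_days"]):
        reasons.append("OS patch level too old for this resource")
    # Tenet VI: least privilege, authorization evaluated per resource.
    if not (req.principal.roles & res["roles"]):
        reasons.append("role not authorized for this resource")
    # Tenet V: req.source_network appears nowhere above; being on "corp-lan" earns nothing.
    if reasons:
        return _record(req, Decision(False, reasons))
    grant = Session(req.principal.user, req.resource, req.now + SESSION_TTL)
    return _record(req, Decision(True, ["all checks passed"], grant))

def session_permits(session: Session, resource: str, now: datetime) -> bool:
    """Tenet VI: a grant covers one resource for one window, nothing more."""
    return session.resource == resource and now < session.expires_at

def _record(req: Request, decision: Decision) -> Decision:
    AUDIT_LOG.append({"user": req.principal.user, "device": req.device.device_id,
                      "resource": req.resource, "network": req.source_network,
                      "allow": decision.allow, "reasons": decision.reasons})
    return decision

# Constructed demo: the same user on a managed laptop and on an unmanaged phone.
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
ALICE = Principal("alice", {"payroll-admin", "employee"}, NOW - timedelta(minutes=5))
LAPTOP = Device("lt-0042", True, True, NOW - timedelta(days=3))
BYOD_PHONE = Device("phone-byod", False, True, NOW - timedelta(days=40))

def demo():
    from_internet = evaluate(Request(ALICE, LAPTOP, "payroll-db", "internet", NOW))
    from_corp_lan = evaluate(Request(ALICE, BYOD_PHONE, "payroll-db", "corp-lan", NOW))
    reused_for_wiki = session_permits(from_internet.session, "wiki", NOW + timedelta(minutes=10))
    after_expiry = session_permits(from_internet.session, "payroll-db", NOW + timedelta(hours=2))
    return from_internet.allow, from_corp_lan.allow, from_corp_lan.reasons, reused_for_wiki, after_expiry

if __name__ == "__main__":
    print(demo())
```

The two demo requests are the point of tenet V: the managed laptop on the public internet is allowed into payroll-db, while the unmanaged, under-patched phone is refused even though it sits on the corporate LAN, because `source_network` is logged but never used as a trust signal. The session checks show tenet VI: the grant for payroll-db does not carry over to the wiki, and it lapses on its own after the session window. Everything lands in `AUDIT_LOG`, which is the raw material tenet III says to collect before tightening thresholds.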
3. Chris’s Thoughts
As a concept, I support zero trust. Specifically, I support the notion that we should assume every environment is hostile and that sensitive information should always be protected as a result. Ideally, we place a high priority on protecting administrator credentials, with an equal if not higher priority on protecting the web server. The flaw in the system as it stands now is that only the web server receives proper protection, leaving administrators who, say, join the server over a wireless network at high risk. Zero trust addresses this issue, where most risk management frameworks would not rank these types of risks as highly as those directly associated with the web server.
Zero trust, however, is by no means perfect, and its biggest flaw is written right into the first tenet above. “Rigorous enforcement” requires that old resources an organization may have relied on in the past be replaced, as they may not be capable of this level of authentication. This creates a financial hurdle for many organizations that may not be prepared for an upfront investment and may feel overwhelmed by the initial cost.
When it comes to initiating zero trust at your organization, it is important to remember that incremental change is still change, and it is certainly still effective. Overhauling entire systems upfront is not feasible for many organizations, and if you are a security professional pushing for the adoption of this framework, the initial cost could very well put off organization leaders. Start small. First determine what assets exist under the organization’s control and who is responsible for each. Get a comprehensive inventory of all systems, and from there create a game plan for how best to begin updating and/or replacing them to build a zero trust framework that suits your organization’s needs.