Zero Trust Security Architecture Implementation: Second Edition



At the beginning of 2020, the US National Institute of Standards and Technology (NIST) published the second draft of NIST Special Publication 800-207, the document that describes the basic logical components of a Zero Trust Architecture (ZTA).

Zero Trust is an evolving set of network security paradigms built on the principle "trust nothing and no one". Unlike classic approaches that concentrate on perimeter protection, the Zero Trust model focuses on the security of resources rather than on segments of the enterprise network.

Today we will look at a security model built on the principles of zero trust architecture, assess the risks of adopting it, and review some common deployment scenarios.

Zero Trust: The Beginning


The first NIST ZTA draft appeared in September 2019, although the concept of zero trust existed in cybersecurity long before the term "zero trust" itself.

In 2007, the Defense Information Systems Agency (DISA) and the US Department of Defense published a paper on a more secure enterprise strategy called the "Black Core". It proposed moving from a perimeter-based security model to one focused on the security of individual transactions.

In 2010, Forrester Research analyst John Kindervag coined the term "zero trust" to describe a range of solutions that shift the focus of threat perception from a perimeter-based protection strategy to control over all data, wherever it is accessed.

The Zero Trust model was an attempt to solve the classic problem of an intruder who, having penetrated the network, gains access to all of its components. Suffice it to say that, according to the Microsoft Vulnerabilities Report, 88% of critical vulnerabilities could be eliminated, or at least mitigated, by removing admin rights from users.

Perimeter-protected corporate networks grant authenticated users authorized access to a wide range of resources. As a result, unauthorized lateral movement within the network has become one of the most serious cybersecurity problems.

Zero Trust Model


To deploy the Zero Trust model, you grant the minimum access privileges and inspect traffic at the finest granularity available. In a zero trust model you define a "protect surface" consisting of the most critical and valuable data and resources, and map the traffic flows across the organization in terms of how they relate to those protected resources.

Once the connections between resources, infrastructure and services are understood, microperimeters can be created: segment-level gateways (firewalls) around each protected resource. The users who pass through those microperimeters may be anywhere in the world, on a variety of devices, working with a variety of data.

A distinctive feature of Zero Trust architecture is its emphasis on authentication and authorization before access is granted to each company resource, while keeping the latency introduced by those authentication mechanisms to a minimum.

The figure shows an abstract access model in ZTA.


In the model, a user (or device) reaches a corporate resource only through a "checkpoint". The request is evaluated by the Policy Decision Point (PDP), which applies the security policy, and passes through the Policy Enforcement Point (PEP), which is responsible for calling the PDP and correctly acting on its response.

The idea is to move the point of policy enforcement as close to the application as possible. The PDP/PEP cannot apply any additional policy outside of its position in the traffic flow.

Zero Trust Principles


Here are the seven basic tenets of ZT and ZTA, abbreviated from the NIST draft, that should be taken into account when building a secure system. They describe an "ideal goal"; not all of them can be fully implemented in every case.

  1. All data sources and computing services are considered resources. A network may consist of several classes of devices; an enterprise may also classify personally owned devices as resources if they can access enterprise-owned data and services.
  2. All communication is secured regardless of network location. Network location alone does not imply trust: requests from assets on enterprise-owned infrastructure (for example, inside a legacy network perimeter) must meet the same security requirements as requests from any other network.
  3. Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before access is granted, with the least privileges needed for the task, and authentication to one resource does not automatically grant access to another.
  4. Access to resources is determined by dynamic policy, including the observable state of the client identity, the application or service, and the requesting asset (for example, software versions, patch level, location), and may include other behavioural and environmental attributes.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets. No asset is inherently trusted: a continuous diagnostics and mitigation system supplies the posture information used in decisions, and assets found to be subverted or vulnerable are treated differently from healthy ones.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed. This is a constant cycle of access, scanning and assessing threats, adapting, and continually re-evaluating trust; an enterprise implementing a ZTA is expected to have identity, credential and access management and asset management systems in place.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications, and uses it to improve its security posture.



For convenience, the figure shown here is not the original NIST drawing but the version from the Cisco article "Making a Deliberate Cybersecurity Lifestyle Choice".

Many logical components make up a Zero Trust architecture in an enterprise. They can run as on-premises services or in the cloud. The figure above shows an "ideal model" of these logical components and their interactions.

Information about enterprise resources, users, data flows and workflows, combined with the policy rules, forms the input needed to decide whether to grant access to a resource.

When a user (subject) initiates authentication, a digital identity is built around them; in the figure this is shown as the Subject block. Another term for such a user is the Principal: an entity that can be authenticated.

The diagram above is divided into several planes of traffic. The control plane is separated from the rest of the network that may be visible to the user; from the principal's point of view only the data plane of the network exists.

The control plane houses the Policy Decision Point (PDP), which consists of two logical components:

  • Policy Engine (PE), which makes the final decision to grant, deny or revoke a given subject's access to a resource. It feeds enterprise policy and input from external sources (for example, CDM systems and threat intelligence feeds) into a trust algorithm;
  • Policy Administrator (PA), which establishes and/or shuts down the communication path between subject and resource based on the PE's decision. It generates any session-specific authentication token or credential the client uses, and instructs the Policy Enforcement Point (PEP), which sits in the data plane.

The PEP is responsible for enabling, monitoring and, ultimately, terminating connections between a subject and an enterprise resource; it calls the PDP and correctly processes its response. Beyond the PEP lies the implicit trust zone in which the enterprise resource is located.

The remaining blocks (on the left and right of the figure) are security components that can supply the information the PDP/PEP needs to make an access decision. They include, for example, a continuous diagnostics and mitigation (CDM) system that collects information about the current state of enterprise assets.
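To make the PE / PA / PEP split and the per-session access model from the checkpoint figure concrete, here is an added example (not code from NIST or the Cisco article): a toy Policy Engine that decides from subject identity, asset posture and resource sensitivity; a Policy Administrator that turns an "allow" into a short-lived, resource-bound session token; and a Policy Enforcement Point that admits only a valid, unexpired token for its own resource. The attribute names, the three sensitivity classes, the shared HMAC key and the 300-second lifetime are all assumptions for illustration.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Assumed shared signing key between PA and PEP (illustration only; a real deployment
# would use managed keys or asymmetric signatures).
SECRET = b"pa-pep-demo-signing-key"


@dataclass
class Subject:
    principal: str
    mfa: bool = False
    kind: str = "user"  # "user" (person) or "npe" (non-person entity such as a service account)


@dataclass
class Asset:
    enterprise_owned: bool
    patched: bool = True       # posture attributes as a CDM feed might report them (assumed fields)
    edr_healthy: bool = True


@dataclass
class Resource:
    name: str
    sensitivity: str  # "internet", "internal" or "confidential" (assumed classification)


class PolicyEngine:
    """PE: evaluates one request against policy and returns (allow, reason)."""

    def decide(self, s: Subject, a: Asset, r: Resource):
        if r.sensitivity == "internet":
            return True, "internet egress is permitted for any asset"
        if not a.enterprise_owned:
            return False, "non-enterprise asset: corporate resources denied"
        if not (a.patched and a.edr_healthy):
            return False, "asset failed posture check"
        if s.kind == "user" and not s.mfa:
            return False, "MFA required for person subjects"
        if s.kind == "npe" and r.sensitivity == "confidential":
            return False, "NPEs may not access confidential resources"
        return True, "policy satisfied"


class PolicyAdministrator:
    """PA: turns a PE decision into a short-lived, resource-bound session token for the PEP."""

    def __init__(self, pe: PolicyEngine, ttl: int = 300):
        self.pe, self.ttl = pe, ttl

    def issue(self, s: Subject, a: Asset, r: Resource, now: float = None):
        allow, reason = self.pe.decide(s, a, r)
        if not allow:
            return None, reason
        now = time.time() if now is None else now
        body = json.dumps({"sub": s.principal, "res": r.name, "exp": int(now + self.ttl)}, sort_keys=True)
        sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{sig}", reason


class PolicyEnforcementPoint:
    """PEP: data-plane gate in front of one resource; admits only a valid, unexpired token bound to it."""

    def check(self, token, resource_name: str, now: float = None) -> bool:
        if not token:
            return False
        body, _, sig = token.rpartition("|")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False  # tampered or forged token
        claims = json.loads(body)
        now = time.time() if now is None else now
        return claims["res"] == resource_name and claims["exp"] > now


def request_access(subject: Subject, asset: Asset, resource: Resource, now: float = None):
    """End-to-end: the PEP asks the PDP (PA + PE) and enforces the answer for this session only."""
    pa = PolicyAdministrator(PolicyEngine())
    pep = PolicyEnforcementPoint()
    token, reason = pa.issue(subject, asset, resource, now)
    return pep.check(token, resource.name, now), reason
```

Two design points worth noticing: the PEP never sees the policy, only a signed decision, so a compromised PEP cannot widen access beyond what the PA issued; and because the token is bound to one resource and one short window, authentication to one resource does not carry over to another, which is tenet 3 in code form.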

Identification and microsegmentation


When developing a ZTA, the identity of actors is the key input for the access policy. Identity here means the set of authentication attributes and user attributes on the network: data that can be verified to establish the legitimacy of an access request.

The ultimate goal of enterprise identity management is to limit each network user's view to the resources they are entitled to.

An enterprise can protect resources in its own network segments with Next-Generation Firewall (NGFW) devices acting as Policy Enforcement Points. The NGFW dynamically grants access to individual client requests. This approach fits many use cases and deployment models: the protection device acts as the PEP, and the management of these devices acts as the PE/PA component.

Overlay networks can also be used to implement a ZTA. This approach is sometimes called the software-defined perimeter (SDP) model and often borrows concepts from software-defined networking (SDN). Here the Policy Administrator acts as a network controller that sets up and reconfigures the network based on decisions made by the Policy Engine.

Key deployment scenarios



The most common ZTA deployment scenario is an enterprise with a head office and several geographically distributed locations connected by third-party network links not owned by the enterprise.

In this scheme remote workers still need full access to corporate resources, and the PE/PA block is often deployed as a cloud service.


As an enterprise moves more applications and services to the cloud, the zero trust approach requires a PEP at the access point of each application and data source. PE and PA can be located in the cloud, even at a third cloud provider (outside Cloud Provider A and Cloud Provider B).


Another common scenario is an enterprise with visitors and/or contractors who need limited access to corporate resources. In this example the organization also has a conference center where visitors interact with employees.

With a software-defined perimeter ZTA approach, visitors can reach the Internet but not corporate resources; often they cannot even discover corporate services with a network scan.

Here PE and PA can be hosted as a cloud service or on the local network. The PA ensures that assets not owned by the enterprise get Internet access but no access to local resources.

Seven Risks of Zero Trust Implementation


Decision Making Impact


In a ZTA the Policy Engine and Policy Administrator are key components for the whole enterprise. Any administrator with access to the PE's rule configuration can make unauthorized changes or errors that disrupt operations, and a compromised PA can grant access to every protected resource. To mitigate these risks, the PE and PA components must be properly configured, monitored and tested.

Denial of service


The PA is a key component for accessing resources: without its approval no connection can be established. If an attacker disrupts or denies access to the PEP or PA, through a DoS attack or by hijacking traffic, enterprise operations suffer. The enterprise can mitigate this threat by hosting the PA in the cloud or replicating it across several locations.

Stolen credentials


Attackers can use phishing, social engineering or a combination of attacks to obtain the credentials of valuable accounts. Multi-factor authentication reduces the risk of access from a compromised account, although an attacker holding valid credentials can still reach whatever that account is authorized to use.

Network visibility


Some (possibly most) traffic on the enterprise network may be opaque to traditional network analysis tools. That does not mean the enterprise cannot analyze encrypted traffic: metadata about the flows can be collected and used to detect suspicious activity, and machine-learning techniques allow deeper inspection of that traffic.
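What "detection from metadata alone" looks like in practice, as an added example (not from the article or NIST): two detectors run over flow records that carry no payload, only timestamps, endpoints, ports and byte counts. The first flags a source touching many distinct internal hosts on administrative ports within a short window (lateral-movement fan-out); the second flags a client whose connections to one external host arrive at suspiciously regular intervals (beaconing). The flow records are constructed, the port set, thresholds and the "internal = 10.0.0.0/8" simplification are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

ADMIN_PORTS = {22, 445, 3389, 5985}   # assumed "admin" ports used for lateral movement
FANOUT_THRESHOLD = 4                  # distinct internal targets per source within WINDOW
WINDOW = 600                          # seconds

# Constructed sample flow records: (timestamp_s, src, dst, dst_port, bytes)
FLOWS = [
    # one workstation sweeping SMB/RDP/SSH across a server subnet within a few minutes
    (0,   "10.0.1.5", "10.0.2.10", 445, 12000),
    (40,  "10.0.1.5", "10.0.2.11", 445, 11000),
    (90,  "10.0.1.5", "10.0.2.12", 3389, 9000),
    (130, "10.0.1.5", "10.0.2.13", 445, 10500),
    (200, "10.0.1.5", "10.0.2.14", 22, 4000),
    # ordinary internal HTTPS traffic to one server
    (10,  "10.0.1.7", "10.0.3.20", 443, 300000),
    # beacon: one host, same external peer, every 60 s, tiny near-constant payload
    *[(60 * i, "10.0.1.9", "203.0.113.8", 443, 600 + (i % 3) * 10) for i in range(12)],
    # ordinary browsing: irregular timing, several destinations
    (5, "10.0.1.12", "198.51.100.4", 443, 42000),
    (33, "10.0.1.12", "198.51.100.9", 443, 8000),
    (200, "10.0.1.12", "198.51.100.4", 443, 120000),
    (260, "10.0.1.12", "198.51.100.22", 443, 7000),
]


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")   # assumed enterprise range for the example


def detect_fanout(flows):
    """Return {src: [targets]} for sources that reach >= FANOUT_THRESHOLD distinct
    internal hosts on admin ports inside any WINDOW-second sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if is_internal(dst) and dport in ADMIN_PORTS:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                hits[src] = sorted(targets)
                break
    return hits


def detect_beacons(flows, min_count=8, max_cv=0.2):
    """Return (src, dst) pairs with >= min_count flows to an external peer whose
    inter-arrival times have a coefficient of variation <= max_cv (near-periodic)."""
    by_pair = defaultdict(list)
    for ts, src, dst, *_ in flows:
        if not is_internal(dst):
            by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits.append(pair)
    return hits
```

Neither detector needs to decrypt anything, which is the point of the paragraph above; the price is that both are heuristics, so in a real deployment the thresholds need tuning against the enterprise's own baseline (backup jobs and vulnerability scanners fan out legitimately, and some update agents poll on fixed schedules).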

Network Information Storage


The network traffic and metadata used to build contextual policies can themselves be a target. If an attacker gains access to this traffic information, they can learn the network architecture and identify vectors for further attacks.

Another source of intelligence for an attacker is the management tool used to encode access policies. Like stored traffic, this component holds the resource access policies and can reveal which accounts are the most valuable to compromise.

Reliance on proprietary data formats


A ZTA uses several different data sources to make access decisions. Often the resources used to store and process this information have no common, open interoperability standard, so if one provider has a problem or suffers a security breach, the enterprise may be unable to switch to another without excessive cost.

Like DoS attacks, this risk is not unique to ZTA, but because a ZTA depends heavily on dynamic access to information, a disruption can affect key business functions. To mitigate the risk, enterprises should evaluate service providers holistically.

Non-Person Entity (NPE) Access to Management Components


Artificial intelligence and other software agents are used to manage security in corporate networks and may interact with critical ZTA components (for example the Policy Engine and Policy Administrator). How such non-person entities authenticate in an enterprise with a ZTA remains an open question. Most automated systems are expected to still use some means of authentication to access an API (for example, an API key).

The greatest risk of using automated technology to configure and apply policy is the likelihood of false positives (harmless actions mistaken for attacks) and false negatives (attacks mistaken for normal activity). Their number can be reduced by regularly reviewing these reactions.

Conclusion


Today ZTA reads more like the blueprint of a fortress than a road map with marked waypoints. Nonetheless, many organizations already have ZTA elements in their corporate infrastructure. NIST recommends that organizations introduce zero trust principles gradually; for a long time, most enterprise infrastructures will operate in a hybrid zero trust / perimeter mode.

To further explore the topic of applying the Zero Trust concept, pay attention to the following materials:

