How To Implement Zero Trust
How Zero Trust Works
The basic idea behind zero trust is the assumption that all devices and users are untrustworthy until proven otherwise. Even after a user or entity is proven to be trustworthy once, zero trust models do not by default trust the same user or device the next time they are seen by the system. Trust in the zero-trust model is never taken for granted, but is based on observation and regular authentication to help limit risks.
The concept of zero trust is often associated with the Software Defined Perimeter (SDP), which is an effort that originally began development under the auspices of the Cloud Security Alliance (CSA).
In the general SDP model, there is a controller which defines the policies by which agents can connect and get access to different resources. The gateway component helps to direct traffic to the right data center or cloud resources. Devices and services make use of an SDP agent which connects to the controller and requests access to resources. Along the way, device health checks, user profiling (including behavioral data) and multi-factor authentication mechanisms are engaged to validate security posture.
The zero trust model says that at every stage of an agent or host connection, there should be a security boundary that validates that a request is authenticated and authorized to proceed. Rather than relying on implicit trust once the correct username and password or access token has been provided, zero trust by definition treats everything as untrusted, and every request needs to be checked before access is granted.
Challenges of Zero Trust Deployment
Zero trust is a great idea to help organizations reduce the attack surface and limit risks, but it is not without its complexity and implementation challenges.
A key challenge with some SDP zero trust implementations is that they are based upon on-premises deployment approaches, with a need for device certificates and support for the 802.1X protocol for port-based Network Access Control (NAC).
Enabling full, end-to-end support across multiple public cloud and on-premises deployments can often be a tedious and time-consuming task.
Though it might sound contradictory, organizations often need to trust the zero trust solution itself, since the solution typically has to terminate encrypted data connections.
Not Just Another Security Tool
Typically an organization will already have various security tools in place, including VPNs and firewalls. How a zero trust solution provider is able to navigate that minefield is often a key challenge.
Whether a zero trust solution is deployed is often a function of how easy it is to actually get set up.
Zero Trust Deployment Considerations
Zero trust models work as overlays on top of existing network and application topologies. As such, having an agile data plane that can manage a distributed network is a key consideration.
The amount of effort it takes to install device certificates and binaries on an end-user system is often compounded by various challenges, including both time and resource demands. Using a solution that is agentless is a key consideration, as it can make all the difference between having a solution and having a solution that can actually be deployed rapidly in a production environment.
Consider zero trust tools with a host-based security model. In the modern world, many applications are delivered over the web, and taking a host-based approach aligns with that model. In a host-based model for zero trust, the system validates that a given end-user system is properly authorized to receive an access token for a specific resource.
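The controller/gateway flow of the SDP model described earlier and the per-resource access token of the host-based model, as an added example (not code from the original article or from any product): a controller that evaluates group membership, MFA and device health on every request and issues a short-lived token bound to a single resource, and a gateway that re-verifies that token on each use, so nothing is trusted because of an earlier successful connection. The policy table, device posture fields and shared signing key are constructed assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed sample policy (not from any real deployment): who may reach which
# resource and what device posture is required.  Resources not listed are denied.
POLICIES = {
    "payroll-app": {"groups": {"finance"}, "mfa": True, "min_patch_level": 3},
}
TOKEN_TTL = 60  # seconds; a token is good for one resource and expires quickly


class Controller:
    """SDP controller: evaluates each access request against policy and device posture."""

    def __init__(self, key: bytes):
        self.key = key  # assumed shared HMAC key between controller and gateway

    def authorize(self, user, groups, mfa_ok, device, resource, now=None):
        """Return a signed token bound to `resource`, or None to deny."""
        now = time.time() if now is None else now
        pol = POLICIES.get(resource)
        if pol is None or not (set(groups) & pol["groups"]):
            return None  # unknown resource, or user not entitled to it
        if pol["mfa"] and not mfa_ok:
            return None  # this resource requires multi-factor authentication
        if device["patch_level"] < pol["min_patch_level"] or not device["disk_encrypted"]:
            return None  # device health check failed
        claims = {"sub": user, "res": resource, "exp": now + TOKEN_TTL,
                  "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class Gateway:
    """SDP gateway: re-checks every request; no trust is carried over between requests."""

    def __init__(self, key: bytes):
        self.key = key

    def check(self, token, resource, now=None):
        """True only if the token is authentic, unexpired and names exactly this resource."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
        except (ValueError, AttributeError):
            return False  # malformed token
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False  # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body))
        return claims["res"] == resource and claims["exp"] > now
```

A token minted for one resource is rejected at the gateway for any other resource and after its lifetime, so each new request goes back through the controller's checks.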
Understanding how encryption works in the zero trust model is also important. One option is to enforce encryption from end-to-end across a zero-trust deployment.
How To Deploy Zero Trust in the Cloud
The basic SDP method is well defined for deploying zero trust models on-premises. When it comes to the cloud, it can become more complex. Different cloud providers have different systems, adding potential complexity to any type of deployment.
Compounding the complexity is the growing trend toward multi-cloud deployments. So in addition to the challenges of deployment on a single public cloud provider, there is the complexity of having a zero-trust model that is both deployable and enforceable across multiple public cloud providers.
One of the ways to deploy zero trust across a multi-cloud deployment is by leveraging the open-source Kubernetes container orchestration platform. Kubernetes is supported on all the major public cloud providers, including Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). With Kubernetes, there is a control plane for managing distributed nodes of applications that run in Docker containers.
Using a Docker container as the method to package and deploy an application that enables zero trust is an approach that further reduces complexity. Rather than needing different application binaries for different systems, a cloud-native approach with a Kubernetes-based system makes it possible to abstract away the underlying complexity of the multi-cloud world.
The cloud is also not a uniform construct, in that all public cloud providers have multiple geographic regions and zones around the world. The purpose of the different deployments is to make sure that resources are available as close to the end-user as possible. When deploying a zero trust model to the cloud, be sure to choose a solution with multiple points of presence around the world to help make sure that there is as little network latency as possible.
Why Zero Trust Deployment is Worth the Effort
IT resources are always constrained and few if any organizations have the budget required to do all the things that are needed. Adding another layer of security with zero trust can sometimes be seen as yet another piece of complexity that will require additional time and demands from an IT department’s precious resources.
Zero trust, however, when properly deployed, has the potential to reduce demands on overtaxed IT staff.
In a network environment not based on zero trust, the username and password are often the primary gatekeepers of access, alongside basic directory-based (Active Directory or otherwise) identity and access management technology. Firewalls and an Intrusion Protection System (IPS) are also commonly deployed to help improve security.
Yet what none of those systems actually do is continuously validate the state of a given access request. If and when something does go wrong, such as a credential being lost or stolen, additional time and effort is required from IT staff to locate the root cause and then remediate.
In a properly configured and deployed zero-trust environment all access is validated. That means that instead of IT staff needing to figure out that a credential has been abused and a system has been breached, the zero-trust network always starts off with the assumption of zero access. Only through validation is the access granted. Zero trust means a reduced attack surface which typically translates to reduced risk.
It also means fewer hours spent by IT wondering if an account has been breached and digging through logs to figure out what happened. With zero trust, access is simply never granted to a compromised machine and potential lateral movement of an adversary across a network is restricted.
Zero Trust Deployment Checklist
When considering how to implement a zero-trust solution keep these simple questions in mind.
* Ease of Deployment: How fast can you get a system up and running? Does the provider force you to change your environment to fit their solution (for instance, by opening ports in the firewall)?
* Multi-cloud support: Does the zero trust solution easily enable support across multiple public cloud providers? Can you effectively secure workloads on more than one cloud?
* Encryption: How does the zero trust solution handle encryption, and does it keep data safe? Where are the encryption keys stored, and can you bring your own keys?
* Scalability: How scalable is the zero trust architecture? Does it meet the demands of your workloads?
* Security: What security measures are being enforced by the solution provider? Does it maintain a streamlined security cycle? Can it provide added security layers such as DDoS protection at the application access level, or does it require the use of third-party mechanisms?
* Visibility: Can the solution provide under-the-hood traffic inspection for content, DLP and malicious/abnormal behavior?
* Service and Support: Will the zero trust solution provider be there to help troubleshoot any issues?
* Value: Does the solution provide additional value? Understand how and where the zero trust solution delivers value, features and risk reduction beyond what your existing security tools already provide.