Tech vendors use zero trust when selling new and expensive products that may initially sound only sellable to enterprise-level organizations. It integrates several controls ranging from identity and access management to network (east-west/north-south) security. The term may be fancy and complex, but its concept is not so new. Personally, the author’s view of Zero Trust is a granular implementation of different least privilege types such as implicit deny, separation of duties, and other similar check and validate models.
Zero Trust is described straightforwardly by Chaitanya Kunthe in her article. “Nothing should be implicitly trusted – not your identities, devices, or network components.”
The National Institute of Standards and Technology (NIST) published the NIST 800-207: Zero Trust Architecture (ZTA) in 2020. It guides how to implement ZTA regardless of the organization’s size and the type of security controls in place. It neither promotes a single technology nor any vendor but explains how ZTA should work and what features, processes, and configurations should be in place.
Similar to any access control model, Zero Trust follows the same concept. Its core areas include:
- Subject – The one that initiates the action to access a resource
- Device – Medium responsible for identifying and authenticating the subject
- Decision Point – Contains policies and rules and provides authorization
- Object – The resource being accessed
One of the motivations for this blog is to provide alternative options in implementing zero trust and not solely relying on vendors’ recommendations and proposed tech builds. Some of the helpful questions to consider include:
- What aspects of zero trust are relevant for my organization?
- Do I have the current processes, resources, and technologies to implement zero trust?
- Which zero trust areas do I need to invest in?
By answering the above questions, we will identify if we can optimize and maximize the current resources or if we need to procure new products and services. It will also help determine which products/services you need and not subscribe to everything the vendor sells.
This NIST document has provided seven (7) ZTA tenets (principles) that can be used to evaluate your IT setup and the vendors who are selling Zero Trust technologies. The author has added a short description of the tenet and the complexity of setting it up and implementing it.
|Zero Trust Architecture Tenets
(NIST SP 800-207)
|All data sources and computing services are considered resources.||All data sources and computing services, both on-prem and cloud, should be accurately and periodically inventoried and classified.||Low|
|All communication is secured regardless of network location.||Policies, access control lists (ACLs), authentication mechanisms, and encryption should be defined and implemented regardless of the type of network. Full security enforcement must be in place.||Med|
|Access to individual enterprise resources is granted on a per-session basis.||Any user access should be terminated after the session is finished, regardless of the user type/role.||Low|
|Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.||There must be a mechanism to observe and validate the requests, actions, and behavior of the subject and, based on existing policies and analyses, grant, revoke or block access. It is not mentioned whether the mechanism is a single/centralized technology. It can be an individual or separate tool but must satisfy the features described.||High|
|The enterprise monitors and measures the integrity and security posture of all owned and associated assets.|| There is a monitoring capability in place. The response does not necessarily require real-time because zero trust starts with implicit deny. Any slight doubt on the access requested is by default denied. A Security Operations Center (SOC) can satisfy this tenet for enterprise-level organizations.
There is also no requirement on whether it is fully automated or human resource-intensive the capability is. There is also security posture scoring tools and integrity checking apps that can complement this tenet.
|All resource authentication and authorization are dynamic and strictly enforced before access is allowed.|| In older environments, the user who is successfully identified and authenticated can enter. Authorization can happen when there is an attempted transaction. For this tenet, identification, authentication, and authorization are done before allowing the requestor to enter. In this manner, if the requestor is not authorized to do anything to the environment, there is no need to enter even if there is a successful authentication.
The authentication and authorization can be changed and enforced.
|The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.||There is a health check on the in-scope assets of the organization. It may be a combination of endpoint, network, and security. This tenet is managed both by the SOC or Security Engineering team for enterprise-level organizations.||High|
After knowing the different tenets of ZTA, one quick action item that can be done is to do a checklist assessment of your organization. IT leaders/stakeholders can talk about the state of the people, processes, and technology and identify which are currently present or not. Afterward, you can locate the ones that can be procured or shelved in the meantime.
Zero-trust is not about buying and integrating the latest security technologies in one pane. The mentioned approach may result in zero trust, but there are other ways to implement it successfully. The IT organization must know the current set of people, processes, and technologies and how it fares with the different ZTA tenets. From there, whatever the organization’s movement, the stakeholders will have enough visibility and control.