Learning to Trust Zero Trust

“Trust but verify” is a Russian proverb. “Don’t trust, verify always” is the Zero Trust equivalent of this proverb!

But before we move into citing a concrete definition and details, we should know what Zero Trust is.
23 Nov 2022
ZTA in Simple Terms

It is a cybersecurity paradigm focused on enterprise resource protection. This includes data; no matter where it resides, cloud or on-premises, and resources like printers, compute resources and Internet of Things (IoT) actuators.

The objective of the paradigm is to prevent unauthorised access to data and resources but at the same time enable authorised and approved subject to have access to the same. The word subject can mean user, device or an application/ service. The paradigm also envisions making the access control enforcement as granular as possible.

Thus, “Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero-trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.”

Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
The crux of the concept is that trust must be continually evaluated. If a subject needs access to data or resources, it is granted after authentication and authorisation, but it will not go beyond the minimum privileges needed to perform the mission.

Benefits of Implementing ZTA

The ZTA paradigm comes packed with a slew of benefits:

  1. Supporting employees/ workers with secure and reliable access to a multitude of resources from anywhere using any device, any time
  2. Resource protection irrespective of whether it is on-prem or cloud
  3. Improving visibility and governance: who, what, and how users are accessing enterprise data and apps.
  4. Limiting of insider threat borne of the need-to-know approach to resource access
  5. Limiting of lateral movements of attackers in the system which perimeter security-oriented networks are otherwise prone to.
  6. Limiting the cost for recovery and mitigation
  7. Ensuring confidentiality and security of sensitive enterprise data
  8. Enhanced risk mitigation courtesy of continuous assessment and review of resource access
ZTA: How it Works

The Zero Trust Architecture evaluates the level of confidence about the subject’s identity for a unique request and if the device used to place the request have proper security posture. The system also evaluates if there are other factors that should be considered and that change the confidence level. Also the access rules are made as granular as possible to enforce those least privileges needed to perform the action in the request.

Image courtesy: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

Three terms assume significance in the context of Zero Trust. They are Implicit Trust Zone, Policy Decision Point (PDP) and Policy Enforcement Point (PEP). Implicit Trust Zone represents an area where all the entities are trusted to at least the level of the last PDP/PEP gateway. In other words, the PDP/ PEP engine decides as to whether a request for resource should be allowed access to the Implicit Trust Zone from where it can access the resource.

The PDP/ PEP gate is more like an airport security checkpoint. The passengers, once they have been through the security check are granted access to boarding gates where they can wait for the entry to the airplane. They are considered worthy of trust once they are through. The boarding area is thus the Implicit Trust Zone in the analogy. In our case, the idea is to explicitly authenticate and authorize all subjects, assets and workflows that make up the enterprise.

Challenges of Implementing the ZTA

For where there are opportunities, there are challenges. The road to ZTA implementation has its fair share of challenges.

  1. There is no single solution encompassing all the tenets of Zero Trust. A one-size-fits-all approach is off the table for obvious reasons. Many different technologies need to be integrated and often, they are of varying maturity.
  2. Investment in terms of time, resources and technical capabilities. Migration of extant and legacy systems to a Zero Trust environment is not as easy as it sounds.
  3. And finally, there is no such thing as 100% fool-proof security. The ZTA control plane is still susceptible to compromise.
Overcoming ZTA Implementation Challenges

The challenges need a holistic approach to overcoming them.

  1. Getting hold of visibility: The resources within the enterprise and who needs access to the same and when; these queries should be ascertained at a granular level. This exercise must be inclusive of:
    1. Identities
    2. Permissions
    3. Configurations
    4. Activities crisscrossing the cloud infrastructure which are about access to networks and resources that are publicly exposed.
  2. Managing risk: Continuous risk assessment exercise across the cloud IT stack including but not limited to:
    1. Identity
    2. Networks
    3. Compute & storage segments
    4. Publicly exposed resources if any
    5. Third-party risks originating from vendors, clients etc.

Taking care of governance: Agencies concerned must implement least-privilege policies by taking care of workflows, continuous integration and delivery pipelines and stave off misconfigurations. Just-in-time access policies are also a must-have rather than awarding engineers with all-access pass for specific, limited-time projects.

Tracking behaviour: Anomalies that may be borne out of compromised identities must be detected and mitigated.

Beinex and the Zero Trust Architecture

Beinex has solid experience in fostering Zero Trust Architecture capabilities amongst clients. Considering the fact that 90+ entities of Beinex are government clients, our Digital Transformation Team is well positioned to implement the paradigm in multiple domains.

Contact us to know more about our offerings.