Throw out the trust, and verify everything

A simplified zero-trust security model

trust in marketing

Those in my generation remember the famous Ronald Reagan quote related to relations with Russia: "Trust, but verify." This was a good approach when dealing with Russia, but we have not adopted this model in the information security world. Instead, the approach has been trust, OR verify. Networks have traditionally been designed with trusted zones, usually those "securely" inside the network perimeter, with everything else being untrusted. This approach is shown in the following simple diagram:

traditional perimeter security-based network

Sadly, with remote connections, interconnected offices, mobile devices, and cloud resources, the concept of a secure perimeter has gone the way of Reagan, fondly remembered, but no longer with us. This has not kept much of the business world from sticking with it, however.

A few years ago, Forrester Research, working for the National Institute of Science and Technology (NIST), proposed a new network security model, called "Zero Trust." "New" is somewhat of a misnomer, as this is just an extension of an approach that has been around for some time, otherwise known as network segmentation. Zero Trust expands a bit on the original network segmentation approach, but the core of the concept is the same.

The basic idea is to break a network down into segments, such as LAN, wireless, Web, database, etc. The assumption is that each zone is untrusted, even though it may reside within the walls of the corporate headquarters.

The specific design tenets, as defined by Forrester, include:

  1. Ensuring that all resources are accessed securely, regardless of location (in other words, the trusted zone is no more).
  2. Applying a least privilege strategy, and strictly enforcing access control. In Zero Trust, all users are initially untrusted.
  3. Inspecting and logging all traffic. Even traffic originating on the LAN is assumed to be suspicious, and is analyzed and logged just as if it came from the WAN.
  4. Supporting monitoring and control from a central console.

Full implementation of the Zero Trust model in the enterprise world requires multiple switch stacks connected to a high-speed core to handle the segmentation, often made up of multiple appliances or software packages. This approach is complex and expensive, and thus beyond the current reach of much of the business world.

Some have tried to implement this approach using virtual LANs (VLANs), which involve the tagging of traffic to provide for virtual segmentation. Unfortunately, there is no absolute way to prevent a bad actor from ignoring VLAN rules and fully accessing the physical network.

I would suggest, however, that a simplified approach to Zero Trust, which for lack of a better term I will call "Zero Trust Lite,"  can be implemented within the budget and ability of most of the business world. While the specifics are somewhat different for each network, the general idea is:

Define your network segments

You need to begin by looking at a list of your data assets, and how your users connect to your network. Certainly, the public Internet will be a zone of its own. Any sensitive assets, such as customer data, PCI or HIPAA-regulated information, etc., would be a good candidate for a zone. Wireless users, given that this network extends beyond your walls, would be a zone by themselves. For many, a single zone for LAN users is appropriate.

Dedicate one or more network switches to each of your network segments

A traditional network has a bank of one or more switches on the inside of a firewall. With a Zero Trust approach, switches must be dedicated to each zone, and outside of the firewall, to avoid mixing of traffic.

Use a full-featured firewall at the core connecting all segments

A commercial-grade firewall will normally have a number of individual ports, each of which can host a zone. To use Zero Trust Lite, you will need as many ports on your firewall as you have zones. It also needs to have a variety of additional features not seen on every firewall, such as deep packet inspection, intrusion prevention, an understanding of applications versus just ports, and some sort of gateway anti-malware ability. Such firewalls are often referred to as "next generation," but that is more of a marketing term. Some examples include Dell SonicWall and Fortinet. As you are setting up your firewall, all zones should by default have no access to any other zone. Access that is specifically needed is added thereafter.

Implement tools to insure access control and least privilege

Controlling access, and ensuring that users have the least privileges necessary is something we all should already be doing, but I have rarely reviewed an organization that is doing it well. In the recent OPM hack, the perpetrators were using stolen administrative credentials, rendering most other security measures useless. Zero Trust Lite will help prevent this issue, given that, for example, you could prevent an administrative user from network access outside of the LAN zone. You need to go a step further, however, and make sure users have the correct privilege. The challenge here is that you are managing users on a diverse group of systems. In order to do this well, you must employ some automated functionality which allows for control of a single user across multiple platforms. Using LDAP-compliant systems is very helpful with this. I have also found that identity management systems, such as Okta, are of great benefit here.

When properly implemented, the Zero Trust Lite approach would look something like this:

zero trust lite network design

As you can see, traffic from each zone is isolated from the others, and traffic only flows from one to the other as specifically permitted for a defined purpose. Thus, an intruder penetrating your wireless LAN would be limited to access defined for wireless users. If the rules prevent wireless access to the servers, there would be no danger of a data breach from this zone, even for a user with server admin credentials.

While care must be exercised in maintaining firewall rules and sizing network components, Zero Trust Lite can be used successfully by most organizations, and can greatly improve their security.

Copyright © 2015 IDG Communications, Inc.

The 10 most powerful cybersecurity companies