Throw out the trust, and verify everything

Jul 07, 2015 | 6 mins
Computers and Peripherals | Network Security | Networking

A simplified zero-trust security model


Those in my generation remember the famous Ronald Reagan quote related to relations with Russia: “Trust, but verify.” This was a good approach when dealing with Russia, but we have not adopted this model in the information security world. Instead, the approach has been trust, OR verify. Networks have traditionally been designed with trusted zones, usually those “securely” inside the network perimeter, with everything else being untrusted. This approach is shown in the following simple diagram:

Sadly, with remote connections, interconnected offices, mobile devices, and cloud resources, the concept of a secure perimeter has gone the way of Reagan, fondly remembered, but no longer with us. This has not kept much of the business world from sticking with it, however.

A few years ago, Forrester Research, working for the National Institute of Standards and Technology (NIST), proposed a new network security model, called “Zero Trust.” “New” is somewhat of a misnomer, as this is just an extension of an approach that has been around for some time, otherwise known as network segmentation. Zero Trust expands a bit on the original network segmentation approach, but the core of the concept is the same.

The basic idea is to break a network down into segments, such as LAN, wireless, Web, database, etc. The assumption is that each zone is untrusted, even though it may reside within the walls of the corporate headquarters.

The specific design tenets, as defined by Forrester, include:

  1. Ensuring that all resources are accessed securely, regardless of location (in other words, the trusted zone is no more).
  2. Applying a least privilege strategy, and strictly enforcing access control. In Zero Trust, all users are initially untrusted.
  3. Inspecting and logging all traffic. Even traffic originating on the LAN is assumed to be suspicious, and is analyzed and logged just as if it came from the WAN.
  4. Supporting monitoring and control from a central console.

Full implementation of the Zero Trust model in the enterprise world requires multiple switch stacks connected to a high-speed core to handle the segmentation, often made up of multiple appliances or software packages. This approach is complex and expensive, and thus beyond the current reach of much of the business world.

Some have tried to implement this approach using virtual LANs (VLANs), which involve the tagging of traffic to provide for virtual segmentation. Unfortunately, there is no absolute way to prevent a bad actor from ignoring VLAN rules and fully accessing the physical network.

I would suggest, however, that a simplified approach to Zero Trust, which for lack of a better term I will call “Zero Trust Lite,” can be implemented within the budget and ability of most of the business world. While the specifics are somewhat different for each network, the general idea is:

Define your network segments

You need to begin by looking at a list of your data assets, and how your users connect to your network. Certainly, the public Internet will be a zone of its own. Any sensitive assets, such as customer data, PCI or HIPAA-regulated information, etc., would be a good candidate for a zone. Wireless users, given that this network extends beyond your walls, would be a zone by themselves. For many, a single zone for LAN users is appropriate.

Dedicate one or more network switches to each of your network segments

A traditional network has a bank of one or more switches on the inside of a firewall, shared by everything. With a Zero Trust approach, each zone gets its own dedicated switch (or switches), connected to its own firewall port rather than to a shared inside switch stack, so that traffic from different zones never mixes without passing through the firewall.

A commercial-grade firewall will normally have a number of individual ports, each of which can host a zone. To use Zero Trust Lite, you will need as many ports on your firewall as you have zones. It also needs to have a variety of additional features not seen on every firewall, such as deep packet inspection, intrusion prevention, an understanding of applications versus just ports, and some sort of gateway anti-malware ability. Such firewalls are often referred to as “next generation,” but that is more of a marketing term. Some examples include Dell SonicWall and Fortinet. As you are setting up your firewall, all zones should by default have no access to any other zone. Access that is specifically needed is added thereafter.

Implement tools to ensure access control and least privilege

Controlling access, and ensuring that users have only the privileges they need, is something we all should already be doing, but I have rarely reviewed an organization that is doing it well. In the recent OPM hack, the perpetrators were using stolen administrative credentials, rendering most other security measures useless. Zero Trust Lite will help prevent this issue, given that, for example, you could prevent an administrative user from network access outside of the LAN zone. You need to go a step further, however, and make sure users have the correct privilege. The challenge here is that you are managing users on a diverse group of systems. In order to do this well, you must employ some automated functionality which allows for control of a single user across multiple platforms. Using LDAP-compliant systems is very helpful with this. I have also found that identity management systems, such as Okta, are of great benefit here.

When properly implemented, the Zero Trust Lite approach would look something like this:

As you can see, traffic from each zone is isolated from the others, and traffic only flows from one to the other as specifically permitted for a defined purpose. Thus, an intruder penetrating your wireless LAN would be limited to access defined for wireless users. If the rules prevent wireless access to the servers, there would be no danger of a data breach from this zone, even for a user with server admin credentials.
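The three steps above (define zones, give each zone its own switch and firewall port, then start from "no zone talks to any other zone" and add only purpose-specific allows) and the wireless-intruder scenario just described can be modelled as a small policy evaluator. The following is an added example, not code from the original article or from any firewall vendor; the zone names, address ranges, rules and sample flows are all constructed for illustration. It applies default deny between zones, logs every decision whether the traffic came from the LAN or the Internet (tenet 3), and includes a `reachable_from` check that reports the full reach an intruder would have after taking over one zone:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed zone plan for this example (addresses are hypothetical).  Each zone
# sits on its own switch behind its own firewall port; the catch-all "internet"
# zone matches only when no more specific zone contains the address.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "lan": ip_network("10.10.0.0/16"),
    "wireless": ip_network("10.20.0.0/16"),
    "servers": ip_network("10.30.0.0/24"),   # customer data, regulated systems
}


@dataclass(frozen=True)
class Rule:
    """One explicitly permitted inter-zone service, tied to a stated purpose."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    purpose: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# The allow list.  Anything not listed here is denied between zones.
RULES = [
    Rule("lan", "servers", "tcp", 443, "staff use of the intranet web app"),
    Rule("lan", "internet", "tcp", 443, "staff outbound HTTPS"),
    Rule("wireless", "internet", "tcp", 443, "wireless users browse the web"),
    Rule("servers", "internet", "tcp", 443, "servers fetch updates"),
]


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address to a zone name."""
    addr = ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def evaluate(flow: Flow, rules: List[Rule], log: List[str]) -> Tuple[bool, str]:
    """Apply default deny between zones.  Every decision is appended to `log`,
    LAN-originated traffic included, so the audit trail is complete."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        # Same zone means same switch: this traffic never reaches the firewall,
        # which is the one blind spot of the Lite design worth remembering.
        allowed, reason = True, "intra-zone: stays on the zone switch, not inspected"
    else:
        allowed, reason = False, "default deny: no rule for this zone pair and service"
        for r in rules:
            if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src_zone, dst_zone, flow.proto, flow.dport):
                allowed, reason = True, r.purpose
                break
    verdict = "ALLOW" if allowed else "DENY"
    log.append(f"{verdict} {src_zone}->{dst_zone} {flow.proto}/{flow.dport} "
               f"{flow.src}->{flow.dst} ({reason})")
    return allowed, reason


def reachable_from(zone: str, rules: List[Rule]) -> List[Tuple[str, str, int]]:
    """Everything an intruder who controls `zone` can reach through the firewall:
    exactly the allow list for that zone, regardless of what credentials they hold."""
    return sorted((r.dst_zone, r.proto, r.dport) for r in rules if r.src_zone == zone)


if __name__ == "__main__":
    audit: List[str] = []
    samples = [  # constructed flows; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
        Flow("10.20.5.7", "10.30.0.10", "tcp", 3389),    # wireless -> servers RDP
        Flow("10.10.1.5", "10.30.0.10", "tcp", 443),     # lan -> intranet app
        Flow("10.10.1.5", "10.30.0.10", "tcp", 22),      # lan -> server SSH
        Flow("203.0.113.9", "10.30.0.10", "tcp", 443),   # internet -> servers
        Flow("10.20.5.7", "198.51.100.20", "tcp", 443),  # wireless -> web
    ]
    for f in samples:
        evaluate(f, RULES, audit)
    print("\n".join(audit))
    print("wireless blast radius:", reachable_from("wireless", RULES))
```

Note that the RDP attempt from the wireless zone is denied with no reference to who the user is: the zone pair and service alone decide, which is the "even for a user with server admin credentials" point. The `reachable_from` output is the check to run whenever a rule is added, since every new allow widens that list for the source zone.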

While care must be exercised in maintaining firewall rules and sizing network components, Zero Trust Lite can be used successfully by most organizations, and can greatly improve their security.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
