What it takes to build a zero trust network

The zero trust model, centered on the notion that nothing either inside or outside the network perimeter can be trusted without verification, is garnering increasing attention from enterprises struggling to prevent data breaches using conventional approaches.

Organizations that want to implement the model, however, need to be prepared to jettison practices based on deeply embedded notions of trusted insiders and the secure corporate network, said security experts at SecurIT, a CSO-organized event on the topic, in San Francisco last month.

The zero trust model

Analyst firm Forrester Research coined the term ‘zero trust’ back in 2010 to describe a security model where anyone and any device attempting to connect to a network asset is treated as untrustworthy. The model emphasizes the use of device and user credentials, rather than network location, as the basis for granting or denying access to network assets.

Forrester and others have said the approach is critical to preventing attackers from moving about undetected inside a network looking for high-value targets after they have breached the perimeter. Numerous recent data breaches have happened because conventional security controls and data leak prevention tools were unable to spot malicious activities being carried out by external actors using stolen credentials to move about freely. The problem lies in the long-held practice by organizations to implicitly trust users and traffic on the internal network while treating only external users as untrusted.

Threat actors are not the only issue. A growing mobile workforce and the increasing use of cloud services to host applications and services have also made it harder for many enterprises to establish and enforce a network perimeter. The old castle-and-moat approach of gating access to internal resources via a heavily reinforced perimeter no longer works because of how scattered enterprise data has become and the many ways in which it can be accessed.

“Trust is a dangerous vulnerability that can be exploited,” in such an environment says John Kindervag, former Forrester analyst and creator of the zero trust model and currently field CTO at Palo Alto Networks.  To be secure, organizations need to get past the notion of the trusted and untrusted user and network.

“In zero trust everything is untrusted,” says Kindervag. There can no more be any trusted networks, trusted devices or trusted people. “We need to wipe the idea that people are on the network,” and focus instead on the packets traversing over it, he says. All traffic—not just external—has to be monitored.

The long road to zero trust

Implementing a zero trust network can be challenging. Google, one of the pioneers in this space, spent some six years moving away from its VPN and privileged network access model to BeyondCorp, its own version of a zero trust environment. Along the way, the company had to redefine and restructure job roles and classifications, build an entirely new master inventory service for keeping track of devices, enable better visibility over its apps, and overhaul user authentication and access control policies. Pulling off the effort required support from the board level down.

One of the key tenets to keep in mind when embarking on the path to zero trust is that nothing can have access to internal resources until it can be verifiably trusted. The network itself must not determine which services you can access, said Tom Kemp, CEO of Centrify.

The trust you assign a user cannot be based on whether that user is attempting to access an enterprise application from inside your network perimeter or outside of it.  Instead access needs to be based on what you know about the user, what you know about their device and what is being accessed Kemp says.

The focus needs to be on securely authenticating users, knowing their roles and their access privileges and being able to spot abnormal user and device behavior. It also means being able to securely validate devices, identify the context in which a device is being used and ensuring all required security controls are present on them. In such an environment capabilities like multi-factor authentication (MFA) and user and entity behavioral analytics (UEBA) are key to establishing user trust. The goal with zero trust is “to move to a model of never trusting, always verifying,” Kemp notes.

Designing security from the inside out

When planning for zero trust it is vital to design security from the inside-out and not outside-in as most organizations do today. You need to be less concerned about your attack surface and focus more on the “protect surface”—the digital assets that you actually need to protect, Kindervag says.

The goal should be to move your security and access controls as close to the surface you want to protect, instead of sticking them far away at the network perimeter.  “People confuse network segmentation with zero trust. But unless we know the protect surface, why are we segmenting?” he asks.

Content distribution network Akamai, which is well on the way to implementing a zero trust environment, has already eliminated its enterprise perimeter. That’s because a user’s location no longer confers a degree of trust at the company says Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies.

Sometime later this year, Akamai will spin down all VPN access for remote workers for the same reason. Soon after Akamai will get rid of passwords as well. Anyone that wants to access the company’s applications and systems –employees included—will initially be treated as a guest. Trust will be established by verifying the user, their access rights and their device.  

A security perimeter will still be around individual machines, but the idea of a privileged network sitting behind an enterprise perimeter has been obsoleted, Gero says. Such a zero trust model offers a much more consistent and secure way of enabling access to enterprise assets than perimeter centric approaches, he notes.

Few things are more important when getting started on zero trust though than visibility. “Visibility is the first key step,” to enabling a zero trust network Gero says. “It will help you create a strategy,” he says noting Akamai’s efforts to build a comprehensive inventory of all its apps and devices when the company initially launched the effort.

To protect your most sensitive data, you have to know where it is, how it flows across the enterprise, the users accessing it and the devices that are being used to access it. As Google has noted, when you can’t trust the network to provide secure access to enterprise assets, you need reliable and current data about the people and the systems accessing them.

Also vital to enabling zero trust is strong methods for securely identifying and authenticating users and devices. Google, for instance, only allows devices that are procured and actively managed by the enterprise on its network. All devices have a unique identity established via a device certificate and need to meet strict security controls to be qualified for network access. The company uses a database tightly coupled with Google’s HR processes for identifying users and ensuring information on roles and access privileges are always up to date.

“All access to enterprise resources is fully authenticated, fully authorized, and fully encrypted based upon device state and user credentials,” Google has noted in one of several whitepapers the company has released on BeyondCorp to help others get started.