What IS Zero Trust?

Introduction

If you’d talked to me recently and mentioned the words “VPN” or “firewall”, I may have been triggered and mentioned Zero Trust. However, Zero Trust is a concept that takes time to digest (it took me a while when I first heard of it several years ago). So this is a primer aimed at providing a straightforward, vendor-neutral explanation of Zero Trust.

Who This Is For / Why Should I Care?

  • If you believe that firewalls, VPNs, and anti-virus are enough to keep your company and data secure, then this article is for you!
  • If you are responsible for infrastructure or security at a startup, start baking in a Zero Trust model. It’s a modern and scalable model for securing your infrastructure; it takes some groundwork at first, but pays dividends later on. Also, as with all things security, it’s hard to apply retroactively.
  • If you are tired of applying security initiatives in an ad-hoc manner (allow listing IP addresses) and want to get your security act in order with fewer walls and less gatekeeping.

What is Zero Trust?

Zero Trust means not granting access until an entity (human or machine) has proven, through strong authentication, that it is who it claims to be. Additionally, access is granted on a least-privilege basis, or in other words only to the resources the entity needs to do its job. Access can be based on a number of contextual factors such as:

  • Time of Day
  • Geographic Location
  • Authentication methods used
  • Historical authentication patterns
  • Etc…

With the ubiquity of SaaS-based apps used in the workplace we can no longer rely on simple networking rules to protect us. Zero Trust moves the perimeter outward: IAM (Identity and Access Management) becomes the new perimeter.

“IAM is the new perimeter”

The Traditional, Non-Zero Trust Way

To better understand Zero Trust, let’s briefly revisit the traditional way access was granted. In the old world, we relied on an IP address to “trust” an entity. So we would allow access based on an IP address and nothing else. That’s it! Oh, and once you got access, you had access TO THE ENTIRE NETWORK and could roam freely. We trusted that if you got past the gate and moat of the castle, you could roam around anywhere else in the kingdom without being asked again for identification or for re-verification of your access permissions.

Can you imagine that?

Would you allow all the doors in an office building to be unlocked for anyone who got through the lobby doors successfully?

Enter Zero Trust

In the Zero Trust world, sometimes we don’t even let you see the application’s front door until you authenticate. In this case we ask for Multi-Factor Authentication (MFA), which would be username/password plus a second factor such as a TOTP code. We could also use other contextual factors, in addition or instead, such as a device certificate installed on a company-managed laptop. Trust comes in many forms. It’s up to you to measure that trust and decide what to provide access to based on your requirements.

In Zero Trust, network reachability may be broader, but strong authentication is your gateway in.

“Zero Trust is useful when you have a dynamic workforce that needs access to secure environments. Instead of relying on IP Allow Lists, which are impossible to scale, Zero Trust enables secure access dynamically for multiple scenarios.”

Let’s take a look at a few examples:

Zero Trust Scenario: Mobile Access to Internal Applications and Data

The most common scenario is executives and engineers accessing a variety of data from their mobile devices. This could range from a Business Insights (BI) dashboard, like SAP Hana, to Confluence (Wiki) access for engineers and employees. Previously we would require them to have MDM configured and/or a VPN client set up and connected before access was provided. This obviously increases the complexity of accessing data, and often does not vary the level of access once past the VPN moat.

So we have the following issues with this methodology:

  • Increased complexity for access
  • Does not scale well, especially with a mobile workforce
  • Does not provide granular access internally: there is one level of network access once inside.

Zero Trust Scenario: Beta Website Access

Problem

Your company is working on launching a new super-secret product and the marketing / product team has a beta version of the website. However, as with many companies, they are relying on several people internally and externally to test and update the website. People are scattered globally. Additionally, automation scripts are in use to run tests.

Solution

Place the beta website behind Zero Trust. Individuals that need to access the website can use their EXISTING credentials and get access to the site for a longer period of time without re-authenticating. If they change computers or location they would re-authenticate.

For scripts running against the site, it could be as simple as generating a limited-duration token such as a JWT (JSON Web Token) to include in the request. A more complex, yet trusted, system could be the use of role-based authentication.
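As an added example (not code from the original post), here is what the script-side token approach looks like in practice: a short-lived HS256 JWT carrying an audience and a role claim, and the check the beta site performs before serving the request. The signing key, the `beta-site` audience and the `tester` role are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for this example; a real deployment would
# load it from a secrets manager and rotate it.
SECRET = b"example-beta-site-signing-key"
AUDIENCE = "beta-site"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, role: str, ttl_seconds: int, now=None) -> str:
    """Issue a limited-duration JWT bound to this site (aud) and to one role."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "aud": AUDIENCE, "role": role,
              "iat": now, "exp": now + ttl_seconds}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, required_role: str, now=None):
    """Return the claims if the token is valid for this site and role, else None."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        sig = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        return None
    if header.get("alg") != "HS256":  # only accept the algorithm we issue
        return None
    expected = hmac.new(SECRET, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time signature check
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    if claims.get("role") != required_role:  # least privilege: role must match the endpoint
        return None
    return claims
```

A token minted for `tester` is accepted only by endpoints that require that role and only until its `exp` passes; changing the claims without re-signing, or reusing another token's signature, fails the HMAC check.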

Summary

I know, Zero Trust is a hard concept. However, with an ever-increasing distributed workforce and the proliferation of applications coming online, Zero Trust helps improve security while making it more manageable and possibly giving a better user experience. Think about it: you’re already using Zero Trust with many SaaS applications now (GSuite, O365, Slack, Atlassian, GitHub, etc.). These are highly available applications allowing access from anywhere. They have mechanisms in place to detect whether you are who you say you are, or whether something has gone wrong.

Appendix: Zero Trust Resources

Zero Trust Open Source Projects

Zero Trust Commercial Providers

Other Zero Trust Write-Ups

Don’t take my word for it. This is a complex topic. Go and read on and let it soak in.

If you found this article helpful, please share it and let me know. Any comments or questions, please feel free to email me.
