What IS Zero Trust?
Table of Contents
- Who This Is For/Why Should I Care?
- What is Zero Trust?
- The Traditional, Non-Zero Trust Way
- Enter Zero Trust
- Appendix: Zero Trust Resources
If you’d talked to me recently and mentioned the words “VPN” or “firewall,” I may have been triggered and mentioned Zero Trust. However, Zero Trust is a concept that takes time to digest (it took me a while when I first heard it several years ago). So, this is a primer aimed at providing a straightforward vendor-neutral explanation for Zero Trust.
Who This Is For/Why Should I Care?
- If you believe that firewalls, VPNs, and Anti-Virus are enough to keep your company and data secure, then this article is for you!
- If you are responsible for infrastructure or security at a startup, start baking in a Zero Trust model. It’s a modern and scalable model for securing your infrastructure. It takes some groundwork at first but pays dividends later on. Also, as with all things security, it’s hard to apply retroactively.
- If you are tired of applying security initiatives in an ad-hoc manner (allow-listing IP addresses) and want to get your security act in order with fewer walls and gatekeeping.
What is Zero Trust?
Zero Trust means not granting access until an entity (human or machine) has proven, through strong authentication, that it is who it claims to be. Access is then granted on a least-privilege basis, or, in other words, only to the resources the entity needs to do its job. Access can also depend on a number of contextual factors such as:
- Time of Day
- Geographic Location
- Authentication methods used
- Historical authentication patterns
With the ubiquity of SaaS-based apps used in the workplace, we can no longer rely on simple networking rules to protect us. Zero Trust moves the perimeter out where IAM (Identity and Access Management) is the new perimeter.
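To make the model concrete, here is an added example (not code from the original post) of a minimal policy decision function that combines strong authentication, a least-privilege role map, and the contextual signals listed above. Every name, role, weight and sample value in it is an assumption for illustration.

```python
"""Added example: a tiny Zero Trust policy decision point.
Roles, resources and the context rules are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user: str
    resource: str              # e.g. "confluence", "bi-dashboard"
    authn_methods: frozenset   # e.g. {"password", "totp"} or {"device-cert"}
    country: str               # from geo-IP lookup (sample value)
    hour_utc: int              # time of day
    usual_countries: frozenset = field(default_factory=frozenset)


# Least privilege: each role maps to exactly the resources it needs.
ROLE_RESOURCES = {
    "engineer": {"confluence", "beta-site"},
    "executive": {"bi-dashboard", "confluence"},
}
USER_ROLES = {"alice": "engineer", "bob": "executive"}


def strongly_authenticated(methods):
    """MFA (password + TOTP) or a certificate on a company-managed device."""
    return ("device-cert" in methods) or ({"password", "totp"} <= methods)


def decide(req):
    """Return (allowed, reason). Note that the source IP address is
    deliberately NOT an input: being 'on the network' earns nothing."""
    if not strongly_authenticated(req.authn_methods):
        return False, "strong authentication required"
    role = USER_ROLES.get(req.user)
    if role is None or req.resource not in ROLE_RESOURCES[role]:
        return False, "resource not in least-privilege set for role"
    # Contextual signals: a never-seen location outside working hours is
    # treated as anomalous and forces re-verification rather than access.
    unusual_location = req.country not in req.usual_countries
    off_hours = not (6 <= req.hour_utc < 22)
    if unusual_location and off_hours:
        return False, "anomalous context: re-authenticate"
    return True, "ok"
```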
The Traditional, Non-Zero Trust Way
To better understand Zero Trust, let’s briefly revisit the traditional way access was granted. In the old world, we relied on an IP address to “trust” an entity: we allowed access based on an IP address and nothing else. That’s it! Oh, and once you got access, you had access TO THE ENTIRE NETWORK and could roam freely. We trusted that if you got past the gate and moat of the castle, you could roam around anywhere else in the kingdom without being asked again for identification or re-verification of your access permissions.
Can you imagine that?
Would you allow all the doors to be unlocked in an office building provided that they got through the lobby doors successfully?
Enter Zero Trust
In the Zero Trust world, trust comes in many forms and ways. It’s up to you to measure that trust and decide what to provide access to based on your requirements. Sometimes, we are not even letting you see the application front door until you authenticate. In this case, we are asking for Multi-Factor Authentication (MFA), which would be a username, password, and a second factor such as a TOTP code. We could also use other contextual factors, or instead, a device certificate installed on a company-managed laptop.
With Zero Trust, network access would be more available, but strong authentication would be your gateway in.
Let’s take a look at a few examples.
Zero Trust Scenario: Mobile Access to Internal Applications and Data
The most common scenario is executives and engineers accessing various data from their mobile devices. This could range from a Business Insights (BI) dashboard like SAP Hana to Confluence (Wiki) access for engineers and employees. Previously, we would require them to have MDM configured and/or a VPN client set up and connected before access was provided. This obviously increases the complexity of accessing data, but it often does not vary the level of access once past the VPN moat.
So we have the following issues with this methodology:
- Increased complexity for access
- Does not scale well, especially with a mobile workforce
- Does not provide granular access internally (one level of network access internally)
Zero Trust Scenario: Beta Website Access
Your company is working on launching a new, super-secret product, and the marketing or product team has a beta version of the website. However, as with many companies, they are relying on several people internally and externally to test and update the website. People are scattered globally. Additionally, automation scripts are in use to run tests.
Place the beta website behind Zero Trust. Individuals who need to access the website can use their EXISTING credentials and access the site for a longer period of time without re-authenticating. If they change computers or locations, they will need to reauthenticate.
For scripts running against the site, it could be as simple as generating a limited-duration token such as a JWT (JSON Web Token) to include in the request. A more complex yet more trustworthy system would be role-based authentication.
I know, Zero Trust is a hard concept. However, with an ever-increasing distributed workforce and the proliferation of applications coming online, Zero Trust helps improve security while keeping it manageable, and possibly offers a better user experience. Think about it: you’re already using Zero Trust with many SaaS applications like GSuite, O365, Slack, Atlassian, and GitHub. These are highly available applications, allowing access from anywhere. They have mechanisms in place to detect whether you are who you say you are and whether something goes wrong.
Appendix: Zero Trust Resources
Zero Trust Open Source Projects
- pomerium an identity-access proxy, inspired by BeyondCorp.
- buzzfeed/sso a “double OAuth2” flow, where sso-auth is the OAuth2 provider for sso-proxy and Google is the OAuth2 provider for sso-auth.
- openshift/oauth_proxy an openshift specific version of this project.
- pusher/oauth2_proxy official hard fork of this project
Zero Trust Commercial Providers
Other Zero Trust Write-Ups
Don’t take my word for it. This is a complex topic. Go and read on and let it soak in.
If you found this article helpful please share it and let me know. Any comments or questions, please feel free to email me [email protected].