What IS Zero Trust?
If you’d talked to me recently and mentioned the words “VPN” or “firewall”, I may have been triggered into talking about Zero Trust. However, Zero Trust is a concept that takes time to digest (it took me a while when I first heard of it several years ago). So this is a primer aimed at providing a straightforward, vendor-neutral explanation of Zero Trust.
Who This Is For / Why Should I Care?
- If you believe that firewalls, VPNs, and Anti-Virus are enough to keep your company and data secure, then this article is for you!
- If you are responsible for infrastructure or security at a startup, start baking in a Zero Trust model. It’s a modern and scalable model for securing your infrastructure; it takes some groundwork at first, but pays dividends later on. Also, as with all things security, it’s hard to apply retroactively.
- If you are tired of applying security initiatives in an ad-hoc manner (allow-listing IP addresses) and want to get your security act in order with fewer walls and less gatekeeping.
What is ZeroTrust
ZeroTrust means not granting access until an entity (human or machine) has proven, through strong authentication, that it is who it claims to be. Once authenticated, the entity is granted access on a least-privilege basis, in other words access to only the resources it needs to do its job. Access can also depend on a number of contextual factors such as:
- Time of Day
- Geographic Location
- Authentication methods used
- Historical authentication patterns
With the ubiquity of SaaS-based apps in the workplace, we can no longer rely on simple networking rules to protect us. ZeroTrust moves the perimeter out: IAM (Identity and Access Management) is the new perimeter.
The Traditional, Non-Zero Trust Way
To better understand Zero Trust, let’s briefly visit the traditional way access was granted. In the old world, we relied on an IP address to “trust” an entity. So we would allow access based on an IP address and nothing else. That’s it! Oh, and once you got access, you had access TO THE ENTIRE NETWORK and could roam freely. We trusted that if you got past the gate and moat of the castle, you could roam around anywhere else in the kingdom without being asked again for identification or for re-verification of your access permissions.
Can you imagine that?
Would you allow all the doors to be unlocked in an office building provided that they got through the lobby doors successfully?
In the ZeroTrust world, sometimes we do not even let you see the application’s front door until you authenticate. In this case we are asking for Multi-Factor Authentication (MFA), which would be username/password plus a second factor such as a TOTP code. We could also use other contextual factors, in addition or instead, such as a device certificate installed on a company-managed laptop. Trust comes in many forms and ways. It’s up to you to measure that trust and decide what to provide access to based on your requirements.
In ZeroTrust, network access would be more available, but strong authentication would be your gateway in.
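The access decision described in the "What is ZeroTrust" section and in the MFA / device-certificate discussion just above can be written down as a small policy function. The following is an added example, not code from the original post: it contrasts the old-world IP allow-list check with an identity-and-context decision that requires a second factor, checks time of day, geography and the user's historical login pattern, and finally applies least privilege per resource. All user names, resources, IP addresses and policy values are constructed for illustration.

```python
"""Added example: a minimal Zero Trust policy decision point, contrasted with
a traditional IP allow-list. All names and values below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Traditional model: trust is decided by source IP alone, and a match grants
# access to everything on the network (constructed sample addresses).
NETWORK_ALLOW_LIST = {"203.0.113.10", "198.51.100.7"}


def traditional_allow(source_ip: str) -> bool:
    """Old-world check: inside the moat means access to the whole kingdom."""
    return source_ip in NETWORK_ALLOW_LIST


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    auth_methods: frozenset        # e.g. {"password", "totp", "device_cert"}
    country: str
    hour_utc: int                  # time of day, 0-23
    usual_countries: frozenset     # where this user has historically authenticated from


# Least privilege: each user is mapped only to the resources their job needs
# (constructed sample entitlements).
ROLE_GRANTS = {
    "alice": {"bi-dashboard", "wiki"},
    "bob": {"wiki"},
}


@dataclass
class Policy:
    require_mfa: bool = True
    require_managed_device: bool = False
    allowed_hours_utc: range = field(default_factory=lambda: range(0, 24))
    allowed_countries: frozenset = frozenset()   # empty means no geographic restriction


def zero_trust_decide(req: AccessRequest, policy: Policy) -> tuple[bool, str]:
    """Evaluate one request; returns (allowed, reason). Identity first, never the network."""
    # 1. Strong authentication: a password alone is never enough.
    if policy.require_mfa and not ({"totp", "device_cert"} & req.auth_methods):
        return False, "mfa_required"
    if policy.require_managed_device and "device_cert" not in req.auth_methods:
        return False, "managed_device_required"
    # 2. Contextual factors: time of day, geography, historical pattern.
    if req.hour_utc not in policy.allowed_hours_utc:
        return False, "outside_allowed_hours"
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        return False, "country_not_allowed"
    if req.country not in req.usual_countries and "device_cert" not in req.auth_methods:
        # New location and no managed device: ask for step-up rather than trust by default.
        return False, "unusual_location_step_up"
    # 3. Least privilege: even an authenticated user sees only their own resources.
    if req.resource not in ROLE_GRANTS.get(req.user, set()):
        return False, "not_entitled"
    return True, "ok"


if __name__ == "__main__":
    policy = Policy(allowed_hours_utc=range(6, 22), allowed_countries=frozenset({"US", "DE"}))
    req = AccessRequest("alice", "bi-dashboard", frozenset({"password", "totp"}), "US", 10, frozenset({"US"}))
    print(traditional_allow("203.0.113.10"), zero_trust_decide(req, policy))
```

Note the order of the checks: the decision never consults the source address, and a user who passes every authentication and context check is still limited to the resources they are entitled to, which is the difference between "past the moat" and least privilege.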
Let’s take a look at a few examples:
Zero Trust Scenario: Mobile Access to Internal Applications and Data
The most common scenario is for executives and engineers to access a variety of data from their mobile devices. This could range from a Business Insights (BI) dashboard, like SAP HANA, to Confluence (wiki) access for engineers and employees. Previously we would require them to have MDM configured and/or a VPN client set up and connected before access was provided. This obviously increases the complexity of accessing data, and often does not vary the level of access once past the VPN moat.
So we have the following issues with this methodology:
- Increased complexity for access
- Does not scale well, especially with a mobile workforce
- Does not provide granular access internally: there is one level of network access for everyone inside.
Zero Trust Scenario: Beta Website Access
Your company is working on launching a new super secret product and the marketing / product team have a beta version of the website. However, as with many companies, they are relying on several people internally and externally to test and update the website. People are scattered globally. Additionally, automation scripts are in use to run tests.
Place the beta website behind Zero Trust. Individuals who need to access the website can use their EXISTING credentials and keep access to the site for a longer period without re-authenticating. If they change computers or location, they would re-authenticate.
For scripts running against the site, it could be as simple as generating a limited-duration token such as a JWT (JSON Web Token) to include in the request. A more complex, yet trusted, system could use role-based authentication.
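To make the limited-duration token concrete, here is an added example (not code from the original post) that mints and verifies an HS256 JWT for an automation script using only the Python standard library. The secret, the script identity ("ci-runner"), the audience name and the timestamps are constructed for illustration; a real deployment would use a library such as PyJWT and a secret held outside the script.

```python
"""Added example: mint and verify a short-lived HS256 JWT for a test script.
Secret, subject, audience and timestamps below are constructed values."""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(secret: bytes, subject: str, audience: str, ttl_seconds: int, now: int | None = None) -> str:
    """Issue a token naming the caller, the site it may reach, and a short expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(secret: bytes, token: str, expected_audience: str, now: int | None = None) -> dict | None:
    """Return the claims only if algorithm, signature, audience and expiry all check out."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        # Pin the algorithm server-side; never let the token choose it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None
        claims = json.loads(_b64url_decode(p_b64))
        if not isinstance(claims, dict) or claims.get("aud") != expected_audience:
            return None
        # The limited duration is the whole point: reject anything at or past "exp".
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return None
        return claims
    except ValueError:            # malformed base64, JSON or structure
        return None


if __name__ == "__main__":
    secret = b"constructed-test-secret"
    tok = mint_token(secret, "ci-runner", "beta.example.test", ttl_seconds=300)
    print(tok)
    print(verify_token(secret, tok, "beta.example.test"))
```

The script includes the token in its requests (for example in an Authorization header), and the proxy in front of the beta site calls the verification routine on every request, so a token that leaks is only useful until its short expiry and only for the one audience it was minted for.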
I know, Zero Trust is a hard concept. However, with an ever-increasing distributed workforce and the proliferation of applications coming online, Zero Trust helps improve security while making it manageable and possibly a better user experience. Think about it: you’re already using Zero Trust with many SaaS applications now (G Suite, O365, Slack, Atlassian, GitHub, etc.). These are highly available applications allowing access from anywhere. They have mechanisms in place to detect whether you are who you say you are, or whether something goes wrong.
Appendix: Zero Trust Resources
Zero Trust Open Source Projects
- pomerium an identity-access proxy, inspired by BeyondCorp.
- buzzfeed/sso a “double OAuth2” flow, where sso-auth is the OAuth2 provider for sso-proxy and Google is the OAuth2 provider for sso-auth.
- openshift/oauth_proxy an openshift specific version of this project.
- pusher/oauth2_proxy official hard fork of this project
Zero Trust Commercial Providers
Other Zero Trust Write-Ups
Don’t take my word for it. This is a complex topic. Go and read on and let it soak in.
If you found this article helpful please share it and let me know. Any comments or questions, please feel free to email me [email protected].