Updated: Jan 25
What is Zero Trust?
To talk about Zero Trust Security it is worth pausing for a minute to review what the previous approach to security was and what the Zero Trust security model changes.
When we talk about the previously predominant security model, the approach was that our data center had a gateway where we placed our firewall, SIEM, WAF, etc. This allowed us to separate the devices we considered trusted from those we considered untrusted; in other words, our security perimeter was the four walls of the company premises: everything inside our private network was trusted and everything on the public network was considered suspicious.
This binary distinction, where what was inside was good and what was outside was bad, left ample room for threats that already existed within our network, since the model required a near-perfect level of implementation and operation, which is honestly not realistic.
Questions about this model began to arise as the creation of, and accelerated migration to, the cloud took shape, and so the Zero Trust model began to be designed. Its premise is that a threat already exists within the private network, and hence no internal or external entity can be trusted by default.
The 4 pillars of identity
With this model we drop the black-and-white distinction we had maintained. In that transition we set aside IP addresses as the way to decide which devices we trust and which we do not (as said above, private IPs were considered safe and public ones insecure) and instead add the concept of Identity, classified into the following four concepts: Machine Identity, Human Identity, Machine-to-Machine Identity and Human-to-Machine Identity.
These four identities interact with each other and each has its particularities. The first two define the identity of each device or person through variables such as the applications used, the data accessed, etc.; the last two define who can communicate with whom and in what way, adding an authentication layer that uses multi-factor authentication. Remember that in this model any node, user or communication is understood to be a potential attack vector, and therefore nothing can be trusted by default.
In search of a new model
The obligatory question is: how do I go from a traditional model to the Zero Trust model? The implementation can be technically complex depending on the size of the company, but following the correct steps makes the application of this new method easier.
The first step should be to explore the infrastructure: perimeter, personal devices, users, entry points, services, etc. This is followed by mapping and identifying the key points of traffic flow: inbound traffic and its destinations, outbound traffic and its sources, etc.
Taking these points into account, we can then carry out an adequate strategy based on segmentation of resources and, last but not least, adopt a restrictive way of thinking, as the name says, Zero Trust towards each device. This leads us to create much more prohibitive protection policies for access, permissions, antivirus and firewalls, leaving little margin of action for any potential attack.
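To make the contrast between the two models concrete, here is an added example (not code from the original post) of a tiny policy engine: the perimeter model decides on the source IP alone, while the Zero Trust decision evaluates the four identity concepts above (machine, human, machine-to-machine, human-to-machine) plus MFA and the explicit allow list produced by the mapping and segmentation steps. The device ids, user names, service names and allow lists are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Private ranges that the traditional perimeter model treated as "inside".
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Request:
    src_ip: str
    service: str
    human: Optional[str] = None    # authenticated human identity, or None for machine-only
    device: Optional[str] = None   # registered machine identity, or None if unknown
    mfa_passed: bool = False

def perimeter_decision(req: Request) -> bool:
    """Traditional model: trust is a property of the network the request comes from."""
    return any(ip_address(req.src_ip) in net for net in PRIVATE_NETS)

# Constructed inventory from the exploration/mapping step (hypothetical names).
REGISTERED_DEVICES = {"laptop-0042", "build-agent-7"}
HUMAN_TO_SERVICE = {("alice", "payroll-api"), ("alice", "wiki")}      # human-to-machine allows
MACHINE_TO_SERVICE = {("build-agent-7", "artifact-store")}            # machine-to-machine allows

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero Trust: every request is judged on identity and an explicit allow, never on src IP."""
    if req.device not in REGISTERED_DEVICES:
        return False, "unknown machine identity"
    if req.human is None:
        # Machine-to-machine: the device identity itself must be allowed on the service.
        if (req.device, req.service) in MACHINE_TO_SERVICE:
            return True, "machine-to-machine allow"
        return False, "machine not allowed on service"
    if not req.mfa_passed:
        return False, "human identity lacks MFA"
    if (req.human, req.service) in HUMAN_TO_SERVICE:
        return True, "human-to-machine allow"
    return False, "no explicit allow for human on service"

if __name__ == "__main__":
    # An anonymous request from an internal IP: the perimeter lets it through, Zero Trust does not.
    internal_anon = Request("10.1.2.3", "payroll-api")
    print(perimeter_decision(internal_anon), zero_trust_decision(internal_anon))
    # A verified user on a registered laptop from a public IP: Zero Trust allows it.
    remote_alice = Request("203.0.113.5", "payroll-api", human="alice", device="laptop-0042", mfa_passed=True)
    print(perimeter_decision(remote_alice), zero_trust_decision(remote_alice))
```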
Figure 1. Goals for Zero Trust pillars. Microsoft Corporation 2021
What's the verdict?
Each of these two schemes has advantages and disadvantages: call it a larger attack surface in the Zero Trust model, where there are many more access points exposed to a possible cyberattack, or the rigidity of the traditional scheme, where we could not work on anything other than our desktop computer inside the office, etc.
The answer to which scheme to follow depends on the needs of each company that tries to protect its data and its users; however, it would seem that large companies are already migrating from the typical model to the Zero Trust Security model. This new trend was definitely influenced by the needs of the post-pandemic workplace, with more than three quarters of global companies setting up remote work in some way. Migrating to this model definitely provides better visibility from a cybersecurity perspective, particularly as this model can leverage independent technologies, sizes and budgets.
The sentence is: Sound your horns and proceed with caution.
Senior Security Engineer