Who Do You Trust in Your Network?

Bill Virtue

Trusted User

Trust, as defined by Merriam-Webster, is “the assured reliance on the character, ability, strength, and truth of someone or something.” Our networks have gone through a number of transitions over the years to ensure we ‘trust’ the users and devices that access network resources. From firewalls protecting the network from outside threats, to password-protected internal access controls, to micro-segmentation securing different assets, trust was always the model: if you can supply a username and password, we trust you. Today, networks have no boundaries. Users from all over need access to network resources from any kind of device, and as such, we live in a zero-trust world. We can no longer rely on trusting the user.

An Architecture of Trust

There is no shortage of vendors supporting a zero-trust approach to network security, and the concept of zero trust goes back several years. The idea here is to trust no one, but also ensure that legitimate users have access to the resources they need to conduct business. Sounds familiar if you think back to a time when least privilege was very popular—ensure users have the least amount of privilege and the right level of permission to access resources to do their job. 

Zero trust goes far beyond least privilege and incorporates an architecture of trust. It is not so much a paradigm shift in the way we deliver access policies and controls or specific application-layer protections; zero trust utilizes existing security technologies, including micro-segmentation at the network layer, resilient authentication processes, and behavior visibility. Zero trust is about understanding user workflows and traffic patterns: what applications are in use and who accesses them, what east/west traffic looks like on the network, and which users are accessing other resources. Going back to the “trust but verify” days, verify as often as needed, so that when a user leaves one system to access another there is some level of re-verification, including the use of multi-factor authentication (MFA). This provides constant visibility and awareness, logs and audits user activity, and helps protect against unauthorized lateral movement and privilege-escalation attacks. 
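The following is an added illustration, not code from the article or from any vendor product, of the three controls described above working together: a least-privilege policy (which systems a role may reach), step-up MFA whenever a session moves to a different system after a freshness window, and an audit log that a detection rule scans for rapid hops across many systems. The role names, systems, thresholds and the session scenario are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed least-privilege policy: the systems each role may reach.
POLICY = {"analyst": {"ticketing", "wiki"}, "dba": {"ticketing", "wiki", "db-prod"}}
MFA_FRESHNESS = timedelta(minutes=15)  # re-verify when changing systems after this long
HOP_WINDOW, HOP_THRESHOLD = timedelta(minutes=5), 3  # distinct systems in window -> flag

@dataclass
class Session:
    user: str
    role: str
    last_mfa: datetime                     # when the user last completed MFA
    current_system: str = ""               # "" means no system accessed yet
    hops: list = field(default_factory=list)   # (time, system) of each allowed access
    audit: list = field(default_factory=list)  # decision log for later review

def authorize(s: Session, system: str, now: datetime, mfa_ok: bool = False) -> str:
    # Returns "allow", "deny" or "step-up" for one access request and logs it.
    if system not in POLICY.get(s.role, set()):
        decision = "deny"  # least privilege: system is outside the role's scope
    elif system != s.current_system and now - s.last_mfa > MFA_FRESHNESS:
        if not mfa_ok:
            decision = "step-up"  # leaving one system for another: verify again
        else:
            s.last_mfa, decision = now, "allow"  # fresh MFA accepted
    else:
        decision = "allow"
    if decision == "allow":
        s.current_system = system
        s.hops.append((now, system))
    s.audit.append((now.isoformat(), s.user, system, decision))
    return decision

def lateral_movement_suspected(s: Session, now: datetime) -> bool:
    # Detection: the session touched HOP_THRESHOLD distinct systems within HOP_WINDOW.
    recent = {sys_name for t, sys_name in s.hops if now - t <= HOP_WINDOW}
    return len(recent) >= HOP_THRESHOLD

def demo() -> tuple:
    # Constructed scenario: a DBA session hopping across systems.
    t0 = datetime(2020, 1, 1, 9, 0)
    s = Session("alice", "dba", last_mfa=t0)
    m = lambda k: t0 + timedelta(minutes=k)
    decisions = [
        authorize(s, "ticketing", m(1)),
        authorize(s, "payroll", m(2)),            # outside role scope -> deny
        authorize(s, "db-prod", m(20)),           # new system, MFA stale -> step-up
        authorize(s, "db-prod", m(20), mfa_ok=True),
        authorize(s, "wiki", m(21)),
        authorize(s, "ticketing", m(22)),         # third distinct system in 5 minutes
    ]
    return decisions, lateral_movement_suspected(s, m(22)), s.audit
```

Running `demo()` shows the policy denying an out-of-scope system, demanding step-up MFA on the first hop after the freshness window, and the detection rule flagging the burst of hops even though each one was individually allowed.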

Trusted Cloud

Zero trust extends outside the on-premises systems and includes the use of cloud-based applications that users and development teams are accessing. Cloud-based applications and the storage and sharing of corporate data in the cloud are also at risk. The zero-trust architecture must extend to the cloud to provide comprehensive protection.

Trusted Identity

As a component of zero trust, identity governance can facilitate the model by providing insight into a user’s identity and privilege to improve visibility and detect inappropriate activity. Having visibility into the users that are accessing corporate resources and monitoring that access by incorporating policies and controls that require the user to provide the proper identity and authentication are all part of the zero-trust model. 

Trusted Things

In certain environments, zero trust can include everyone’s favorite subject, the Internet of Things (IoT). Let’s not abandon the idea that connected things can also pose a risk to the infrastructure. With the automation of smart devices connecting to the network, zero trust must encompass these devices to ensure that, although automated, they are connecting only to the assets needed to complete a specific task and that they are not taken over by a threat actor using the device to move laterally across the network. Gartner predicts over 20 Billion IoT devices will be connected by 2020, and although there are a few IoT trust frameworks out there, many of those devices have little security built in, so including them in the zero-trust architecture is a must. 

Bill is a Senior Systems Engineer at Connection with over 30 years of experience in Networking Solutions, Information Security, and Identity Management. Bill is a founding member of the ISSA NH chapter, dedicated to promoting Information Security within the business community. Bill is also a US Navy veteran and held Operations Management positions within the Atlantic Fleet. Bill has broad knowledge in the Security and Compliance space, has consulted on large-scale enterprise deployments and security projects, and has contributed to many technical articles and technology white papers. When he has free time, Bill enjoys catching up with family and friends and riding his Harley-Davidson.