As we are closing year 2019, I am sharing few thoughts and providing a quick summary on the latest NIST Zero Trust Architecture (ZTA) best practices. This is a quick good read for your vacation ahead of something we need to focus on in 2020. Zero Trust Architecture best practices is the new way of thinking especially for cloud first companies. This is the new security culture.
All companies nowadays are designing solutions and applications working and living on the cloud as the main back end, which is consumed by mobiles and remote roaming devices on the front end. While this fully cloud first and Mobile first transformation is changing the way people are working in a very dynamic and efficient way, it also has its own challenges. On top of these challenges is security. Although the concept of working anywhere on any platform and device is pretty handy for the end user, however it’s a nightmare for Security professionals. The shift between focusing on network security to data and device security is a complete transformation. That’s the core of Zero Trust Architecture best practices.
Back in the old days most of our defenses were focused on the network perimeter which is the fine line between the local network and the outside world (The line between good guys and bad guys). ZTA comes with a new concept saying that nothing is granted so whether you are on the local network or external network you need to authenticate and be authorized to access any resource. There is no more implicit trust based on your location or device connected through the network. Bad people can also be living on your local corporate network (Insiders)
What is Zero Trust Architecture (ZTA)?
NIST released on September 2019 the ZTA draft publication and opened the door for any feedback till the 22 of November 2019. NIST realizing the new cloud and mobile challenge is trying to propose a set of guidelines and best practices to adopt and implement ZTA in your organization. This is a vendor neutral best practices that can be applied on any company.
The concept of the Zero Trust is not new. Several companies and software tools were available in the market to serve this purpose. However, this was somehow limited due to the technology limitation itself. Zero trust architecture best practices moves our defense strategy from network zones and perimeter security to data and resource security. Protecting data and resources is the new focus for security professionals. It’s all about data security and how its consumed on which device from which location.
Zero Trust Architecture best practices introduces new concepts as dynamic access (Authorization) and just in time access (When needed only and for specific duration). Any access for any resource requires authentication before establishing the connection. Authentication happens for both the user and the device.
How ZTA works?
Zero Trust Architecture best practices are driven to help organizations and corporates improve their security posture and focus on the real assets which is the data and critical resources. It’s all about authentication at all levels and authorization (Applying the minimum needed permissions)
The below image is basic idea on how ZTA works. All requests from any user or machine trying to access any resource goes first to the Policy decision/Enforcement point.
Zero Trust Architecture provides technology and capabilities to allow the PDP/PEPs to move closer to the resource. Back in the old days this PDP/PEP was near the user on the perimeter network. Once the user/Machine are logged, they can reuse this authentication everywhere.
Zero Trust Architecture best practices
NIST identified core principles and guidelines as follows:
- All data sources and computing services are considered resources. All systems which may include end point devices are resources that needs proper authentication and authorization.
- All communication is secure regardless of network location. Whether on the LAN or WAN all connections are secured (encrypted) and Authenticated.
- Access to individual enterprise resources is granted on a per-connection basis. There are no implicit rights. Access to one resource will not automatically grant you the access to other resources however its as per needed.
- Access to resources is determined by policy, including the observable state of user identity and the requesting system, and may include other behavioral attributes. Proper Identity management applies to all resources and leveraging the least privilege concept everywhere. The enterprise ensures all owned and associated systems are in the most secure state possible and monitors systems to ensure that they remain in the most secure state possible. Patching is the basis for any security program. Continuous patching for your applications, Operating system and Hardware is crucial. This can be accompanied by Vulnerability management programs.
- User authentication is dynamic and strictly enforced before access is allowed. Solid Identity management which for sure includes MFA is a must. Finally applying Just In Time will ensure the access is not granted 24×7 by default.
Main Threats with Zero Trust Architecture
So, looks like this is the answer to everything and we should be good. Well no, I wish to say yes but the life of a security professional is always challenging. The ZTA introduces few new threats.
Denial of Services or Network Disruption
Remember the PEP we discussed earlier (Policy decision/Enforcement point), this can be targeted by attackers using DDOS attacks (Denial of services). Careful planning for the PEP which includes high availability or maybe installing it in the cloud helps mitigating this problem.
There is no bullet proof solution to this risk as there will always be someone with some permission on a resource/system. ZTA can help limiting such kind of threat with least privilege and Just in time practices
Reliance on Proprietary Data Formats
One of the common issues is to get locked in with specific vendor because of the tools used to process information and specific data formats collected during authentication and authorization process. If this vendor went out of business, then mostly our business will suffer. However, if interoperability concept is applied to ensure our data and resources can move from one vendor to another then we can mitigate such threat.
How Microsoft Azure applies Zero Trust Architecture?
Zero Trust architecture and implementation will differ from on vendor to another however Microsoft are aligned with the NIST draft discussed earlier. Microsoft basic definition of Zero trust is Treating every request as if it’s coming from untrusted network.
According to Microsoft structured approach shown below, they have four main pillars in the Journey of Zero Trust which will continue for more years to come. ZTA is a long journey for most of security professionals. The below points is how Microsoft Azure applies Zero trust architecture. Also this is applied to all Microsoft Cloud services as Office 365…..etc.
MFA is a must and move to Passwordless authentication
Identity protection is key before moving to the cloud. The same applies with Zero Trust where it needs rigorous authentication at each level. Identity protection from my point of view should be the first step for any company moving to the cloud. MFA provides assurance that your identity is highly protected. Several options are available when it comes to MFA as using your phone as second authentication, Authenticator Application, passwordless authentication (Windows Hello, FIDO USB devices……etc.) and others.
Devices to be Modern managed and meet health requirements
Next will be the devices and ensuring they are managed by a proper Mobile device Management. People now can use their corporate devices or their personal devices. This needs to be managed by tools like Intune, Azure AD conditional access. According to Microsoft, modern management for devices using cloud services as Enterprise Mobility +Security will help in identifying, classifying and managing all kind of devices with different platforms. On the other hand Data on these devices need to be properly labelled, classified and protected. Solutions like Microsoft Unified Labeling comes in this picture.
Move devices and users to respective network segments and grant bare minimal permissions
A great example shown in the below image is level of access to the network whether this is Local network or Wireless.
All devices coming to the network, if they are not known to the company (Not corporate or registered devices) then they are offered the basic guest network which is like the ones you get in hotels and airports. However, for devices belonging to employees or even corporate devices, they are moved to internet zone (internet connected resources). Finally, if there are still apps not accessed on internet (Legacy or not published) then using VPN you can connect to Corporate network. Granting bare minimal permissions (Least privilege) and applying just in Time for applications, network and identity reduces the attack surface.
Require applications and services to provide their health certificate
Finally the future step which Microsoft and others are working on it is how the application or service itself validates the health of connection. Service health to be ensured at each connection. This is highly needed since we are encouraging our users to work anywhere on any device, which might not be managed.
We need to understand that Zero Trust is not a technology or something that you can install over the weekend. It’s an architecture and a new mindset dealing with our today and future threats and attacks. Zero trust is a long journey most of the companies will embark very soon to defend and survive the new cloud and mobile model. This will allow companies to safely build and leverage this transformation to maximize the benefits for is business.
Finally I hope this post was helpful and see you all in 2020. Happy New Year.