Zero Trust Architecture
Full Title or Meme
Zero Trust Architecture is a method that starts every interaction with no access and builds up access rights as the user adds proof of Identity and Authentication to meet the Authorization needs of the Resource sought by the User.
- The context here is focused on human user access to enterprise data and resource. All manner of computing devices may be employed by users in all manner of networks.
- Traditionally user access was granted at the point where the user entered the network with a protocol like Kerberos which was developed by Project Athena at MIT to sort the various components of a Research University into buckets that could assign trust at the entry point that followed the user wherever they went inside the MIT network.
- In Zero Trust Architecture the user is given full access to the network and then provides such attributes of Identity and Authentication as are needed at each Resource access point; in other words, the Internet.
- A Zero Trust Architecture focuses on protecting data and resources rather than building walled gardens where anyone in the garden can access all resources.
- The DoD released the 170-page zero trust architecture in 2021-02, but did not make it publicly accessible until 2021-05-13 after they remove CV-3 for security reasons.
- The prevailing sense of Identity experts, like Kim Cameron, is that the lack of an identity layer in the Internet is a defect.
- In other words, all existing methods focus on access to Resources rather than on User Experience.
- NIST page on Zero Trust Architecture
- Book on Zero Trust Networks by Evan Gilman, Doug Barth.
Executive OrderFrom the President’s Executive Order 14028 issued on 2021-05-12.
Zero Trust Architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access.Or, as the Department of Defense puts it
The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.
The two big bullet points are:
- Assume that the network is not secure, i.e. that there is no security perimeter
- A user application only has the Least Privilege required to accomplish their work task at that time.
- Users have a low level of tolerance for any continued process of Identifying and Authenticating.
- The US NIST is trying to convince people that a Zero Trust Architecture is possible with a good User Experience.
A zero trust architecture leans heavily on components and capabilities for identity management, asset management, application authentication, network segmentation, and threat intelligence. Architecting for zero trust should enhance cybersecurity without sacrificing the user experience. The NCCoE is researching ongoing industry developments in zero trust and its component technologies that support the goals and objectives of a practical, secure, and standards-based zero trust architecture.
As with any security architecture, the first step is always to first identify the assets and resources that need protection. It is often the case that some assets might not be obvious as Mersk found when a ransom ware attack destroyed all the active network routing tables and no back-up had been generated.
- Abandon the impossible dream of any trust system that requires no effort by the user and the organization that support that user. Only hard and on-going effort will provide the trusted access that secure resources require.
- Equip the User with a device that can secure store one or more credentials which identify a Subject and authenticate the presence of a trusted user that is Authorized to assume that Subject Identifier. In this definition the Subject ID might, or might now, be unique to that user.
- Ensure that all internal access codes, especially for highly privileged users, start out and remain secure in use.
- Where users are given access to multiple zones of security, ensure that any stored passwords (or password hashes) are not reused between zones.
5 Pillars of CISA
[https://www.cisa.gov/zero-trust-maturity-model CISA’s Zero Trust Maturity Model describes these 5 pillars
- Network Environment
- Application Environment
The focus is on control within the enterprise even though most exploits are observed in the open internet. There is no explicit recognition of use of the exploits other than the very slow process of Vulnerability => Exploit => Detection => Report (CVE) => Create Fix => review supply chain => apply fix to each element of supply chain, where attackers have full access during this chain of events.
7 Tenets by NIST
These are further described in SP-800-207
- Authentication and Authorization - All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- Integrity - The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- Observable State - Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
- Minimal Access in Size - All data sources and computing services are considered resources.
- Minimal Access in Time - Access to individual enterprise resources is granted on a per-session basis.
- Encrypt All Access - All communication is secured regardless of network location.
- Monitor All Access - The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture
Planning by US DoD
It is quite clear that this is an early draft of ideas that no one has yet tried to implement.
- Department of Defense (DOD) Zero Trust Reference Architecture (2021-02) Version 1.0 (Version 1.5 is scheduled for calendar year 2022)
Zero Trust is the term for an evolving set of cybersecurity paradigms that move defenses from status, network-based perimeters to focus on users, assets, and resources. Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned).” Zero Trust requires designing a simpler and more secure architecture without impeding operations or compromising security. The classic perimeter/defense-in-depth cybersecurity strategy repeatedly shows to have limited value against well-resourced adversaries and is an ineffective approach to address insider threats.
[Zero Trust] is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction
- The CV-1 defines the strategic context for a group of capabilities described in the Architectural Description by outlining the vision for a capability area over a bounded period. (Capability Viewpoint 1)
In a world of increasingly sophisticated threats, a Zero Trust framework reduces the attack surface, reduces risk, and ensures that if a device, network, or user/credential is compromised, the damage is quickly contained and remediated.
- The CV-2, Capability Taxonomy is more like a dictionary of terms - Here is our take on what it could have been:
- Capability = a name and a description (tag value pair) Elsewhere in this wiki it has been called a purpose
- See wiki page on Machine Readable Governance for the policy which is required, but not described, in the DoD doc.
- View Structure = a collection of capabilities. Elsewhere in this wiki this is called a Presentation request
- View = Presentation of data
Megan Shamas, Director of Marketing at the FIDO Alliance, moderated an afternoon panel on Zero Trust, which is often closely associated with Identity and Access Management (IAM) activities.
A core question that the panel discussed is what the top obstacle is to implementing strong authentication. Christine Owen, Director at Guidehouse, said that in her view people are often the issue.
“Part of it is because when you are changing processes, you need to have good communication with your stakeholders and with your customers to understand why it is you’re changing what you’re changing, and how their life is going to be different and better,” Owen said.
Jamie Danker, Senior Director of Cybersecurity Services at Venable, commented that ironically trust is the biggest obstacle. Users are often worried about the privacy implications of authentication and security mechanisms.
“You need to consider how information is used for just that authentication purpose and not used for other purposes,” Danker said. “Think about things like how you can minimize the data, and how you are going to inform your users about the use of the data.”
- DISA and NSA, Department of Defense (DOD) Zero Trust Reference Architecture Version 1.0 dated 2021-02 https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf
- Kim Cameron Identity Blog https://www.identityblog.com/
- Department of Defense (DoD) Zero Trust Reference Architecture version one (2021-02) https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf
- NIST and NCCoE Zero Trust Architecture https://www.nccoe.nist.gov/projects/building-blocks/zero-trust-architecture
- The Total Economic Impact of Zero Trust Solutions From Microsoft Forester 2021-12
- See the wiki page on Domains.
- NIST SP 800-207 Zero Trust Architecture 2020-08-11
- Duo zero trust