SoS Musings - Zero Trust Security

By grigby1 

Due to the acceleration of digital transformation initiatives, the expansion of the attack surface, and the persistent failure of perimeter-based security approaches, Zero Trust has assumed greater significance than ever before. Zero Trust is a security model founded on the tenet that strict access controls are maintained and no one, including those already within the network perimeter, is trusted by default. Conventional security architectures prioritize protection of an organization's perimeter; the Zero Trust approach starts from the premise that risk is both internal and external. Realizing the benefits of this model takes time and strategic planning because of the complexity of implementing it. According to a report published by Cisco, nearly 90 percent of organizations have started adopting Zero Trust security, but many have yet to make extensive progress. The report, based on a survey of 4,700 information security professionals worldwide, found that 86.5 percent have begun implementing some facet of the Zero Trust model, while mature deployments account for only 2 percent of these organizations. Organizations are encouraged to adopt and advance a Zero Trust strategy in order to reduce the exposure of their modernized operating environments to attack.

According to the National Security Agency's (NSA) "Embracing a Zero Trust Security Model" guidance, Zero Trust is a security model that encompasses system design principles and a coordinated strategy for cybersecurity and system management. The model eliminates the assumption of trust in any individual component, node, or service. Instead, it calls for continuous verification of the operational picture, using real-time information from multiple sources to determine access and other system responses. This approach assumes that a breach is highly probable or has already taken place. Therefore, it consistently restricts access to only the resources that are needed and actively monitors for abnormal or malicious behavior. Zero Trust integrates comprehensive security monitoring, granular risk-based access controls, and system security automation in a coordinated way across all parts of the infrastructure, so that critical assets such as data are protected in real time within a constantly changing threat environment. This data-centric security model supports the least-privilege access concept, under which each request to a resource is granted or denied based on multiple contextual factors rather than on network location alone.

No single technology or device can bring an organization to Zero Trust. Experts have pointed out that effective Zero Trust implementation requires a combination of strategies and technologies, such as microsegmentation, Identity and Access Management (IAM), Multi-Factor Authentication (MFA), and more. Microsegmentation is the practice of dividing a security perimeter into smaller zones so that access to each part of the network can be controlled separately. Tightly focused security policies support the Zero Trust approach by authorizing user access only to the applications and data that a user's role and identity require, rather than on the basis of IP addresses alone. An individual who is authorized to enter one secure zone cannot enter another zone without an explicit authorization for that zone. MFA is advised for Zero Trust environments because it adds a further safeguard by requiring two or more factors (for example, a Personal Identification Number (PIN), a hardware token, or a fingerprint) for authentication. IAM handles user identities and access within an organization through products, processes, and policies. IAM systems carry out identification, authentication, and authorization so that access to enterprise resources, such as computers, hardware, software applications, and more, is restricted to the right individuals. Organizations are strongly encouraged to study the range of technologies and principles that can help establish Zero Trust within their operations.
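The preceding two paragraphs describe a policy engine that decides each request on identity, role, authentication strength, device posture and the microsegment the resource lives in, with nothing implied by network location. The following Python program is an added example written for this article, not code from the NSA, NIST or CISA publications; the zone names, roles, users and IP addresses in it are constructed for illustration, and the checks it applies are one plausible policy, not a standard.

```python
# Added example (not from the NSA/NIST/CISA documents or the original article):
# a toy Zero Trust policy decision point. Every request is evaluated on
# identity, role, MFA, device posture and the resource's microsegment;
# being on an "internal" IP address grants nothing by itself.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Subject:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool
    device_compliant: bool
    source_ip: str          # recorded for the audit log only, never used to grant


@dataclass(frozen=True)
class Resource:
    name: str
    zone: str               # microsegment the resource lives in (hypothetical names)
    sensitivity: str        # "low" or "high"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple          # why the request was denied (empty when allowed)


# Hypothetical policy: explicit per-zone grants by role. A role absent from a
# zone's set has no access there, regardless of what other zones it can reach.
ZONE_GRANTS: Dict[str, FrozenSet[str]] = {
    "finance": frozenset({"finance-analyst", "finance-admin"}),
    "hr": frozenset({"hr-staff"}),
    "intranet": frozenset({"employee", "finance-analyst", "finance-admin", "hr-staff"}),
}

# Roles allowed to perform write actions in each zone (least privilege: read by default).
WRITE_ROLES: Dict[str, FrozenSet[str]] = {
    "finance": frozenset({"finance-admin"}),
    "hr": frozenset({"hr-staff"}),
    "intranet": frozenset(),
}

AUDIT_LOG: List[dict] = []   # every mediated request is recorded here


def decide(subject: Subject, resource: Resource, action: str) -> Decision:
    """Evaluate one access request; deny by default, allow only when every check passes."""
    reasons = []

    # 1. Identity and role: the subject needs an explicit grant to the resource's zone.
    if not subject.roles & ZONE_GRANTS.get(resource.zone, frozenset()):
        reasons.append(f"no role is granted access to zone '{resource.zone}'")

    # 2. Authentication strength: MFA is required for every request, internal or not.
    if not subject.mfa_verified:
        reasons.append("multi-factor authentication not verified")

    # 3. Device posture: high-sensitivity resources require a compliant device.
    if resource.sensitivity == "high" and not subject.device_compliant:
        reasons.append("device does not meet compliance policy")

    # 4. Least privilege on the action: writes need a role from the zone's write set.
    if action == "write" and not subject.roles & WRITE_ROLES.get(resource.zone, frozenset()):
        reasons.append(f"role not permitted to write in zone '{resource.zone}'")

    decision = Decision(allowed=not reasons, reasons=tuple(reasons))
    AUDIT_LOG.append({
        "user": subject.user, "source_ip": subject.source_ip,
        "resource": resource.name, "action": action,
        "allowed": decision.allowed, "reasons": decision.reasons,
    })
    return decision


def run_scenarios() -> Dict[str, Decision]:
    """Constructed sample requests showing how the checks combine."""
    ledger = Resource("finance-ledger", zone="finance", sensitivity="high")
    wiki = Resource("intranet-wiki", zone="intranet", sensitivity="low")

    # An employee on an internal address: the network location buys nothing.
    insider = Subject("alice", frozenset({"employee"}), mfa_verified=True,
                      device_compliant=True, source_ip="10.0.0.5")
    # A finance analyst working remotely with MFA but an unmanaged laptop.
    analyst_unmanaged = Subject("bob", frozenset({"finance-analyst"}), mfa_verified=True,
                                device_compliant=False, source_ip="203.0.113.7")
    # The same analyst on a compliant device.
    analyst = Subject("bob", frozenset({"finance-analyst"}), mfa_verified=True,
                      device_compliant=True, source_ip="203.0.113.7")
    # A finance admin on the internal network who skipped MFA.
    admin_no_mfa = Subject("carol", frozenset({"finance-admin"}), mfa_verified=False,
                           device_compliant=True, source_ip="10.0.0.9")

    return {
        "insider_reads_ledger": decide(insider, ledger, "read"),
        "insider_reads_wiki": decide(insider, wiki, "read"),
        "analyst_unmanaged_reads_ledger": decide(analyst_unmanaged, ledger, "read"),
        "analyst_reads_ledger": decide(analyst, ledger, "read"),
        "analyst_writes_ledger": decide(analyst, ledger, "write"),
        "admin_no_mfa_writes_ledger": decide(admin_no_mfa, ledger, "write"),
    }


if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name}: {'ALLOW' if d.allowed else 'DENY'} {list(d.reasons)}")
```

Two design points carry the Zero Trust idea: the source address is written to the audit record but never consulted by any check, so the insider on 10.0.0.5 is refused the finance ledger exactly as an outsider would be, and every check is additive, so a denial lists all the reasons at once, which is what a monitoring pipeline wants to see when it looks for repeated near-misses against a sensitive zone.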

There are resources available to assist organizations in implementing the Zero Trust model. In addition to the "Embracing a Zero Trust Security Model" guidance released by NSA in 2021, the agency has published Cybersecurity Information Sheets (CSIs) titled "Advancing Zero Trust Maturity Throughout the User Pillar," "Advancing Zero Trust Maturity Throughout the Device Pillar," and "Advancing Zero Trust Maturity Throughout the Network and Environment Pillar." For example, the latest CSI outlines how to use Zero Trust principles to strengthen internal network control and contain an intrusion within a segmented portion of the network. It discusses mapping data flows from usage patterns and operational business requirements, and automating security policies, in order to increase operational efficiency and agility. The National Institute of Standards and Technology (NIST) published "Zero Trust Architecture (NIST SP 800-207)," which defines the basic tenets and deployment models of a Zero Trust architecture. This document provides an overview of the architecture, including deployment models and use cases for improving enterprise security. Examples of deployment scenarios and use cases include enterprises with satellite facilities, multi-cloud and cloud-to-cloud enterprises, enterprises with contracted services and/or nonemployee access, collaboration across enterprise boundaries, and enterprises with public- or customer-facing services. The Cybersecurity and Infrastructure Security Agency's (CISA) "Zero Trust Maturity Model" publication is one of several roadmaps that agencies can use as they move toward a Zero Trust architecture. The model aims to help agencies develop Zero Trust strategies and implementation plans, and to show how various CISA services can support Zero Trust solutions. Within each of its five pillars (identity, devices, networks, applications and workloads, and data), the maturity model describes traditional, initial, advanced, and optimal stages of Zero Trust architecture.

Researchers continue to explore the implementation of a Zero Trust strategy. An MIT Lincoln Laboratory study examined Zero Trust architectures, reviewing their implementation in government and industry, identifying technical gaps and opportunities, and developing a set of recommendations for approaching Zero Trust. The study emphasized that Zero Trust principles can protect against insider threats by treating every component, service, and user as constantly exposed to, and potentially compromised by, a threat actor. Each time a user requests access to a new resource, the user's identity is verified, and the access is mediated, logged, and analyzed. Experts at Carnegie Mellon University (CMU) have identified Zero Trust-related issues that require further investigation. By focusing on these areas, government, academic, and industry organizations can work together to develop solutions that improve and accelerate Zero Trust architecture transformation efforts. The research areas identified by CMU include reaching agreement on a generally accepted set of basic Zero Trust definitions, establishing a shared understanding of Zero Trust, establishing standard Zero Trust maturity levels, explaining how to progress through those maturity levels, ensuring Zero Trust supports distributed architectures, and more. Identifying these areas for future research raises awareness, encourages collaboration between public and private organizations to solve real-world problems, and accelerates the adoption of Zero Trust in government and industry.

Organizations must protect their networks and online environments as attackers become more capable and threats escalate. Zero Trust can serve as an effective security strategy because it reduces the attack surface and the risk of a data breach.

To see previous articles, please visit the Science of Security Musings Archive.

Submitted by Gregory Rigby on