Zero Trust Does Not Mean Zero Access
By Randy Becker, CISO & VP, Network and Security Consulting
Zero Trust is not new, but it has recently started to show up a lot in security circles. A quick search shows that there are a lot of organizations with thoughts on this topic. Given the infamous SolarWinds breach, we are starting to hear more about “Zero Trust,” “Defense in Depth,” and my personal favorite “Assume the Breach.” Last Friday CISA quietly posted the following important guidance on Zero Trust: NSA Releases Guidance on Zero Trust Security Model. This should be on the short list of reading for everyone.
What is Zero Trust?
The Zero Trust model takes a different approach to security by assuming that people and devices are inherently insecure and that users are connecting from untrusted devices and networks both inside and outside the network. This model requires a change of mind and new way of thinking: never trust, always verify, and assume a breach has occurred. Another way of looking at this is that think of your users only connecting to resources from a guest network vs. having a connection to the internal network with unrestricted access to all resources. This is obviously an oversimplification, but you get the picture. This mindset helps prepare you to ensure that all access is authenticated, authorized, encrypted, monitored, audited, and of course automated to take actions when the protection of critical assess/data is required.
Micro-segmentation Protects Against Lateral Movement
Micro-segmentation should certainly be considered and is a key in preventing lateral movement. This may not be an easy undertaking and will require a complete understanding of your application data flows and all communications which is probably the most challenging aspect of micro-segmentation.
Employing the Model of Principal of Least Privilege
This new security mindset means that the principal of least privileged access be applied for every access decision, including administrative or elevated privilege requests. This model must answer the questions of who, what, when, where, and how secure access to critical infrastructure and data is permitted or denied when accessing resources within your environment.
The Challenge: Zero Trust Requires a Mindset Change
We must first acknowledge that we need to change our mindset and that traditional methods are not going to cut it in today’s world of increasingly complex and diverse systems. Organizations are tasked with knowing where all the systems, data, users, and devices exist and the impossible job or keeping a current inventory.
The security threats are becoming progressively more sophisticated with each attack. We are seeing new adversary tools, tactics, and techniques daily. As we have seen in the recent news with FireEye, when threat actors do not have the necessary tools, they may just break in and steal the tools. A new mindset is necessary!
Here is a quick summary of the NSA’s recommendations (from the CISA link above) on how to adopt a Zero Trust mindset.
• Organizations must have aggressive systems monitoring, management, and defensive operations capabilities
• Assume all requests for critical resources and all network traffic may be malicious, and all devices and infrastructure may be compromised
• Accept that all access approvals to critical resources incur some level of risk, and as a consequence you should be prepared to perform rapid damage assessment, control, and recovery operations
Next Steps: Where Do We Start?
Since so many organizations are using Office 365 or Microsoft 365, beginning a Zero Trust approach to Azure Active Directory is a great start. This Microsoft blog post outlines how you can jump right in and start to plan your practical deployment: Zero Trust Deployment Guide for Microsoft Azure Active Directory. As part of the core principle of your Zero Trust strategy, be prepared to identify your users, groups, devices, and integrate your applications with Azure AD. Learn about Conditional Access and how to use it to identify risk and how using Privileged Identity Management (PIM) can help you with privileged access. The Deployment Guide offers a lot of important detail you can use to ensure your deployment is successful.
If you’d like help getting started on implementing a Zero Trust approach in your organization, reach out to your GreenPages Account Executive who can connect you with a Security Engineer or reach out to us!