## Zero Trust
You may have heard the terms Zero Trust, Zero Trust Network, or Zero Trust Architecture thrown around quite a bit in the news recently. The Zero Trust idea is nothing new; it has been around for over a decade at this point, but as cloud applications continue to increase in popularity and employees are increasingly working from different physical locations due to COVID-19 related lockdowns, Zero Trust is quickly becoming the new way to approach enterprise security. It is an approach aimed at addressing what I like to call the ‘Data Diaspora,’ data that is no longer centralized on a corporate network but rather is spread out geographically amongst cloud application providers, home networks, and other places.
### Traditional Security Approach
Traditional approaches to security focus almost entirely on putting the defenses at the perimeter, much like a moat around a castle, while keeping the data secure inside the walls. The primary defense in these types of models is typically the firewall, the bridge that determines who can and cannot enter the enterprise network and gain access to the data. Anyone who makes it within the walls is inherently trusted and allowed more or less unfettered access to the data.
![[traditional_security.jpeg]]
There are two main issues with this traditional security approach. First, data is no longer stored solely on the corporate network. The increased popularity of cloud applications and work-from-home efforts means that the data is now stored in home networks and on cloud service providers’ servers, where enterprise security controls are weaker. Second, there is an inherent weakness created when blindly trusting everyone who makes it within the walls. If an attacker is successful in entering the castle, the chances of compromise are exponentially higher.
### The Zero Trust Approach
Zero Trust aims to address these issues by removing the inherent trust within the castle walls–trusting no one and enforcing checks at every level instead–and adding more focus to the defenses on the machines themselves where the data is stored. There are three main principles in the Zero Trust model. They are: verify explicitly, least privilege, and assume breach.
#### Verify Explicitly
The first principle, verify explicitly, is strongly tied to identity. How do I know you are who you say you are and not an attacker trying to trick me into letting you in? The model calls for checks at every level that perform some verification that the request/activity is legitimate. This could be a person trying to gain access to the network, a computer or device that is requesting access to a file, or even a software service requesting access to a license file on a server. Trust no one and verify everything. Hence, Zero Trust.
Checks can include many things, like geography: where on the planet is the request coming from? It could include time: is this a reasonable time for this request, or do we expect the person to be sleeping? It could include a compliance check: is this request coming from a corporate-owned computer with corporate security software and connecting over a secure channel? The verification process can, and often does, take into account multiple different checks. What you’re looking for here are anomalies. If you see atypical activity, deny access and investigate.
#### Least Privilege
The principle of Least Privilege is not unique to the Zero Trust model, but it is part of it. To abide by the principle of Least Privilege you must provide just enough access for the user, program, or process to do their job. Nothing more.
If you’re creating a user account for a person in accounting, you may grant that account access to things like the payroll system, accounting network share, and accounting related documents. Assuming, of course, that the person needs this access to perform their duties. They may not touch payroll and only deal with billing. In that case, access would not be given for payroll. You also wouldn’t give them access to network administration infrastructure like domain controllers.
Restricting access to only what is needed limits the blast radius if the account were to get compromised. If the accounting account were to get compromised, the adversary would not have access to create new accounts or delete marketing data, for example. Least privilege extends beyond just user accounts and includes processes and programs on the computer as well.
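To make the “verify explicitly” checks and the accounting least-privilege example concrete, here is a small policy engine written for this post (added example, not code from the original article). It assumes a constructed grant table where a billing account is granted the billing system and the accounting share but not payroll, and it denies any request that fails a single check, returning the reasons so the denial can be investigated.

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Tuple

# Constructed least-privilege grants: each identity gets only the resources
# its job needs. The billing account is deliberately not granted payroll,
# and no accounting identity is granted domain-controller access.
LEAST_PRIVILEGE = {
    "acct-billing": {"billing-system", "accounting-share"},
    "acct-payroll": {"payroll-system", "accounting-share"},
}
# Constructed context policy: expected countries and working hours (assumptions).
ALLOWED_COUNTRIES = {"US", "CA"}
WORK_START, WORK_END = time(7, 0), time(19, 0)


@dataclass
class Request:
    identity: str
    resource: str
    country: str            # where the request originates (geography check)
    local_time: time        # requester's local time (time check)
    device_compliant: bool  # corporate-owned with corporate security software
    secure_channel: bool    # request arrives over a secure channel


def evaluate(req: Request) -> Tuple[bool, List[str]]:
    """Verify explicitly: every check runs, any failure denies.

    Returns (allowed, reasons). A non-empty reasons list on denial is the
    anomaly record a defender would log and investigate.
    """
    failures: List[str] = []
    if req.country not in ALLOWED_COUNTRIES:
        failures.append(f"geography: unexpected country {req.country}")
    if not (WORK_START <= req.local_time <= WORK_END):
        failures.append(f"time: {req.local_time} is outside working hours")
    if not req.device_compliant:
        failures.append("compliance: device is not a managed, compliant endpoint")
    if not req.secure_channel:
        failures.append("channel: connection is not over a secure channel")
    # Least privilege: the identity must have been granted this exact resource.
    granted = LEAST_PRIVILEGE.get(req.identity, set())
    if req.resource not in granted:
        failures.append(f"least privilege: {req.identity} has no grant for {req.resource}")
    return (not failures, failures)


if __name__ == "__main__":
    req = Request("acct-billing", "payroll-system", "US", time(10, 0), True, True)
    print(evaluate(req))  # denied: billing may not touch payroll
```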
#### Assume Breach
This principle says that we should assume that the adversary is already on our internal network–they are already within our castle walls. This differs from the traditional approach of assuming everyone within the walls is trusted. When you assume breach, you make decisions, respond, and act as if you are already compromised. This is a way of being in the situation and mindset of having already been breached without having to go through the real thing. It is preparing for the worst-case scenario.
### Conclusion
The approaches we take to security are changing just like the way we use technology is changing. Users moving away from the corporate office and into home offices and the transition to cloud applications has made some of the traditional security practices outdated and forced us to rethink the way security ought to be done. Zero Trust challenges the traditional security mindset and moves the protection as close as possible to the data itself, wherever it resides.