When "Trust but Verify" Isn’t Enough: Life in a Zero Trust World

Welcome to the first in a five-part series on information security in a hybrid IT world. Because I’ve spent the vast majority of my IT career as a contractor for the U.S. Department of Defense, I view information security through the lens that protecting national security and keeping lives safe is the priority. The effort and manageability challenges of the security measures are secondary concerns.

[Image: modified from an image by Lisa Caroselli on Pixabay.]

About Zero Trust

In this first post, we’ll explore the Zero Trust model. Odds are you’ve heard the term “Zero Trust” many times in the nine years since John Kindervag, then at Forrester Research, created the model. In more recent years, Google and Gartner followed suit with their own Zero Trust-inspired models: BeyondCorp and LeanTrust, respectively.

“Allow. Allow. Allow.” Windows Guy must authorize each request himself. “It’s a security feature of Windows Vista,” he explains to Justin Long, the much cooler Mac Guy. In this TV commercial, Windows Guy trusts nothing; every request requires authentication (from himself) and explicit authorization.

The Zero Trust model works much the same way. By default, nothing is trusted or privileged, and requests from inside the network get no preference over requests from outside: every one must be authenticated and authorized. Other controls reinforce the model: least-privilege access, strict access rights, and intelligent analytics for visibility and logging. Together, these are the Zero Trust model in action.
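To make the difference concrete, here is a small added example (my own illustration, not code from the original post or from any product) that evaluates the same requests under a perimeter-style “trust but verify” policy and under a Zero Trust policy. The corporate address ranges, the role-to-resource scope map, the request fields and the three sample requests are all assumptions constructed for the illustration.

```python
"""Per-request authorization: perimeter-style "trust but verify" vs. Zero Trust.

Added example, not from the original post. The corporate address ranges,
the role-to-resource scope map and the request fields are assumptions
chosen to illustrate the model, not any real product's schema.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed corporate address space. "Trust but verify" trusts anything that
# arrives from it; Zero Trust gives it no weight at all.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Least privilege: each role maps to only the resources and actions it needs (assumed).
ROLE_SCOPES: Dict[str, Dict[str, Set[str]]] = {
    "dba":     {"db-prod": {"read", "write"}},
    "analyst": {"db-prod": {"read"}, "reports": {"read"}},
}


@dataclass(frozen=True)
class Request:
    src_ip: str
    user: Optional[str]        # None means no authenticated identity
    role: Optional[str]
    mfa_verified: bool         # second factor presented for this session
    managed_device: bool       # device posture known and acceptable
    resource: str
    action: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def perimeter_decision(req: Request) -> Tuple[bool, str]:
    """Trust but verify: callers are verified at the edge, and anything
    already inside the perimeter is trusted without further checks."""
    if is_internal(req.src_ip):
        return True, "inside the perimeter, trusted"
    if req.user is None:
        return False, "external and unauthenticated"
    return True, "external, authenticated at the edge"


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Zero Trust: every request, from inside or outside, must prove who is
    asking, from what device, how strongly they authenticated, and must stay
    inside its least-privilege scope. The source address is never consulted."""
    if req.user is None or req.role is None:
        return False, "no authenticated identity"
    if not req.mfa_verified:
        return False, "multi-factor authentication not satisfied"
    if not req.managed_device:
        return False, "device not managed or its posture is unknown"
    allowed = ROLE_SCOPES.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, f"role {req.role!r} may not {req.action} {req.resource}"
    return True, "identity, device, MFA and scope verified"


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS: List[Request] = [
    # Lateral movement: an unauthenticated process on an internal host.
    Request("10.20.30.40", None, None, False, False, "db-prod", "read"),
    # Analyst working from home on a managed laptop, MFA done, reading in scope.
    Request("203.0.113.7", "alice", "analyst", True, True, "db-prod", "read"),
    # Same analyst, now on the LAN, attempting a write outside her scope.
    Request("10.20.30.41", "alice", "analyst", True, True, "db-prod", "write"),
]


def compare(requests: List[Request] = SAMPLE_REQUESTS) -> List[Tuple[bool, bool]]:
    """Return (perimeter_allowed, zero_trust_allowed) for each request."""
    return [(perimeter_decision(r)[0], zero_trust_decision(r)[0]) for r in requests]


if __name__ == "__main__":
    for r, (p, z) in zip(SAMPLE_REQUESTS, compare()):
        print(f"{r.src_ip:>14} user={str(r.user):<6} {r.action}:{r.resource:<8} "
              f"perimeter={'ALLOW' if p else 'DENY':<5} zero_trust={'ALLOW' if z else 'DENY'}")
```

The first request is the case perimeter thinking gets wrong: it comes from an internal address, so the perimeter policy waves it through even though nobody authenticated. The third shows least privilege doing its job independently of location: a fully verified user is still refused an action outside her role’s scope.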

If Zero Trust sounds like “Defense-in-Depth” to you, you are correct; the two complement each other. Defense-in-Depth will be covered in a later post in this series. As you know, the best security controls are always layered.

Why Isn’t Trust but Verify Enough?

Traditional perimeter firewalls, the gold standard for “trust but verify,” leave a significant gap: internal, trusted traffic. A perimeter firewall focuses on keeping untrusted (and unauthorized) external traffic out of the network. That traffic is usually referred to as “North-South” or client-to-server. Another kind of traffic exists, though: “East-West” or application-to-application traffic, which typically never hits a perimeter firewall because it never leaves the data center.

Most importantly, perimeter firewalls don’t cover public cloud traffic or hybrid cloud, the space where private and public networks coalesce. And while the cloud simplifies some things, like building scalable, resilient applications, it adds complexity in others: networking, troubleshooting, and securing one of your greatest assets, your data. Cloud also introduces new traffic patterns and infrastructure you share with others but don’t control. Hybrid cloud blurs the line between trusted and untrusted even further. Applying the Zero Trust model lets you begin to mitigate the risks that come with untrusted public traffic.

Who Uses Zero Trust?

In any layered approach to security, most organizations are probably already applying some Zero Trust principles, like multi-factor authentication, least privilege, and strict ACLs, even if they haven’t reached the stage of requiring authentication and authorization for every request from every process, user, device, application, and network flow.

Also, the CIO Council, “the principal interagency forum to improve [U.S. Government] agency practices for the management of information technology,” has a Zero Trust pilot slated to begin in summer 2019. The National Institute of Standards and Technology, Department of Justice, Defense Information Systems Agency, GSA, OMB, and several other agencies make up this government IT security council.

How Can You Apply Principles From the Zero Trust Model?

  • Whitelists (allowlists). A list of who to trust. It can apply to processes, users, devices, applications, or network traffic that are granted access; anything not on the list is denied. The opposite is a blacklist (denylist), where you must know the specific threats to deny, and everything else gets through.

  • Least privilege. Assign the minimum rights to the minimum number of accounts needed to accomplish the task. This also means separating everyday user accounts from privileged accounts and being able to audit what each of them does.

  • Security automation for monitoring and detection. Intrusion prevention systems that stop suspect traffic or processes without waiting for manual intervention.

  • Identity management. Harden the authentication process with one-time passwords or implement multi-factor authentication, which requires proof from at least two of the following categories: something you know, something you have, and something you are.

  • Micro-segmentation. Network access control applied to individual groups of applications and workloads, so that a breach or compromise of one segment is contained rather than spreading. Micro-segmentation is also how you apply security controls to East-West traffic.

  • Software-defined perimeter. Micro-segmentation designed for a cloud world, in which assets or endpoints are hidden in a “black cloud” and are not even visible unless you have a need to know (or see) the asset or group of assets.
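The whitelist and micro-segmentation bullets above can be shown together with a small added example (my own illustration, not code from the original post or from any product). It classifies constructed flow records as North-South or East-West, notes which of them a perimeter firewall would even see, and evaluates the East-West ones against a default-deny allowlist, with a denylist alongside for contrast. The tier address ranges, the allowlist and denylist contents, and the flow records are all assumptions made up for the example.

```python
"""Micro-segmentation for East-West traffic: default-deny allowlist vs. denylist.

Added example, not from the original post. The tier address ranges, the
allowlist and denylist contents and the flow records are all constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumed data-center address space, split into workload groups (tiers).
DC_NET = ipaddress.ip_network("10.0.0.0/8")
TIERS = {
    "web": ipaddress.ip_network("10.1.0.0/16"),
    "app": ipaddress.ip_network("10.2.0.0/16"),
    "db":  ipaddress.ip_network("10.3.0.0/16"),
}

# Whitelist: the only permitted East-West flows, as (src_tier, dst_tier, dst_port).
ALLOWLIST = {("web", "app", 8443), ("app", "db", 5432)}

# Blacklist: only the threats someone already thought of (telnet to the DB tier).
DENYLIST = {("web", "db", 23)}


def tier_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return None


def direction(src: str, dst: str) -> str:
    """A perimeter firewall only sees traffic that crosses the data-center edge."""
    inside = lambda ip: ipaddress.ip_address(ip) in DC_NET
    return "east-west" if inside(src) and inside(dst) else "north-south"


def allowlist_decision(src: str, dst: str, port: int) -> bool:
    """Whitelist semantics: anything not explicitly listed is denied."""
    return (tier_of(src), tier_of(dst), port) in ALLOWLIST


def denylist_decision(src: str, dst: str, port: int) -> bool:
    """Blacklist semantics: anything not explicitly listed gets through."""
    return (tier_of(src), tier_of(dst), port) not in DENYLIST


# Constructed flow records, one per line as "src dst dport" (not real logs).
FLOWS = """\
203.0.113.9 10.1.0.10 443
10.1.0.10 10.2.0.20 8443
10.2.0.20 10.3.0.30 5432
10.1.0.10 10.3.0.30 5432
10.1.0.10 10.3.0.30 22
"""


def parse_flows(text: str) -> List[Tuple[str, str, int]]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        flows.append((src, dst, int(port)))
    return flows


def evaluate(text: str = FLOWS) -> List[Dict[str, object]]:
    """Classify each flow and, for East-West flows, compare both verdicts."""
    results = []
    for src, dst, port in parse_flows(text):
        d = direction(src, dst)
        east_west = d == "east-west"
        results.append({
            "flow": f"{src}->{dst}:{port}",
            "direction": d,
            "seen_by_perimeter_fw": not east_west,
            "allowlist": allowlist_decision(src, dst, port) if east_west else None,
            "denylist": denylist_decision(src, dst, port) if east_west else None,
        })
    return results


if __name__ == "__main__":
    for r in evaluate():
        print(f"{r['flow']:<28} {r['direction']:<11} perimeter_sees={r['seen_by_perimeter_fw']!s:<5} "
              f"allowlist={r['allowlist']!s:<5} denylist={r['denylist']!s}")
```

The two flows from the web tier straight to the database tier are the ones to watch: a compromised web server trying its luck on the database port and on SSH. Neither appears in the denylist, so blacklist thinking lets both through; neither appears in the allowlist, so whitelist thinking blocks both, and since both endpoints are inside the data center, the perimeter firewall would not have seen either one.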

Conclusion

Implementing any security measure takes work and effort: keeping the bad guys out while letting the good guys in and, most importantly, keeping valuable data safe.

However, security breaches and ransomware attacks increase every year. As more devices come online, perimeters dissolve, and the amount of sensitive data stored online keeps growing, the pool of malicious actors and would-be hackers grows with it.

It’s a scary world, one in which you should consider applying “Zero Trust.”

20 Comments
Level 11

interesting

Level 14

Thanks for the article!

MVP

Thanks for the article!

Level 12

Zero Trust is a concept I wasn't aware of so I appreciate this article as it will help me communicate with my security guys.

Level 13

Good post, thanks.  Looking forward to the rest of the series.

Level 14

Great start and thought provoking ideas... can't wait for the rest of the series.

Level 12

Considering how often data breaches are internal, it is wise to not implicitly trust internal traffic.

I am looking forward to the follow-up about defense in depth.

Level 15

Great article. I am looking forward to the rest of the series.  We have a highly security-minded CIO, and we have been working diligently for the past 2+ years converting our infrastructure to support Zero Trust.  We have a long road to go, but we are also working to train the users to understand the reasons why as part of the process.

Thanks!

Level 9

Good stuff!

Level 13

Interesting article.  Thanks.

Level 16

Always thought that was a Soviet phrase.

Level 9

So, glad to be of help!  Thanks for the feedback!

Level 9

Thank you so much for the kind words and feedback! 

Level 20

I'm all in on the zero trust!

Level 14

Novell did this years and years ago.  Microsoft started from a basis of trusting everyone.  Now we are paying the price.  The network guys here tried to implement some east-west restrictions.  Unfortunately, they blocked port 135 between all the firewalls because they didn't know what it was.  It was AD replication (RPC).  Took me a while to un-clusterfeck this.

My last place was almost entirely VMWare so used NSX to provide east - west firewalling.  It seems to work quite well.

Level 11

Thanks for the article.

Level 9

Zero trust is fairly easy to set up in a brand new environment with flat networking (initially), etc.

The more complex an existing environment, the harder a strict Zero Trust environment will be to implement.

Hybrid is the way to go if you have an established edge protected network with sound user rights and data/network access practices.

Combining internal Trust but verify with external to internal Zero Trust is probably the most popular way to inject Zero Trust into our networks/datacenters, especially with more and more apps, DevOps, Test environments moving to cloud.

Your first piece is a great start and introduction. Thanks for posting.

AAA via TACACS is a sweet solution for big parts of this.

Level 9

Brian! Glad to hear that you are looking forward to the defense-in-depth post.  That will be the final post in the series.

Level 12

That's true, but my company CEO thinks that spending money on security is useless, so basically the team I work with tried to set up open-source solutions. Anyway, I would prefer SolarWinds products 1000 times over open-source.

About the Author
Becky Elliott, a Baltimore native, has worked in Information Technology for over 20 years, mostly as a Government Contractor. In recent years, she has leaned into the Tech Community as a NetApp A-Team Advocate, Tech Field Day Delegate, and aspiring “extra credit kid”. She holds a number of certifications including CISSP, Linux+, and NetApp Certified Implementation Engineer - SAN.