What is Zero Trust Identity And How to Implement it?

Swwapnil Pawar
6 min read · May 27, 2021
Zero Trust (Image From Google)

Conventional network security has focused on perimeter defenses — once inside the network perimeter, subjects (i.e., end-users, applications, and other non-person entities that request information from resources) are often given broad access to multiple corporate resources. If the subjects are compromised, malicious actors — through impersonation and escalation — can gain access to the resources from inside or outside the network. Moreover, the growth in cloud computing, the Internet of Things (IoT), business partners, and the growing number of remote workers raises the complexity of protecting an organization’s digital resources, because more points of entry, exit, and data access exist than ever before.

A zero-trust network is one in which no person, device, or network enjoys inherent trust. All trust, which allows access to information, must be earned, and the first step of that is demonstrating valid identity. A system needs to know who you are, confidently, before it can determine what you should have access to. Add to that the understanding of what you can access (authorization), and you have the core foundation of zero-trust security.

Zero trust evaluates access requests and communication behaviors in real-time over the length of open connections, while continually and consistently recalibrating access to the organization’s resources. Designing for zero trust enables enterprises to securely accommodate the complexity of a diverse set of business cases by informing virtually all access decisions and interactions between systems and resources.

Zero trust is a set of cybersecurity principles for planning and protecting an enterprise infrastructure and its workflows. Hence, a zero trust architecture (ZTA) never grants access to resources until a subject, asset, or workload has been verified by reliable authentication and authorization.

Historically, the perimeter-based network security model has been the dominant model for information security. It assumes users inside the corporate network perimeter are “trusted” and anyone on the outside is “untrusted.” For several decades, this view of trust has served as the basis for determining what resources a subject/asset can access.

Let's look at the scenarios that encapsulate the notion of providing subjects access to corporate resources hosted on-premise or in the cloud. Access requests may come from within the enterprise network or, in the case of teleworkers, from the public internet. It is assumed the enterprise is implementing a ZTA within an existing, typical corporate environment.

Scenario 1: An employee is looking for easy and secure access to corporate resources, from any work location.

This scenario demonstrates a specific user experience in which an employee attempts to access corporate services such as the corporate intranet, a time-and-attendance system, and other human resources systems by using either an enterprise-managed device or a personally owned device. The ZTA solution described in the NCCoE project enforces the associated access request dynamically and in near real-time. The employee will be able to perform the following:

  • Access on-premise corporate resources while connected from the corporate intranet.
  • Access corporate resources in the cloud while connected directly from the corporate intranet.
  • Access on-premise corporate resources while connected from a branch office.
  • Access corporate resources in the cloud while connected from a branch office.
  • Access on-premise corporate resources from the public internet while teleworking.
  • Access corporate resources in the cloud from the public internet while teleworking.

Scenario 2: An employee is trying to access the public internet to accomplish some tasks.

This scenario shows a specific user experience in which an employee attempts to access an enterprise-sanctioned, web-based service on the internet by using an enterprise-managed device. Although the web-based service is not owned and managed by the enterprise, the associated access request for that resource is still enforced, dynamically and in real-time, by the zero trust (ZT) solution.

The solution will manage the employee’s access, regardless of location. That is, the employee can access the internet while connected inside the corporate intranet, a branch office, or the public internet by using an enterprise-managed device. If an employee is allowed by corporate policy to access non-enterprise-managed resources and services on the public internet by using enterprise-managed devices, the ZT solution will allow the enterprise to determine the extent of this access.

Other scenarios that demonstrate the implementation of zero trust include:

Scenario 3: Contractor Access to Corporate and Internet Resources

Scenario 4: Inter-server Communication Within the Enterprise

Scenario 5: Cross-Enterprise Collaboration with Business Partners

Now, let's have a look at the Zero Trust Identity Architecture.

The technical components required of the ZT solution(s) include but are not limited to:

Core Components:

• The policy engine handles the ultimate decision to grant, deny, or revoke access to a resource for a given subject. The policy engine calculates the trust scores/confidence levels and ultimate access decisions.

• The policy administrator is responsible for establishing/terminating the transaction between a subject and a resource. It generates any session-specific authentication and authentication token or credential used by a client to access an enterprise resource. It is closely tied to the policy engine and relies on its decision to ultimately allow or deny a session.

• The policy enforcement point handles enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource.

Functional Components:

• The data security component includes all the data access policies and rules that an enterprise develops to secure its information, and the means to protect data at rest and in transit.

• The endpoint security component encompasses the strategy, technology, and governance to protect endpoints (e.g., servers, desktops, mobile phones, IoT devices) from threats and attacks, as well as protect the enterprise from threats from managed and unmanaged devices.

• The identity and access management component includes the strategy, technology, and governance for creating, storing, and managing enterprise user (i.e., subject) accounts and identity records and their access to enterprise resources.

• The security analytics component encompasses all the threat intelligence feeds and traffic/activity monitoring for an IT enterprise. It gathers security and behavior analytics about the current state of enterprise assets and continuously monitors those assets to actively respond to threats or malicious activity. This information could feed the policy engine to help make dynamic access decisions.
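To make the core components and the analytics feed concrete, here is an added example (not code from the article or from the NCCoE project) of a toy policy engine, policy administrator and policy enforcement point in Python. The scoring weights, resource tiers, device identifiers and the "endpoint alert" flag are all constructed for illustration. The point it demonstrates is the one made in scenario 1 and in the portability section: the decision depends on identity (MFA), device posture and analytics signals, never on which network the request arrives from, and the decision is re-evaluated for every request that passes through the enforcement point, so a session is terminated when analytics raises a flag mid-session.

```python
# Added illustration: a toy zero-trust policy decision and enforcement path.
from dataclasses import dataclass
import secrets
import time


@dataclass
class Subject:
    user: str
    mfa_verified: bool   # strong second factor completed at sign-in
    device_id: str


@dataclass
class DevicePosture:
    managed: bool        # enrolled in enterprise device management
    encrypted: bool
    patched: bool


@dataclass
class AccessRequest:
    subject: Subject
    resource: str
    network: str         # "intranet", "branch" or "internet": logged, never a trust input


@dataclass
class Session:
    request: AccessRequest
    issued_at: float
    active: bool = True


# Minimum confidence score per resource (constructed tiers for this example).
RESOURCE_MIN_SCORE = {"intranet-portal": 40, "time-attendance": 60, "hr-system": 80}


class SecurityAnalytics:
    """Risk flags raised by monitoring and fed to the policy engine (hypothetical feed)."""
    def __init__(self):
        self.flags = {}

    def raise_flag(self, device_id, reason):
        self.flags.setdefault(device_id, set()).add(reason)

    def risk_flags(self, device_id):
        return self.flags.get(device_id, set())


class PolicyEngine:
    """Computes a confidence score from identity, device posture and analytics, then decides."""
    def __init__(self, analytics, posture_db):
        self.analytics = analytics
        self.posture_db = posture_db   # device_id -> DevicePosture

    def score(self, req):
        posture = self.posture_db.get(req.subject.device_id, DevicePosture(False, False, False))
        score = 40 if req.subject.mfa_verified else 0
        score += 30 if posture.managed else 0
        score += 30 if (posture.encrypted and posture.patched) else 0
        # Each open analytics flag on the device costs 50 points; req.network is never consulted.
        score -= 50 * len(self.analytics.risk_flags(req.subject.device_id))
        return max(score, 0)

    def decide(self, req):
        return self.score(req) >= RESOURCE_MIN_SCORE[req.resource]


class PolicyAdministrator:
    """Opens and terminates sessions and issues the session token, based on the engine's decision."""
    def __init__(self, engine):
        self.engine = engine
        self.sessions = {}   # token -> Session

    def open_session(self, req):
        if not self.engine.decide(req):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = Session(req, time.time())
        return token

    def reevaluate(self, token):
        """Continuous evaluation: re-run the decision for an open session, revoking it on deny."""
        sess = self.sessions.get(token)
        if sess is None or not sess.active:
            return False
        if not self.engine.decide(sess.request):
            sess.active = False
        return sess.active


class PolicyEnforcementPoint:
    """Sits in front of the resource; every forwarded request is re-checked with the administrator."""
    def __init__(self, pa):
        self.pa = pa

    def forward(self, token, resource):
        sess = self.pa.sessions.get(token)
        if sess is None or sess.request.resource != resource:
            return "blocked"
        if not self.pa.reevaluate(token):
            return "terminated"
        return f"forwarded to {resource}"


def demo():
    """Walks through scenario 1 with constructed subjects and devices; returns the outcomes."""
    analytics = SecurityAnalytics()
    postures = {"lt-0042": DevicePosture(True, True, True),      # managed, compliant laptop
                "byod-07": DevicePosture(False, False, False)}   # personal phone
    pa = PolicyAdministrator(PolicyEngine(analytics, postures))
    pep = PolicyEnforcementPoint(pa)
    alice_laptop = Subject("alice", mfa_verified=True, device_id="lt-0042")
    alice_phone = Subject("alice", mfa_verified=True, device_id="byod-07")
    out = {}
    # Teleworking from the internet on a managed device: HR system allowed.
    tok = pa.open_session(AccessRequest(alice_laptop, "hr-system", "internet"))
    out["hr_from_internet_managed"] = pep.forward(tok, "hr-system")
    # Same user on the intranet with a personal device: intranet portal yes, HR system no.
    out["hr_from_intranet_byod"] = pa.open_session(AccessRequest(alice_phone, "hr-system", "intranet"))
    out["portal_from_intranet_byod"] = pa.open_session(
        AccessRequest(alice_phone, "intranet-portal", "intranet")) is not None
    # Analytics flags the laptop mid-session: the next request through the PEP is terminated.
    analytics.raise_flag("lt-0042", "endpoint alert (constructed)")
    out["hr_after_alert"] = pep.forward(tok, "hr-system")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the module prints the four outcomes of `demo()`. A real deployment would replace the additive score with the enterprise's own policy rules and would take the device posture and analytics flags from live endpoint management and monitoring systems; the structure to keep is that the enforcement point never decides on its own, and that the decision is repeated for the lifetime of the session rather than once at login.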

Devices and Network Infrastructure Components:

• Assets include the devices/endpoints, such as laptops, tablets, and other mobile or IoT devices, that connect to the enterprise.

• Enterprise resources include data and compute resources as well as applications/services hosted and managed on-premise, in the cloud, at the edge, or some combination of these.

• Network infrastructure components encompass the network resources a medium or large enterprise might typically deploy in its environment. It is assumed that the ZTA core and functional components and devices are connected via, or integrated into, the network infrastructure. Note: The network infrastructure is not depicted in Figure 1. The NCCoE will provide these components as part of its internal lab infrastructure.

Benefits of zero trust

Lower friction

Zero trust systems can be invisible to the employees at your company. They sign in, they use a strong second factor, and they are ready to go.

Portability

The authentication and authorization aren’t tied to your location. Previous methods of access control relied on trusted networks, giving privileged access to anyone inside the established corporate network. With a zero trust model, it’s easy to work from home and access all the same systems and tools.

Safety

Switching to a zero-trust system has helped many enterprises reduce their exposure and minimize security incidents, proactively stopping phishing-based attacks and lateral movement after a compromise.

References:

National Cybersecurity Center of Excellence (NCCoE), “Implementing a Zero Trust Architecture”

Google Whitepaper on “A New Approach to Enterprise Security”

Swwapnil Pawar

Entrepreneur, Cloud Evangelist, AWS/Google Certified Architect, Building Cool Things With Serverless. Avid Reader