Zero Trust Architecture Keeps Us Safe
October 05, 2021 by Adam Valenzuela, director of technology research & exploration, Tyler Federal Division
Since the creation of the first computer system, bad actors have sought to gain access to data with malicious intent. “Zero-trust” architecture is a modern take on a problem that has been around since the dawn of computing: What is the best way to keep a system safe?
What is zero trust?
For the purposes of this discussion, “trust” is the assumption that an entity acting within a specific context is doing so in a manner not harmful to a computer system. This entity could be a person, another IT system, a server, or an automated device. A traditional network security model assumes all users enter the network legitimately and all machines on the network are there for a legitimate, non-malicious reason.
Traditional Network Security Model
In a traditional network security model, once a legitimate user establishes a virtual private network (VPN) connection, that user can access any network resource within the organization without further security checks. Additionally, servers within the network boundary can talk to each other freely without validation, under the assumption that each server can be trusted because it is inside the boundary. Exterior security, such as a VPN firewall, is the primary defense mechanism against intrusion. The assumption within a traditional network is that the perimeter cannot be breached, and therefore, all resources within it are safe.
Zero-Trust Model
The zero-trust model does not assume that the perimeter cannot be breached and is centered on eliminating trust entirely. Access to the network does not grant an implicit ability to access all other resources. Users on the VPN within a zero-trust network must still go through authentication for each system they wish to access, and machines on the network must have a secondary identity and authentication mechanism. By doing this, a smaller perimeter is established around each system, insulating against breaches by holding each system responsible for validating any entity that accesses it. In machine interactions, this lack of trust goes both ways — the machine calling over the network isn’t implicitly trusted, nor is the machine being called. This makes it necessary to establish some form of two-way validation, such as paired security certificates, on both ends of the connection.
Why do we need zero trust?
Zero trust has always been recommended, but the current security climate has made it apparent that this architecture is necessary in a modern environment. By relying solely on the network boundary, IT systems are vulnerable to many attacks, and relying on implicit trust between machines can induce improper operation and data leaks. Too much trust within a network not only puts a system at risk of compromise, but it also multiplies the impact of that compromise. Viruses and other malware spread more easily along trusted paths, and a single compromise can package large amounts of data for export beyond the network boundary. Improper trust can also allow network resources to be used for malicious purposes, such as an open email relay that sends spam or hides the origin of a phishing attempt. Trust makes the magnitude of every breach worse, and no system is failproof against breaches — especially when insider threats and other social vulnerabilities are considered. Therefore, by eliminating trust, the ability of a breach to do significant damage is eliminated.
Zero Trust in Current Networks
Most current networks don’t rely entirely on the external boundary for security but still fall short of embracing all zero-trust principles. For instance, in most cases, simply accessing the VPN will not allow a user to access all resources on a network. The user must still provide credentials to access other resources, such as a username and password when logging on to internal systems. Single sign-on (SSO) and other convenience tools were created to simplify this process, effectively creating new trust points and vulnerabilities within networks. Modern SSO tools account for this by relying on multifactor authentication, as well as continual authentication, to balance convenience and security.
Machine entities, or servers, are given trust more freely in traditional models. These models often assume any server on the network calling an email relay can be trusted without providing secondary authentication, and machines that communicate with web services may still rely on trust rather than implementing more complicated identity validation mechanisms.
One additional concern is that a zero-trust model is only as secure as the identity validation mechanism it places its trust in. A simple username and password used by an application server to access a database results in an easy-to-compromise scenario in which trust can once again be used against the network. To combat this, identity validation should rely on multifactor authentication principles and public key infrastructure (PKI) to ensure credentials have not been compromised.
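The two-way validation with paired certificates described in the zero-trust model section, and the machine-to-machine identity validation discussed just above, can both be shown with mutual TLS. The Go program below is an added example, not code from the original post or from Tyler Technologies. It builds an in-memory private CA, issues certificates to three hypothetical workloads (inventory-service, billing-service and reporting-service are constructed names), and runs a loopback HTTPS service that refuses any caller without a certificate from that CA and then authorizes only billing-service by the identity in its verified certificate. Nothing in it consults the caller's network address.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// must unwraps fixture generation (keys, certificates); failure there is not a case the demo handles.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert mints a short-lived P-256 certificate for cn: self-signed when isCA is set (the demo's
// private CA), otherwise signed by parent. The returned Leaf field holds the parsed certificate.
func issueCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest serves on loopback
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent CA signs it
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// get calls url as a client that verifies the server against pool and presents certs (both directions).
func get(pool *x509.CertPool, url string, certs ...tls.Certificate) (int, error) {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, Certificates: certs}}}
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// RunMutualTLSDemo stands up a service that refuses callers without a certificate from the private CA and
// authorizes on the verified identity, not network location. It returns the HTTP status seen by the
// entitled workload, the status seen by an authenticated but unentitled one, and whether a caller with
// no certificate was rejected outright.
func RunMutualTLSDemo() (allowed, denied int, noCertRejected bool, err error) {
	ca := issueCert("demo-root-ca", true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	server := issueCert("inventory-service", false, &ca)
	billing := issueCert("billing-service", false, &ca)
	reporting := issueCert("reporting-service", false, &ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is populated only because the handshake already verified the chain.
		peer := r.TLS.PeerCertificates[0].Subject.CommonName
		if peer != "billing-service" { // per-service allow list keyed on the verified identity
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "hello %s", peer)
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // missing or untrusted client cert aborts the handshake
		ClientCAs:    pool,
	}
	srv.StartTLS()
	defer srv.Close()
	if allowed, err = get(pool, srv.URL, billing); err != nil {
		return
	}
	if denied, err = get(pool, srv.URL, reporting); err != nil {
		return
	}
	_, noCertErr := get(pool, srv.URL) // no client cert: rejected before any request is served
	return allowed, denied, noCertErr != nil, nil
}

func main() {
	fmt.Println(RunMutualTLSDemo())
}
```

Two design points matter here. First, the server verifies the client and the client verifies the server, so neither side is implicitly trusted because it sits "inside" the network. Second, a valid certificate only authenticates the caller; the handler still makes a separate, per-service authorization decision on the verified identity, which is why reporting-service is turned away with 403 even though its certificate is genuine. In a real deployment the private CA and certificate issuance would come from an organizational PKI rather than in-memory keys generated at startup.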
White House Executive Order
On May 12, 2021, the White House issued the Executive Order on Improving the Nation’s Cybersecurity, which requires the federal government to develop a plan to implement zero-trust architecture. On September 7, the Cybersecurity & Infrastructure Security Agency (CISA) issued its Zero Trust Maturity Model for public comment. A few years ago, multifactor authentication was a value-added feature, not a required security control. In the years ahead, the same might be said for zero trust.
Conclusion
Ultimately, perfect zero trust is a theoretical model that cannot truly be achieved. There is no way to establish absolute certainty that network elements have not been compromised. Security certificates could have been manually replaced by compromised individuals, and even controls that require multiple actors could be circumvented through collusion. However, significant security advancements can be made by relying on varied security gates to eliminate trust as much as possible. By not over-relying on implicit trust, vulnerabilities can be mitigated and networked solutions can be insulated against breaches. Zero-trust architecture helps both to reduce the chance of a breach happening and to reduce the impact of a breach when it inevitably does occur.