Selcouth Cyber Security Services Private Limited

Zero-Trust 101

InfoSec + Security Architecture | acc3ssp0int | February 9, 2021

Background

Zero-Trust is an emerging security concept that says a simple thing: “Continuously validate all users, against set security configurations, before they are granted permissions or are allowed to keep their existing access to resources & information”.

This architecture assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.

Principles of Zero Trust

  • All information and services in the environment are considered resources.
  • All communication must be secured regardless of network location.
  • Access to individual enterprise resources must be granted on a per-session basis.
  • Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and might include other behavioral and environmental attributes.
  • The enterprise continuously monitors and measures the integrity and security posture of all owned and associated assets.
  • All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  • The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

Getting Started with Zero Trust

Assess the organization

  • Define the protect surface and identify sensitive data, assets, applications and services (DAAS) within this framework.
  • Assess the organization’s current security toolset and identify any gaps within the infrastructure.
  • Ensure that the most critical assets are given the highest level of protection within the security architecture.

Create an inventory of all assets along with the transactional flow of information

  • Determine where sensitive information lives and which users need access to it.
  • Consider how various DAAS components interact and ensure compatibility in security access controls between these resources.

Establish preventative measures

  • Multifactor authentication: MFA (2FA or third-factor authentication) is essential to achieving Zero Trust. It enforces the “something you have” factor, providing another layer of verification for every user regardless of location (inside or outside the enterprise).
  • Least privilege principles: Once the organization has determined where the sensitive data lives, grant users the least amount of access necessary for their roles in the enterprise.
  • Micro-segmentation: Micro-perimeters act as border control within the system, preventing any unauthorized lateral movement. The organization can segment based on user group, location or logically grouped applications.

Continuously monitor and maintain the network and systems

  • Figure out where the anomalous activity is occurring and monitor all the surrounding activity.
  • Inspect, analyze and log all traffic and data without interruption.
  • Add proactive approaches (threat hunting, for example) to the current incident response plan.
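The principles and preventative measures above come together in a policy decision point that evaluates every request per session against identity state, MFA, device posture, least-privilege entitlements and micro-segmentation, and re-evaluates it as observed state changes. The following is an added, simplified illustration written for this post, not code from any vendor or from NIST; the resources, roles and thresholds are constructed sample values.

```python
from dataclasses import dataclass, replace

# Constructed sample policy for two DAAS resources: entitled roles, whether
# MFA is mandatory, the maximum tolerated patch age, and the permitted segment.
RESOURCE_POLICY = {
    "hr-db": {"roles": {"hr"}, "mfa": True, "max_patch_age": 30, "segment": "corp"},
    "wiki": {"roles": {"hr", "eng"}, "mfa": False, "max_patch_age": 90, "segment": "any"},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    account_active: bool    # identity state, e.g. fed from the HR system / IdP
    mfa_verified: bool      # "something you have" proven for this session
    device_managed: bool    # asset posture reported by the endpoint agent
    patch_age_days: int
    source_segment: str     # micro-perimeter the request originates from
    resource: str

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Policy decision point: every check must pass; anything else is denied."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not req.account_active:
        return False, "account disabled"
    if not (req.roles & policy["roles"]):
        return False, "role not entitled (least privilege)"
    if policy["mfa"] and not req.mfa_verified:
        return False, "MFA required"
    if not req.device_managed or req.patch_age_days > policy["max_patch_age"]:
        return False, "device posture insufficient"
    # Segment is a restriction only: being in the right segment never grants
    # access by itself, so network location confers no implicit trust.
    if policy["segment"] != "any" and req.source_segment != policy["segment"]:
        return False, "source segment not permitted (micro-segmentation)"
    return True, "allow for this session"

def revalidate(req: AccessRequest, **current_state) -> tuple[bool, str]:
    """Continuous validation: re-run the decision with freshly observed state,
    e.g. the account being disabled mid-session when someone leaves."""
    return evaluate(replace(req, **current_state))
```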

Benefits of having Zero Trust

  • High visibility of current threat surface & protections in place.
  • Maximized use of authentication & authorization.
  • Granular insight into all user activity.
  • Dynamic provisioning of access.
  • Reduced lateral movement ability.
  • Minimized data exfiltration.
  • Protection against threats regardless of location.
  • Improved overall security posture.

Current Challenges Around Zero Trust

  • Legacy Applications, Network Resources, Tools & Protocols: Traditionally, these cannot be protected with identity verification, and re-architecting them is often cost-prohibitive. Many times these legacy systems are excluded from the approach, which makes them the weakest link.
  • Zero trust vs. productivity: Introducing a zero-trust cybersecurity approach potentially affects productivity as well. The core challenge of zero trust is locking down access without bringing workflows to a stop.
  • Visibility and Control: Most organizations are not equipped with comprehensive insight into – or capability to set protocols around – all individual users within their network and are thus vulnerable to threats posed by unpatched devices, unprotected services, and over-privileged users.
  • Rapidly changing threat surface and threat landscape: This can pose challenges for technologies that support only a limited set of deployment modalities.
  • Zero-trust cybersecurity requires commitment to ongoing administration: If controls aren’t updated immediately, unauthorized parties could gain access to sensitive information.
    • For instance, an individual who leaves the organization but can still access internal information for a week afterwards. This underscores the importance of a zero-trust strategy: if companies cannot act quickly in these situations, data is at risk.

Conclusion

To deliver Zero Trust, we must cover, in detail, both Privileged Account and Session Management and Privilege Elevation and Delegation Management. But clearly that is not enough. To sufficiently verify who (or what) a requester is, the approach must also include Multi-Factor Authentication and Privilege Threat Analytics. Going further, the rapidly changing threat surface and the speed of administration must be managed, and legacy services & resources will have to be protected and worked into traditional security, gradually moving toward a hybrid zero trust that is likely to become the status quo.



Written by: acc3ssp0int
