Paul McLellan
Embracing a Zero Trust Security Model

21 Apr 2021 • 4 minute read

A couple of months ago, the National Security Agency (NSA) published a document titled Embracing a Zero Trust Security Model. I wrote about this topic almost exactly a year ago in my post From Castles and Moats to Zero-Trust Networking.

The problem with the "Castles and Moats" security model, more technically known as perimeter defense, is that if the castle wall is breached, the attackers have free run of the castle. Or, in a more IT-centric view of the world, if an attacker breaks into your computer system (or network), they have free run of the system. It is often fairly easy to then get from the initial system to other systems inside the company. The Zero Trust model does what it says and doesn't trust anything. The motivation for this is made clear in the third paragraph of the Executive Summary of the NSA document:

The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.

Once you assume a "breach has already occurred", then one computer system within an organization does not grant any rights to another computer system just because it is in the same building or on the same network. That may seem obvious in the context of a data center, but how about a car? There may be 100 electronic control units in a car on various networks. Does the ECU that controls the steering servo trust other ECUs? The ECU that is tracking the steering wheel? The radio? The 5G wireless connection? You see the problem. And in case you think that inside a car nothing bad could ever happen, I've got a video for you. This is not an example of Zero Trust security!

Another paragraph from the NSA document:

Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information fed from multiple sources to determine access and other system responses.

The "continuous verification" is another subtlety. Just because a system verified itself at one point, does not mean it can be trusted forever. It might have been compromised in the meantime.

I recently wrote about ransomware in my post Evolving Maturity in Ransomware. One example I discussed there was how 70,000 devices at the British National Health Service were compromised. I don't know all the details, but I assume most of those 70,000 devices trusted some other device in the system that turned out to have been compromised by the bad guys, thus allowing them to install ransomware. And obviously, in the Jeep video I linked above, the steering ECU was trusting the radio ECU, for no good reason.

I would say that one of the biggest challenges in cybersecurity is that offense is easier than defense. The offense only needs to succeed once; the defense needs to win every time. Another quote from the NSA:

The increasing complexity of current and emerging cloud, multi-cloud, and hybrid network environments combined with the rapidly escalating and evolving nature of adversary threats has exposed the lack of effectiveness of traditional network cybersecurity defenses. Traditional perimeter-based network defenses with multiple layers of disjointed security technologies have proven themselves to be unable to meet the cybersecurity needs due to the current threat environment.

If you have anything to do with security, I think that the document is worth a read. It is just six pages (plus a page of references). It is written in that weird government-speak (which at least sounds more like English than the European Union equivalent), with phrases like "Adopting the mindset required to successfully operate a Zero Trust environment will further sensitize cybersecurity defenders to recognize ever more subtle threat indicators." But there are also sentences that I consider to be pearls of wisdom:

Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. Zero Trust repeatedly questions the premise that users, devices, and network components should be implicitly trusted based on their location within the network.

"Trust but verify" is apparently a translation of a Russian proverb (Доверяй, но проверяй, thanks, Wikipedia!) that President Reagan used during the nuclear disarmament talks. Zero Trust is the opposite:

Never trust, always verify – Treat every user, device, application/workload, and data flow as untrusted. Authenticate and explicitly authorize each to the least privilege required using dynamic security policies.

This diagram (from the report) shows how Zero Trust can work in an environment where most attempts would have been successful in a non-Zero Trust environment. The bad guy has a compromised user device and credentials (password). So there are things that the bad guy can accomplish even in a Zero Trust environment. But lateral movement into the rest of the system is blocked. Access to other systems is blocked. Everything is logged so that the extent of any damage can be analyzed later.
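As an added illustration (not code from the NSA document or from this post), the following Python sketch models the principles quoted above as a single access decision: no trust from network location, a device posture check, a re-verification window standing in for "continuous verification", an explicit least-privilege policy, and an audit record of every allow or deny. The roles, resources, the 15-minute window and the scenario timings are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed least-privilege policy: role -> resource -> permitted actions.
# Being "inside" or reaching one system implies nothing about another.
POLICY = {"finance-clerk": {"payroll-db": {"read"}},
          "hr-admin": {"hr-portal": {"read", "write"}}}

REVERIFY_AFTER = timedelta(minutes=15)  # assumed: earlier auth trusted only this long
audit_log: list[str] = []               # every decision, allow or deny, is recorded

@dataclass
class Request:
    user: str
    role: str
    device_healthy: bool        # outcome of a device posture/attestation check
    authenticated_at: datetime  # when the user last completed strong auth
    resource: str
    action: str

def decide(req: Request, now: datetime) -> bool:
    """Evaluate one request with no implicit trust and log the outcome."""
    def verdict(allow: bool, reason: str) -> bool:
        audit_log.append(f"{now.isoformat()} {'ALLOW' if allow else 'DENY'} "
                         f"user={req.user} res={req.resource} "
                         f"action={req.action} reason={reason}")
        return allow
    if not req.device_healthy:
        return verdict(False, "device failed posture check")
    if now - req.authenticated_at > REVERIFY_AFTER:
        return verdict(False, "authentication stale, re-verification required")
    if req.action not in POLICY.get(req.role, {}).get(req.resource, set()):
        return verdict(False, "no explicit authorization for resource/action")
    return verdict(True, "identity, device and policy checks passed")

def simulate() -> list[bool]:
    """Replay the post's scenario: an attacker holds a clerk's password and device."""
    audit_log.clear()
    t0 = datetime(2021, 4, 21, 9, 0)
    stolen = dict(user="alice", role="finance-clerk", device_healthy=True,
                  authenticated_at=t0 - timedelta(minutes=2))
    return [
        decide(Request(**stolen, resource="payroll-db", action="read"), t0),  # the clerk's own access
        decide(Request(**stolen, resource="hr-portal", action="read"), t0),   # lateral movement
        decide(Request(**dict(stolen, device_healthy=False),
                       resource="payroll-db", action="read"), t0),            # compromise now detected
        decide(Request(**stolen, resource="payroll-db", action="read"),
               t0 + timedelta(minutes=30)),                                   # auth no longer fresh
    ]
```

Only the first request succeeds: the attacker can do what the clerk could do, but every attempt to move elsewhere, or to keep going once posture or authentication freshness fails, is denied and logged.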

Learn More

Once again, here is a link to Embracing a Zero Trust Security Model.
