Zero Trust Architecture (ZTA): A Primer
By Ron McFarland, PhD, MSc, CISSP, CDNA
Introduction
In the past, the notion of trust was localized to a company’s environment: the security perimeter was, in essence, confined to the walls of the organization. Those discrete perimeters no longer exist, as workers and the companies they work for have become highly distributed. In today’s IT environment, data is distributed and shared between SaaS (Software as a Service) applications such as Microsoft Office 365, Dropbox, Salesforce, and many others. In addition, IaaS (Infrastructure as a Service) platforms such as Azure, AWS, and the Google Cloud Platform give organizations ways to distribute and share data among their highly distributed workers, remote users and devices, IoT devices, and more.
While a highly distributed work environment has many positives for the organization and its workers, the cost is that it significantly broadens the attack surface available to cybercriminals. The variety of distributed environments (IaaS, SaaS, etc.) gives an attacker far more opportunity to target and harm an organization. While the localized environments of the past had a smaller data and information security footprint, today’s highly distributed work environments offer a multitude of entry points through which an attacker can collect or damage assets.
Cybersecurity Resiliency
After a multitude of high-profile cyberattacks on organizations in the past several years, cybersecurity researchers stress the need for companies to upgrade their cybersecurity technology to build resiliency into their systems. Resiliency is a strategic concept that combines business continuity, information systems security, and the organization’s response to attacks (IBM, 2021). In the context of this article, resilience is an approach intended to deliver the business’ outcomes despite the demands and risks associated with cybersecurity incidents.
A strategy of cybersecurity resiliency is important for a business’ continuity of operations (IBM, 2021). It extends beyond the organization’s security posture and, when implemented, can reduce the risk to the organization’s critical information systems and data infrastructure. Cybersecurity resilience can also limit the financial and reputational loss from a cyberattack, because a resilience strategy limits the exposure of the information system and of key organizational data.
The implementation of a resilience strategy also supports several compliance models, including ISO/IEC 27001 (International Organization for Standardization), the California Consumer Privacy Act (CCPA), and other national and state compliance laws and models that require organizations to manage data assets such as employee details, intellectual property, customer data, personally identifiable information, financial information, or other information entrusted by third parties. In general, a strategic goal that embraces resiliency can attract customers and gain their trust, due to the enhanced security posture the organization takes. In essence, this approach can be a competitive advantage for an organization.
Using a Zero Trust Architecture to Support Cybersecurity Resiliency
While layered network architecture schemes moved away from flat network designs, they were devised quite a long time ago and do not sufficiently provide the protection necessary for today’s organization. Designed in the 2000s, as reported by the SANS Institute (Cuppens et al., 2004) and Alateeq (2005), the secure network segmentation approach provided protection between layers but did not effectively provide protection between clients, services, and devices within each segmented layer. The SANS Institute model, one of several layered network architectural models of the era, is shown in Figure 1 below. Notice that each segment has a perimeter that filters traffic between layers. However, within each layer, the devices and sub-zones often neither filter nor verify traffic that travels between devices, databases, servers, and user computers within that segment.
Additional models have been developed in the past few decades to support additional verification and to bolster trust within the network. Zero Trust is a philosophy that can support many different types of architectures and many different commercial products. Suffice it to say that it is not possible to create a “one-size-fits-all” Zero Trust architecture (Garbis & Chapman, 2021).
As a good starting place for Zero Trust (i.e., Zero Trust Architecture or ZTA), the US National Institute of Standards and Technology (NIST) produced Special Publication 800-207, Zero Trust Architecture, to support the implementation of ZTA in organizations (Rose et al., 2020). The authors of NIST SP 800-207 define it as follows: “Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero-trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows” (Rose et al., 2020).
ZTA as a Philosophy
While ZTA is a philosophy and an approach, not a technology, the essence of Zero Trust is to “Never Trust and Always Verify.” Within this approach, no device, workload, user, or system is trusted by default, regardless of the location from which it operates, whether inside or outside the security perimeter (Rose et al., 2020).
Zero-Trust Architecture (ZTA) is a “Never Trust, Always Verify” concept that seeks to improve cybersecurity by eliminating implicit trust in a segmented network model while continuously validating network requests. Further, ZTA replaces Virtual Private Networks (VPNs), which can become messy to deploy and maintain, and provides solitary access to applications and data (Adahman, 2022).
While the adoption of ZTA has spiked over the years, organizations are still reluctant to invest in this security approach because of the cost and expense of re-engineering their networks. However, Adahman (2022) demonstrated through research that the implementation of ZTA yields an impact reduction of $684K on average over four years for small to medium-sized businesses (SMBs).
The ZTA Model
In general, ZTA is a tangible security model built on seven security principles that cover the following aspects of an organization’s infrastructure:
1. Zero-Trust Networks,
2. Zero-Trust Workloads,
3. Zero-Trust Data,
4. Zero-Trust People,
5. Zero-Trust Devices,
6. Zero-Trust Automation and Orchestration,
7. Zero-Trust Visibility and Analytics.
The NIST SP 800-207 concept map is provided in Figure 2 below. A brief description of each of the seven security principles follows.
Zero-Trust Networks
The essence of a zero-trust network is to divide and rule: to govern each component within the network and within each network segment. To this end, the first essential step is to understand the network by identifying the organization’s assets (hardware, software, firmware, data, etc.). This includes understanding where and how information is stored and shared, including any cloud services that are deployed and used.
Once the data, hardware, and software are clearly understood and delineated, the network architecture must further define microsegmentation around valuable assets. This calls for the creation of multiple junctions and inspection points beyond the generalized security segmentation prevalent in many network topologies. The intention is to continually monitor ingress and egress traffic to, from, and within each microsegment in order to block malicious or unauthorized lateral movement. Microsegmentation makes it easier to contain and isolate traffic and data exfiltration in the event of a breach (Rose et al., 2020).
Zero-Trust Workloads
Zero-trust workloads secure the organization’s workloads, particularly those that run in the public cloud, as an essential element of protecting the organization. In particular, documenting and understanding the organization’s cloud assets, containers, functions, and virtual machines is essential, as these assets are vulnerable and attractive targets for attackers.
Zero-Trust Data
Zero-Trust Data concerns the protection of the organization’s data as it is continuously shared between users and computers. Mobile devices (laptops, tablets, USB devices, etc.), application servers, databases, and any other data stores are the focal points for data protection and must be documented, delineated, and designed into the ZTA scope of protection.
Zero-Trust People
Implementing ZTA in the organization involves designing support for people to use the organization’s information system effectively and appropriately. Given that 81% of data breaches involve stolen credentials (Saleem & Naveed, 2020), a username and password are no longer sufficient to prove the identity of each user in the system (Identity and Access Management, IAM). As one example of strengthening IAM for a given user, the use of multi-factor authentication (MFA), the enhancement of IAM rules, and continual verification within each relevant secure microsegment can support a robust ZTA for people.
Zero-Trust Devices
Research has also noted that 70% of reported breaches involve compromised devices (Saleem & Naveed, 2020). As a result, every device in a ZTA should be treated as a threat vector, whether it is a workstation, a mobile device, or an IoT device. Security teams must be able to identify every device on the network so that a device can be isolated if it is compromised. Further, identifying and continually monitoring a baseline set of known devices on a network allows unauthorized devices added to the network to be detected.
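The following added example (not from the article or NIST SP 800-207) shows how the Networks, People, and Devices principles above combine in a single per-request access decision: a destination microsegment is reachable only if the device is in the enrolled baseline, the user’s role is permitted for that segment, and MFA has been satisfied where the segment requires it. The device inventory, segment policy, roles, and segment names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed sample inventory: device IDs the security team has enrolled
# (the "baseline set of known devices" from the Zero-Trust Devices section).
KNOWN_DEVICES = {"lt-0042": "workstation", "tab-0107": "mobile", "cam-0003": "iot"}

# Constructed microsegment policy: which roles may reach a segment and whether
# MFA is required. The requester's network location is deliberately NOT a factor.
SEGMENT_POLICY = {
    "hr-db":     {"roles": {"hr-analyst"}, "mfa": True},
    "erp-app":   {"roles": {"hr-analyst", "finance"}, "mfa": True},
    "print-svc": {"roles": {"hr-analyst", "finance", "contractor"}, "mfa": False},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_id: str
    src_segment: str   # recorded for logging only; it never grants trust
    dst_segment: str


def evaluate(req: Request) -> Tuple[bool, str]:
    """Per-request decision: every check must pass, and the first failure wins.
    Returns (allowed, reason) so the reason can be logged for analytics."""
    policy = SEGMENT_POLICY.get(req.dst_segment)
    if policy is None:
        return False, "unknown segment"        # default deny for anything unlisted
    if req.device_id not in KNOWN_DEVICES:
        return False, "unenrolled device"      # unknown devices are isolated
    if req.role not in policy["roles"]:
        return False, "role not permitted"     # blocks lateral movement by role
    if policy["mfa"] and not req.mfa_passed:
        return False, "mfa required"           # password alone is not enough
    return True, "allowed"
```

Because `src_segment` never appears in `evaluate`, a request that originates inside the HR segment is evaluated exactly like one from outside it, which is the practical meaning of “Never Trust, Always Verify.”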
Visibility and Analytics/Automation and Orchestration
ZTA calls for visibility and analytics. Visibility and analytics support continual monitoring and logging, and the correlation of log and event records to determine whether a security event is in progress or has occurred. The zero-trust architecture and cybersecurity posture of an organization must further integrate with the organization’s broader IT infrastructure to be effective and to foster rapid, agile incident response. Cybersecurity policies, procedures, and operational best practices must be continually updated and shared to support a robust zero-trust response to suspected and detected cybersecurity events.
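As an added example of the log correlation this section describes (not code from the article), the function below reads decision records from a policy enforcement point and flags any user whose denied requests touch several distinct microsegments within a short window, a pattern consistent with attempted lateral movement. The log format, field names, thresholds, and sample lines are constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the record format this example assumes
# (one line per access decision; not any real product's log format).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=ana device=lt-0042 dst=hr-db decision=ALLOW
2024-05-01T09:03:10Z user=bob device=tab-0107 dst=hr-db decision=DENY reason=role
2024-05-01T09:03:12Z user=bob device=tab-0107 dst=erp-app decision=DENY reason=role
2024-05-01T09:03:15Z user=bob device=tab-0107 dst=build-srv decision=DENY reason=segment
2024-05-01T09:20:00Z user=cid device=lt-0050 dst=erp-app decision=DENY reason=mfa
2024-05-01T11:00:00Z user=cid device=lt-0050 dst=hr-db decision=DENY reason=role
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"dst=(?P<dst>\S+) decision=(?P<decision>ALLOW|DENY)"
)


def parse(log_text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def probing_users(events, window=timedelta(minutes=5), min_segments=3):
    """Return {user: sorted segments} for users whose DENY events reach at least
    min_segments distinct destinations inside any window-sized interval."""
    denies = defaultdict(list)
    for e in events:
        if e["decision"] == "DENY":
            denies[e["user"]].append(e)
    flagged = {}
    for user, evs in denies.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # slide the window over each start
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            segs = {e["dst"] for e in in_window}
            if len(segs) >= min_segments:
                flagged[user] = sorted(segs)
                break
    return flagged
```

On the sample data only `bob` is flagged: `cid` also has two denials, but they are separated by well over the five-minute window and touch only two segments.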
Conclusion
To improve cybersecurity resilience, organizations will need to transition from a flat network architecture to a layered architecture (as shown in Figure 1) and embrace the Zero Trust Architecture philosophy, which continually verifies trust throughout a company’s information infrastructure. As briefly presented in this article, ZTA involves many incremental measures that each contribute to a protected and more resilient system.
ZTA is more a philosophy and an approach than a specific set of technologies. ZTA will ultimately affect the culture and the way an organization does business, but it brings the advantages of continuity of operations and cybersecurity resiliency.
References
Adahman, Z. (2022). Zero-Trust Architecture and Its Cost-Effectiveness on Network Security.
Alateeq, I. N. (2005). Design secure network segmentation approach.
Cuppens, F., Cuppens-Boulahia, N., Sans, T., & Miège, A. (2004, August). A formal approach to specify and deploy a network security policy. In IFIP World Computer Congress, TC 1 (pp. 203–218). Springer, Boston, MA.
Garbis, J., & Chapman, J. W. (2021). Zero trust architectures. In Zero Trust Security (pp. 19–51). Apress, Berkeley, CA.
IBM. (2021). What is cyber resilience? IBM: What is Cyber Resilience? Retrieved September 13, 2022, from https://www.ibm.com/topics/cyber-resilience
Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero trust architecture (NIST Special Publication (SP) 800-207). National Institute of Standards and Technology.
Saleem, H., & Naveed, M. (2020). SoK: Anatomy of Data Breaches. Proc. Priv. Enhancing Technol., 2020(4), 153–174.
About the Author
Ron McFarland, PhD, CISSP, is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science and his MSc in Computer Science from Arizona State University, and he completed a post-doctoral graduate research program in Cyber Security Technologies at the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security, and other Cisco courses, and was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications, including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications.
CONTACT Dr. Ron McFarland, PhD, MSc, CDNA, CISSP
CMTC Email: rmcfarland@cmtc.com
Email: highervista@gmail.com
LinkedIn: https://www.linkedin.com/in/highervista/
Website: https://www.highervista.com
YouTube Channel: https://www.youtube.com/channel/UCJ57_1OgZ5H1nMVdGElcvrw