What is Zero Trust?
When the concept of Zero Trust emerged in 2010, it marked a sea change in how IT and network security are handled. The term, invented by Forrester Research analyst John Kindervag, is loosely based on the “never trust, always verify” motto.
So why is this a sea change? Before 2010, IT focused on perimeter defenses and the concept of DMZs — areas of the network they deemed safe based on the protection they implemented. With this approach, enterprises established what they considered an internal trusted network with trusted users. The external network, outside the firewall or perimeter, consisted of untrusted users. The DMZ was a barrier or security zone between the ‘safe’ internal network and the ‘untrusted’ outside world.
The truth is that nothing on a network is safe unless it is explicitly proven or verified to be safe. The idea today is to protect and verify everything. “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access,” argued the US Department of Defense (DoD).
Here is how the National Institute of Standards and Technology (NIST) sees Zero Trust. “Zero Trust is the term for an evolving set of cybersecurity paradigms that move defenses from status, network-based perimeters to focus on users, assets, and resources. Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the Internet) or based on asset ownership (enterprise or personally owned),” explained NIST in a 2020 piece on Zero Trust Architecture.
Here is how Microsoft defines Zero Trust. “Instead of assuming everything behind the corporate firewall is safe, the Zero Trust model assumes breach and verifies each request as though it originates from an open network. Regardless of where the request originates or what resource it accesses, Zero Trust teaches us to ‘never trust, always verify.’ Every access request is fully authenticated, authorized, and encrypted before granting access. Microsegmentation and least privileged access principles are applied to minimize lateral movement. Rich intelligence and analytics are utilized to detect and respond to anomalies in real-time,” Microsoft explained.
The Cloud, Remote and Mobile are Driving Zero Trust Need
Zero Trust is ever more vital as enterprises move to the cloud and the workforce becomes more mobile and remote. “Cloud-based services and mobile computing have changed the technology landscape for the modern enterprise. Today’s workforce often requires access to applications and resources outside traditional corporate network boundaries, rendering security architectures that rely on firewalls and virtual private networks (VPNs) insufficient. Changes brought about by cloud migration and a more mobile workforce have led to the development of an access architecture called Zero Trust,” Microsoft explained. “Implementing a true Zero Trust model requires that all components—user identity, device, network, and applications—be validated and proven trustworthy. Zero Trust verifies identity and device health prior to granting access to corporate resources. When access is granted, applying the principle of least privilege limits user access to only those resources that are explicitly authorized for each user, thus reducing the risk of lateral movement within the environment,” Microsoft concluded.
Inventorying: Knowing What You Have
The National Cyber Security Center (NCSC) in the United Kingdom has some advice for network professionals in its Zero Trust Architecture Design Principles guide. It all starts with knowing what you have and the area where the inventory features of an ITIM solution can save the day. “In order to get the benefits from zero trust you need to know about each component of your architecture, including your users, devices, and the services and data they are accessing,” the NCSC advises. “A proper understanding of your assets will most likely involve an asset discovery phase as one of the first steps in your zero trust journey. In some environments, this can be challenging and may involve the use of automated tools to discover assets on the network. In other cases, you may be able to determine your assets by following a non-technical procedure, such as querying procurement records.”
Monitor Devices
Monitoring IT assets is critical and must adapt to the new world of Zero Trust. Here, IT Infrastructure Monitoring (ITIM) is key. “Although the network is untrusted and assumed hostile, network monitoring is still important to ensure good performance and cyber hygiene. Monitoring should be carried out on your networks to measure performance, identify all devices attached to your network, detect rogue devices and malicious activity. This is especially true if you're hosting on-premises services. Coupled with device monitoring, network monitoring can help improve visibility and correlation. For example, you could trace network connections back to the process on a device that generated them,” the Zero Trust Architecture Design Principles guide advises. “In a Zero Trust architecture it is highly likely that your monitoring strategy will change to focus on users, devices and services. Monitoring your devices, services and user behavior will help you to establish their cyber health.”
Know What People are Doing
Zero Trust is based in large part on the concept of untrusted users. Knowing what people are doing on the network is critical to achieving Zero Trust goals. “User behavior, like normal working hours or normal working location, is another important metric to monitor. It's also important to have visibility of your services and understand the interaction between users and their data. This information can be used as a signal, with any abnormal activity observed could be used by a policy engine to make an access decision,” the NCSC suggests. “You should know what actions devices, users and services are performing and what data they are accessing. Your monitoring should link back to the policies you have set, verifying they are being enforced as you expect.” the NCSC suggests.
Enter Zero Trust Network Access (ZTNA)
Zero Trust Network Access (ZTNA) is an architecture that defines a safer way for end users to access data and applications. “Zero Trust network access (ZTNA) is a product or service that creates an identity and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities,” Gartner argued in its ZTNA glossary page. The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. This removes application assets from public visibility and significantly reduces the surface area for attack.
With ZTNA:
With ZTNA, existing authentication and authorization solutions must be reengineered and then monitored and managed to ensure proper operation, performance and resilience.
Access control, authentication and authorization must occur before a user is granted access to any information. At the same time, the device must also authenticate to the network. This requires a methodology for device authentication that includes device health checks to make sure they meet a minimum standard before the device is allowed to send information back and forth across the network.
Monitoring the Access Control, Authentication and Authorization Infrastructure
The IT infrastructure supporting ZTNA-based authentication, authorization and device access control systems carried a heavy load and can be overwhelmed with these continuous requirements. When the systems slow or fail, end users suffer. They can be denied access or given slow connections.
This happens because the IT infrastructure is not set up to handle the requirements. Waiting for end users’ complaints is not the answer. Instead, IT should know exactly what's working and what's not. With ITIM, the network team has deep and continuous insight into these systems’ operations and can provision resources so these security components are resilient and high-performance.
Looking for an ITIM tool? Test out WhatsUp Gold. Download your free trial version today.
View All of the ABCs of Infrastructure Monitoring
Looking to start on the basics of IT infrastructure monitoring? Our alphabetized index is an excellent place to begin or extend your education. View all our current topics.