Zero trust security model

Last updated

The zero trust security model, also known as zero trust architecture (ZTA), and sometimes known as perimeterless security, describes an approach to the strategy, design and implementation of IT systems. The main concept behind the zero trust security model is "never trust, always verify", which means that users and devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified.

Contents

ZTA is implemented by establishing strong identity verification, validating device compliance prior to granting access, and ensuring least privilege access to only explicitly-authorized resources. Most modern corporate networks consist of many interconnected zones, cloud services and infrastructure, connections to remote and mobile environments, and connections to non-conventional IT, such as IoT devices.

The reasoning for zero trust is that the traditional approach – trusting users and devices within a notional "corporate perimeter", or users and devices connected via a VPN – is not sufficient in the complex environment of a corporate network. The zero trust approach advocates mutual authentication, including checking the identity and integrity of users and devices without respect to location, and providing access to applications and services based on the confidence of user and device identity and device health in combination with user authentication. [1] The zero trust architecture has been proposed for use in specific areas such as supply chains. [2] [3]

The principles of zero trust can be applied to data access, and to the management of data. This brings about zero trust data security where every request to access the data needs to be authenticated dynamically and ensure least privileged access to resources. In order to determine if access can be granted, policies can be applied based on the attributes of the data, who the user is, and the type of environment using Attribute-Based Access Control (ABAC). This zero-trust data security approach can protect access to the data. [4]

History

In April 1994, the term "zero trust" was coined by Stephen Paul Marsh in his doctoral thesis on computer security at the University of Stirling. Marsh's work studied trust as something finite that can be described mathematically, asserting that the concept of trust transcends human factors such as morality, ethics, lawfulness, justice, and judgement. [5]

The problems of the Smartie or M&M model of the network (the precursor description of de-perimeterisation) was described by a Sun Microsystems engineer in a Network World article in May 1994, who described firewalls' perimeter defence, as a hard shell around a soft centre, like a Cadbury Egg. [6]

In 2001 the first version of the OSSTMM (Open Source Security Testing Methodology Manual) was released and this had some focus on trust. Version 3 which came out around 2007 has a whole chapter on Trust which says "Trust is a Vulnerability" and talks about how to apply the OSSTMM 10 controls based on Trust levels.

In 2003 the challenges of defining the perimeter to an organisation's IT systems was highlighted by the Jericho Forum of this year, discussing the trend of what was then given the name "de-perimeterisation".

In response to Operation Aurora, a Chinese APT attack throughout 2009, Google started to implement a zero-trust architecture referred to as BeyondCorp.

In 2010 the term zero trust model was used by analyst John Kindervag of Forrester Research to denote stricter cybersecurity programs and access control within corporations. [7] [8] [9]


However, it would take almost a decade for zero trust architectures to become prevalent, driven in part by increased adoption of mobile and cloud services. [ citation needed ]

In 2018, work undertaken in the United States by cybersecurity researchers at NIST and NCCoE led to the publication of NIST SP 800-207 – Zero Trust Architecture. [10] [11] The publication defines zero trust (ZT) as a collection of concepts and ideas designed to reduce the uncertainty in enforcing accurate, per-request access decisions in information systems and services in the face of a network viewed as compromised. A zero trust architecture (ZTA) is an enterprise's cyber security plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.

There are several ways to implement all the tenets of ZT; a full ZTA solution will include elements of all three:

In 2019 the United Kingdom National Cyber Security Centre (NCSC) recommended that network architects consider a zero trust approach for new IT deployments, particularly where significant use of cloud services is planned. [12] An alternative but consistent approach is taken by NCSC, in identifying the key principles behind zero trust architectures:

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical science laboratory programs that include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement. From 1901 to 1988, the agency was named the National Bureau of Standards.

<span class="mw-page-title-main">Access control</span> Selective restriction of access to a place or other resource, allowing only authorized users

In physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

Identity management (IdM), also known as identity and access management, is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.

A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.

A digital identity is data stored on computer systems relating to an individual, organization, application, or device. For individuals, it involves the collection of personal data that is essential for facilitating automated access to digital services, confirming one's identity on the internet, and allowing digital systems to manage interactions between different parties. It is a component of a person's social identity in the digital realm, often referred to as their online identity.

The Jericho Forum was an international group working to define and promote de-perimeterisation. It was initiated by David Lacey from the Royal Mail, and grew out of a loose affiliation of interested corporate CISOs, discussing the topic from the summer of 2003, after an initial meeting hosted by Cisco, but was officially founded in January 2004. It declared success, and merged with The Open Group industry consortium's Security Forum in 2014.

Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some protocols and optional in others (TLS).

Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

<span class="mw-page-title-main">Multi-factor authentication</span> Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is the core component of any typical Security Operations Center (SOC), which is the centralized response team addressing security issues within an organization.

A software-defined perimeter (SDP), also called a "black cloud", is an approach to computer security. Software-defined perimeter (SDP) framework was developed by the Cloud Security Alliance (CSA) to control access to resources based on identity. Connectivity in a Software Defined Perimeter is based on a need-to-know model, in which device posture and identity are verified before access to application infrastructure is granted. Application infrastructure is effectively “black”, without visible DNS information or IP addresses. The inventors of these systems claim that a Software Defined Perimeter mitigates the most common network-based attacks, including: server scanning, denial of service, SQL injection, operating system and application vulnerability exploits, man-in-the-middle, pass-the-hash, pass-the-ticket, and other attacks by unauthorized users.

BeyondCorp is an implementation, by Google, of zero-trust computer security concepts creating a zero trust network.

This is a list of cybersecurity information technology. Cybersecurity is security as it is applied to information technology. This includes all technology that stores, manipulates, or moves data, such as computers, data networks, and all devices connected to or included in networks, such as routers and switches. All information technology devices and facilities need to be secured against intrusion, unauthorized use, and vandalism. Additionally, the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals. The public should be protected against acts of cyberterrorism, such as the compromise or loss of the electric power grid.

A secure access service edge (SASE) is technology used to deliver wide area network (WAN) and security controls as a cloud computing service directly to the source of connection rather than a data center. It uses cloud and edge computing technologies to reduce the latency that results from backhauling all WAN traffic over long distances to one or a few corporate data centers, due to the increased movement off-premises of dispersed users and their applications. This also helps organizations support dispersed users and their devices with digital transformation and application modernization initiatives.

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

NordLayer, formerly known as NordVPN Teams, is a network access security service with applications for Microsoft Windows, macOS, Linux, Android and iOS. The software is marketed as a privacy and security tool running on zero trust architecture providing protection on hybrid and multi-cloud cloud environments.

Privileged Access Management (PAM) is a type of identity management and branch of cybersecurity that focuses on the control, monitoring, and protection of privileged accounts within an organization. Accounts with privileged status grant users enhanced permissions, making them prime targets for attackers due to their extensive access to vital systems and sensitive data.

References

  1. "Mutual TLS: Securing Microservices in Service Mesh". The New Stack. 2021-02-01. Retrieved 2021-02-20.
  2. Collier, Zachary A.; Sarkis, Joseph (2021-06-03). "The zero trust supply chain: Managing supply chain risk in the absence of trust". International Journal of Production Research. 59 (11): 3430–3445. doi:10.1080/00207543.2021.1884311. ISSN   0020-7543. S2CID   233965375.
  3. do Amaral, Thiago Melo Stuckert; Gondim, João José Costa (November 2021). "Integrating Zero Trust in the cyber supply chain security". 2021 Workshop on Communication Networks and Power Systems (WCNPS). pp. 1–6. doi:10.1109/WCNPS53648.2021.9626299. ISBN   978-1-6654-1078-6. S2CID   244864841.
  4. Yao, Qigui; Wang, Qi; Zhang, Xiaojian; Fei, Jiaxuan (2021-01-04). "Dynamic Access Control and Authorization System based on Zero-trust architecture". 2020 International Conference on Control, Robotics and Intelligent System. CCRIS '20. New York, NY, USA: Association for Computing Machinery. pp. 123–127. doi:10.1145/3437802.3437824. ISBN   978-1-4503-8805-4. S2CID   230507437.
  5. Marsh, Stephen (1994), Formalising Trust as a Computational Concept, p. 56, retrieved 2022-07-22
  6. "Internet hackers beware: corporate LANs protected". Network World. IDG Network World Inc. 23 May 1994. ISSN   0887-7661 via Google Books.
  7. Loten, Angus (2019-05-01). "Akamai Bets on 'Zero Trust' Approach to Security". Wall Street Journal . Retrieved 2022-02-17.
  8. Higgins, Kelly Jackson. "Forrester Pushes 'Zero Trust' Model For Security". Dark Reading. Informa. Archived from the original on 26 August 2021. Retrieved 2022-02-17.
  9. Kindervag, John (2010-11-05). "Build Security Into Your Network's DNA: The Zero Trust Network Architecture" (PDF). Forrester Research . Retrieved 2022-07-22.
  10. National Cybersecurity Center of Excellence. "Implementing a Zero Trust Architecture". NIST . Retrieved 2022-07-22.
  11. Rose, Scott; Borchert, Oliver; Mitchell, Stu; Connelly, Sean. "Zero Trust Architecture" (PDF). nvlpubs.nist.gov. NIST. Retrieved 2020-10-17.
  12. "Network architectures". www.ncsc.gov.uk. Retrieved 2020-08-25.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.