Zero trust architecture

Last updated

Zero trust architecture (ZTA) or perimeterless security is a design and implementation strategy of IT systems. The principle is that users and devices should not be trusted by default, even if they are connected to a privileged network such as a corporate LAN and even if they were previously verified.

Contents

ZTA is implemented by establishing identity verification, validating device compliance prior to granting access, and ensuring least privilege access to only explicitly-authorized resources. Most modern corporate networks consist of many interconnected zones, cloud services and infrastructure, connections to remote and mobile environments, and connections to non-conventional IT, such as IoT devices.

The traditional approach by trusting users and devices within a notional "corporate perimeter" or via a VPN connection is commonly not sufficient in the complex environment of a corporate network. The zero trust approach advocates mutual authentication, including checking the identity and integrity of users and devices without respect to location, and providing access to applications and services based on the confidence of user and device identity and device status in combination with user authentication. [1] The zero trust architecture has been proposed for use in specific areas such as supply chains. [2] [3]

The principles of zero trust can be applied to data access, and to the management of data. This brings about zero trust data security where every request to access the data needs to be authenticated dynamically and ensure least privileged access to resources. In order to determine if access can be granted, policies can be applied based on the attributes of the data, who the user is, and the type of environment using Attribute-Based Access Control (ABAC). This zero-trust data security approach can protect access to the data. [4]

History

In April 1994, the term "zero trust" was coined by Stephen Paul Marsh in his doctoral thesis on computer security at the University of Stirling. Marsh's work studied trust as something finite that can be described mathematically, asserting that the concept of trust transcends human factors such as morality, ethics, lawfulness, justice, and judgement. [5]

The problems of the Smartie or M&M model of the network (the precursor description of de-perimeterisation) was described by a Sun Microsystems engineer in a Network World article in May 1994, who described firewalls' perimeter defence, as a hard shell around a soft centre, like a Cadbury Egg. [6]

In 2001 the first version of the OSSTMM (Open Source Security Testing Methodology Manual) was released and this had some focus on trust. Version 3 which came out around 2007 has a whole chapter on Trust which says "Trust is a Vulnerability" and talks about how to apply the OSSTMM 10 controls based on Trust levels.

In 2003 the challenges of defining the perimeter to an organisation's IT systems was highlighted by the Jericho Forum of this year, discussing the trend of what was then given the name "de-perimeterisation".

In response to Operation Aurora, a Chinese APT attack throughout 2009, Google started to implement a zero-trust architecture referred to as BeyondCorp.

In 2010 the term zero trust model was used by analyst John Kindervag of Forrester Research to denote stricter cybersecurity programs and access control within corporations. [7] [8] [9] However, it would take almost a decade for zero trust architectures to become prevalent, driven in part by increased adoption of mobile and cloud services.[ citation needed ]

In 2018, work undertaken in the United States by cybersecurity researchers at NIST and NCCoE led to the publication of NIST SP 800-207 – Zero Trust Architecture. [10] [11] The publication defines zero trust (ZT) as a collection of concepts and ideas designed to reduce the uncertainty in enforcing accurate, per-request access decisions in information systems and services in the face of a network viewed as compromised. A zero trust architecture (ZTA) is an enterprise's cyber security plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.

There are several ways to implement all the tenets of ZT; a full ZTA solution will include elements of all three:

In 2019 the United Kingdom National Cyber Security Centre (NCSC) recommended that network architects consider a zero trust approach for new IT deployments, particularly where significant use of cloud services is planned. [12] An alternative but consistent approach is taken by NCSC, in identifying the key principles behind zero trust architectures:

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security is the protection of computer software, systems and networks from threats that can lead to unauthorized information disclosure, theft or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical science laboratory programs that include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement. From 1901 to 1988, the agency was named the National Bureau of Standards.

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

Identity and access management, sometimes also referred to as just Identity management (IdM), is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IAM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.

A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.

The Jericho Forum was an international group working to define and promote de-perimeterisation. It was initiated by David Lacey from the Royal Mail, and grew out of a loose affiliation of interested corporate CISOs, discussing the topic from the summer of 2003, after an initial meeting hosted by Cisco, but was officially founded in January 2004. It declared success, and merged with The Open Group industry consortium's Security Forum in 2014.

Information security standards are techniques generally outlined in published materials that attempt to protect a user's or organization's cyber environment. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

Security controls or security measures are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

<span class="mw-page-title-main">Multi-factor authentication</span> Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats.

A software-defined perimeter (SDP), sometimes referred to as a black cloud, is a method of enhancing computer security. The SDP framework was developed by the Cloud Security Alliance to control access to resources based on identity. In an SDP, connectivity follows a need-to-know model, where both device posture and identity are verified before access to application infrastructure is granted. The application infrastructure in a software-defined perimeter is effectively "black"—a term used by the Department of Defense to describe an undetectable infrastructure—lacking visible DNS information or IP addresses. Proponents of these systems claim that an SDP mitigates many common network-based attacks, including server scanning, denial-of-service, SQL injection, operating system and application vulnerability exploits, man-in-the-middle attacks, pass-the-hash, pass-the-ticket, and other attacks by unauthorized users.

The following outline is provided as an overview of and topical guide to computer security:

BeyondCorp is an implementation, by Google, of zero-trust computer security concepts creating a zero trust network.

This is a list of cybersecurity information technology. Cybersecurity is security as it is applied to information technology. This includes all technology that stores, manipulates, or moves data, such as computers, data networks, and all devices connected to or included in networks, such as routers and switches. All information technology devices and facilities need to be secured against intrusion, unauthorized use, and vandalism. Additionally, the users of information technology should be protected from theft of assets, extortion, identity theft, loss of privacy and confidentiality of personal information, malicious mischief, damage to equipment, business process compromise, and the general activity of cybercriminals. The public should be protected against acts of cyberterrorism, such as the compromise or loss of the electric power grid.

A secure access service edge (SASE) is technology used to deliver wide area network (WAN) and security controls as a cloud computing service directly to the source of connection rather than a data center. It uses cloud and edge computing technologies to reduce the latency that results from backhauling all WAN traffic over long distances to one or a few corporate data centers, due to the increased movement off-premises of dispersed users and their applications. This also helps organizations support dispersed users.

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

NordLayer, formerly known as NordVPN Teams, is a network access security service with applications for Microsoft Windows, macOS, Linux, Android and iOS and Browser extension. The software is marketed as a privacy and security tool that enables the implementation of Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), and Firewall-as-a-Service (FWaaS) in hybrid and multi-cloud cloud environments.

Privileged Access Management (PAM) is a type of identity management and branch of cybersecurity that focuses on the control, monitoring, and protection of privileged accounts within an organization. Accounts with privileged status grant users enhanced permissions, making them prime targets for attackers due to their extensive access to vital systems and sensitive data.

Cybersecurity engineering is a tech discipline focused on the protection of systems, networks, and data from unauthorized access, cyberattacks, and other malicious activities. It applies engineering principles to the design, implementation, maintenance, and evaluation of secure systems, ensuring the integrity, confidentiality, and availability of information.

References

  1. "Mutual TLS: Securing Microservices in Service Mesh". The New Stack. 2021-02-01. Archived from the original on 2021-03-13. Retrieved 2021-02-20.
  2. Collier, Zachary A.; Sarkis, Joseph (2021-06-03). "The zero trust supply chain: Managing supply chain risk in the absence of trust". International Journal of Production Research. 59 (11): 3430–3445. doi:10.1080/00207543.2021.1884311. ISSN   0020-7543. S2CID   233965375.
  3. do Amaral, Thiago Melo Stuckert; Gondim, João José Costa (November 2021). "Integrating Zero Trust in the cyber supply chain security". 2021 Workshop on Communication Networks and Power Systems (WCNPS). pp. 1–6. doi:10.1109/WCNPS53648.2021.9626299. ISBN   978-1-6654-1078-6. S2CID   244864841. Archived from the original on 2024-04-15. Retrieved 2023-07-26.
  4. Yao, Qigui; Wang, Qi; Zhang, Xiaojian; Fei, Jiaxuan (2021-01-04). "Dynamic Access Control and Authorization System based on Zero-trust architecture". 2020 International Conference on Control, Robotics and Intelligent System. CCRIS '20. New York, NY, USA: Association for Computing Machinery. pp. 123–127. doi:10.1145/3437802.3437824. ISBN   978-1-4503-8805-4. S2CID   230507437.
  5. Marsh, Stephen (1994), Formalising Trust as a Computational Concept, p. 56, retrieved 2022-07-22
  6. "Internet hackers beware: corporate LANs protected". Network World. IDG Network World Inc. 23 May 1994. ISSN   0887-7661 via Google Books.
  7. Loten, Angus (2019-05-01). "Akamai Bets on 'Zero Trust' Approach to Security". Wall Street Journal. Archived from the original on 2022-02-18. Retrieved 2022-02-17.
  8. Higgins, Kelly Jackson. "Forrester Pushes 'Zero Trust' Model For Security". Dark Reading. Informa. Archived from the original on 26 August 2021. Retrieved 2022-02-17.
  9. Kindervag, John (2010-11-05). "Build Security Into Your Network's DNA: The Zero Trust Network Architecture" (PDF). Forrester Research . Retrieved 2022-07-22.
  10. National Cybersecurity Center of Excellence. "Implementing a Zero Trust Architecture". NIST . Retrieved 2022-07-22.
  11. Rose, Scott; Borchert, Oliver; Mitchell, Stu; Connelly, Sean. "Zero Trust Architecture" (PDF). nvlpubs.nist.gov. NIST. Archived (PDF) from the original on 2021-04-21. Retrieved 2020-10-17.
  12. "Network architectures". www.ncsc.gov.uk. Archived from the original on 2021-01-21. Retrieved 2020-08-25.