Zero Trust Network: should you (really) trust nothing?

StormShield

The Zero Trust model is in vogue right now. And it’s based on a simple premise: to secure your IT system against cyber threats, you must doubt everything and trust nothing. But rather than abolishing trust, could the issue be more one of moving it elsewhere?

The corporate network perimeter is dead, long live… the Zero Trust Network? Promoted by Forrester in the late 2000s, the Zero Trust Network Access security model (shortened to “Zero Trust Network” or just “Zero Trust”) is now regularly advanced as a response to cyber threats and the predicted disappearance of the corporate network perimeter. But it is vitally important to remember that ZTN is not a technology, but rather an approach – indeed, almost a philosophy – that questions our relationship of trust and builds a security model using different technological building blocks. Let’s take a look behind the scenes of the Zero Trust approach.

The network perimeter is disappearing

A long time ago, there was a red line between things that were inside the perimeter of the company’s network (and therefore deemed trustworthy), and things that were outside (and therefore perceived as a potential threat). This approach offered a form of physical security, in which the network could only be accessed by people actually on the company’s premises. No access to the premises meant no access to the network – except via VPN. Simple, and easy to understand.

But digital transformation has brought profound change to systems architecture. From the widespread use of VPN access for secure teleworking to cloud applications and infrastructures, the perimeter of the corporate network has now been literally fragmented. So much so, in fact, that confining the protection of the company to its network perimeter no longer makes any real sense.

The headache of providing secure remote access

In addition to the rise of the cloud and the widespread use of teleworking, the “Bring Your Own Device” practice is driving nails into the coffin of the company network perimeter, and presenting new security constraints. There are two traditional priorities for securing remote access: authenticating and authorising users.

The first point can be (partially) addressed with the VPN. By creating a secure, encrypted access tunnel, the company provides a means for employees to access the company’s resources  – regardless of where they are physically located – and to move data securely. In so doing, it delegates its trust to the VPN, which has many advantages: a well-controlled protocol; known encryption algorithms and key sizes; and clearly-identified capacities and limits. Identification and authentication issues therefore seem to be addressed by means of remote login tools and 2FA solutions. But this still leaves the problem of controlling access to a mixed bag of applications and uncontrolled equipment – hence the rise of the Zero Trust approach in recent years.

Zero Trust, or the central question of trust

In contrast to the VPN, which establishes a certain level of trust for a secure connection between two entities, the Zero Trust approach consists of trusting… nothing. This approach will therefore challenge the network in an attempt to control who accesses what, and when. In other words, the Zero Trust approach is based on verifying logins, identities and privileges upon every access – including within the corporate network. “ZTN is based on the premise of zero trust,” explains Stéphane Prévost, Product Marketing Manager at Stormshield. “But that’s impossible! When you’re providing access to sensitive assets, you need something tangible to hold onto.” In short, how much trust should be awarded according to the sensitivity of the information or the environment to be protected?

ZTN is based on the premise of zero trust, but that’s impossible! When you’re providing access to sensitive assets, you need something tangible to hold on to.

Stéphane Prévost, Product Marketing Manager at Stormshield

Rather than abolishing trust, the ZTN approach is about moving it elsewhere. But where? Firstly, to the user. In line with a simple principle: if a user has been authenticated, they can be trusted. But is that really enough? What about the location or device they connect from?

A security foundation built on three pillars: identity, machine and access

In addition to the two traditional priorities mentioned earlier, there is in fact a third. The user may be central, but the machine they use is also important. “What really matters in the Zero Trust approach is the user/machine combination,” Prévost explains. Even if a user has been authenticated, the device they’re using is still a potential vulnerability. For example, it may have been infected by a virus which will be able to access sensitive content and encrypt data. We therefore also need a way of trusting the machine.” And a way of managing access according to the nature of the workstation (business or personal), the software used, the update status of its security solutions, and even the physical place where it is located (at home, in the office, on the move, etc.). To achieve this, asset protection solutions must factor in issues of context-sensitive policies and dynamic adaptability. And as a result, ensure that security is tailored to the specific environment.

What really matters in the Zero Trust approach is the user/machine combination

Stéphane Prévost, Product Marketing Manager at Stormshield

 The Zero Trust approach is therefore not just about logging into the corporate network, but providing holistic security that focuses on the individual and the device, and includes user and machine identification, multi-factor authentication, and access management.

This last point assumes a certain degree of corporate maturity in this respect, especially when it comes to clearly defining the access rights of each employee. And therein – in some cases – lies the problem. That’s because Identity and Access Management (IAM) is not just a matter for the IT department: Human Resources, and the managers of each department or business unit, also need to have a clear idea of what access has been granted. Each manager must be able to determine who in his or her team has access to what, and for what purpose. It sounds simple, but considering the increasing number of solutions that can be found in a company, fluidly managing everyone’s privileges – and keeping them up to date – can quickly turn into a major task. However, it is a task that contributes to the company’s safety. The good news: once the work has been done, implementation is quick. The bad news: if companies are to retain control and keep full track of access, they must deal with a policy that evolves over time and a wide range of disparate control tools, especially if their applications are hosted in the cloud.

Special considerations for Cloud models

Across IaaS, PaaS, SaaS applications or hybrid infrastructure alike, corporate use of the cloud is skyrocketing. 51% of surveyed French organisations and companies outsource all or part of their information system to a third party, and 7% in total, as noted by the Clusif information security French association in the 2020 edition of its MIPS study (Computer threats and security practices).

Companies are migrating their own custom applications to the cloud and/or subscribing to enterprise SaaS applications such as Office 365, Salesforce, Google and others. However, a recent ESG survey indicates that the assignment of excessively lax permissions to accounts and roles was the number one configuration error in cloud services. Defining a least-privilege access policy is therefore a vitally important task in a cloud environment… and a complex one too. “The company needs to be able to identify the individuals logging in to these different applications,” Prévost explains. The company then finds itself with various different technical components and a very fragmented access policy to manage: the policy for the datacenter, the policy for remote sites, the policy for SaaS, for PaaS applications, etc.

What makes it so complex to handle is the sheer range of access types,” says Prévost. “One single policy that can assign privileges for who accesses what and when, everywhere… companies are still some way off that goal yet! But any solution will surely be based on the corporate directory.”

A directory as a central point for identity management in a company… this is a subject that raises the issue of a certain dependence on its publisher. And that remains true even if it can be supported by IAM solutions. The roles assigned to users require many permissions that are best limited to the lowest level of privilege required to operate a particular service. Another area for caution is outdated authorisations, which continue to provide access to people who are no longer working on the project. The easiest approach is a staged one: start with the minimum level of permissions, and then grant more if necessary. This method is safer than starting with permissions that grant too much freedom, and then trying to restrict them later (it’s easy to overlook something).

In summary, a Zero Trust approach requires several prerequisites:

  • Control the security level of workstations and application access equipment;
  • Define who accesses what and how (and ask this question regularly);
  • Deploy this access policy uniformly across all applications, which are sometimes very varied in nature.

A change of philosophy

By shifting the focus of trust to identifying and authenticating the user, their access and their machine, the Zero Trust approach turns identity into a new security perimeter. This requires the implementation of verification mechanisms at a very early stage, starting at the business application level, which had previously relied solely on network access control. “This does not preclude the implementation of best practice around the ZTN, such as segmenting the company network according to the degree of trust granted to its employees,” Prévost points out.

It would indeed be an illusion to think that Zero Trust is some sort of magical approach that replaces all other security approaches. In actual fact, it relies on existing technologies to establish the appropriate level of trust: multi-factor authentication to trust the user, VPN to encrypt communications and trust their transfers, behavioural analysis to trust the machine being used, etc. The emphasis is on continuously re-evaluating the degree of trust to be granted. This confirms an immutable principle: cybersecurity is not a rigid system, but a continuous training exercise.