Zero Trust
What is it?
John Kindervag of Forrester (but currently – July 2019 – at Palo Alto Networks) came up with the
concept of Zero Trust in 2010. Surprisingly however, it has taken almost a decade for it to become a
hot topic. These days just about every security vendor offers us a zero-trust product or a solution
set. Promising risk mitigation, business agility, innovation, ease of cloud migration, and every other
business buzzword (maybe not A.I.), it is hard not to be sold on vendors’ go-to-market stories on
zero trust. But what is this utopian dream, and can you just buy one?
Zero trust came about because traditional perimeter-based security did not address internal threats.
Nor did it address outsider threats compromising an inside resource and moving laterally throughout
the network. This lack of control and visibility over internal resources and their lateral movement, as
well as the blurring of the perimeter thanks to all the cloud migrations, are the concerns which
zero trust aims to address. Technically speaking, Zero Trust has three fundamental principles:
1. Trust nothing – this includes devices, users, applications, things and locations
In a zero trust environment, nothing is trusted. You may be an employee seated in the head office,
but you first need to be authenticated, then assigned the least required privileges to perform your
job, and all your activity must be logged and monitored. This ensures that only authenticated and
authorised users or applications are given the required access, and even then, if that access
results in strange or compromising behaviour (such as port scans or reconnaissance-type activity),
this is also logged, monitored, alerted on and acted upon.
So how does one go about deploying zero trust in their environment? I suggest a constantly evolving
three-phase, three-pronged approach. It sounds complicated, but I promise you it is not. It is just an
iterative deployment model that maps closely to the principles of zero trust and is designed to ease
your business into this brave new world. Of course, like everything else in Security, this is to be
constantly improved upon. It is not a set-and-forget model.
The prework
Before you dive headfirst into any new security strategy, architecture or solution, you first need to
understand what it is that you are trying to protect (and why of course; i.e. business impact
analysis). I suggest you start by defining your protect surface. What does that mean? It means
identify what assets (data, applications, services) you wish to protect and classify them according to
their importance to your business. You then need to understand how those assets interact with the
rest of your environment. In other words, you need to do Application Dependency Mapping
(ADM) and understand exactly what or who talks to which services in your environment. There are a
number of vendors that have solution sets assisting with this. Depending on the complexity, size and
security of your environment, you may be able to use a simple packet sniffer to achieve this or – at
the other end of the scale – deploy something like Cisco Tetration or other high-end applications and
devices – even an NGFW – to get your ADM.
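To make the protect-surface and ADM step concrete, here is an added example (not from the original post, and not any vendor's tool) that builds a dependency map from flow records and pulls out the dependencies of the assets classified as critical, which is where the first trust boundary goes. The key=value flow format, the three-asset inventory with its classifications and every IP address are constructed for illustration; a real export from a sniffer, flow collector or NGFW needs its own parser.

```python
"""Application Dependency Mapping (ADM) from flow records.

Added example, not from the original post. The flow-log format, the asset
inventory and all IP addresses are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed protect-surface inventory: asset name -> (IP, business classification).
# Classification is the business-impact judgement the post says you make first.
INVENTORY = {
    "crm-db":   ("10.20.0.10", "critical"),
    "crm-app":  ("10.10.0.20", "high"),
    "intranet": ("10.10.0.30", "low"),
}

# Constructed flow records in a simple key=value form, the sort of thing a
# packet sniffer or flow collector export can be normalised to.
FLOW_LOG = """\
2019-07-01T08:00:01Z src=10.10.0.20 dst=10.20.0.10 dport=5432 proto=tcp
2019-07-01T08:00:02Z src=10.10.0.20 dst=10.20.0.10 dport=5432 proto=tcp
2019-07-01T08:00:05Z src=10.50.1.7  dst=10.10.0.20 dport=443  proto=tcp
2019-07-01T08:00:09Z src=10.50.1.8  dst=10.10.0.20 dport=443  proto=tcp
2019-07-01T08:01:00Z src=10.50.1.7  dst=10.10.0.30 dport=80   proto=tcp
2019-07-01T08:02:00Z src=10.60.0.5  dst=10.20.0.10 dport=5432 proto=tcp
2019-07-01T08:03:00Z src=10.60.0.5  dst=10.60.0.9  dport=22   proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)


def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            yield d


def asset_name(ip, inventory=INVENTORY):
    """Map an IP back to its inventory name, or 'unclassified' if it is outside the protect surface."""
    for name, (addr, _) in inventory.items():
        if addr == ip:
            return name
    return "unclassified"


def build_dependency_map(text, inventory=INVENTORY):
    """Return {asset: [(client, dport, proto), ...]} for inventoried destination assets.

    Clients that are themselves inventoried are named (app-to-app dependencies);
    everything else is kept by IP, which shows which subnets reach which asset.
    """
    deps = defaultdict(set)
    for f in parse_flows(text):
        target = asset_name(f["dst"], inventory)
        if target == "unclassified":
            continue  # traffic to hosts outside the protect surface is not mapped here
        client = asset_name(f["src"], inventory)
        if client == "unclassified":
            client = f["src"]
        deps[target].add((client, f["dport"], f["proto"]))
    return {asset: sorted(clients) for asset, clients in deps.items()}


def critical_dependencies(text, inventory=INVENTORY):
    """Only the dependencies of assets classified 'critical': the first trust boundary to draw."""
    full = build_dependency_map(text, inventory)
    return {asset: full[asset] for asset in full if inventory[asset][1] == "critical"}


if __name__ == "__main__":
    for asset, clients in build_dependency_map(FLOW_LOG).items():
        print(asset, INVENTORY[asset][1], clients)
```

Run on the constructed log, the map shows the application tier and an unexpected host (10.60.0.5) both reaching the critical database on 5432; that second entry is exactly the kind of finding the ADM stage exists to surface before any rule is written.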
1. Deploy a Network Access Control (NAC) solution. If you have a corporate wireless network in
place already, chances are you are more than halfway there. Look at integrating your
wireless authentication solution with your corporate AD and deploying it across your wired
network. Cisco ISE, Aruba ClearPass and Forescout CounterACT are just three of the products
you can consider. Keep in mind, however, that a NAC solution does little for users or devices
that connect across the internet. You can look at other solutions such as Zscaler Private
Access. A more current solution, however, is an Identity and Access Management (IAM) tool
with single sign-on (SSO) that is integrated/federated with your cloud providers.
2. Start a small micro-segmentation project in your data centre, or in the cloud. I must note
however, that if you have already migrated some workloads to the cloud and have not
architected your cloud environment right, this could be a little more challenging. The key
here is to identify and classify your most critical assets and then establish a trust boundary
around them to prevent exfiltration of sensitive data (keeping in mind the impact of
deploying new technology/processes in such a critical environment). Perhaps have a look
at Gartner’s Magic Quadrant for Enterprise Network Firewalls and study the vendors in the
Leaders and Challengers quadrants.
3. Deploy – if you have not already – a logging and monitoring capability. This is a vital step
that is often forgotten by smaller businesses. It is, however, critical to have this capability
deployed, and choosing the right vendor in step 2 above certainly helps. I
would suggest a quick look at the Gartner Magic Quadrant for Security Information and
Event Management and studying the vendors in the Leaders and Challengers quadrants.
1. Expand on your NAC solution. If you have not already, integrate your NAC with other key
systems in your environment including Active Directory, DDI (DNS, DHCP and IP Address
Management), and your logging tools. This is also a great time to start experimenting and
then deploying a Posture Assessment (also known as Profiling) capability. This ensures that
devices and users are not only authenticated but also checked for compliance with your
security policies before they are authorised to access your network.
2. Deploy a User and Entity Behaviour Analytics (UEBA) tool. It is now time to get an even clearer
picture of how your users, devices and applications talk to each other. Only consider
UEBA tools that have advanced machine learning capability and that integrate
nicely with your SIEM application. You could also consider deploying similar tools on your
servers. Preferably, those tools should also give you the option to enforce a particular policy
dynamically.
3. Expand on your SIEM solution. Ideally, your SIEM solution should now include the following
capabilities: advanced alerting, automation, big data analytics and threat intelligence.
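As an added illustration of the baselining a UEBA tool performs over the picture you now have of who talks to whom (this is not the post's code or any product's, and it uses a seen-before baseline plus a simple rate heuristic rather than the machine learning the post recommends), the following learns normal behaviour from a quiet period, then raises two kinds of alert on later flows: a dependency never seen before, and one source touching many ports on one host in a short window, the reconnaissance-type behaviour mentioned earlier. The flows, addresses, thresholds and the analyst approval step are all constructed.

```python
"""Behavioural baselining over flow records.

Added, deliberately simplified illustration of what a UEBA tool does; not the
post's code nor any vendor's. A seen-before baseline and a rate heuristic
stand in for machine learning. All addresses, flows and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flows from a quiet learning period: how things normally talk.
QUIET_FLOWS = [
    {"ts": "2019-07-01T08:00:01Z", "src": "10.10.0.20", "dst": "10.20.0.10", "dport": 5432},
    {"ts": "2019-07-01T08:00:05Z", "src": "10.50.1.7",  "dst": "10.10.0.20", "dport": 443},
    {"ts": "2019-07-01T08:00:09Z", "src": "10.50.1.8",  "dst": "10.10.0.20", "dport": 443},
]

# Constructed flows from a later period, time-ordered as a SIEM would feed them.
NEW_FLOWS = [
    {"ts": "2019-07-02T09:00:00Z", "src": "10.10.0.20", "dst": "10.20.0.10", "dport": 5432},
    {"ts": "2019-07-02T09:00:10Z", "src": "10.50.1.7",  "dst": "10.10.0.20", "dport": 443},
    {"ts": "2019-07-02T09:01:00Z", "src": "10.10.0.20", "dst": "10.20.0.10", "dport": 22},
    {"ts": "2019-07-02T09:05:00Z", "src": "10.50.1.9",  "dst": "10.20.0.10", "dport": 21},
    {"ts": "2019-07-02T09:05:01Z", "src": "10.50.1.9",  "dst": "10.20.0.10", "dport": 22},
    {"ts": "2019-07-02T09:05:02Z", "src": "10.50.1.9",  "dst": "10.20.0.10", "dport": 23},
    {"ts": "2019-07-02T09:05:03Z", "src": "10.50.1.9",  "dst": "10.20.0.10", "dport": 25},
    {"ts": "2019-07-02T09:05:04Z", "src": "10.50.1.9",  "dst": "10.20.0.10", "dport": 80},
]

SCAN_PORTS = 5                       # this many distinct ports from one source to one host ...
SCAN_WINDOW = timedelta(seconds=60)  # ... inside this window is treated as reconnaissance


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def learn(flows):
    """Baseline: (src, dst) -> set of destination ports seen during the quiet period."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[(f["src"], f["dst"])].add(f["dport"])
    return dict(baseline)


def evaluate(flows, baseline, scan_ports=SCAN_PORTS, window=SCAN_WINDOW):
    """Return alerts in the order raised. Two detections:
    - new-dependency: a (src, dst, dport) triple absent from the baseline, reported once
    - port-scan: at least scan_ports distinct dports from src to dst inside window, once per pair
    """
    alerts = []
    reported = set()            # new-dependency triples already alerted on
    recent = defaultdict(list)  # (src, dst) -> [(time, dport)] still inside the window
    scanned = set()             # pairs already alerted on as a scan
    for f in flows:
        key = (f["src"], f["dst"])
        triple = key + (f["dport"],)
        if f["dport"] not in baseline.get(key, set()) and triple not in reported:
            reported.add(triple)
            alerts.append({"type": "new-dependency", **f})
        t = _ts(f["ts"])
        recent[key] = [(rt, p) for rt, p in recent[key] if t - rt <= window]
        recent[key].append((t, f["dport"]))
        if key not in scanned and len({p for _, p in recent[key]}) >= scan_ports:
            scanned.add(key)
            alerts.append({"type": "port-scan", "ts": f["ts"], "src": f["src"], "dst": f["dst"],
                           "ports": sorted(p for _, p in recent[key])})
    return alerts


def approve(baseline, alert):
    """An analyst accepted a new-dependency alert as legitimate: fold it into the baseline."""
    baseline.setdefault((alert["src"], alert["dst"]), set()).add(alert["dport"])
    return baseline


if __name__ == "__main__":
    for a in evaluate(NEW_FLOWS, learn(QUIET_FLOWS)):
        print(a)
```

The `approve` step is the part that makes this a model rather than a one-off: the baseline is a policy artefact that changes under control, which is why the post later insists the response capability and change management have to evolve together.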
Security is never about competing with your competitors and always about defeating advanced
adversaries, but it sure feels good to know you are doing something better than the
rest. Having said that, I personally will only do business with an organisation that I know will
keep my data safe. So what do we need to do during this fina… *cough* next phase?
1. Deploy 2FA and a least-privileged access strategy. Consider deploying two-factor
authentication to counter credential-based attacks. It is also time to lock down those NGFW
and NAC rules to ensure users, devices and apps only access other users, devices and apps
that they absolutely need to.
2. Encrypt all your data at rest and in motion, and add more context. This step could prove a
little challenging if you perform encryption in your application. Care should be taken to
ensure your logging, monitoring and UEBA tools can still inspect traffic. You should also look
at other sources of data which can provide more context to your UEBA and SIEM tools to
identify threats, address vulnerabilities, and uncover incidents.
3. Embrace Security Automation And Orchestration (SAOR). By now you should have realised
that managing all these complex and dynamically changing policies is not an easy task. You
also need to be able to detect and respond faster to threats. This is yet another critical step
that is often forgotten – or put into the too-hard basket – by many organisations.
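An added example, not part of the original post, of what the lock-down and automation steps of this phase look like as policy-as-code: allow rules generated only from an approved dependency map with an explicit deny behind them, a review gate that rejects rule changes wider than least privilege, and a playbook step that turns a denied flow into a structured incident record. The dependency map, the `Rule` format, the /24 threshold and the `CHG-PLACEHOLDER` ticket id are constructed; a real NGFW, NAC or orchestration tool has its own rule syntax and API.

```python
"""Least-privilege segmentation rules with a review gate and a response step.

Added example, not from the original post; the dependency map, Rule format,
thresholds and the incident record are constructed stand-ins for whatever
your NGFW, NAC or orchestration tool actually exposes.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed, approved dependency map: asset -> [(client_cidr, dport, proto)].
DEPENDENCIES = {
    "crm-db":  [("10.10.0.20/32", 5432, "tcp")],  # only the app tier reaches the database
    "crm-app": [("10.50.1.0/24", 443, "tcp")],    # only the office user subnet reaches the app
}
ASSET_IP = {"crm-db": "10.20.0.10/32", "crm-app": "10.10.0.20/32"}


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None means any port
    proto: str            # "tcp", "udp" or "any"
    action: str           # "allow" or "deny"


def generate_rules(deps=DEPENDENCIES, asset_ip=ASSET_IP) -> List[Rule]:
    """One allow rule per approved dependency, then an explicit deny-all to that asset,
    so the trust boundary around each asset is default deny."""
    rules = []
    for asset, clients in deps.items():
        for cidr, port, proto in clients:
            rules.append(Rule(cidr, asset_ip[asset], port, proto, "allow"))
        rules.append(Rule("0.0.0.0/0", asset_ip[asset], None, "any", "deny"))
    return rules


def _matches(rule, src, dst, dport, proto):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport)
            and (rule.proto == "any" or rule.proto == proto))


def decide(rules, src, dst, dport, proto):
    """First-match evaluation; anything no rule covers is denied."""
    for r in rules:
        if _matches(r, src, dst, dport, proto):
            return r.action
    return "deny"


def review_change(rule) -> List[str]:
    """Change-process gate: the reasons an allow rule is wider than least privilege (empty if none)."""
    problems = []
    if rule.action != "allow":
        return problems
    if ipaddress.ip_network(rule.src).prefixlen < 24:
        problems.append("source broader than a /24")
    if rule.dport is None:
        problems.append("no destination port")
    if rule.proto == "any":
        problems.append("no protocol")
    return problems


def playbook(rules, flow):
    """Orchestration step: a denied flow becomes an incident record for the response
    process. Any enforcement action (a NAC quarantine, say) is left to that process."""
    if decide(rules, **flow) == "allow":
        return None
    return {"action": "raise-incident", "ticket": "CHG-PLACEHOLDER", "flow": flow}


if __name__ == "__main__":
    rules = generate_rules()
    for r in rules:
        print(r)
    print(playbook(rules, {"src": "10.60.0.5", "dst": "10.20.0.10", "dport": 5432, "proto": "tcp"}))
```

Keeping the rule set derived from the dependency map, rather than hand-edited, is what makes the "lock down" step repeatable: when the map changes under control, the rules regenerate, and `review_change` is the automated part of the change-management gate the closing remarks call for.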
As mentioned before, Zero-Trust is not a set-and-forget solution to all your security problems. You
need to constantly improve on it, monitor it and manage all its complexities.
You do not need to be a security expert to realise that there are many moving parts and integration
points in an architecture based on zero trust. It is this ‘integration’ piece that requires a lot of
thought and care. Ideally, you would like to reduce complexity and choose a vendor that can provide
a pre-integrated ecosystem of solutions. Going with a single vendor, however, can increase your
other risks, including commercial ones such as vendor lock-in.
My other quick note is regarding the response capability. Prevention is obviously key; however,
being able to detect and then respond to an attack is also an important aspect of the model. This
includes all the changes required to your existing change management processes, especially once
you deploy a SAOR capability.
I am interested to find out your thoughts on this and welcome all your comments.