Networking and Security Series: Zero Trust, a New Way to Look at Network Security

Principles of zero trust security. Image via Centrify

We hope you’ve been learning a lot about both networking and securing networks from the Rocket Yard’s network and security series. So far, that series includes:

Today we’re talking about a new IT security model that is changing the way companies look at securing their networks: Zero Trust Security. To explain how it works and how it differs from traditional network security models, we first need to look at how the current models work.

Bodiam Castle, East Sussex, England.

The Castle-and-Moat Security Concept

For most companies, network security is currently based on what is called the “castle-and-moat” concept. In the physical analogy, think of a castle surrounded by a deep moat, preferably filled with alligators. There is only one way in and out of the castle: over a drawbridge that is heavily guarded. Anyone attempting to enter must pass a rigorous check by wary guards who look for weapons, check the person’s identity, and so on.

Once that person is trusted, they are allowed free access to the castle and everything in it. In fact, everyone inside the castle is trusted by default. There is an obvious problem with this: if a person who gains access is actually an attacker, they have free rein to wreak havoc on everything inside the castle.

Applying this to network security, think of the castle as a company’s internal network and the drawbridge and guards as a traditional firewall plus a password challenge. If an attacker gains a foothold on the network, for example by brute-forcing a password or by operating from an already-compromised machine inside the perimeter, the network now trusts them, and they can move laterally and start taking down internal systems one by one.

Making this weakness worse, companies no longer keep their data and systems in one place: they are spread across a variety of cloud vendors, so there is no longer a single perimeter to defend and control of security becomes more difficult.

The traditional concept can also be summed up as “trust, but verify”. In other words, you assume that the vast majority of people attempting to reach your network are not attackers, but you verify that they hold the proper credentials before letting them in; after that one check, they are trusted.

A title screen from the TV show “The X-Files”

The Zero Trust Security Model

Zero Trust security means that no one is trusted by default, either inside or outside a corporate network, so verification is required from everyone who wants access to resources on the network. During a conference I attended a few weeks ago, a speaker used a line from the great 1990s sci-fi classic series “The X-Files” to describe Zero Trust Security: “Trust No One”.

Enabling zero trust security requires strict identity verification for every person and device attempting to access resources on a private network, whether they are inside or outside the corporate network perimeter. No single technology constitutes zero trust; it is better thought of as a holistic approach to network security that combines several principles and technologies.

The term “zero trust” first appeared in 2010, when a Forrester Research Inc. analyst presented the concept. A few years later, Google announced that it had implemented zero trust security on its own network (its BeyondCorp initiative), which led to increased interest in adopting the model across the tech community.

Principles and Technologies Behind The Zero Trust Security Model

The image at the top of this article shows the basic tenets behind the zero trust security model. The network verifies who the user is, validates that the device being used is known and authorized, and then limits what that user can reach. The zero trust model is paranoid by design: you assume that attackers are everywhere, inside and outside the network, so no device or user is trusted automatically and every request is evaluated on its own merits. Let’s look at some of these principles in detail.

One principle of the zero trust model is least-privilege access: users are given only as much access to network resources as they need. Each user’s exposure to sensitive parts of the network is minimized by granting no access at all to systems they don’t need, and only enough access to the rest to do their job. In another analogy, think of a navy admiral giving officers and sailors information strictly on a need-to-know basis.

Microsegmentation is also used by zero trust networks. This is the practice of breaking security perimeters up into small zones, with separate access controls for each part of the network. As an example, a network whose files are stored in a single data center might, with microsegmentation, have a dozen separate secure zones. A person or program with access to one of those zones has no access to any of the others without obtaining authorization first, which limits how far an intruder can move laterally.

Another core piece of zero trust security is one that many Rocket Yard readers will be familiar with: Multi-Factor Authentication (MFA). MFA means that more than just a password is required to authenticate a user and gain access to a network: two or more independent pieces of evidence, typically drawn from something you know (a password), something you have (a phone or hardware key) and something you are (a fingerprint).

MFA is most widely seen as two-factor authentication (2FA) on popular online platforms, including iCloud, Facebook, Amazon and Google. A user requesting access first enters a password, then must also enter a code that is sent to, or generated on, another device such as a smartphone. By doing this, the user has provided two pieces of evidence that they are who they claim to be. One caveat: codes delivered by SMS are the weakest form of second factor, since they can be intercepted or redirected by SIM swapping; an authenticator app or a hardware security key is stronger.

Finally, not only is user access controlled; zero trust also requires strict controls on which devices may connect. A well-designed zero trust system keeps an inventory of devices, tracks which of them are attempting to access the network, and ensures that every one is authorized. This can be done by installing a digital key (typically a device certificate) on each approved device or, more weakly, by matching the MAC (media access control) address of each approved device when it attempts to connect. A MAC address is trivial to spoof, so it should never be the only evidence of a device’s identity.
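To show how the principles above combine into a single access decision, here is an added example (not code from the article) that evaluates the same request under the castle-and-moat model and under zero trust. The users, roles, zones, IP ranges and certificate fingerprints are constructed for the example; device identity is pinned to a client-certificate fingerprint rather than a MAC address for the reason given above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed sample data for this example; none of it comes from the article.
CORPORATE_LAN = ipaddress.ip_network("10.0.0.0/8")

# Device inventory keyed by client-certificate fingerprint (a MAC address would
# be trivially forged by the client and is deliberately not used).
DEVICE_REGISTRY = {
    "sha256:ab12cd34": {"owner": "alice", "managed": True},
    "sha256:ef56ab78": {"owner": "bob", "managed": False},   # personal laptop
}

# Least privilege plus microsegmentation: each role is granted specific
# (zone, resource) pairs and nothing else.
ROLE_GRANTS = {
    "finance": {("zone-finance", "ledger-db")},
    "engineer": {("zone-dev", "ci-server"), ("zone-dev", "git")},
}
USER_ROLES = {"alice": {"finance"}, "bob": {"engineer"}}


@dataclass(frozen=True)
class Request:
    user: str
    identity_verified: bool     # password / SSO check succeeded
    mfa_verified: bool          # second factor succeeded
    device_fingerprint: str
    source_ip: str
    zone: str
    resource: str


def castle_and_moat_allows(req: Request) -> bool:
    """Perimeter model: anything already inside the LAN is trusted."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_LAN


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Per-request evaluation: who, on what device, to which resource.

    The source IP is never consulted: being inside the network grants nothing.
    """
    if not req.identity_verified:
        return False, "identity not verified"
    if not req.mfa_verified:
        return False, "second factor missing"
    device = DEVICE_REGISTRY.get(req.device_fingerprint)
    if device is None or not device["managed"]:
        return False, "unknown or unmanaged device"
    if device["owner"] != req.user:
        return False, "device not enrolled to this user"
    grants = set()
    for role in USER_ROLES.get(req.user, set()):
        grants |= ROLE_GRANTS.get(role, set())
    if (req.zone, req.resource) not in grants:
        return False, f"no grant for {req.resource} in {req.zone}"
    return True, "allow"


# An intruder who brute-forced alice's password, plugged in at a desk inside the building
INSIDER = Request("alice", True, False, "sha256:deadbeef", "10.20.30.40",
                  "zone-finance", "ledger-db")
# alice on her enrolled laptop from a coffee shop, reaching the one system her role grants
ALICE_LEDGER = Request("alice", True, True, "sha256:ab12cd34", "203.0.113.7",
                       "zone-finance", "ledger-db")
# alice, fully verified, trying to cross into the development zone
ALICE_GIT = Request("alice", True, True, "sha256:ab12cd34", "10.20.30.41",
                    "zone-dev", "git")
# bob, fully verified, but on a laptop the company does not manage
BOB_PERSONAL = Request("bob", True, True, "sha256:ef56ab78", "10.20.30.42",
                       "zone-dev", "git")

if __name__ == "__main__":
    for name, req in [("insider", INSIDER), ("alice->ledger", ALICE_LEDGER),
                      ("alice->git", ALICE_GIT), ("bob personal", BOB_PERSONAL)]:
        print(f"{name:14} castle-and-moat: {castle_and_moat_allows(req)!s:5} "
              f"zero trust: {zero_trust_decision(req)}")
```

The insider case is the one the castle-and-moat section warns about: a perimeter check waves the request through because it comes from 10.20.30.40, while the zero trust check stops at the missing second factor before it even looks at the device. Alice reaching `ledger-db` from an outside address is the reverse: denied by the perimeter, allowed by zero trust because identity, device and grant all check out.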

Next week, we’ll be discussing Virtual Private Networks (VPNs), which are the current “castle-and-moat” way of providing encrypted access to networks. A traditional VPN grants access to the whole network once the tunnel is up, rather than to individual applications, so it cannot enforce fine-grained user access policies; tying that access to a verified identity and device is difficult; and routing all traffic through a central VPN concentrator can slow down system access. Zero trust networks enforce access rules at the edge, close to the user and the resource, rather than backhauling everything through one chokepoint, so latency is lower and users find their system access speedy. Despite the issues with VPNs, it may be years before all companies adopt zero trust security, so VPNs remain an easy and cost-effective interim solution.