Cybersecurity in a Zero Trust Architecture

By Richard McIntosh, Blog Contributor

What is Zero Trust and Is It Worth It?
The concept of Zero Trust is nothing new and has been around for almost a decade. Zero Trust, at its core, is a security policy for your organization that stops treating traditional boundaries such as firewalls, routers and switches as the only factor used to determine whether a device is trusted. With this model, you are no longer trusting devices just because they are connected to your network. Zero Trust expects that malicious users are able to gain access to your internal network, but provides a framework to limit their effectiveness.

I have seen several industry colleagues claim that if you cannot build a greenfield environment, then Zero Trust is not a valid option. I do not agree with this mindset. While building a Zero Trust architecture may be easier from greenfield, brownfield operators can still adopt its principles and add layers to their existing security models.

Practical Beginnings
In many senses, what I explain in this blog are simple best practices that everyone should use in their everyday infrastructure. Take these steps into consideration as you begin to build that Zero Trust architecture.

Implement 802.1X and Segmentation
Do not trust devices just because they can access your facility and connect to a switch port in a staff member’s office. Even further, you should not give a device unconditional access just because it connects to a switch port in the office of the CEO. Using 802.1X in both your wired and wireless deployments allows you to apply policies that limit a device or user to only the resources they should access.

You can even take this a step further and implement Dynamic Segmentation to apply centralized policies from Aruba ClearPass. You have the flexibility to have wired traffic use the local switch or to tunnel it back through a controller for firewalling and deep packet inspection. This is particularly useful for unknown and IoT devices.

Stop Trusting Outbound Traffic
I have been guilty of this and I know the amount of work that goes into fixing it. Stop allowing traffic from inside your network to leave unchecked and unfiltered. I have seen plenty of networks that only have rule sets based on inbound traffic and they are missing the larger part of the picture. If your domain controllers should never reach the Internet, apply a rule to prevent that. Time and time again, we see data exfiltration occur because it is assumed that devices inside the network should be trusted.
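One way to check a rule set for the gap described above, as an added example that is not part of the original post: it evaluates a constructed inbound-only policy and a constructed egress-filtered policy (first match wins) and reports which no-Internet assets could still get out. All subnets, host names and the probe address are assumptions.

```python
import ipaddress

# Constructed sample policies (not from the original post). Rules are
# evaluated top-down, first match wins; "default" applies when none match.
INBOUND_ONLY_POLICY = {"default": "allow", "rules": []}  # no outbound rules at all
EGRESS_FILTERED_POLICY = {
    "default": "deny",
    "rules": [
        # Internal-to-internal traffic is allowed here.
        {"src": "10.0.0.0/8", "dst": "10.0.0.0/8", "port": None, "action": "allow"},
        # Domain controllers must never reach the Internet.
        {"src": "10.10.5.0/24", "dst": "0.0.0.0/0", "port": None, "action": "deny"},
        # User VLAN may go out over HTTPS only.
        {"src": "10.20.0.0/16", "dst": "0.0.0.0/0", "port": 443, "action": "allow"},
    ],
}
# Assets that policy says must have no Internet path (hypothetical addresses).
NO_INTERNET_ASSETS = {"dc01": "10.10.5.11", "dc02": "10.10.5.12"}
PROBE_DST = "203.0.113.10"  # documentation-range address standing in for "the Internet"


def egress_decision(policy, src, dst, port):
    """Return 'allow' or 'deny' for one outbound flow under the given policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy["rules"]:
        if (s in ipaddress.ip_network(rule["src"])
                and d in ipaddress.ip_network(rule["dst"])
                and rule["port"] in (None, port)):
            return rule["action"]
    return policy["default"]


def audit_no_internet(policy, ports=(53, 80, 443)):
    """Return {asset: [ports allowed out]} for assets that violate the policy intent."""
    findings = {}
    for name, addr in NO_INTERNET_ASSETS.items():
        open_ports = [p for p in ports
                      if egress_decision(policy, addr, PROBE_DST, p) == "allow"]
        if open_ports:
            findings[name] = open_ports
    return findings


if __name__ == "__main__":
    print("inbound-only :", audit_no_internet(INBOUND_ONLY_POLICY))
    print("egress filter:", audit_no_internet(EGRESS_FILTERED_POLICY))
```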

Start Using Multi-factor Authentication
A Zero Trust deployment does not only consist of network and firewall policies. Your applications must be a part of the architecture. Electronic medical records, Microsoft Office 365, Google G Suite, and other applications should all utilize multi-factor authentication (MFA).

Begin by building application permissions: who has access, what they have access to, how much access they have, etc. Drive MFA into your application vetting process for both internal and external apps. Don’t let systems that have critical information into your environment if they can’t support a tiered-level approach to security.

End Poor Credential Management
Before Windows 10, it was fairly common to see applications require the user to have full local administrator credentials. Over the past four years, Windows 10 has made this requirement essentially a relic, and system administrators should treat it as one. If you truly need local administrator credentials, use a separate account that is only used for specific tasks. Also, put policies in place to prevent credential sharing. Lock out accounts you see logging in from multiple places simultaneously, even if it does ruffle the feathers of a few managers and their assistants.
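A sketch of the "logging in from multiple places simultaneously" check, as an added example that is not part of the original post: it sweeps constructed session records per account and flags accounts whose sessions from different source addresses overlap in time. The record layout, account names and addresses are assumptions.

```python
from datetime import datetime

# Constructed session records: (account, source address, login, logout).
SESSIONS = [
    ("mgr.jones", "10.20.4.17", "2019-11-04 08:00", "2019-11-04 12:00"),
    ("mgr.jones", "10.20.9.88", "2019-11-04 09:30", "2019-11-04 10:15"),  # overlaps, other source
    ("a.smith", "10.20.4.30", "2019-11-04 08:00", "2019-11-04 09:00"),
    ("a.smith", "10.20.7.2", "2019-11-04 09:05", "2019-11-04 11:00"),     # sequential, no overlap
    ("svc.backup", "10.10.8.5", "2019-11-04 01:00", "2019-11-04 02:00"),
    ("svc.backup", "10.10.8.5", "2019-11-04 01:30", "2019-11-04 01:45"),  # overlaps, same source
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def concurrent_logins(sessions):
    """Return {account: sorted sources} for accounts active from 2+ sources at once."""
    by_account = {}
    for account, source, start, end in sessions:
        by_account.setdefault(account, []).append((_ts(start), _ts(end), source))

    flagged = {}
    for account, items in by_account.items():
        items.sort()      # sweep in login order
        active = []       # sessions still open at the current login time
        for start, end, source in items:
            active = [a for a in active if a[1] > start]
            others = {a[2] for a in active if a[2] != source}
            if others:
                flagged.setdefault(account, set()).update(others | {source})
            active.append((start, end, source))
    return {account: sorted(sources) for account, sources in flagged.items()}


def accounts_to_lock(sessions):
    """Accounts that the lockout policy described above would act on."""
    return sorted(concurrent_logins(sessions))


if __name__ == "__main__":
    for account, sources in concurrent_logins(SESSIONS).items():
        print(f"lock {account}: simultaneous sessions from {', '.join(sources)}")
```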

Log, Monitor and Automate
Use SPAN ports or TAPs to send traffic to tools that analyze user and device behavior and watch for signs of known compromises. Also, keep and analyze system logs. Since we are working in a Zero Trust framework, we can’t trust anything. When a teammate in accounting starts to use PowerShell to run system commands, that behavior should trigger an alert. Based on that alert information, we should be able to automate a response, whether we decide to kick a user from the network or place them into a walled garden with a splash page to contact security.

After an attack, successful or not, you’ll be glad you have this information during your post-mortem review.
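The PowerShell alert and automated response described in this section, as an added example that is not part of the original post: it parses constructed process-creation log lines, alerts when a shell is launched by a user outside the departments expected to run one, and picks a response. The log format, directory data and the escalation rule (walled garden first, disconnect on a repeat from the same host) are assumptions.

```python
import re

# Constructed process-creation log lines (key=value); not real telemetry.
LOG_LINES = [
    r'host=ACCT-PC07 user=jdoe image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    r'host=IT-WS02 user=asingh image="C:\Program Files\PowerShell\7\pwsh.exe"',
    r'host=ACCT-PC09 user=mlee image="C:\Program Files\Microsoft Office\EXCEL.EXE"',
    r'host=ACCT-PC07 user=jdoe image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    r'host=LOBBY-KIOSK user=guest1 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
]
# Hypothetical directory lookup and baseline of who is expected to run a shell.
DIRECTORY = {"jdoe": "accounting", "mlee": "accounting", "asingh": "it-ops"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
EXPECTED_DEPTS = {"it-ops"}
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict, handling quoted values."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def triage(lines):
    """Return (host, user, department, action) for each unexpected shell launch."""
    quarantined, alerts = set(), []
    for line in lines:
        event = parse_line(line)
        image = event["image"].rsplit("\\", 1)[-1].lower()
        # Users missing from the directory are "unknown" and never trusted.
        dept = DIRECTORY.get(event["user"], "unknown")
        if image not in SHELL_IMAGES or dept in EXPECTED_DEPTS:
            continue
        # Assumed escalation: walled garden first, disconnect on a repeat.
        action = "disconnect" if event["host"] in quarantined else "walled_garden"
        quarantined.add(event["host"])
        alerts.append((event["host"], event["user"], dept, action))
    return alerts


if __name__ == "__main__":
    for host, user, dept, action in triage(LOG_LINES):
        print(f"ALERT {user} ({dept}) ran a shell on {host} -> {action}")
```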

Zero Trust is Worth the Effort
I hope you and your organization can see the value of losing trust in a traditional security model. Zero Trust will definitely not be an overnight transition, but the goal is worth the effort. Considering that research from IBM Security places the average cost of a breach at $3.92 million in 2019, it may be more than worth it to prevent a breach.

To learn more about Zero Trust, I encourage you to listen to Aruba Unplugged - Episode 26: Trust No One: Zero Trust in the Real World. Afterward, drop into the Airheads Security Forum to discuss how you’re changing the way you operate in a Zero Trust environment.