Loading

Part 2 – Zero Trust. What to do & which way to go?

We need some Zero Trust in our life. What next?

Smarter people than me were talking about this way back when I was still nurturing Armadillos.

The Jericho Forum was founded in 2003 specifically to tackle issues around de-perimeterisation and they issued their list of commandments a few years later.

 

If I’m entirely honest, even in 2010 when Google started work on BeyondCorp which is their vision of Zero Trust, I was still knee deep in Armadillo dung. (Note: Do they call it dung? Not sure, must look up before publishing this. 2nd Note: It’s called scat which is quite possible a security acronym AND can spread leprosy!)

Zero Trust isn’t a big bang project nor is it a ‘product’. It’s holistic, it’s all-encompassing, it’s strategic.

That said, don’t try and boil the ocean on your first pass. To create support and positivity which can then gather momentum and become a driver for cultural change to how things are done in the technology organisation, start small and set a sensible & realistic scope… and map it well.

By that I mean asset mapping the data locations & flows, devices, networks, workloads and identities. With all of these you will need to have a single source of the truth.

As Zero Trust represents significant change to the organisation you may well need to form a small team for the initial product with representation from each of the other areas such as Operations, Applications, Infrastructure, Cloud (if separate) and Development.

Getting documented & communicated buy-in from the business owner of each of these areas will also help greatly. Remember this IS an enabler for the business, reducing technology complexity resulting in greater agility and productivity.

Why? Because the ease and speed to develop, build and deploy new applications & services will be transformed – giving the business a competitive advantage.

New applications built on a microservices architecture will inherit the Zero Trust model, evaluating every request based on:

Assuming the initial request is authenticated and authorised that doesn’t mean the subject is now ‘in’. With Zero Trust you are essentially flattening the internet and your managed network so every request needs to be verified against the criteria your business sets above.

A microservices/micro-segmented architecture reduces the risk of a wide-ranging impact further still with different workloads, stacks, components and other containerised services separated and access between them requiring continuous evaluation at their own edge (known as the Micro-Perimeter (Gartner/Forrester derived terminology)).

Think of this as a Distributed Edge, again shifting from the concept of a single point of failure or infrastructure to attack, to a resilient model of distributed components.

Instead of one big Armadillo (did you think I’d forgotten about them?) we are now hundreds of little ones, each ready to challenge and verify every request made of them – and deny by default.  

As I write this, the fallout from CVE-2020-5902, a remote code execution issue on BIG-IP devices and CVE-2020-2021, an authentication bypass problem on Palo Alto systems running PAN-OS will have colleagues in the security industry stressed and scrambling to apply patches for these 10/10 rated vulnerabilities. It’s a familiar story and one that shines a light on the flaws of having single points of security enforcement.

Although as ever it’s not that simple as some of these systems could be used as part of a Zero Trust Architecture so my security comrades do have my sympathies.

The CIA (for Confidentiality, Integrity & Availability) triad is well known by security professionals as the primary data attributes you seek to protect but now is perhaps time to consider if it lends itself to a continuous and integrated security posture?

The DIE (Distributed, Immutable, Ephemeral) model proposes new principles upon which to build the next evolution of security. Zero Trust lends itself well to the Distributed principle. The full DIE model is perhaps beyond the scope of this article but you can read more about it here.

Some organisations may look to use a SASE (Secure Access Service Edge – pronounced “sassy”) to deliver that continuous verification capability although again I reiterate the point that Zero Trust isn’t only a product you buy.

Interested on starting the journey yet?

1.  Senior Management/Tower Owner Buy-In. Remember it’s about enabling the business to move quicker, be more flexible and agile, and to be more resilient.

2. Set the Project Scope, start small and identify a quick win. If your business is building new products in the cloud then these greenfield environments make the ideal place to start. When it’s delivered then it’s time to get your PR hat on and ensure momentum is built!

3. Write the User Stories. It’s all about your customers. One of the aspects that keep cropping up here is a frictionless (or at least very well lubricated) experience for your users/customers so SSO (Single Sign-On) should feature here for example.

4. Document the technology stack in scope:

a. Data, Applications, Operating Systems, Containers, Virtualisation layers, Storage and everything else.

b. Identity. Set up your database documenting users, groups, roles, titles and status. Endpoint devices & certificates asserting identity will also form a part of this.

c. Telemetry or other Criteria that will feed the Identity and Access layer.

 

5. Document your Rationale & Principles, you may update this as the programme evolves.

6. Design

a. You’re starting with a blank page so use it. The term paradigm shift is used a lot but feels very appropriate here, you have the opportunity to tear it up and start again.

b. You’re conceptually levelling the internet with your internal infrastructure and moving to a micro-segmentation architecture; it will challenge traditional ways of thinking!

 

NIST now have a (Draft) Zero Trust Architecture which goes into a lot more depth than I have and is definitely recommended reading if you’re looking to kickstart your programme here.

Next week we’ll be calling out the security benefits of going down the path towards a Zero Trust Architecture.

More Posts:

CloudKubed Digital Transformation & Cloud Experts

GET IN TOUCH