John D'Arcy - June 2023
(Inspired by John Kindervag's authentic Zero Trust talks)
With the cyberwar ongoing at full speed and attacks on Danish and European public and private companies at a peak, you have to ask yourself: how can we really protect ourselves from these breaches and attacks? Too many enterprises today haven't started their Zero Trust journey yet, and they are, or will soon be, breached. As John Kindervag, the founder of Zero Trust, says, the world is flat! Ethernet has made it that way. We all live in the same bad neighbourhood. There are no nice suburbs with well-kept gardens and neighbourhood watch. So, we need to start protecting ourselves in this world.
Cyber missiles are being sent to hit enterprises every day in the cyber world. We are looking at this backwards and are using 20th century techniques to challenge 21st century attacks. We have to change our thinking about cyber attacks. We can't stop them from getting in, but we can stop them from being successful. So, imagine that the attacker is already inside your network and defend yourself accordingly. It's all about securing your critical assets. You have to stop them from getting your data out. There is something liberating about not having to focus on the traditional border, but instead focusing on protecting your critical assets, no matter where they reside.
There is a subtle but very important difference between being compromised and getting breached. Being compromised means that attackers are inside your network and have compromised a component of your infrastructure. They managed to get into some of your critical components. However, getting breached means that they steal your data. They send it out of your network. This is what we need to protect against. Are you monitoring your outbound traffic?
There are really only three types of breach, when you break it all down:
Data theft or disclosure, aka data breaches
Attacks on other sites using resources in your infrastructure
Destruction of company data (deletion or ransomware)
So, we need to defend accordingly.
"Let your security counter measures follow your assets that need protection, not a location or perimeter"
If you are in the security business you are a cyber warrior
For those of you who have been in the business as long as I have, you'll remember Internet 1.0, where we had static servers and static endpoints. You had to go to a computer room to work with "the computer". Remember those "green terminals" :-)
Then came Internet 2.0 where we still had static servers but the endpoints started to be mobile. Big clunky PCs at first and then laptops and later mobile phones.
Now we have Internet 3.0 where we have mobile servers (containers, serverless, etc) and also mobile endpoints (laptops, mobile phones, tablets, IoT, etc). However, our security architecture is still somewhere between Internet 2.0 and Internet 3.0, if we're lucky. We need to start protecting our critical assets in the environment that they are in, starting today.
Today our data resides everywhere and our workforce, partners, etc. can access it from anywhere. Especially after the pandemic, we are accessing our corporate data from our homes, the airport, from cafes and many other places, and this all places a greater importance on our counter measures for cyber security. Also, our data does not only reside inside our corporate network; it's stored in SaaS services, cloud suppliers, email suppliers etc. So, security of our data needs to reside in front of our data. That's why data is the new border.
We need to stop talking about data centres, cloud, branch offices or remote workers and start talking about access.
We need to stop connecting machines to networks and start connecting users to applications.
So, what is Zero Trust and why do we need it? The word Trust defines a human emotion. Why, on earth, have we put a human emotion into our digital systems? How much trust should there be in a system? The answer is zero. We have to verify every single access to an asset. We also have to keep authenticating. It's not sufficient to authenticate once and then assume all subsequent calls are "auto-authenticated". Some say Zero Trust is all about identities. But this is only part of the story. Zero Trust consumes identities.
There are many definitions of Zero Trust, but the important thing is to realise that it's a strategy for securing your critical assets and it needs to be implemented together with the business. Zero Trust is, therefore:
...A business enabler
...An architectural state of mind.
...When there is no difference between Internet and Intranet
...A combination of processes and technology
...Reduced complexity
...A unified experience – greater flexibility and productivity for employees and partners.
It’s a strategy that stops data breaches and other cyber attacks. It leverages design principles proven to work for over a decade. It uses a 5-step methodology for implementing a zero trust architecture and provides demonstrable, positive security outcomes for organisations who adopt zero trust.
Zero Trust is a journey you need to be on to continually be able to make breaches unsuccessful. We've all heard of Least Privilege, but not many enterprises enforce it. You need to assume that you are already breached and act accordingly. You should not trust someone just because they are inside your border firewall. You should verify every single request, device, network flow and packet and monitor the data that is leaving your network.
Some other characteristics of Zero Trust networks are:
The network is always assumed to be hostile
Assume the attackers are already inside your network
Network segmentation is not sufficient for deciding trust in a network
Every device, user and network flow is authenticated and authorised
Policies must be dynamic and calculated from as many data sources as possible
As above, the device is no longer the border. A user's identity/data pair is the new border
Containers, serverless and cloud computing are the new disruptors of security architecture.
Everything is mobile. Applications are in one place one day and somewhere else the next day.
Treat all your hosts inside your network as Internet addressable. This makes the people who own those machines much more vigilant. Living in a "gated community" (border firewalls) where you think that all things bad come only from the outside (Internet) makes your users get sloppy. They would leave windows open, doors unlocked etc. But, if they know they are living "outside the wire", then they get more vigilant and are more aware of security threats, and that's what we want.
Forget inbound traffic, it's outbound traffic that counts
It's not a breach until it leaves the network
Can you answer the below questions?
Well, it's really quite simple. There are 4 design principles that need to be adhered to and a 5-step methodology for implementing Zero Trust. Everything is based on what's called a Protect Surface. The Protect Surface is the granular component that you need to protect.
The overall attack surface can be reduced by an order of magnitude to something very small and easily known, that is, a number of protect surfaces. Each protect surface contains a single DAAS (Data, Application, Assets, Services) element. A DAAS element is the unit of critical infrastructure/data that needs protection. Identifying these protect surfaces and designing protection for them is what Zero Trust is all about. Implementation of a Zero Trust strategy cannot be done by the IT department alone. It needs to be done together with the business.
The 4 design principles of Zero Trust are:
Focus on business outcomes
It's imperative that the business is involved. After all, they are the ones who can tell what is most important for them, also going forward. Ask the question "What is the business trying to achieve?" Align on these outcomes with the business first, so you can prioritise and plan the protection of the protect surfaces defined. IT must get to the business level and not the other way around. Focus needs to be on business outcomes like increasing revenue, increasing profitability, stopping data breaches. This is what IT needs to help with.
Design from the inside out
What we need to protect is not at the edge or the perimeter of our infrastructure; protect surfaces are typically at the centre of our infrastructure. Start with the protect surfaces that need protection and design outward from there. Each protect surface will need to be taken into account individually and protected differently. For example, it could be a legacy system that needs a segmentation gateway and very specific policies. A segmentation gateway is any technology that has a layer 7 capability in it. Having a layer 7 capability means being able to analyse and make decisions based on the application layer protocols and data.
Determine who/what needs access
Implement and enforce Least Privilege. That is, make available only the access specific users need to get their job done. This can be a difficult part, as we are so used to giving users way more access than they need. Create a system that can manage access and roles and use the "Who, What, When, Where, Why, How" method (see below) to define access.
Inspect and log traffic
Inspect and log traffic going to and from each protect surface for malicious content and unauthorised activity all the way up to layer 7 of the OSI model. We want to get to a policy statement that allows traffic in or out under certain well defined conditions and deny all other traffic. To do this we need to continually inspect and log traffic.
By focussing on one protect surface at a time we can plan our Zero Trust journey and gain momentum as we move forward. Many enterprises have already installed the tools they need to protect themselves. We have spent billions on security tools for many years. One could dare ask the question whether we have got the protection we paid for, but that's a topic for another day :)
Implementing Zero Trust will be a continuous journey, where more and more protect surfaces will be protected by micro-perimeters as we move forward.
By following the below 5 step methodology, you can iteratively make your environment more and more secure, one protect surface at a time:
Define the protect surface
You need to find and classify what you need to protect. This includes all your Data, Assets, Applications and Services elements. In most cases, the analysis of data starts to reveal patterns of which assets, applications and services form natural segments. Finding and cataloguing these DAAS elements helps you plan and prioritise your Zero Trust journey.
Map the transaction flows
Understanding how the DAAS element is accessed and how the transactions flow to and from the protect surface shows how various DAAS components interact with other resources on your network. This helps you know where to place the proper controls. The way traffic moves across the network, specific to the data in the protect surface, determines the design. Especially looking at how the data is accessed will give you a good idea as to how the protect surface can be secured. Are there APIs accessing the data? GUI frontends? Integrations to other systems? etc.
Architect a Zero Trust environment
Each protect surface will need to be protected specific to the protect surface itself. There is no detailed reference architecture for Zero Trust, other than having a segmentation gateway that can have a set of allow rules allowing access and forming a micro-perimeter around the protect surface. Although, on AWS cloud there are configuration options and it is the application's responsibility to check and validate every call. Every protect surface needs to have a tailor-made architecture that protects that particular protect surface in the most optimal way.
Create Zero Trust policy
The policy specifies precisely what the allow rules are. See the Kipling Method of Zero Trust policy writing (see below) to determine who or what can access your protect surface. This makes it easier to understand the policies, as they are written in a prescriptive language. Also, auditors love this as it makes their job easier too.
Monitor & Maintain
The telemetry provided by logging and monitoring will not just help prevent breaches, but will provide valuable security improvement insights. This means that each protect surface can become more robust and better protected over time. Telemetry from cloud, network, and endpoint controls can be analysed using advances in behavioural analytics, machine learning, and artificial intelligence to stop attacks in real-time and improve security posture long term.
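As an added illustration of steps 1 and 2 (and of the article's point that it is outbound traffic that counts), not code from the original article or from John Kindervag's material: a small Python script that parses constructed flow-log lines, maps which identities reach each protect surface through which layer-7 application, turns those observed flows into candidate allow rules for step 4, and lists outbound flows from a protect surface to peers that never appear as an authorised accessor. The protect surface names, identities, log format and byte counts are all made up for the example.

```python
from dataclasses import dataclass

# Step 1: the protect surfaces, one DAAS element each (constructed catalogue).
PROTECT_SURFACES = {
    "hr-db": {"daas": "Data", "element": "employee records", "sensitivity": "high"},
    "wiki": {"daas": "Application", "element": "internal wiki", "sensitivity": "low"},
}

# Constructed flow log: timestamp, source, destination, layer-7 app,
# direction relative to the protect surface ("in" = into it, "out" = leaving it), bytes.
FLOW_LOG = """\
2023-06-01T09:12:03Z alice@corp hr-db hr-portal in 1200
2023-06-01T09:15:44Z payroll-svc hr-db sql in 88000
2023-06-01T10:02:10Z bob@corp wiki https in 4200
2023-06-01T10:05:31Z alice@corp hr-db hr-portal in 900
2023-06-01T11:20:00Z alice@corp fileshare smb in 300
2023-06-01T23:41:07Z hr-db unknown-host smb out 5200000
"""

@dataclass(frozen=True)
class FlowRecord:
    ts: str
    src: str
    dst: str
    app: str
    direction: str
    nbytes: int

def parse_flow_log(text):
    """Turn the whitespace-separated log lines into FlowRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, app, direction, nbytes = line.split()
        records.append(FlowRecord(ts, src, dst, app, direction, int(nbytes)))
    return records

def map_transaction_flows(records):
    """Step 2: per protect surface, who reaches it via which app, and where data leaves to.
    Flows that touch no catalogued protect surface (e.g. 'fileshare') are ignored here."""
    flows = {}
    for r in records:
        surface, peer = (r.dst, r.src) if r.direction == "in" else (r.src, r.dst)
        if surface not in PROTECT_SURFACES:
            continue
        entry = flows.setdefault(surface, {"who_what": set(), "outbound": {}, "in_bytes": 0})
        if r.direction == "in":
            entry["who_what"].add((peer, r.app))
            entry["in_bytes"] += r.nbytes
        else:
            entry["outbound"][peer] = entry["outbound"].get(peer, 0) + r.nbytes
    return flows

def candidate_allow_rules(flows):
    """Observed inbound (who, what) pairs become the starting point for step 4's allow rules;
    everything not listed here is denied by default."""
    rules = []
    for surface in sorted(flows):
        for who, what in sorted(flows[surface]["who_what"]):
            rules.append({"who": who, "what": what, "where": surface,
                          "why": PROTECT_SURFACES[surface]["sensitivity"]})
    return rules

def unexplained_outbound(flows):
    """Data leaving a protect surface towards a peer that never accessed it legitimately
    is the traffic to investigate first: a breach is data getting out."""
    findings = []
    for surface in sorted(flows):
        entry = flows[surface]
        known = {who for who, _ in entry["who_what"]}
        for peer, nbytes in sorted(entry["outbound"].items()):
            if peer not in known:
                findings.append((surface, peer, nbytes))
    return findings

if __name__ == "__main__":
    flows = map_transaction_flows(parse_flow_log(FLOW_LOG))
    for rule in candidate_allow_rules(flows):
        print("candidate allow:", rule)
    for surface, peer, nbytes in unexplained_outbound(flows):
        print(f"REVIEW: {nbytes} bytes left {surface} for {peer}, which is not an authorised accessor")
```

Run it as a script to see the three candidate allow statements and the one outbound flow flagged for review. In practice the catalogue and the flow records would come from your CMDB and your segmentation gateway or flow collector; the aggregation logic is the same.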
When writing policies defining access to your protect surfaces, you can use the layer 7 Kipling method of Zero Trust policy writing. This too was devised by John Kindervag, to simplify the writing of policies. This method is easy to understand and determines what traffic is allowed to cross the micro-perimeter. This prevents unauthorised access to your protect surface and defines the rules that are checked with every access to your DAAS element. They are:
Who - Who or what asserted identity is allowed to access a resource. On a traditional firewall this would be an IP address, but here it's an identity. Authentication type can also be added here.
What - What application is the "who" allowed to use to access the resource. This needs to be validated at layer 7 to stop impersonation of the application at the port and protocol level.
When - At what time is access allowed. 24x7 or at specific times. This is not used often enough today. Access should only be allowed when the "who" needs it. Attackers always try when there is nobody on the system, so the "when" should reflect this. Just-in-time rules.
Where - Where is the resource located? The location of the protect surface could be anywhere data is stored or assets are deployed.
Why - Metadata of the data itself. In most cases, the reason for putting data or an asset into a protect surface is because of its sensitivity. The sensitivity may be defined by a compliance rule or by some business driver. There are often ways of tagging a packet to identify those sensitive data or systems. This tagging creates metadata that various controls can use to inform or automate policy statements.
How - The "how" part states by what criteria we allow this to happen. This is where e.g. threat detection, URL filtering, Data Loss Prevention etc. can be put. This part answers the question "How should the traffic be processed as it accesses the resource?"
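An added example, not from the original article or from John Kindervag's material, of what a Kipling policy looks like once turned into code: a default-deny evaluator in Python in which every rule answers who, what, when, where, why and how, and every decision, allow or deny, is written to an audit log (the "inspect and log" principle). The identities, protect surfaces, time windows, sensitivity tags and inspection step names are constructed for the example; the rule structure is an assumption, not a vendor format.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class KiplingRule:
    """One allow statement in Kipling form (assumed structure for this example)."""
    who: frozenset                      # asserted identities allowed in
    what: frozenset                     # layer-7 applications they may use
    when: Optional[Tuple[time, time]]   # UTC time-of-day window, None means 24x7
    where: str                          # the protect surface this rule guards
    why: str                            # sensitivity tag on the DAAS element
    how: Tuple[str, ...]                # inspection applied to permitted traffic

@dataclass(frozen=True)
class AccessRequest:
    who: str
    what: str
    at: datetime
    where: str
    why: str          # tag carried with the data being accessed

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    how: Tuple[str, ...]

# Constructed policy: two protect surfaces, three allow statements.
POLICY: List[KiplingRule] = [
    KiplingRule(frozenset({"alice@corp"}), frozenset({"hr-portal"}),
                (time(7, 0), time(19, 0)), "hr-db", "pii-high", ("tls-inspect", "dlp")),
    # The batch job only runs in its maintenance window: a just-in-time "when".
    KiplingRule(frozenset({"payroll-svc"}), frozenset({"sql"}),
                (time(1, 0), time(3, 0)), "hr-db", "pii-high", ("tls-inspect", "dlp")),
    KiplingRule(frozenset({"alice@corp", "bob@corp"}), frozenset({"https"}),
                None, "wiki", "internal", ("url-filter",)),
]

AUDIT_LOG: List[Tuple[AccessRequest, Decision]] = []   # every decision, allow or deny

def in_window(at: datetime, when: Optional[Tuple[time, time]]) -> bool:
    """True when the request's UTC time of day falls inside the rule's window."""
    if when is None:
        return True
    start, end = when
    return start <= at.astimezone(timezone.utc).time() < end

def evaluate(req: AccessRequest, policy: List[KiplingRule] = POLICY) -> Decision:
    """Default deny: a request is allowed only if one rule answers all six questions."""
    reason = "default deny: no Kipling rule matches"
    for rule in policy:
        if rule.where != req.where or req.who not in rule.who or req.what not in rule.what:
            continue
        if req.why != rule.why:
            reason = f"deny: data tag {req.why!r} does not match rule tag {rule.why!r}"
            continue
        if not in_window(req.at, rule.when):
            reason = "deny: outside the rule's 'when' window"
            continue
        decision = Decision(True, "allow", rule.how)
        AUDIT_LOG.append((req, decision))
        return decision
    decision = Decision(False, reason, ())
    AUDIT_LOG.append((req, decision))
    return decision

def request(who, what, iso_ts, where, why) -> AccessRequest:
    """Build a request from an ISO-8601 timestamp with offset, e.g. 2023-06-01T10:00:00+00:00."""
    return AccessRequest(who, what, datetime.fromisoformat(iso_ts), where, why)

if __name__ == "__main__":
    for r in [
        request("alice@corp", "hr-portal", "2023-06-01T10:00:00+00:00", "hr-db", "pii-high"),
        request("alice@corp", "hr-portal", "2023-06-01T23:30:00+00:00", "hr-db", "pii-high"),
        request("alice@corp", "sql", "2023-06-01T10:00:00+00:00", "hr-db", "pii-high"),
        request("bob@corp", "https", "2023-06-01T03:00:00+00:00", "wiki", "internal"),
    ]:
        d = evaluate(r)
        print(f"{r.who:12} {r.what:10} {r.where:6} -> {'ALLOW' if d.allowed else 'DENY'} "
              f"({d.reason}) how={d.how}")
```

Note that the "what" check is on the asserted layer-7 application, not a port number, and that a request from an allowed identity using the wrong application, or at the wrong time, falls through to the default deny with the reason recorded in the audit log, which is exactly what the monitoring step needs to see.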
Each of the boxes in the above diagram is a protect surface that you have found on your infrastructure that needs protection. These protect surfaces can be taken one by one in an iterative fashion, and made more secure, so as not to disrupt your ongoing business.
On this curve the X axis defines the time you are on the Zero Trust journey and the Y axis defines the criticality or sensitivity of the protect surface or the single DAAS element.
Start with the learning protect surfaces, that is, those elements that are not so critical but will give you the possibility of learning how to do this. Then you can move on to more critical elements and protect them before you start working on the "crown jewels" of your organisation. Once they are protected you can take the secondary and then the tertiary elements. You can even leave identified surfaces to continue to be protected by whatever measures are there today. This is decided by you and the business.
By doing this you can put project management around this also. This protect surface takes 3 months, this one 1 year, this one 6 months etc and then assign a budget to each protect surface, allowing you to plan and manage the journey.
With the increase in the number of attacks and data breaches over the past year, enterprises need to be much more vigilant when protecting their assets (their "crown jewels"). As our society is relying more and more on digital systems, we are also more open to critical attacks that can seriously damage our infrastructure or at best have serious financial implications.
The US government has "seen the light". President Biden decreed back in 2021 that all federal agencies must adopt security best practices and advance towards a Zero Trust architecture. It's mandated by law.
Why are we behind the curve here in Europe? It is time to take a long look at the measures we have in place to protect our assets be they in the public or private sector.