Zero Trust is actually all about trust

Traditional networks rely on a well-configured firewall between the corporate network and the Internet. That seems obvious: nobody leaves the front door of their house open, so why expose important corporate data to the world? The firewall is meant to keep the bad actors out. It blocks direct access to the internal systems while letting your users reach the Internet. A hard shell round a soft body, so to speak.

But what if the soft body is compromised from within? Once an attacker gains a foothold on an internal system, they can move wherever they want, because they are now on a trusted device inside a trusted network. Moving laterally from system to system, the attacker can gather all manner of data and send it out through the firewall, which permits outbound traffic, to temporary servers they control.

A client asked us to come up with a way of introducing the concept of zero trust to solve a particularly urgent issue, and we were happy to delve into this modern security framework.

Start small, design well, migrate steadily

Zero trust is not a panacea that plugs every security hole, but a well-defined framework within which applications and data are accessed only by the people who need them. The first step was to build inventories of what is known about the users, devices, applications, and data.

Zero trust can be implemented within the existing infrastructure, but this depends on the network technology. It covers the first aspect of zero trust: every device must be authenticated before it is given network access. This was a challenge for the client, who had a large and complex user-facing network. Bringing the switch firmware up to date, and replacing switches that could not perform the device authentication needed (port-based network access control, in practice a standard such as 802.1X), would be a considerable undertaking. However, the benefits would far outweigh the costs. Technologies such as Software Defined Networking (SDN) would provide the micro-segmentation needed to keep data flows apart.

Users needed multi-factor authentication: a user identity proven by a password plus a smart card, so that every user could be positively identified at every stage.

Applications would be a challenge. The client had already built a robust Continuous Integration/Continuous Delivery (CI/CD) pipeline, which also handled the challenge of COTS (commercial off-the-shelf) products, so it was a simple matter to bring into the System Development Lifecycle (SDL) the integration each application needed with the control plane of the zero trust model. The control plane is the zone which controls identity, authentication, and authorisation.

Data, whether accessed directly or via applications, would also be updated to use the control plane. Decisions were taken around the types of services to be supplied.

Building zero trust

A small application was chosen to be the first brought into the zero trust framework. It involved a particular group of users who could be managed carefully. First, their devices were secured and smart cards issued, which addressed the user and device questions. Once a user and device had been authenticated by the control plane, a score was issued against their risk profile. An attribute-based access control (ABAC) profile then determined which applications they were allowed to access, and their security policy was pushed to the SDN, which permitted access to that single application and nothing else.
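The decision chain described above (authenticate the device and user, score the risk, let ABAC pick the applications, program the SDN), as an added example and not the client's control plane. Everything in it is an assumption: the risk weights, the thresholds, the `APPS` catalogue, the segment names and the shape of the flow rules are hypothetical, and the session-request data is constructed inline.

```python
"""Policy decision point for the pilot described above (added example, not the
client's system). Assumed: the control plane receives the attributes of an
authenticated user and device, derives a risk score, evaluates attribute-based
rules and emits the SDN flow rules that enforce the result. Weights, thresholds,
application names and segment names are all hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    department: str
    factors: frozenset   # factors actually presented at logon, e.g. {"password", "smartcard"}


@dataclass(frozen=True)
class Device:
    device_id: str
    port_authenticated: bool   # the switch authenticated the device before granting a port
    managed: bool              # enrolled in the client's device management
    patched: bool              # firmware and OS within the patch window


@dataclass(frozen=True)
class App:
    name: str
    segment: str               # SDN micro-segment the application lives in
    departments: frozenset     # ABAC attribute: who may reach it at all
    max_risk: int              # highest risk score the application will accept


# Constructed sample catalogue for the pilot.
APPS = [
    App("payroll", "seg-fin-payroll", frozenset({"finance"}), max_risk=10),
    App("timesheets", "seg-eng-time", frozenset({"engineering"}), max_risk=30),
]


def risk_score(user: User, device: Device) -> int:
    """Additive risk score, 0 is best. The weights are illustrative assumptions."""
    score = 0
    if "smartcard" not in user.factors:
        score += 40    # no hardware factor: identity only weakly proven
    if "password" not in user.factors:
        score += 20
    if not device.port_authenticated:
        score += 50    # device never authenticated itself to the network
    if not device.managed:
        score += 30
    if not device.patched:
        score += 15
    return score


def evaluate(user: User, device: Device, apps: list) -> tuple:
    """Return (decision, score, allowed application names, SDN flow rules).

    Hard gates first: an unauthenticated device or a user without two factors
    is refused before any attribute is considered. Only then does ABAC decide
    which applications the session may reach, and the flow rules opened are
    exactly those applications' segments plus a default drop.
    """
    score = risk_score(user, device)
    if not device.port_authenticated or len(user.factors) < 2:
        return ("deny", score, [], [])
    allowed = [a for a in apps
               if user.department in a.departments and score <= a.max_risk]
    flows = [{"src": device.device_id, "dst_segment": a.segment, "action": "allow"}
             for a in allowed]
    flows.append({"src": device.device_id, "dst_segment": "*", "action": "drop"})
    return ("allow" if allowed else "deny", score, [a.name for a in allowed], flows)


if __name__ == "__main__":
    alice = User("alice", "finance", frozenset({"password", "smartcard"}))
    laptop = Device("lap-001", port_authenticated=True, managed=True, patched=True)
    print(evaluate(alice, laptop, APPS))
    print(evaluate(alice, Device("lap-001", True, True, patched=False), APPS))
```

The point to notice is the order of checks: device authentication and the second factor are gates, not score inputs, so a session that fails them is never scored into a partial allow; and the flow list ends with a drop rule, so the SDN only ever opens what ABAC explicitly granted.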

Next, the applications were protected, using calls to the control plane to authenticate the application itself. When a user tries to connect, the application checks with the control plane that the user is valid and authenticated before letting them onto the application. Monitoring systems in the control plane continuously watch user activity and build up a profile of each user; every service access adds to it. The moment a user begins to move outside this profile, signals can be sent either to investigate the change or to switch off their access at the network level, depending on how many times they have stepped outside it.

Applications too are closely monitored to ensure they don't step out of line. Applications communicate with other applications; if that communication pattern suddenly changes, the application can be shut down, as it is now considered hostile.
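The profile-and-response loop described in the two paragraphs above, for users and for applications alike, as an added example (not the client's monitoring system). It assumes a profile made of (target, time-of-day bucket) pairs, a warm-up period before the profile is enforced, and escalation counts that treat an application stepping outside its profile as hostile on the first strike; the event stream, thresholds and names are constructed for the example.

```python
"""Continuous monitoring for the control plane (added example, not the client's
code). Each principal, user or application, accumulates a profile of the
(target, time-of-day bucket) pairs it normally uses. An access outside that
profile is a strike: users are first flagged for investigation and have network
access revoked after repeated strikes; an application that steps outside its
profile is treated as hostile and cut off at once. Thresholds, event stream and
names are constructed assumptions."""
from collections import defaultdict

WARMUP = 5                               # events learned before a profile is enforced
REVOKE_AFTER = {"user": 3, "app": 1}     # strikes before access is cut at the network level


class BehaviourMonitor:
    def __init__(self) -> None:
        self.profile = defaultdict(set)  # principal -> {(target, bucket)}
        self.seen = defaultdict(int)     # events observed per principal
        self.strikes = defaultdict(int)  # out-of-profile events per principal

    @staticmethod
    def bucket(hour: int) -> str:
        return "business" if 7 <= hour < 19 else "off-hours"

    def observe(self, principal: str, kind: str, target: str, hour: int) -> str:
        """Record one access and return 'ok', 'investigate' or 'revoke'."""
        key = (target, self.bucket(hour))
        known = self.profile[principal]
        self.seen[principal] += 1
        if self.seen[principal] <= WARMUP or key in known:
            known.add(key)               # still learning, or within profile: extend it
            return "ok"
        self.strikes[principal] += 1     # outside profile: count it, do not learn from it
        if self.strikes[principal] >= REVOKE_AFTER[kind]:
            return "revoke"
        return "investigate"


# Constructed event stream: (principal, kind, target, hour of day).
EVENTS = [
    ("alice", "user", "payroll", 9), ("alice", "user", "payroll", 10),
    ("alice", "user", "payroll", 11), ("alice", "user", "payroll", 14),
    ("alice", "user", "payroll", 15),            # profile learned
    ("alice", "user", "payroll", 16),            # within profile
    ("alice", "user", "payroll", 23),            # same app, unusual hour
    ("alice", "user", "hr-db", 3),               # new target, off-hours
    ("alice", "user", "hr-db", 4),               # third strike
    ("billing-svc", "app", "ledger-db", 2), ("billing-svc", "app", "ledger-db", 3),
    ("billing-svc", "app", "ledger-db", 4), ("billing-svc", "app", "ledger-db", 5),
    ("billing-svc", "app", "ledger-db", 6),      # profile learned
    ("billing-svc", "app", "ftp-drop", 3),       # talks to a host it never has before
]


def replay(events) -> list:
    """Feed events through one monitor and return the decision for each."""
    monitor = BehaviourMonitor()
    return [monitor.observe(*event) for event in events]


if __name__ == "__main__":
    for event, decision in zip(EVENTS, replay(EVENTS)):
        print(f"{event[0]:12} {event[2]:10} {event[3]:02d}:00 -> {decision}")
```

Two design choices matter here. An out-of-profile access is counted but never learned, otherwise an attacker could walk the profile outward one step at a time; and the response is keyed on the kind of principal, so a user's first anomaly triggers investigation while an application's first anomaly cuts it off, which is the asymmetry the text describes.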

Carrying on

Over time, more and more applications and users will be moved into the framework. Zero trust is built on the same network as the traditional, perimeter-trust network: boundaries are created around each zero trust application, and users must be enrolled in the zero trust framework before they can reach the zero trust applications.

We have found that you can build the zero trust framework on top of the existing infrastructure. Zero trust is a framework rather than another hard shell round a soft body; the client now has a soft shell round hard bodies. Security management is no longer a matter of a human making every access decision: the control plane makes those decisions, within the policy that humans have written.