deepagopi2011 - Fotolia

Zero trust is about more than products

The zero trust security model is more than just products and network segmentation, it’s an architectural design principle with identity at its core that needs to be applied enterprise-wide, says KuppingerCole

Identity, and not the network, is at the centre of the zero-trust security model, according to John Tolbert, lead analyst at KuppingerCole.

“Many people associate this approach with the network, but zero trust is really an architectural design principle,” he told Computer Weekly.

“While a zero-trust security model is definitely applicable at the network level, it is about applying a notion of identity – specifically authentication and authorisation.”

This ensures that all traffic within an enterprise is properly authenticated and authorised, whether that is someone coming in from the outside on a virtual private network (VPN) connection, an application talking to another application on the network, or a user trying to use an application on the network.

“All of these scenarios should include identity context and the ability to allow or block that connection based on policies, which is why identity is essentially at the centre of the zero trust principle, which is about knowing who is requesting a connection and what connections they should be allowed to make,” said Tolbert.

“You want to be able to look at the traffic and say ‘should this user be able to perform this operation on this service or move this file’, and so all traffic has to be authenticated and authorised.

“If you start by combining the core concepts of identity management at the network level, then that is where you begin to see zero trust really coming into being,” he said, cautioning against focusing on the network alone and considering zero trust “done” simply by completing a network segmentation project.

Read more about zero-trust security approach

“There is a lot more to [zero trust security] than moving your financial data into a separate VLAN [virtual local area network] and putting that behind a firewall, but you have got to go deeper than that, and I’m afraid that sometimes organisations lose sight of the bigger picture.

“So while network segmentation and VPN modernisation are both a good start – because you can put the most sensitive data in separate segments and put VPN or IPsec tunnels between them and authenticate the traffic on either side – you can’t stop there.

“You have to be able to monitor all the traffic, understand what is normal and should be allowed by policy within your enterprise based on what you want to be able to happen to enable the business, and then be able to block everything else.”

Tolbert said the principle of least privilege is also at the core of zero trust. “Applying this principle is about allowing a user to do only what they need to do to get their job done, but in the past, when many corporate IT networks were built, a firewall was put up at the perimeter, but all of the servers and users were on a single, flat LAN [local area network].

“The problem is that no one was stopping to think about the kinds of traffic that moves between servers, so if users had full access to a server on a network, they were able to do just about anything because there was not much in the way of access controls.”

Blocking malicious actors

Since then, organisations have increasingly understood the need to put more controls in place to identify and block malicious actors on networks, said Tolbert, adding that anyone still operating on a flat network without network and server-level access controls is far more at risk of both insider and external attacks.

“Applying the principle of least privilege ensures that only people who need access to sensitive information are allowed any access to the server that contains it so that to all other users, that server is inaccessible and even invisible, and this can be extrapolated out to cloud services.”

Applying the principle of least privilege as part of a zero trust approach to security, said Tolbert, also helps to reduce the likelihood of opportunistic attacks by disgruntled insiders as well as external attackers, pointing out that the lines between insiders and outsiders are continuing to blur as corporate networks necessarily become more accessible to remote workers, partners, suppliers and even customers.

“If an internal or external attacker is browsing a network, but can’t see what data stores are connected to the network, there is less likelihood that they will target that information and find a way of accessing it.”

While a zero-trust approach will not stop cyber criminals from stealing legitimate credentials to move around networks once they have breached the perimeter defences to get inside the network, Tolbert said zero trust means attackers will have to steal a much greater number of credentials before they are able to move around a network without restriction.

“This will slow them down and force them to make many more attempts at stealing credentials to access data – particularly the most sensitive types of data, which will typically require higher levels of authentication that do not rely on usernames and passwords alone.”

Zero trust a design principle

Observing that a growing number of security technology suppliers are claiming their products are based on zero trust principles, Tolbert reiterated that zero trust is a design principle, and that it cannot be achieved or implemented simply by buying products labelled as such.

“Implementing a zero-trust model typically involves several different security-related projects and deploying a combination of things such as network segmentation, network detection and response, and network traffic analysis to ascertain if network sessions are authenticated and authorised, and shut down those that aren’t.

“You can't buy a specific product to make your enterprise zero trust. It is about improving security by decreasing trust in all those entities seeking to make connections and requiring them to authenticate properly before granting appropriate authorisation based on policy.”

Tolbert is to discuss these topics in more detail in a session entitled Identity is at the centre of zero trust, not the network at the European Identity and Cloud Conference 2019 from 14 to 17 May in Munich.

He is to be joined in a panel discussion on placing identity at the centre of security designs and models by Richard Bird, chief customer information offer at Ping Identity, and David Lee, senior identity strategist at Sailpoint. 

Read more on Hackers and cybercrime prevention