Zero Trust Architecture (ZTA)


Zero trust architecture (ZTA) is a security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed.

  • assumes that all devices, users, and services are not inherently trusted
    • regardless of whether inside or outside a network’s perimeter
  • requires all users and devices to be authenticated and authorized before accessing network resources
  • NIST SP 800-207 Zero Trust Architecture defines Zero Trust as:
    • “cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
  • Trends driving deperimeterization and zero trust
    • cloud
    • remote work
    • mobile
    • outsourcing and contracting
    • wireless networks (Wi-Fi)

Info

CISA’s Zero Trust Maturity Model - https://www.cisa.gov/zero-trust-maturity-model

Key Benefits

  • Greater security
    • Requires all users, devices, and applications to be authenticated and verified before network access.
  • Better access controls
    • Include more stringent limits regarding who or what can access resources and from what locations.
  • Improved governance and compliance
    • Limit data access and provide greater operational visibility on user and device activity.
  • Increased granularity
    • Grants users access to what they need when they need it.

Essential Components of ZTA

  • Network and endpoint security
    • Controls access to applications, data, and networks.
  • Identity and access management (IAM)
    • Ensures only verified users can access systems and data.
  • Policy-based enforcement
    • Restricts network traffic to only legitimate requests.
  • Cloud security
    • Manages access to cloud-based applications, services, and data.
  • Network visibility
    • Analyzes network traffic and devices for suspicious activity.
  • Network segmentation
    • Controls access to sensitive data and capabilities from trusted locations.
  • Data protection
    • Controls and secures access to sensitive data, including encryption and auditing.
  • Threat detection and prevention
    • Identifies and prevents attacks against the network and the systems connected to it.

Concepts

  • fundamental concepts:
    • policy-based authentication / adaptive identity
      • recognizes that
        • user identities are not static
        • identity verification must be continuous and based on a user’s current context and the resources they are attempting to access
    • threat scope reduction and least privilege access
      • access to network resources is granted on a need-to-know basis
      • access is limited to only those resources required to complete a specific task
      • reduces the network’s attack surface
      • limits the damage that a successful attack can cause
    • policy-driven authorization
      • describes how least privilege access control policies are used to enforce permissions and restrictions based on:
        • user identity
        • device posture
        • network context

Info

Device posture refers to the security status of a device, including its security configurations, software versions, and patch levels.

  • device posture assessment involves evaluating the security status of a device
    • to determine whether it meets certain security requirements or poses a risk to the network

Control and Data Planes

In a zero trust architecture, the control and data planes are implemented separately and have different functions.

  • allows for a more flexible and scalable network architecture
  • centralized control plane ensures consistency for access request handling across both:
    • managed enterprise network
    • unmanaged Internet or third-party networks

Control Plane

Control plane manages policies that dictate how users and devices are authorized to access network resources.

  • defines policies and makes access decisions
  • implemented through a centralized policy decision point
    • responsible for:
      • defining policies that limit access to resources on a least privilege basis
      • monitoring network activity for suspicious behavior
      • updating policies to reflect changing network conditions and security threats
    • comprised of two subsystems:
      • policy engine
        • configured with:
          • subject and host identities and credentials
          • access control policies
          • up-to-date threat intelligence
          • behavioral analytics
          • other results of host and network security scanning and monitoring
        • this state data allows it to define an algorithm and metrics for making dynamic authentication and authorization decisions on a per-request basis
      • policy administrator
        • responsible for managing the process of issuing access tokens and establishing or tearing down sessions
          • based on the decisions made by the policy engine
        • implements an interface between the control plane and the data plane

Data Plane

In the data plane, a subject (user or service) uses a system (e.g., a client host PC, laptop, or smartphone) to make requests for a given resource.

  • systems establish sessions for secure information transfers
  • A resource is typically an enterprise app running on a server or cloud
  • Each request is mediated by a policy enforcement point
    • might be implemented as a software agent running on the client host that communicates with an app gateway
    • interfaces with the policy administrator to:
      • set up a secure data pathway if access is approved
      • or tear down a session if access is denied or revoked

Info

  • The processes implementing the policy enforcement point are the only ones permitted to interface with the policy administrator
  • critical to establish a root of trust for these processes so that policy decisions cannot be tampered with

Implicit trust zone is the data pathway established between the policy enforcement point and the resource.

  • e.g.,
    • outcome of a successful access request might be
      • an IPSec tunnel established between
        • a digitally signed agent process running on the client
        • a trusted web application gateway
        • and the resource server
    • because the data is protected by IPSec,
      • it cannot be tampered with by anyone whose only access is to the underlying network infrastructure

Goal

  • goal of zero trust design is to make this implicit trust zone as small as possible, and as transient as possible
  • Trusted sessions might only be established for individual transactions
    • this micro-segmented approach is in contrast with perimeter-based models
      • where trust is assumed once a user has authenticated and joined the network
    • place in the network is not a sufficient reason to trust a subject request
    • even if a user is nominally authenticated,
      • behavioral analytics might cause a request to be blocked or a session to be terminated
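As an added illustration of the policy-driven authorization concepts above (identity, device posture, network context) together with the policy engine / policy administrator split and the transient implicit trust zone, here is a toy policy engine in Python; it is example code written for these notes, not code from NIST SP 800-207 or any vendor, and all classes, field names (roles, days_since_patch, risk_score) and policy values are assumptions made for the example.

```python
import time
from dataclasses import dataclass
# All classes, policies and sample values here are constructed for this example.

@dataclass
class Subject:                  # identity as seen by the policy engine
    user: str
    roles: set
    mfa_verified: bool
@dataclass
class Device:                   # device posture reported by the endpoint agent
    device_id: str
    managed: bool
    days_since_patch: int
    disk_encrypted: bool
@dataclass
class Context:                  # network context plus behavioral-analytics risk score
    on_corp_network: bool
    risk_score: float           # 0.0 normal .. 1.0 anomalous

# Least-privilege policy per resource: roles with need-to-know, tolerated posture and risk.
POLICIES = {
    "payroll-app": {"roles": {"hr"}, "max_patch_age": 30, "max_risk": 0.5},
    "wiki": {"roles": {"hr", "eng"}, "max_patch_age": 90, "max_risk": 0.8},
}

def policy_engine(subject, device, context, resource):
    """Per-request decision, default deny; on_corp_network is deliberately ignored (location is not trust)."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False, "unknown resource: default deny"
    if not subject.mfa_verified:
        return False, "identity not verified"
    if not subject.roles & policy["roles"]:
        return False, "role has no need-to-know for this resource"
    if not (device.managed and device.disk_encrypted):
        return False, "device posture: unmanaged or unencrypted"
    if device.days_since_patch > policy["max_patch_age"]:
        return False, "device posture: patches too old"
    if context.risk_score > policy["max_risk"]:
        return False, "behavioral analytics: risk score too high"
    return True, "allowed"

def policy_administrator(subject, device, context, resource, ttl_seconds=300):
    """Issue a short-lived session (the transient implicit trust zone) only when the engine allows."""
    allowed, reason = policy_engine(subject, device, context, resource)
    if not allowed:
        return None, reason
    return {"user": subject.user, "device": device.device_id, "resource": resource,
            "expires_at": time.time() + ttl_seconds}, reason
```

The policy enforcement point would present the returned session to the resource and tear it down once `expires_at` passes or the engine revokes it on a later request.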

Zero Trust Examples

  • Google BeyondCorp
    • widely recognized example of a zero trust security architecture
    • uses a system of multiple security layers, including identity verification, device verification, and access control policies, to secure Google’s internal network
    • has enabled Google to provide its employees with remote access to company resources while maintaining high security
  • Cisco Zero Trust Architecture
    • Cisco has developed a comprehensive zero trust security architecture incorporating network segmentation, access control policies, and threat detection and response capabilities
    • the architecture is designed to protect against a wide range of cyber threats, including insider threats and external attacks
  • Palo Alto Networks Prisma Access
    • Prisma Access is a cloud-delivered security service that uses a zero trust architecture to secure network traffic
    • provides secure access to cloud and Internet resources while also preventing data exfiltration and other cyber threats