NSA and Microsoft promote a Zero Trust approach to cybersecurity

The National Security Agency (NSA) and Microsoft are advocating the Zero Trust security model as a more effective way for organizations to defend themselves against today’s increasingly sophisticated threats.

The concept has been around for some time and is based on the assumption that an attacker may already be on the network, so local devices and connections should never be trusted implicitly and every access must be verified.

Cybersecurity companies have been adopting the zero trust network model for years, moving away from traditional perimeter-based security design that considered only external threats.

The model was created in 2010 by John Kindervag, then a principal analyst at Forrester Research, who also coined the term “zero trust”, although he notes that its origins go back to the early 2000s. Google implemented zero trust security concepts after Operation Aurora in 2009, in an internal project that became BeyondCorp.

Zero trust defense for critical networks

The recent attack on SolarWinds’ supply chain, also attributed to a state actor, renewed the discussion about the benefits of zero-trust security architecture for confidential networks.

Microsoft President Brad Smith defended the zero trust model in his US Senate testimony about the SolarWinds cyber attack, saying that this concept is the best approach for an organization or agency to ensure the security of identities on its networks.

Speaking about the security of the US government networks targeted by the attack, Smith said:

“Basic cyber security and hygiene best practices were not in place with the regularity and discipline that we would expect from federal clients with agency security profiles. In most cases, multi-factor authentication, least privileged access and other requirements to establish a “zero trust” environment were not in place. Our experience and data strongly suggest that if these steps had been in place, the attacker would have had limited success in compromising valuable data, even after gaining access to the agency’s environments” – Brad Smith, President of Microsoft

Now, both NSA and Microsoft are recommending the zero-trust security model for critical networks (National Security Systems, Department of Defense, Defense Industrial Base) and large companies.

Zero Trust is a long-term project

The guiding principles of this concept are constant verification of user authentication and authorization, least privileged access, and segmented access based on the network, user, device and application.

(Diagram source: Microsoft)

The diagram above, from Microsoft, shows how a Zero Trust security policy enforcement engine evaluates each request in real time. The model grants access to data, applications, infrastructure and networks only after verifying and authenticating identities and confirming that the devices involved are secure.

Understanding and controlling how users, processes and devices engage with data is the fundamental objective of Zero Trust, explains the NSA.

Several data points are needed to paint an accurate picture of the activity on the network, assess its legitimacy and prevent lateral movement by the threat actor.

By combining user and device data with security-relevant context such as location, time and observed behavior, the system can allow or deny access to specific assets, and each decision is recorded for use in future analysis of suspicious activity. This process applies to every individual access request to a sensitive resource.

Building a mature zero trust environment, however, is not an overnight task but a gradual transition that usually requires additional resources, and it does not by itself address new adversary tools, tactics or techniques.

“Zero Trust incorporates comprehensive security monitoring; granular risk-based access controls; and automation of system security in a coordinated manner in all aspects of the infrastructure, in order to focus on the protection of critical assets (data) in real time within a dynamic threat environment” – National Security Agency

The good news is that the transition can be incremental and reduces risk at each step, dramatically improving visibility and automated responses over time.

(Source: National Security Agency)

Benefits of the Zero Trust network

To show the benefits of a Zero Trust network, the NSA gives three examples based on real cybersecurity incidents in which the threat actor would not have been successful if the concept had been implemented.

In the first, the actor accessed the victim organization’s network from an unauthorized device using legitimate credentials stolen from an employee – a level of authentication that is sufficient in a traditional security environment.

The second example presents a malicious party that is either an insider threat or an actor who has compromised “a user’s device through an Internet-based mobile code exploit”.

In a typical environment, the actor can enumerate the network, escalate privileges and move laterally across the network to establish persistence or find valuable data and systems.

(Source: National Security Agency)

The NSA’s third example is an attack on the supply chain, in which the actor adds malicious code to “a popular business network application or device” that the victim organization maintains and regularly updates in accordance with best practices.

In a Zero Trust architecture, the compromised device or application would not be able to communicate with the threat actor because it would not be trusted by default.

“Its privileges and access to data would be tightly controlled, minimized and monitored; segmentation (macro and micro) would be enforced by policy; and analytics would be used to monitor for anomalous activity. In addition, although the device can download updates for signed applications (malicious or not), the device’s allowed network connections under a Zero Trust design would be governed by a default-deny security policy, so any attempt to connect to other remote addresses for command and control would probably be blocked” – National Security Agency (NSA)
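The per-request decision process described earlier (user, device and context signals combined into an allow/deny decision that is logged) and the default-deny connection policy in the NSA’s third example, as one added illustration that is not code from the NSA or Microsoft guidance. The resource policies, the egress allow-list and the request values are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool
    device_compliant: bool   # managed device that passed posture checks
    location: str
    hour: int
    resource: str

# Hypothetical per-resource policy (constructed): who may reach it, from where, and when.
RESOURCE_POLICY = {
    "hr-db": {"users": {"alice"}, "locations": {"office", "vpn"}, "hours": range(7, 20)},
    "wiki": {"users": {"alice", "bob"}, "locations": {"office", "vpn", "home"}, "hours": range(24)},
}
# Egress allow-list per application segment (constructed); anything else is denied by default.
EGRESS_ALLOWLIST = {"update-agent": {"updates.example.com:443"}}

AUDIT_LOG = []  # every decision is recorded for later analysis of suspicious activity

def evaluate_access(req: AccessRequest):
    """Return ('allow'|'deny', reasons) for one request; the default outcome is deny."""
    reasons = []
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        reasons.append("unknown resource")          # nothing is granted implicitly
    else:
        if req.user not in policy["users"]:
            reasons.append("user not authorized for resource")
        if not req.mfa_passed:
            reasons.append("MFA not satisfied")
        if not req.device_compliant:
            reasons.append("device not trusted")     # stolen credentials on a rogue device fail here
        if req.location not in policy["locations"]:
            reasons.append("location not permitted")
        if req.hour not in policy["hours"]:
            reasons.append("outside permitted hours")
    decision = "deny" if reasons else "allow"
    AUDIT_LOG.append({"kind": "access", "user": req.user, "resource": req.resource,
                      "decision": decision, "reasons": list(reasons)})
    return decision, reasons

def evaluate_egress(app: str, destination: str):
    """Default-deny outbound policy: a compromised but signed app still cannot reach arbitrary hosts."""
    decision = "allow" if destination in EGRESS_ALLOWLIST.get(app, set()) else "deny"
    AUDIT_LOG.append({"kind": "egress", "app": app, "dest": destination, "decision": decision})
    return decision
```

Note that a denied request produces every failing reason, not just the first, so the audit record shows the full picture of why the request looked anomalous.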

The agency acknowledges that, beyond the technical challenges of re-engineering an existing information system around the Zero Trust model, organizational resistance can be another obstacle that reduces the system’s effectiveness.

Users, administrators and top management must adopt the same mindset for Zero Trust to work. That is, leaders must commit the resources to build and maintain it, network administrators and defenders must have the necessary expertise, and users must not be able to circumvent policies.

“Once even basic or intermediate Zero Trust capabilities are integrated into a network, follow-up is needed to mature the implementation and obtain all the benefits”, says the NSA.

The agency is now working with DoD clients to set up Zero Trust systems and coordinate activities with current NSS and DoD programs.

Additional guidance is being prepared to make Zero Trust principles easier to incorporate into corporate networks. Organizations seeking to embrace the concept can also find documentation and methodology from NIST, as well as from various cybersecurity companies, some of which offer solutions to facilitate implementation.
