Understanding and Implementing a Zero Trust Security Framework

An Alternative Idea for Ensuring Complete Protection for your Valuable Information Assets

by: Terri Rue-Woods, Information Assurance/Executive Strategy Officer, e-End

DreamPort is a cyber innovation, collaboration, and prototyping facility located in Columbia, MD.

Recently, representatives from e-End visited the DreamPort cyber tech demonstration center in Columbia, MD, to participate in one of its ‘Tech Talk’ events. The event, entitled “The Importance of Building Your Zero Trust Program on a Solid Platform,” focused on ways organizations can improve their infrastructure security.

The guest speaker, Mr. Kevin McPeak, is an employee of Symantec. McPeak, who serves as a Principal Cyber Architect for the US Federal Government, discussed how, through his company’s cloud-based server-access methodology, businesses can gain significant levels of security and protection from the ever-growing sophistication of cyber attacks. Symantec offers enterprise network security services that incorporate the Zero Trust Security Framework model for both on-premises and cloud-based networks.

What is a Zero Trust Model?

To understand the benefit of these programs, one must first understand the design and concepts they are based on. A Zero Trust Model, or Zero Trust Architecture, is a concept comprised of security and threat-analysis methods. These methods operate on the assumption that the end users, systems, and services that work within a company’s network should NOT be automatically trusted. The ZT Model requires total verification of anything and everything that tries to connect to the system before access is granted. In other words, be paranoid, be very, very paranoid.

“The strategy around Zero Trust boils down to don’t trust anyone. We’re talking about, ‘Let’s cut off all access until the network knows who you are.’” says Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Mass. He states, “Don’t allow access to IP addresses, machines, etc. until you know who that user is and whether they’re authorized.”

Where Did It Begin?

An Example of The Zero Trust Framework

The Zero Trust network model was developed in 2010 by John Kindervag, a Principal Security Analyst at Forrester Research. It took roughly seven years for the concept to gain popularity, as more and more enterprise-level technologies came to market with the support needed to implement Zero Trust security.

How to Use the Zero Trust Approach

Micro-segmentation allows security policies to be defined by workload, applications, VM, OS, or other characteristics. Source: VMware

According to McPeak, a Zero Trust Privilege approach is designed to give the network infrastructure the ability to grant least-privilege access based on verification of the user or system requesting access, the context of the request, and the risk of the access environment. Zero Trust is a general approach that calls for enterprises to maximize the advantages of ‘micro-segmentation’, a way of creating small secure zones within their on-premises and cloud-based networks to provide isolated work areas.

This segregation is aimed at implementing individually secure spaces with granular perimeter enforcement, so that if one system is attacked, the threat remains quarantined in a small area and does not affect the entire network.
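To make the three inputs McPeak names (verified identity, request context, environment risk) and the micro-segmentation rule concrete, here is a small policy engine written for this article; it is an added illustration, not Symantec’s product nor any vendor’s code. The zone names, roles, users and requests are constructed sample data, and the risk scoring is a simplified assumption. The point it shows is that a request from a zone “inside” the network gets no implicit trust: every request is checked against an explicit allow list, and anything not listed is denied.

```python
"""Toy Zero Trust policy engine (added example; constructed data throughout)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Micro-segmentation: each workload lives in a named zone. Only the listed
# (source zone, destination zone) paths exist at all, and each path carries the
# set of roles allowed to cross it. An empty set means the path is visible to
# the policy but nobody may use it; an unlisted path is denied by default.
SEGMENT_POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("user-laptops", "hr-app"): {"hr"},
    ("user-laptops", "payroll-db"): set(),           # no direct user access to the DB
    ("hr-app", "payroll-db"): {"hr-app-service"},    # only the app's service identity
}


@dataclass
class Request:
    subject: str           # who is asking (constructed sample user/service names)
    roles: Set[str]        # roles asserted by the identity provider
    mfa_verified: bool     # identity verification result for this session
    device_managed: bool   # context: is the device under management?
    source_ip_known: bool  # context: is the source address a known location?
    off_hours: bool        # context: outside the subject's normal working hours?
    src_zone: str          # micro-segment the request originates from
    dst_zone: str          # micro-segment holding the requested workload


def risk_score(req: Request) -> int:
    """Environment risk from 0 (low) to 3 (high); each risky signal adds one.
    Assumed scoring for illustration, not a standard formula."""
    score = 0
    if not req.device_managed:
        score += 1
    if not req.source_ip_known:
        score += 1
    if req.off_hours:
        score += 1
    return score


def decide(req: Request, max_risk: int = 1) -> Tuple[bool, str]:
    """Evaluate one access request and return (allowed, reason).

    All three checks run on every request, regardless of where it comes from;
    being inside a trusted-looking zone buys nothing on its own.
    """
    # 1. Verify the requester: an unverified session never proceeds to policy.
    if not req.mfa_verified:
        return False, "identity not verified (MFA required)"

    # 2. Context / least privilege: the path must exist in the segment policy and
    #    one of the subject's roles must be permitted to cross it.
    allowed_roles = SEGMENT_POLICY.get((req.src_zone, req.dst_zone))
    if allowed_roles is None:
        return False, f"no policy for {req.src_zone} -> {req.dst_zone} (default deny)"
    if not (req.roles & allowed_roles):
        return False, f"role not permitted on {req.src_zone} -> {req.dst_zone}"

    # 3. Risk of the access environment: a valid role is still refused when the
    #    session looks too risky (unmanaged device, unknown location, odd hours).
    risk = risk_score(req)
    if risk > max_risk:
        return False, f"environment risk {risk} exceeds threshold {max_risk}"
    return True, f"least-privilege access granted (risk {risk})"


def sample_requests() -> Dict[str, Request]:
    """Constructed requests that exercise each decision branch."""
    return {
        "hr_user_to_hr_app": Request("alice", {"hr"}, True, True, True, False,
                                     "user-laptops", "hr-app"),
        "hr_user_direct_to_db": Request("alice", {"hr"}, True, True, True, False,
                                        "user-laptops", "payroll-db"),
        "hr_user_from_app_zone": Request("alice", {"hr"}, True, True, True, False,
                                         "hr-app", "payroll-db"),
        "app_service_to_db": Request("hr-app", {"hr-app-service"}, True, True, True,
                                     False, "hr-app", "payroll-db"),
        "risky_session": Request("alice", {"hr"}, True, False, True, True,
                                 "user-laptops", "hr-app"),
        "no_mfa": Request("alice", {"hr"}, False, True, True, False,
                          "user-laptops", "hr-app"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        allowed, reason = decide(req)
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Note the `hr_user_from_app_zone` case: a human with the `hr` role who has somehow reached the application zone is still refused at the database, because that path is reserved for the application’s own service identity. That is the containment the segregation paragraph describes, expressed as policy rather than as a firewall boundary.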

Implementing a Zero Trust model for your company can be extremely beneficial in its own right. However, McPeak urges companies not to stop there. Symantec developed an Integrated Cyber Security Platform as a business solution that joins together several of its security products in an effort to provide coverage for key areas. Through Symantec’s ICSP product integration, they plan to offer protection of customer data in Software as a Service (SaaS) applications, enhanced endpoint security to defend against targeted cyber attacks, and security for infrastructure from the endpoint to the cloud. McPeak noted that Symantec’s Integrated Cyber Security Platform exists as part of their Global Intelligence Network, one of the world’s largest civilian threat intelligence networks to date.

Of course, McPeak’s discussion points were essentially geared towards marketing his company’s products. Yet he did mention that businesses can deploy their own Zero Trust Architecture however they need. Applying the principles of Zero Trust in conjunction with Symantec-modeled support seems like the best way to go; however, it does not have to be the only way.

Is there a downside?

One notable question from an audience member concerned Zero Trust and its position in the CIA model. CIA, not to be confused with the Central Intelligence Agency, stands for Confidentiality, Integrity, and Availability. Also known as the CIA triad, it is a set of governing principles that guide information security policy within an organization. Because Zero Trust is such a high-security application, the questioner asked whether it would interfere with the availability principle of the triad. Availability in the model refers to the guarantee of reliable and constant access to a company’s sensitive data by authorized people.

The answer seems to lie in each company’s own ZT framework. As important as the availability of data is as a security concept, the ZT model only requires that the principle of least privilege and extensive verification be in place, rather than the old standard of allowing sys-admins to become ‘iGods’ of the network.

Also, because much of the application of Zero Trust relies heavily on setting up, and possibly automating, systems to act as the verifying sources, a big question remains about what should be done with older (legacy) systems that have no concept of the practice and no ability to be modified for it. Since Zero Trust is a somewhat newer idea, several systems lack the capacity to authenticate users to the requirements of ZT.

How This Could Help Companies

Regardless of the likely implementation obstacles, the Zero Trust model is still considered one of the best data breach protection solutions. The old, and still current, approach to perimeter security is problematic. Many cyber security experts have come to agree that the method is no longer working. Once hackers breach a company’s main corporate firewall, they are easily able to move throughout the internal infrastructure without much resistance. And since the main focus is on protecting the network’s front line, internal systems are left vulnerable and neglected. In addition, with the introduction of atypical network topologies and hybrid cloud data stores, infrastructure perimeters lack clear definition. In other words, with end users accessing a company network from multiple devices and locations, once the system is breached it could be virtually impossible to control the damage.

Finally, it seems that many business executives fail to notice that the biggest risk facing the protection of their data comes from within.

Spencer Coursen, President of the Coursen Security Group, and an expert adviser in the field of threat assessment and protective intelligence strategies noted that “According to a recent report [by Clearswift Cyber Security], 58% of all security incidents can be attributed to insider threats.”

Today, several cloud service providers are implementing a Zero Trust model as a security feature. Companies like Okta, Microsoft, and Google all have their own ZT framework in place. Corporate owners are finding that, with the increase in cyber criminal activity coupled with the complexity of network infrastructure designs, the only way to ensure data protection is to enlist maximum security techniques. It may not be a practice for everyone; however, the implementation of a Zero Trust model is considered a good way to follow the saying, “Better EXTRA Safe than Sorry.”