Sunday, April 30, 2023

Getting to "Zero Trust" architecture and philosophy

In PMO school, they teach you that trust is everything when building a successful project team.
Fair enough.

But now comes "Zero Trust", and the "Zero Trust Architecture" which is more like a philosophy than an architecture. And, of course, the acronyms: ZT and ZTA.

I don't know if NIST (*) coined this phrase, 'zero trust', but they have a proposed zero trust architecture you can read about here. 

The motive for developing ZTA was a realization that security threats to an enterprise's intellectual property (IP), whether corporate proprietary or government classified, are more often now inside the perimeter of a security firewall. Indeed, with the proliferation of remote working, the 'cloud, and 'bring-your-own-device (BYOD), the very idea of a perimeter is somewhat bye-the-bye. And so IP protection can no longer just be a matter of a security firewall around the enterprise.

So if you are philosophically in touch with 'zero trust', the idea is that every element of IP is subject to an enforced need-to-know, and an enforced limitation on copy and dissemination. The perimeter really no longer exists; a pass through the perimeter, even if existent, is relatively unproductive because of ZT gates on the IP.

The idea is to move from protecting a perimeter or a network segment to protecting the actual resource that is the IP of the enterprise. In effect, it is realized that there will be persistent active threats in the network; the security objective is to block them from accessing the actual IP.

ZT according to NIST
NIST says this: "Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network- based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows.

ZT is not a single architecture but a set of guiding principles for workflow, system design and operations that can be used to improve the security posture of any classification or sensitivity level. Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.  

Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. 

Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud- based assets that are not located within an enterprise-owned network boundary. Zero trust focus on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource."

NIST continues: 
"In this new paradigm, an enterprise must assume no implicit trust and continually analyze and evaluate the risks to its assets and business functions and then enact protections to mitigate these risks. In zero trust, these protections usually involve minimizing access to resources (such as data and compute resources and applications/services) to only those subjects and assets identified as needing access as well as continually authenticating and authorizing the identity and security posture of each access request."

Their conclusion:
"When balanced with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and best practices, a ZTA can protect against common threats and improve an organization’s security posture by using a managed risk approach.

(*) NIST: National Institute for Standards and Technology

Like this blog? You'll like my books also! Buy them at any online book retailer!