NSA, Microsoft promote Zero Trust approach to cyber security

The National Security Agency (NSA) and Microsoft are advocating for the Zero Trust security model as a more effective way for businesses to defend against the increasingly sophisticated threats of today.

The concept has been around for some time and focuses on the assumption that an intruder may already be on the network, and therefore local devices and connections should never be implicitly trusted, and verification is always necessary.

Cyber security companies have been pushing the zero-trust network model for years as a transition away from the traditional security design that only considers external threats.

The model was created in 2010 by John Kindervag, then chief analyst at Forrester Research, who also coined the term ‘zero trust’ at the time, although discussions about it began in the early 2000s. Google implemented a zero-trust security concept following Operation Aurora in 2009, in an internal project that became BeyondCorp.

Zero Trust Critical Network Defense

The recent attack on the SolarWinds supply chain, also attributed to a nation-state actor, has renewed the discussion about the benefits of a zero trust security architecture for sensitive networks.

Microsoft President Brad Smith advocated the zero-trust model in his testimony before the US Senate regarding the SolarWinds cyber attack, saying that this concept is the best approach for an organization or agency to secure identities in its networks.

Smith spoke about the security of U.S. government networks targeted by the attack:

“Basic cyber hygiene and security practices were not applied with the regularity and discipline we would expect from federal customers with the security profiles of the agencies. In most cases, multifactor authentication, least privileged access and the other requirements for a ‘Zero trust’ environment were not in place. Our experience and data strongly suggest that if these steps were in place, the attacker would have had only limited success in compromising valuable data, even after gaining access to agency environments.” – Brad Smith, Microsoft President

Now the NSA and Microsoft are recommending the zero-trust security model for critical networks (National Security Systems, Department of Defense, Defense Industrial Base) and large enterprises.

Zero Trust is a long-term project

The guiding principles of this concept are continuous verification of user authentication and authorization, least-privilege access, and segmented access based on network, user, device and app.

source: Microsoft

The above diagram from Microsoft shows how Zero Trust evaluates security with a real-time policy engine. The model grants access to data, applications, infrastructure and networks only after the user’s identity has been verified and the device has been validated.

The NSA explains that understanding and controlling how users, processes and devices handle the data is the fundamental goal of Zero Trust.

Multiple data points are needed to sketch an accurate picture of the activity on the network, evaluate its legitimacy and prevent the lateral movement of an actor.

The combination of user and device data with security-relevant context such as location, time and recorded behavior can be used by the system to allow or deny access to specific assets, and the decision is recorded for use in future analyses of suspicious activity. This process applies to each individual access request to a sensitive resource.

However, building a mature zero-trust environment is not done overnight; it is a gradual transition that often requires additional capabilities, as it does not by itself address new adversary tools, tactics or techniques.

“Zero Trust carries out comprehensive security monitoring; granular risk-based access control; and system security automation in a coordinated manner through all aspects of the infrastructure, in order to focus on the protection of critical assets (data) in real-time within a dynamic threat environment.” – National Security Agency

The good news is that the transition can be incremental and reduce the risk at every step, which can drastically improve visibility and automated responses over time.

source: National Security Agency

Zero Trust network benefits

To demonstrate the benefits of a Zero Trust network, the NSA gives three examples based on actual cyber security incidents where the threat actor would have been unsuccessful if the concept had been implemented.

In the first one, the actor gained access to the network of a victim organization from an unauthorized device using legitimate credentials stolen from an employee – a level of verification sufficient in a traditional security environment.

The second example involves a malicious party who is either an insider threat or an actor who has compromised a user’s device through an internet-based mobile code exploit.

In a typical environment, the actor can enumerate the network, escalate privileges, and move laterally across the network to establish persistence or find valuable data and systems.

source: National Security Agency

The NSA’s third example is a supply chain attack, where the actor adds malicious code to a popular enterprise network device or application that the victim organization maintains and updates regularly according to best practices.

Under a Zero Trust architecture, the compromised device or app cannot communicate with the threat actor because it is not trusted by default.

“The privileges and access to data are strictly controlled, minimized and monitored; segmentation (macro and micro) would be applied by policy; and analysis will be used to monitor for deviant activity. In addition, while the device may download signed application updates (malicious or not), the device’s permitted network connections under a Zero Trust design will use a default-deny security policy, hence any attempt to connect to other remote command and control addresses will likely be blocked.” – National Security Agency (NSA)
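The per-request evaluation described earlier (user and device data combined with location, time and recorded behavior, with every decision logged) and the three NSA incident patterns above can be replayed against a small policy engine. The following is an added illustration written for this article; it is not NSA or Microsoft code and it follows no particular product’s API. The device inventory, resource entitlements, egress allow-list, user names, hostnames and the 203.0.113.5 address are all constructed for the example. It goes slightly beyond the text by handling both resource requests and outbound (egress) connections in one engine, so that the default-deny network policy from the quote and the identity and device checks from the first two examples share a single decision log.

```python
"""Toy Zero Trust policy engine (illustrative; not NSA or Microsoft code).

Every access request is evaluated against identity, device, context and
behaviour signals; nothing is trusted by default and every decision is logged.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed inventories. In a real deployment these come from the identity
# provider, the device-management system and the network policy store.
ENROLLED_DEVICES = {"lt-0042": "alice", "srv-app-07": "svc-inventory"}  # device -> owner
COMPLIANT_DEVICES = {"lt-0042", "srv-app-07"}                            # passed health checks
RESOURCE_POLICY = {  # least privilege + segmentation: who may reach what, from where
    "hr-db": {"users": {"alice"}, "segment": "corp-lan", "sensitive": True},
    "inventory-api": {"users": {"svc-inventory"}, "segment": "dmz", "sensitive": False},
}
EGRESS_ALLOWLIST = {"srv-app-07": {"updates.vendor.example:443"}}  # default deny otherwise
BASELINE_HOURS = {"alice": (7, 19)}  # recorded working hours (UTC), a behaviour baseline


@dataclass
class Request:
    user: str
    device: str
    mfa: bool
    kind: str          # "resource" or "egress"
    target: str        # resource name, or "host:port" for egress
    segment: str = "corp-lan"
    location: str = "office"
    at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


DECISION_LOG: list[dict] = []  # every decision is kept for later analysis


def evaluate(req: Request) -> tuple[bool, str]:
    """Decide one request and record the outcome; returns (allowed, reason)."""
    allowed, reason = _decide(req)
    DECISION_LOG.append({"user": req.user, "device": req.device, "kind": req.kind,
                         "target": req.target, "allowed": allowed, "reason": reason,
                         "at": req.at.isoformat()})
    return allowed, reason


def _decide(req: Request) -> tuple[bool, str]:
    # 1. Identity: valid credentials alone are never enough; MFA is required every time.
    if not req.mfa:
        return False, "mfa-required"
    # 2. Device: must be enrolled to this user and currently compliant.
    if ENROLLED_DEVICES.get(req.device) != req.user:
        return False, "unauthorized-device"
    if req.device not in COMPLIANT_DEVICES:
        return False, "device-not-compliant"
    if req.kind == "egress":
        # 3a. Network: default deny; only allow-listed destinations per device.
        if req.target in EGRESS_ALLOWLIST.get(req.device, set()):
            return True, "egress-allowlisted"
        return False, "egress-default-deny"
    policy = RESOURCE_POLICY.get(req.target)
    if policy is None:
        return False, "unknown-resource"
    # 3b. Least privilege and segmentation: the right identity from the right segment.
    if req.user not in policy["users"]:
        return False, "not-entitled"
    if req.segment != policy["segment"]:
        return False, "segment-mismatch"
    # 4. Context and behaviour: access to sensitive data outside the recorded
    #    hours or from an unusual location is treated as deviant and denied.
    if policy["sensitive"]:
        start, end = BASELINE_HOURS.get(req.user, (0, 24))
        if not (start <= req.at.hour < end) or req.location != "office":
            return False, "deviant-context"
    return True, "allowed"


def nsa_scenarios() -> dict[str, str]:
    """Replay the three incident patterns from the NSA guidance and return each reason."""
    at = datetime(2021, 3, 1, 10, 0, tzinfo=timezone.utc)  # constructed timestamp
    return {
        # 1. Stolen but valid credentials (even with MFA) used from a device that is not enrolled.
        "stolen-credentials": evaluate(Request("alice", "unknown-laptop", True, "resource", "hr-db", at=at))[1],
        # 2. Compromised user device attempting lateral movement to a resource it is not entitled to.
        "lateral-movement": evaluate(Request("alice", "lt-0042", True, "resource", "inventory-api", at=at))[1],
        # 3. Compromised app on a server calling out to an address that is not allow-listed.
        "supply-chain-c2": evaluate(Request("svc-inventory", "srv-app-07", True, "egress", "203.0.113.5:443", at=at))[1],
        # The same server fetching signed updates from its approved vendor host still works.
        "supply-chain-update": evaluate(Request("svc-inventory", "srv-app-07", True, "egress", "updates.vendor.example:443", at=at))[1],
    }


if __name__ == "__main__":
    for name, reason in nsa_scenarios().items():
        print(f"{name:20s} -> {reason}")
    print(f"{len(DECISION_LOG)} decisions logged")
```

Each check returns a distinct reason string so that the decision log can later be queried for patterns (repeated `unauthorized-device` denials for one account, a server suddenly producing `egress-default-deny` entries), which is the kind of analysis of deviant activity the guidance refers to. Note that the engine never short-circuits to “allowed” on the strength of a single signal: a verified identity on a non-compliant device, or a compliant device outside its entitlements, is denied all the same.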

The agency recognizes that, in addition to the technical challenges of re-engineering an existing information system around the Zero Trust model, resistance within the organization can be another obstacle that reduces the effectiveness of the system.

Users, administrators and top management must all adopt the same mindset to make Zero Trust work. That is, leaders must commit the resources to build and maintain it, network administrators and defenders must have the necessary expertise, and users must not be able to circumvent the policy.

“Once even basic or intermediate Zero Trust features are integrated into a network, it is necessary to perfect the implementation and achieve full benefits,” the NSA said.

The agency works closely with DoD clients to set up Zero Trust systems and coordinate activities with current NSC and DoD programs.

Additional guidance is being prepared to help apply the principles of Zero Trust in industry networks. Organizations wishing to adopt the concept can also find documentation and methodology from NIST as well as from various cyber security companies, some of which offer solutions that ease implementation.
