Zero Trust
Trust No One With The Keys To Your Data!
by David Wren
The changes forced on companies by the Covid-19 pandemic have led to greater decentralization of our networks and access points. Membership in our network is no longer a function of where people are located (i.e., in an office or a secure environment). Anyone with a virtual private network (VPN) connection can connect directly into your internal systems and access files, applications and services. Our concern, borne out by experience, is that bad actors can easily slip in through a phishing campaign or capitalize on a VPN misconfiguration to gain access to your internal network. Their VPN traffic would come from an unfamiliar geographic location, just like that of everyone else working from home. That is why adopting zero trust network access (ZTNA) matters: it avoids the broad strokes that are often made with security policy and focuses on specific users, their level of access, and the context in which they are connecting. In addition to ZTNA, a product such as Network Technology Partners’ ARGISS can provide peace of mind that, if your systems are compromised, the bad actors are detected and vulnerabilities are swiftly remediated.
The concept of zero trust assumes attackers are already inside your network and aims to block any access that has not been authenticated, rather than granting trust by default. Traffic that arrives from your internal network can still be malicious or insecure. That is why zero trust demands that we withhold access by default and treat the user as potentially malicious, instead of letting our guard down because the user is on the same internal network or domain. Traditionally, if you were in the office and connected using office devices, trust was granted to you because the context was thought to be secure. Zero trust implies that internal and external traffic must be held to the same security standard: users must be authenticated and verified every time.
Zero trust environments also follow the strategy of least privilege. Every user should have access to what he or she needs and nothing more. If unwarranted access is granted to users, then they or malicious actors may be able to interact with data or services outside of their scope. Least privilege helps promote zero trust environments by reducing the risk and access associated with each point of authentication.
Zero trust environments use micro-segmentation to divide the resources your system’s authentication grants into security zones. Access to each zone is granted separately, so that the compromise of one section does not affect the security of the others. In practice, this principle requires the user to be specifically authorized for every security section, further promoting least privilege and strengthening your security posture.
Zero trust environments need the granular control of micro-segmentation to better follow the principle of least privilege. But this still leaves the user vulnerable to a targeted credential attack. As I have been zealous about before, using multi-factor authentication is the next step in ensuring a zero trust environment. In this case we are not trusting the confidentiality of the user’s credentials. If a user were to be phished for credentials, a bad actor would have everything he or she needs to access what your user can access. One convincing login page and your system is compromised. Multi-factor authentication is the zero trust solution for this vulnerability. The user is required to input data in the form of an SMS code or application token, from an external source, preferably a physically separate device like a phone. This process ensures that bad actors cannot phish credentials and gain full access; they also would have to compromise the phone or security device. Multi-factor authentication is essential in promoting a zero trust environment by questioning the confidentiality of a user’s credentials.
Zero trust network access (ZTNA) is the technology framework that is used to enforce zero trust environments. Access is granted on an “as needed” basis and resources are heavily segmented. ZTNA ensures that only those users authorized by you are granted access to an application or service, in an isolated connection. In addition, ZTNA ensures that this access is one to one between the user and the application, thereby preventing any unauthorized access to other portions of your system. In practice, ZTNA creates a ‘dark net’ for your internal services by allowing only outbound traffic, effectively hiding any sensitive IPs. ZTNA ultimately removes the network-centric security commonly found today and replaces it with a software-defined authentication system that determines access on a one-to-one basis.
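The principles in the preceding paragraphs (authenticate every request regardless of network location, least privilege, micro-segmentation, MFA for sensitive resources, and ZTNA's one-to-one decision per user and application) can be expressed as a default-deny policy evaluator. The following is an added example, not code from the article or from Network Technology Partners; the users, resources, segments, session-age threshold and helper names are all constructed for illustration.

```python
"""Default-deny access policy evaluator illustrating zero trust principles.
Added example; not code from the article or Network Technology Partners.
All users, resources, segments and thresholds below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Session:
    user: str
    authenticated_at: datetime
    mfa_verified: bool           # second factor completed this session
    device_managed: bool         # device posture check passed
    on_corporate_network: bool   # recorded, but deliberately never consulted


@dataclass(frozen=True)
class Request:
    session: Session
    resource: str
    action: str
    now: datetime


# Constructed micro-segments: a grant on one resource says nothing about
# any other resource, even one in the same segment.
SEGMENTS = {
    "hr":  {"hr-db", "payroll-app"},
    "eng": {"git", "ci"},
}
# Constructed least-privilege grants: user -> resource -> allowed actions.
GRANTS = {
    "alice": {"hr-db": {"read"}, "payroll-app": {"read", "write"}},
    "bob":   {"git": {"read", "write"}, "ci": {"read"}},
}
SENSITIVE = {"hr-db", "payroll-app"}     # require MFA and a managed device
MAX_SESSION_AGE = timedelta(minutes=30)  # force re-verification after this
NOW = datetime(2021, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock


def segment_of(resource: str) -> str | None:
    for name, members in SEGMENTS.items():
        if resource in members:
            return name
    return None


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Any failed check denies. Network location
    is not a check, so internal and external traffic are treated alike."""
    s = req.session
    if req.now - s.authenticated_at > MAX_SESSION_AGE:
        return False, "session too old; re-authenticate"
    segment = segment_of(req.resource)
    if segment is None:
        return False, "unknown resource"
    allowed_actions = GRANTS.get(s.user, {}).get(req.resource, set())
    if req.action not in allowed_actions:
        return False, f"{s.user} has no '{req.action}' grant on {req.resource}"
    if req.resource in SENSITIVE:
        if not s.mfa_verified:
            return False, "MFA required"
        if not s.device_managed:
            return False, "managed device required"
    return True, f"one-to-one access to {req.resource} (segment {segment})"


def decide(user: str, resource: str, action: str, minutes_since_login: int = 5,
           mfa: bool = True, managed: bool = True) -> tuple[bool, str]:
    """Convenience wrapper building a Session/Request against the constructed clock."""
    session = Session(user, NOW - timedelta(minutes=minutes_since_login), mfa, managed, False)
    return evaluate(Request(session, resource, action, NOW))


if __name__ == "__main__":
    for args in [("alice", "hr-db", "read"), ("alice", "hr-db", "write"),
                 ("alice", "git", "read"), ("bob", "git", "write")]:
        print(args, "->", decide(*args))
```

Note that `on_corporate_network` is carried in the session only to make the point explicit: `evaluate` never reads it, which is the behavioural difference between this model and a VPN that grants broad access once the tunnel is up.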
Adopting ZTNA would make your VPN service obsolete, because your users would no longer need to be on an internal network to authenticate for resource access. ZTNA is cloud friendly and allows secure remote work in our Covid-19 world by implementing strong security controls for over-the-internet access. In addition, we can reduce the layers of firewalls, domain name system (DNS) servers, and VPNs found in today’s networks and, in turn, reduce the risks associated with third-party vendors and software.
Traditionally, VPNs have been the staple for securing access to internal networks from an external position. By establishing an encrypted tunnel of communication, VPNs are able to shield users’ incoming and outgoing traffic. If one of your users is working from home and needs access to an internal file system, he or she would simply start the VPN program, authenticate, and immediately secure access. VPNs are very convenient but are limited in the control of security once inside your internal network.
How do VPNs and zero trust networks compare? They exist on opposite ends of the security spectrum. VPNs provide easy connectivity and centralize authentication for users. Zero trust networks have decentralized authentication, restricting access on a per-case basis. While VPNs may be more convenient than zero trust networks, a VPN can represent a single point of failure, a trap door that (when left open) can invite all kinds of malicious traffic.
Whether you adopt a zero trust environment or a network-centric environment, a robust security environment will always need managed detection and response (MDR) to effectively address security threats in our ever more connected world. Here at Network Technology Partners, we have developed an excellent MDR solution and have recruited security engineers who provide world-class expertise.
David Wren, CISM is President of Network Technology Partners, a regional Cyber Security Intelligence firm headquartered in St. Louis, MO. He can be reached at dwren@ntp-inc.com.