Zero Trust Networking – Effects on Cyber Risk & Challenges
Shan SendhilVelan
George Washington University
PSCS – 6247: Cyber Defense Strategy, Prof. Kevin Dulany
Author Note
[email protected]
Abstract
Business, commerce and the economy are now almost entirely online, or moving online quickly. From banks to libraries and from educational institutions to government, the trend is toward cloud technologies. Governments are introducing a multitude of regulations, such as GDPR, which place a burden on institutions and, rightly, hold them liable for any breach. This article details the importance of Zero-Trust networks in securing that data.
Keywords: Zero-Trust, Network, Information, Data, Security
Contents
Abstract
Zero Trust Networking – Effects on Cyber Risk & Challenges
Introduction
Network Perimeter Model
Elements in Perimeter Network
Zero-Trust Network
Four pillars of zero-trust security
Microsoft: Zero-Trust Story
Micro-Perimeters / Micro-Segmentation
Challenges
Internet of Things (IoT)
Productivity and Cost
Malicious Actors are one-step ahead
Internal threat
References
Appendix
Zero Trust Networking – Effects on Cyber Risk & Challenges
Introduction:
“Network security is any activity designed to protect the usability and integrity of your network and data. It includes both hardware and software technologies. Effective network security manages access to the network. It targets a variety of threats and stops them from entering or spreading on your network. Network security combines multiple layers of defenses at the edge and in the network. Each network security layer implements policies and controls. Authorized users gain access to network resources, but malicious actors are blocked from carrying out exploits and threats (CISCO, 2019)”.
Network Perimeter Model
A network perimeter is the secured boundary between the private, locally managed side of a network, often a company’s intranet, and the public-facing side, often the Internet (Barracuda Networks, 2019). This “moat and castle” approach is not only old; it is also losing its effectiveness in today’s mobile and cloud-first world, where the users, devices and applications it was built to guard increasingly sit outside the boundary. The evolution of enterprises, applications and the threat landscape is driving a shift to a newer model.
Elements in Perimeter Network
Firewalls sit on the proverbial perimeter wall of the network and monitor and control incoming traffic according to predetermined rules; a firewall is a barrier between the internal network and the public internet. Anti-virus and anti-malware software is installed on each computer to stop malicious programs from doing harm there and from spreading to other computers or devices on the network.
Access control and application security are the authentication and authorization controls that govern who may execute a function or application. Wireless, e-mail and web security are likewise enforced through identification and authentication. A Virtual Private Network (VPN) is a private network that is reachable across the public internet.
“In network security a screened subnet refers to the use of one or more logical screening routers as a firewall to define three separate subnets: an external router (sometimes called an access router), that separates the external network from a perimeter network, and an internal router (sometimes called a choke router) that separates the perimeter network from the internal network. The perimeter network, also called a border network or demilitarized zone (DMZ), is intended for hosting servers (sometimes called bastion hosts) that are accessible from or have access to both the internal and external networks (NIST, 1994)”.
“Intrusion Detection (IDS) and Intrusion Prevention (IPS) systems are part of the network. IDS analyze network traffic for signatures that match known cyberattacks. IPS also analyzes packets, but can also stop the packet from being delivered based on what kind of attacks it detects — helping stop the attack (Petters, J. 2018)”.
Zero-Trust Network
The Zero Trust Network, or Zero Trust Architecture, model was created in 2010 by John Kindervag, then Principal Analyst at Forrester Research.
Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters, and instead must verify anything and everything trying to connect to their systems before granting access.
The network is always assumed to be exposed to external and internal threats, so every user, device and network flow must be authenticated and authorized. Policies cannot be set in stone: they must be dynamic, and they must be formulated from data gathered from as many sources as possible. A Zero-Trust network is therefore a network in which nothing is trusted by default.
“The Zero-Trust model dictates that all hosts be treated as if they’re internet-facing. The networks they reside in must be considered compromised and hostile. Only with this consideration can you begin to build secure communication. With most operators having built or maintained internet-facing systems in the past, we have at least some idea of how to secure IP in a way that is difficult to intercept or tamper with (and, of course, how to secure those hosts). Automation enables us to extend this level of security to all the systems in our infrastructure (Gilman and Barth, 2017)”.
There are three key components in a zero-trust network: 1. user/application authentication, 2. device authentication, and 3. trust.
The first component has some duality in it, since not all actions are taken by users. In the case of an automated action (inside the datacenter, for instance), we look at the qualities of the application in the same way we would normally look at the qualities of the user.
Authenticating and authorizing the device is just as important as doing so for the user/application. This is a feature rarely seen in services and resources protected by perimeter networks. It is often deployed using VPN or NAC technology, especially in more mature networks, but finding it between endpoints (as opposed to network intermediaries) is uncommon.
A “trust score” is computed, and the application, device, and score are bonded to form an agent. Policy is then applied against the agent in order to authorize the request. The richness of information contained within the agent allows very flexible yet fine-grained access control, which can adapt to varying conditions by including the score component in your policies (Gilman and Barth, 2017).
Zero Trust draws on technologies such as multifactor authentication, Identity and Access Management (IAM), orchestration, analytics, encryption, scoring and file system permissions. Zero Trust also calls for governance policies such as giving users the least amount of access they need to accomplish a specific task.
Thus, in general, Zero Trust:
Provides a consistent security strategy for users accessing data that resides anywhere, from anywhere, in any way;
Assumes a “never trust, always verify” stance when accessing services and/or data;
Requires continuous authorization regardless of where the request originates;
Increases visibility and analytics across the network.
Google was one of the first large enterprises to abandon the traditional network perimeter for employee access, through what it called BeyondCorp. BeyondCorp is a Zero Trust security framework modeled by Google that shifts access controls from the perimeter to individual devices and users. The result allows employees to work securely from any location without the need for a traditional VPN (Ashford, 2018).
Four pillars of zero-trust security
1. Verifying users, 2. Validating devices, 3. Limiting privileged access wherever possible, and 4. Applying machine learning to all these factors to step up the authentication process wherever necessary.
Microsoft: Zero-Trust Story
Microsoft has also recently committed fully to supporting the Zero Trust concept, outlining a comprehensive approach to building Zero Trust environments using Microsoft technologies.
Microsoft has a story and strategy around Zero Trust networking. Azure Active Directory conditional access is the foundational building block of how customers can implement a Zero Trust network approach. Conditional access and Azure Active Directory Identity Protection make dynamic access control decisions based on user, device, location, and session risk for every resource request. They combine (1) attested runtime signals about the security state of a Windows device and (2) the trustworthiness of the user session and identity to arrive at the strongest possible security posture (Microsoft, 2019).
Conditional access provides a set of policies that can be configured to control the circumstances in which users can access corporate resources. Considerations for access include user role, group membership, device health and compliance, mobile applications, location, and sign-in risk. These considerations are used to decide whether to (1) allow access, (2) deny access, or (3) control access with additional authentication challenges (e.g., multi-factor authentication), Terms of Use, or access restrictions. Conditional access works robustly with any application configured for access with Azure Active Directory (Microsoft, 2019).
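The agent-and-score model described in the Zero-Trust Network section (Gilman and Barth) and the conditional-access decision described here reduce to the same evaluation: bind identity, device state and context into one object, score it, and decide allow, deny or step-up for each resource on every request. The following Python is an added example written for this page; it is not code from Gilman and Barth, Microsoft or the paper's author, and the signal weights, thresholds, user, device, context and policy names are all assumptions chosen for illustration.

```python
"""Zero Trust policy decision: bind user, device and context into an agent,
score it, and evaluate a per-resource policy on every request.

Added example for this page. Not code from Gilman and Barth, Microsoft or the
paper's author; every name, weight and threshold below is an assumption.
"""
from dataclasses import dataclass
from typing import FrozenSet

MFA_BONUS = 20  # assumed weight a completed MFA challenge adds to the score


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    mfa_done: bool = False      # this session already passed an MFA challenge


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # enrolled in device management / inventory
    compliant: bool             # attested patch level, disk encryption, etc.
    attested_boot: bool         # hardware-backed boot/runtime integrity signal


@dataclass(frozen=True)
class Context:
    ip: str
    known_location: bool        # corporate network or previously seen location
    signin_risk: str            # "low", "medium" or "high" from analytics


@dataclass(frozen=True)
class Agent:
    """Identity, device, context and trust score bound together."""
    user: User
    device: Device
    context: Context
    score: int


@dataclass(frozen=True)
class Policy:
    resource: str
    required_group: str
    allow_score: int            # score needed for access without a challenge
    require_managed: bool = True


def trust_score(user: User, device: Device, ctx: Context) -> int:
    """Combine signals into a 0-100 score; weights are assumptions."""
    score = 0
    score += 30 if device.managed else 0
    score += 25 if device.compliant else 0
    score += 15 if device.attested_boot else 0
    score += 10 if ctx.known_location else 0
    score += MFA_BONUS if user.mfa_done else 0
    penalty = {"low": 0, "medium": 20, "high": 50}[ctx.signin_risk]
    return max(0, score - penalty)


def build_agent(user: User, device: Device, ctx: Context) -> Agent:
    return Agent(user, device, ctx, trust_score(user, device, ctx))


def decide(agent: Agent, policy: Policy) -> str:
    """Return 'allow', 'deny' or 'step_up' for one request against one resource."""
    # Hard requirements first: no score can compensate for these.
    if policy.required_group not in agent.user.groups:
        return "deny"
    if policy.require_managed and not agent.device.managed:
        return "deny"
    if agent.context.signin_risk == "high":
        return "deny"
    # Then the score: allow outright, or offer MFA only if it can actually
    # lift the session over the threshold; otherwise deny.
    if agent.score >= policy.allow_score:
        return "allow"
    if not agent.user.mfa_done and agent.score + MFA_BONUS >= policy.allow_score:
        return "step_up"
    return "deny"


def evaluate(user: User, device: Device, ctx: Context, policy: Policy) -> str:
    """Re-evaluate from scratch on every request: nothing is cached or trusted."""
    return decide(build_agent(user, device, ctx), policy)


def complete_mfa(user: User) -> User:
    """The same session after the user answers a step-up challenge."""
    return User(user.name, user.groups, mfa_done=True)


# Constructed sample principals, devices, contexts and policies (assumptions).
ALICE = User("alice", frozenset({"staff", "finance"}))
BOB = User("bob", frozenset({"staff"}))
CORP_LAPTOP = Device("lt-0042", managed=True, compliant=True, attested_boot=True)
STALE_LAPTOP = Device("lt-0007", managed=True, compliant=False, attested_boot=True)
BYOD_PHONE = Device("ph-9", managed=False, compliant=False, attested_boot=False)
OFFICE = Context("10.1.2.3", known_location=True, signin_risk="low")
HOTEL = Context("203.0.113.7", known_location=False, signin_risk="medium")
ANONYMIZED = Context("198.51.100.9", known_location=False, signin_risk="high")
PAYROLL = Policy("payroll", "finance", allow_score=90, require_managed=True)
WIKI = Policy("wiki", "staff", allow_score=30, require_managed=False)

if __name__ == "__main__":
    print(evaluate(ALICE, CORP_LAPTOP, OFFICE, PAYROLL))                # step_up (score 80)
    print(evaluate(complete_mfa(ALICE), CORP_LAPTOP, OFFICE, PAYROLL))  # allow (score 100)
    print(evaluate(ALICE, BYOD_PHONE, OFFICE, PAYROLL))                 # deny (unmanaged device)
    print(evaluate(ALICE, STALE_LAPTOP, HOTEL, PAYROLL))                # deny (25 + MFA still < 90)
    print(evaluate(BOB, BYOD_PHONE, OFFICE, WIKI))                      # step_up (10 + 20 >= 30)
```

Two design points are worth noting. Group membership, device management and a high-risk sign-in are hard requirements evaluated before the score, so a user cannot buy their way past them with MFA; and the step-up branch is offered only when the MFA bonus can actually clear the threshold, so a non-compliant device on an unfamiliar network is denied rather than being prompted for a challenge it cannot turn into access.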
To accomplish the Zero Trust model, Microsoft integrates several components and capabilities in Microsoft 365: Windows Defender Advanced Threat Protection, Azure Active Directory, Windows Defender System Guard, and Microsoft Intune (Microsoft, 2019).
Micro-Perimeters / Micro-Segmentation
The Zero-Trust architecture is a risk- and data-centric network design approach. It places micro-perimeters (segments) and controls around assets, using granular rules and policy enforcement, to gain continuous visibility in a way that enables the organization to proactively identify, detect, protect against, react to and contain threats or attacks.
Micro-segmentation mitigates lateral movement within the network by enforcing the “never trust, always verify” principle on every flow, based on user, data, device, service and location. Zero Trust thus helps an organization move away from the weaknesses of the traditional flat network, in which anything inside the perimeter can reach anything else, toward specific rule sets, each using context such as user, application and traffic direction (Kaitano, 2018).
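To make the lateral-movement point concrete, here is an added Python example, written for this page and not taken from Kaitano or the paper's author, that evaluates the same constructed flow records twice: once under a flat-network rule set of the kind the perimeter model uses (filter at the edge, trust everything already inside) and once under a micro-segmentation allow-list keyed on workload identity. The workload inventory, addresses, rules and flow-log lines are all constructed for the illustration.

```python
"""Flat-network versus micro-segmented policy over the same flow records.

Added example for this page, not code from Kaitano or the paper's author.
The workload inventory, addresses, rules and flow-log lines are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/16")      # the old "inside" (assumed)

# Address -> workload identity. A real deployment takes this from an attested
# inventory rather than a static table; the entries here are constructed.
INVENTORY = {
    "10.0.1.10": "web",
    "10.0.2.20": "app",
    "10.0.3.30": "db",
    "10.0.9.99": "printer",
    "10.0.5.50": "hr-laptop",
}

# Micro-segmentation allow-list: (source identity, destination identity, port).
# Anything not listed is denied, including inside-to-inside traffic.
SEGMENT_RULES = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("hr-laptop", "web", 443),
}
PUBLISHED_INGRESS = {("web", 443)}   # the only thing the outside may reach


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow_log(text: str) -> List[Flow]:
    """Parse 'timestamp src dst dport proto' lines (a constructed log format)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


def flat_policy(flow: Flow) -> str:
    """Perimeter model: filter at the edge, trust everything already inside."""
    src_in = ipaddress.ip_address(flow.src) in INTERNAL
    dst_in = ipaddress.ip_address(flow.dst) in INTERNAL
    if src_in and dst_in:
        return "allow"                       # implicit trust inside: the weakness
    if dst_in:                               # ingress from outside
        target = (INVENTORY.get(flow.dst), flow.dport)
        return "allow" if target in PUBLISHED_INGRESS else "deny"
    return "allow"                           # egress is not filtered in this model


def segmented_policy(flow: Flow) -> str:
    """Micro-segmentation: identity-based allow-list, default deny everywhere."""
    src_id: Optional[str] = INVENTORY.get(flow.src)
    dst_id: Optional[str] = INVENTORY.get(flow.dst)
    if dst_id is None:
        return "deny"                        # unknown destination needs an explicit egress rule
    if src_id is None:                       # external or unknown source
        return "allow" if (dst_id, flow.dport) in PUBLISHED_INGRESS else "deny"
    return "allow" if (src_id, dst_id, flow.dport) in SEGMENT_RULES else "deny"


def lateral_movement_candidates(flows: List[Flow]) -> List[Flow]:
    """Flows the flat model lets through but segmentation blocks."""
    return [f for f in flows
            if flat_policy(f) == "allow" and segmented_policy(f) == "deny"]


# Constructed flow records: web->app and app->db are the intended paths;
# web->db, printer->db and laptop->app:22 are lateral-movement attempts.
SAMPLE_FLOW_LOG = """\
2019-06-03T10:00:01Z 10.0.1.10 10.0.2.20 8443 tcp
2019-06-03T10:00:02Z 10.0.2.20 10.0.3.30 5432 tcp
2019-06-03T10:00:03Z 10.0.1.10 10.0.3.30 5432 tcp
2019-06-03T10:00:04Z 10.0.9.99 10.0.3.30 5432 tcp
2019-06-03T10:00:05Z 10.0.5.50 10.0.2.20 22 tcp
2019-06-03T10:00:06Z 203.0.113.7 10.0.1.10 443 tcp
2019-06-03T10:00:07Z 203.0.113.7 10.0.3.30 5432 tcp
"""

if __name__ == "__main__":
    for f in parse_flow_log(SAMPLE_FLOW_LOG):
        print(f"{f.src:>12} -> {f.dst:>10}:{f.dport:<5} "
              f"flat={flat_policy(f):5} segmented={segmented_policy(f)}")
```

Both rule sets agree on the external traffic: the published web port is reachable and the database is not. They differ only on the inside, where the flat model waves through a compromised web tier talking straight to the database, a printer (an IoT device that never appears in any allow-list) doing the same, and a laptop opening SSH to the application tier. Those three flows are exactly what `lateral_movement_candidates` returns, and they are the flows a perimeter-only design never sees.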
Challenges
Internet of Things (IoT)
IoT has become ubiquitous both in the home and in business. Not only servers but almost all devices, such as printers, cafeteria vending machines, security cameras and scanners, connect directly to the internet for service updates, patches and their intended functions. Many of these devices cannot run an agent or present a verifiable device identity, which makes the device-authentication component of Zero Trust difficult to apply to them.
Productivity and Cost
Productivity falls and cost rises when every unit is segmented and monitored continuously and every access request must be re-authorized.
Malicious Actors are one-step ahead
Malicious actors also use artificial intelligence and machine learning for their clandestine activities, so the analytics that drive Zero Trust decisions are themselves a target.
Internal threat
There are only limited controls against disgruntled employees, whose credentials and devices legitimately pass verification.
References
CISCO. (2019). What Is Network Security? Retrieved June 3, 2019, from https://www.cisco.com/c/en/us/products/security/what-is-network-security.html
Barracuda Networks. (2019). Network Perimeter | Barracuda Networks. Retrieved June 3, 2019, from https://www.barracuda.com/glossary/network-perimeter
Gilman, E., & Barth, D. (2017). Zero Trust Fundamentals. In Zero Trust Networks: Building Secure Systems in Untrusted Networks. Sebastopol, CA: O'Reilly Media.
Ashford, W. (2018, October 16). Zero-trust security model gaining traction. Retrieved June 4, 2019, from https://www.computerweekly.com/news/252450675/Zero-trust-security-model-gaining-traction
Microsoft. (2019, May 8). Building Zero Trust networks with Microsoft 365. Retrieved June 4, 2019, from https://www.microsoft.com/security/blog/2018/06/14/building-zero-trust-networks-with-microsoft-365/
Kaitano, F. (2018, July 27). Taking steps towards a ZT enabled organization. Retrieved June 4, 2019, from https://www.fusionnetworks.co.nz/cyber-security-blog/2018/07/the-old-meets-the-new-zero-trust-vs-the-castle-and-moat-approach/
National Institute of Standards and Technology (NIST). (1994, December). Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls (NIST Special Publication 800-10). Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-10.pdf
Petters, J. (2018, October 23). IDS vs. IPS: What is the Difference? Retrieved from https://www.varonis.com/blog/ids-vs-ips/
Appendix
Figure: Castle & Moat design (figure not reproduced in this copy)
Figure: Zero-Trust network (figure not reproduced in this copy)