Zero Trust is the intention to move defenses away from static, network-based perimeters (the idea of de-perimeterization) and to focus them instead on users, assets, and resources (protection of data and services).
The idea of de-perimeterization arises because, traditionally, almost everything has been focused on perimeter defense: once a subject has authenticated and is on the internal network, it is granted some level of authorization to a more or less wide collection of resources.
As a result, unauthorized lateral movement inside the environment has caused a great many problems, and from this the imperative of zero trust emerged.
Therefore, a Zero Trust Architecture (ZTA) uses zero-trust principles to plan infrastructure and workflows. The basic intention is to prevent data breaches and to limit internal lateral movement, and consequently to prevent unauthorized access to data and services while granting only the most minimal access: approved and authorized subjects (combinations of users, applications or services, and devices) can access the data, to the exclusion of all other subjects, that is, attackers.
Added to this is the inability of Trusted Internet Connections (TICs) and perimeter firewalls to detect and block attacks coming from within the network; they also cannot protect subjects outside the perimeter (e.g. remote workers, cloud-based services, edge devices), and they do not account for the possibility that the attacker is already inside (through an exploit or some other method).
Zero Trust assumes that no implicit trust is granted to assets or user accounts based solely on their physical or network location (e.g. the local area network versus the Internet) or on the basis of asset ownership (enterprise-owned or personally owned); trust is instead evaluated continuously.
So these security models assume that an attacker is present in the environment: the owner/user of the environment must not assume any implicit trust, must continuously analyze and assess the risks to their personal and/or business assets and functions, and must then adopt protective measures to mitigate those risks.
Everything therefore focuses on protecting resources (assets, services, workflows, network accounts, etc.) rather than network segments, because network location is no longer seen as the main component of a resource's security posture. The basic intention is to minimize access to resources (data, computing resources, applications/services, etc.) to only those subjects and assets identified as needing it, and to continuously authenticate and authorize the identity and security posture of each access request.
Authentication and authorization (of both the subject and the device) are discrete functions performed before a session to a resource is established, with implicit trust zones reduced as far as possible. Zero trust is above all a response to enterprise network trends: remote users, BYOD (Bring Your Own Device), and cloud-based assets that are not located within a network boundary owned by the user (individual, enterprise, corporation, etc.).
It is thus an end-to-end approach to resource and data security that encompasses identity (person and non-person), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure, while maintaining availability and minimizing the delay introduced by authentication mechanisms.
Thus, access is granted only through a Policy Decision Point (PDP) and a corresponding Policy Enforcement Point (PEP), which together mediate the connection between the requester and the resource (system, data, or application).
The system must ensure that the subject is authentic and the request is valid, with the PDP/PEP making the appropriate decision on whether to allow the subject to access the resource.
This implies that zero trust applies to two basic areas: authentication and authorization. Legitimate questions then arise, such as:
- What is the level of confidence in the subject's identity for this particular request?
- Is access to the resource allowable given the level of confidence in the subject's identity?
- Does the device used for the request have the appropriate security posture?
- Are there other factors that should be considered and that change the level of confidence (for example, time, the subject's location, the subject's security posture)?
There are many elements to consider, depending on the complexity of the system/network in question, but the basic idea is that no one should rely on the implicit trust whereby a subject that has met some basic level of authentication (e.g. logging in to an asset or resource) is assumed to make equally valid requests for every subsequent resource.
From here, any creation of an "implicit trust zone", meaning an area where all entities are trusted at least to the level of the last PDP/PEP they passed through, must be considered carefully.
As an example, consider passenger screening at an airport. All passengers pass through the security checkpoint (the PDP/PEP) in order to reach the boarding gates. Once that point is passed, the PDP/PEP can no longer apply additional policies, since it sits at only one location in the traffic flow.
So after this point anything can happen. This is why the PDP/PEP must be as specific as possible, with the implicit trust zone kept as small as possible.
Finally, explicitly authenticating and authorizing all subjects, assets, and workflows is the key element that zero trust principles and concepts address.
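To make the PDP/PEP split and the per-request evaluation concrete, here is a small added example (my own illustration, not code from NIST SP 800-207 or from this article's author). It assumes a hypothetical criteria-based policy per resource, a hypothetical `Subject`/`Device` model fed by an identity provider and a device-management agent, and a constructed scenario in `demo()`. Every criterion must pass (default deny); the PEP keeps no session trust, so an earlier allow never carries over to the next request; and the source IP is recorded for audit but deliberately never used as a trust input.

```python
"""Added example: a minimal PDP (decide) and PEP (Enforcer) for per-request
zero-trust access decisions. Names, policy and scenario are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset          # roles asserted by the identity provider
    mfa: bool                 # multi-factor authentication completed
    auth_age_s: int           # seconds since the subject last authenticated


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled in enterprise device management
    disk_encrypted: bool
    patched: bool             # at the required OS/agent patch level


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    resource: str
    action: str
    source_ip: str            # audit only; never a trust input (location != trust)
    at: datetime


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple


# Hypothetical per-resource policy: required roles, MFA, managed device,
# maximum age of the authentication, and permitted UTC hours.
POLICY = {
    "wiki": {"roles": {"staff", "hr"}, "mfa": False, "managed": False,
             "max_auth_age_s": 8 * 3600, "hours": range(0, 24)},
    "hr-db": {"roles": {"hr"}, "mfa": True, "managed": True,
              "max_auth_age_s": 15 * 60, "hours": range(7, 20)},
}


def decide(req: AccessRequest) -> Decision:
    """PDP: criteria-based trust algorithm. All criteria must pass; default deny."""
    policy = POLICY.get(req.resource)
    if policy is None:
        return Decision(False, ("unknown resource: default deny",))
    reasons = []
    # 1. Identity: is this subject, at this assurance level, allowed here?
    if not (req.subject.roles & policy["roles"]):
        reasons.append("role not authorized for resource")
    if policy["mfa"] and not req.subject.mfa:
        reasons.append("MFA required")
    if req.subject.auth_age_s > policy["max_auth_age_s"]:
        reasons.append("authentication too old; re-authenticate")
    # 2. Device posture.
    if policy["managed"] and not req.device.managed:
        reasons.append("unmanaged device")
    if policy["managed"] and not (req.device.disk_encrypted and req.device.patched):
        reasons.append("device posture below baseline")
    # 3. Context: time window. Network location is intentionally not consulted.
    if req.at.astimezone(timezone.utc).hour not in policy["hours"]:
        reasons.append("outside permitted hours")
    return Decision(not reasons, tuple(reasons) or ("all criteria satisfied",))


class Enforcer:
    """PEP: the only path to a resource. It holds no session-level trust, so
    every request is sent to the PDP regardless of earlier decisions."""

    def __init__(self, resources):
        self.resources = resources      # resource name -> handler(action)
        self.audit = []

    def access(self, req: AccessRequest):
        decision = decide(req)
        self.audit.append((req.subject.user, req.resource, req.action,
                           req.source_ip, decision.allow, decision.reasons))
        if not decision.allow:
            raise PermissionError("; ".join(decision.reasons))
        return self.resources[req.resource](req.action)


def demo():
    """Constructed scenario: one subject on one laptop, from an 'internal' IP."""
    pep = Enforcer({"wiki": lambda a: f"wiki:{a}", "hr-db": lambda a: f"hr-db:{a}"})
    alice = Subject("alice", frozenset({"staff", "hr"}), mfa=False, auth_age_s=3600)
    laptop = Device("lt-42", managed=False, disk_encrypted=True, patched=True)
    noon = datetime(2022, 1, 4, 12, 0, tzinfo=timezone.utc)
    results = []
    for resource, action in (("wiki", "read"), ("hr-db", "read")):
        req = AccessRequest(alice, laptop, resource, action, "10.0.0.5", noon)
        try:
            results.append(("allow", pep.access(req)))
        except PermissionError as e:
            results.append(("deny", str(e)))
    # Same person after stepping up: MFA done, fresh login, managed device.
    alice_mfa = Subject("alice", frozenset({"staff", "hr"}), mfa=True, auth_age_s=30)
    managed = Device("lt-42", managed=True, disk_encrypted=True, patched=True)
    req = AccessRequest(alice_mfa, managed, "hr-db", "read", "10.0.0.5", noon)
    results.append(("allow", pep.access(req)))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Running `demo()` shows the point of the airport analogy in code: the wiki request is allowed, but the immediately following request to `hr-db` from the same authenticated subject, same laptop, and same internal address is denied (MFA missing, authentication too old, unmanaged device), because the PEP re-asks the PDP for every resource instead of extending the trust established at the first checkpoint. Only after the subject steps up (MFA, fresh authentication, managed device) does the third request pass.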
Source: NIST Special Publication 800-207, Zero Trust Architecture (Zero Trust Architecture | NIST).
Dorin M - January 04, 2022.