Recently the National Institute of Standards and Technology (NIST) published the final version of SP 800-207, Zero Trust Architecture (ZTA): https://doi.org/10.6028/NIST.SP.800-207.
Zero Trust is an approach to network security that moves beyond the classic perimeter and VPN models. Both of those fail against insider threats, BYOD and public or multi-cloud environments, because they assume a black-and-white world in which company equipment and personnel are trusted and everything outside is not.
Over the years this model has been undermined by several factors:
- It is not possible to build an impenetrable fortress: sooner or later someone gets inside.
- Insider threats are more dangerous than external attacks, and a perimeter does nothing against them.
- BYOD and cloud dissolve the very concept of a network perimeter.
Zero Trust was defined to overcome these issues.
Zero Trust is based on a very simple principle: always verify the action being performed. No user (or application) is trusted by default; every request for an operation is evaluated on its own merits before it is granted.
How it works
Zero Trust focuses on two distinct aspects: authentication and authorization.
When a user presents credentials, the system identifies her with some level of confidence. In ZT the required confidence can vary with the sensitivity of the operation: to read a confidential document the system may require two-factor authentication, while to read a Top Secret document it may demand further authentication factors plus continuous behavioral monitoring.
From the authorization perspective, ZT defines a centralized policy store that holds the policies to be applied. Every incoming request is evaluated against the applicable policies: each request must be explicitly authorized, so the trust realm is very small and therefore easier to protect. In ZT the trust realm consists of the policy manager, the policy decision point (the component that evaluates the policy) and the enforcement point; SP 800-207 names the corresponding core components the policy engine, the policy administrator and the policy enforcement point.
ZT relies on continuous monitoring to obtain feedback on authorizations already granted: a user's observed behavior can lower (or raise) her overall trust, and an existing session can be re-evaluated as a result.
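The three ideas above (confidence that scales with sensitivity, explicit per-request authorization against a central policy store, and re-evaluation driven by monitoring) can be shown in one small policy decision point. The following is an added example written for this post; it is not code from NIST SP 800-207 or from any product. The resource catalogue, the policy table, the factor counts and the behavior-score thresholds are constructed assumptions chosen to illustrate the mechanism.

```python
"""Toy Zero Trust policy decision point (PDP).

Added example, not code from NIST SP 800-207 or from the original post.
The resource catalogue, the policy table, the factor counts and the
behavior-score thresholds are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field, replace
from typing import FrozenSet, List


@dataclass(frozen=True)
class Request:
    """One access request as the enforcement point (PEP) would forward it."""
    subject: str
    action: str            # e.g. "read" or "write"
    resource: str
    auth_factors: int      # distinct authentication factors presented in this session
    device_managed: bool   # device posture reported by the PEP
    behavior_score: float  # 0.0 (anomalous) .. 1.0 (normal), from continuous monitoring


@dataclass(frozen=True)
class Policy:
    """Requirements for one sensitivity level (assumed values)."""
    sensitivity: str
    min_factors: int
    require_managed_device: bool
    min_behavior_score: float
    allowed_actions: FrozenSet[str]


# Assumed central policy store: the confidence required grows with sensitivity.
POLICIES = {
    "public":       Policy("public",       1, False, 0.0, frozenset({"read"})),
    "internal":     Policy("internal",     1, True,  0.3, frozenset({"read", "write"})),
    "confidential": Policy("confidential", 2, True,  0.5, frozenset({"read", "write"})),
    "top_secret":   Policy("top_secret",   4, True,  0.8, frozenset({"read"})),
}

# Assumed resource catalogue mapping each resource to its classification.
RESOURCES = {
    "wiki/welcome.md": "public",
    "hr/payroll.xlsx": "confidential",
    "rnd/project-x.pdf": "top_secret",
}


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)  # why the request was denied


def decide(req: Request) -> Decision:
    """Evaluate a single request against the applicable policy.

    Default deny: a request is allowed only when every condition of the
    matching policy is satisfied. Unknown resources have no policy and
    are refused rather than falling through to an allow.
    """
    sensitivity = RESOURCES.get(req.resource)
    policy = POLICIES.get(sensitivity) if sensitivity else None
    if policy is None:
        return Decision(False, ["no policy applies to this resource"])

    reasons = []
    if req.action not in policy.allowed_actions:
        reasons.append(f"action {req.action!r} not permitted on {policy.sensitivity} data")
    if req.auth_factors < policy.min_factors:
        # The PEP would turn this into a step-up authentication prompt.
        reasons.append(f"step-up required: {policy.min_factors} factors, session has {req.auth_factors}")
    if policy.require_managed_device and not req.device_managed:
        reasons.append("unmanaged device")
    if req.behavior_score < policy.min_behavior_score:
        reasons.append(f"behavior score {req.behavior_score:.2f} below threshold {policy.min_behavior_score:.2f}")
    return Decision(allow=not reasons, reasons=reasons)


def reevaluate(req: Request, new_behavior_score: float) -> Decision:
    """Re-run the decision for an already granted session after monitoring
    reports a new behavior score; a drop can revoke access mid-session."""
    return decide(replace(req, behavior_score=new_behavior_score))


if __name__ == "__main__":
    alice = Request("alice", "read", "hr/payroll.xlsx", auth_factors=1,
                    device_managed=True, behavior_score=0.9)
    print(decide(alice))                           # denied: step-up required
    print(decide(replace(alice, auth_factors=2)))  # allowed
    top = Request("alice", "read", "rnd/project-x.pdf", 4, True, 0.95)
    print(decide(top))                             # allowed
    print(reevaluate(top, 0.4))                    # revoked after behavior drop
```

Two design points matter more than the toy thresholds. First, the function denies unless every condition is met, and a resource with no policy is denied rather than allowed; an allow-by-default branch anywhere in a PDP undoes the "explicitly authorized" property. Second, the decision takes the behavior score as an input, so the same function re-evaluates a live session when monitoring reports a change, which is what lets continuous monitoring feed back into granted authorizations instead of only into the next login.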
Zero Trust is a different way of enforcing least privilege for users and devices inside a network. It can also enable BYOD, multi-cloud and other technologies whose use is currently discouraged in enterprises for lack of trust.
To obtain a secure Zero Trust deployment, full network monitoring and authorization enforcement are essential: every path to a resource must pass through an enforcement point, otherwise the approach gives a false sense of security, which is worse than no security.