What is Zero Trust and why it is increasingly important
Traditional security models implicitly trust everything inside an organization’s network. It is now very clear that extending trust to any device or user puts the entire organization at risk as soon as one of them is compromised.
For this reason, we are moving towards a “Never trust, always verify” approach.
These days, the corporate perimeter has so many points of entry that security managers have to work on the assumption that intruders have already gained access to the network. Once inside, “trust” is an easily exploitable weakness in the absence of a Zero Trust strategy. That is why identifying, authenticating and monitoring devices and users, both inside and outside the corporate network, is now considered a requirement by many.
The digital transformation and numerous technological innovations are improving productivity, but at the same time creating new risks for IT security.
Hackers, malware and compromised devices which evade the perimeter security controls often have free access to everything within the network.
Taken together, the natural conclusion is that organizations can no longer trust users or devices, whether inside or outside their network. Those responsible for security must assume that each device is potentially compromised and that any user may put critical resources at risk. Strict network access controls are the foundation of the Zero Trust strategy.
Distinguishing between internal and external no longer makes any sense
The main problem with this distinction is that it ignores the possibility that attackers are already inside the network. Once they have entered the perimeter, in the absence of a Zero Trust strategy, intruders have unlimited access to resources.
It is therefore necessary to make a paradigm shift and treat all network traffic as untrusted.
To do so, organizations must segment the network in such a way as to control access to sensitive resources, limit user privileges and improve risk detection and response with appropriate analysis, automating wherever possible. This prevents attackers from using unapproved connections and moving freely from one compromised system to another. By removing the possibility of lateral movement through segmentation, Zero Trust also reduces the damage an ill-intentioned user can do after illegitimately gaining access to a cloud environment or resource.
This approach undoubtedly improves an organization’s network security and minimizes, almost eliminating, the dependence on perimeter-based protection.
Zero Trust is challenging to implement
As previously mentioned, one of the most effective ways to achieve Zero Trust and protect sensitive resources is segmentation. Segmentation limits the impact of attacks by making it more difficult to move around inside the network. The aim should be segmentation that is managed automatically on the basis of policy, in order to create self-protecting environments and uphold the principle of least privilege: controlling incoming and outgoing communication flows, isolating risky resources and preventing the spread of security incidents.
Effective segmentation can affect day-to-day corporate operations, and is carried out in the following phases: design, implementation and maintenance.
Approach and technologies
Zero Trust is not just technology, quite the contrary. The approach combines various technologies with governance processes to carry out the mission of protecting the corporate IT environment.
It is essential to ‘understand who the user is’ (employee, consultant, guest etc.). We must ensure that they really are the user they claim to be, and check which endpoint they are using: is it a secure and known endpoint? The second fundamental verification consists in checking which resources this user is allowed to access.
To do so, Zero Trust uses technologies such as multi-factor authentication (essential in establishing the user’s identity), IAM (Identity and Access Management), encryption, risk scoring and file system authorizations, together with governance policies such as granting users only the minimum access they need to perform a specific activity and expanding that access only when required.
Business and Security Benefits
The recognized benefits of the Zero Trust solution include:
- Better network visibility, detection of breaches and management of vulnerabilities: systems are continually inspected; greater network visibility limits the damage caused by breaches; continuous enforcement of network security allows a proactive approach to patch management
- Reduced costs: consolidating different control systems centralizes management and, as a consequence, reduces its costs
- A smaller perimeter for compliance checks
- Prevention of malware propagation thanks to segmentation.
A further step
Companies are choosing federated systems with increasing frequency to apply access control. Traditional federated identity protocols allow the identity provider to confirm the validity of the access only at the moment the user actually logs in. Modern environments allow users to keep their access sessions open for long periods of time, even days. The properties declared at login (geographical location, password etc.) may change during this period, and sessions that continue on the basis of out-of-date information create security problems.
The Continuous Access Evaluation Protocol (CAEP) is a standards-based approach for communicating changes to access properties. It gives identity providers and the services that consume their assertions (also known as relying parties or resource providers) a standard way to communicate that a still-valid token is no longer recognized and that reauthentication is required. With this mechanism the lifetime of a token is no longer important, as long as the user can be reassessed whenever their circumstances change, without having to wait for the token to expire.
This is an opportunity for organizations that have not yet deployed conditional access policies on their tenants. Even those still using legacy authentication and authorization methods can decide to start along the path towards cloud-native authentication and move away from federated identity systems.
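The following added example (not code from the original article or from any CAEP implementation) illustrates both the per-request checks described under “Approach and technologies” (who the user is, whether the endpoint is known and compliant, which resources they may reach) and the CAEP idea that a token’s lifetime stops mattering once the relying party re-evaluates access on every request and honours change signals from the identity provider. The device inventory, roles, policy table and signal names are all constructed for the illustration and do not correspond to CAEP’s real event types.

```python
"""Constructed Zero Trust policy decision point with continuous evaluation."""
from dataclasses import dataclass

# Constructed inventory: managed endpoints and their last known posture.
KNOWN_DEVICES = {"laptop-0042": "compliant", "laptop-0099": "non-compliant"}
# Constructed directory: user -> roles.
USER_ROLES = {"alice": {"finance"}, "bob": {"guest"}}
# Least-privilege policy: which roles may reach a resource and what the request must prove.
POLICY = {
    "payroll-db": {"roles": {"finance"}, "mfa": True, "compliant_device": True},
    "wiki": {"roles": {"finance", "guest"}, "mfa": False, "compliant_device": False},
}


@dataclass
class Token:
    user: str
    device_id: str
    mfa: bool          # whether the identity provider performed MFA at login
    issued_at: float
    expires_at: float  # may be days away; this example does not rely on it


class RelyingParty:
    """Re-evaluates every request instead of trusting login-time claims for the token's lifetime."""

    def __init__(self):
        self.revoked_users = {}                 # user -> time the revocation signal arrived
        self.device_posture = dict(KNOWN_DEVICES)

    def receive_signal(self, event, subject, at):
        # Hypothetical change signal from the identity provider or device-management system.
        if event == "session-revoked":
            self.revoked_users[subject] = at
        elif event == "device-compliance-change":
            self.device_posture[subject] = "non-compliant"

    def authorize(self, token, resource, now):
        rule = POLICY.get(resource)
        if rule is None or now >= token.expires_at:
            return False, "unknown resource or expired token"
        # A token issued before a revocation signal is dead even if far from expiry.
        if token.issued_at <= self.revoked_users.get(token.user, -1.0):
            return False, "session revoked after issuance"
        if not USER_ROLES.get(token.user, set()) & rule["roles"]:
            return False, "role not permitted"
        if rule["mfa"] and not token.mfa:
            return False, "mfa required"
        if rule["compliant_device"] and self.device_posture.get(token.device_id) != "compliant":
            return False, "endpoint unknown or non-compliant"
        return True, "allowed"
```

A token issued after reauthentication carries a newer `issued_at`, so the same check lets the user back in once the identity provider has re-verified them.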
In summary, the traditional network no longer exists: multi-cloud platforms, the need to monitor numerous types of endpoints, IoT devices and apps, LANs progressively expanding through the adoption of SD-WAN, and users requiring access to the network from any location. This network complexity significantly increases the attack surface, and it represents the biggest challenge for network and security administrators, who must implement segmentation criteria that are sufficiently granular and easy to manage without putting business continuity at risk.