12 Steps to Zero Trust Success

A Google search for “zero trust” returns ~ 195Million results.  Pretty sure some are not necessarily related to access management and cyber security, but a few probably are.  Zero Trust was a term coined by analyst group Forrester back in 2010 and has gained popularity since Google started using the concept with their employee management project called BeyondCorp.

It was originally focused on network segmentation but has now come to include other aspects of user focused security management.

Below is a hybrid set of concepts that tries to cover all the current approaches.  Please comment below so we can iterate and add more to this over time.

1. Assign unique, non-reusable identifiers to all subjects [1], objects [2] and network devices [3]
2. Authenticate every subject
3. Authenticate every device
4. Inspect, verify and validate every object access request
5. Log every object access request
6. Authentication should contain 2 of something you have, something you are, something you know
7. Successful authentication should result in a revocable credential [4]
8. Credentials should be scoped and follow least privilege [5]
9. Credentials should be bound to a user, device, transaction tuple [6]
10. Network communications should be encrypted [7]
11. Assume all services, API’s and applications are accessible from the Internet [8]
12. Segment processes and network traffic in logical and operational groups

[1] – Users of systems, including employees, partners, customers and other user-interactive service accounts
[2] – API’s, services, web applications and unique data sources
[3] – User devices (such as laptops, mobiles, tablets, virtual machines), service devices (such as printers, faxes) and network management devices (such as switches, routers)
[4] – Such as a cookie, tokenId or access token which is cryptographically secure.  Revocable shouldn’t necessarily be limited to being time bound. Eg revocation/black lists etc.
[5] – Credential exchange may be required where access traverses network or object segmentation.  For example an issued credential for subject 1 to access object 1, may require object 1 to contact object 2 to fulfil the request.  The credential presented to object 2 may differ to that presented to object 1.
[6] – Token binding approach such as signature based access tokens or TLS binding
[7] – Using for example standards based protocols such as TLS 1.3 or similar. Eg Google’s ALTS.
[8] – Assume perimeter based networking (either software defined or network defined) is incomplete and trust cannot be placed simply on the origin of a request

The below is a list of companies referencing “zero trust” public documentation:

• Akamai – https://www.akamai.com/uk/en/solutions/zero-trust-security-model.jsp
• Palo Alto – https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
• Centrify – https://www.centrify.com/zero-trust-security/
• Cisco – https://blogs.cisco.com/security/why-has-forresters-zero-trust-cybersecurity-framework-become-such-a-hot-topic
• Microsoft – https://cloudblogs.microsoft.com/microsoftsecure/2018/06/14/building-zero-trust-networks-with-microsoft-365/
• ScaleFT – https://www.scaleft.com/zero-trust-security/
• zscaler – https://www.zscaler.com/blogs/corporate/google-leveraging-zero-trust-security-model-and-so-can-you
• Okta – https://www.okta.com/resources/whitepaper-zero-trust-with-okta-modern-approach-to-secure-access/
• ForgeRock  – https://www.forgerock.com/blog/zero-trust-importance-identity-centered-security-program
• Duo Security – https://duo.com/blog/to-trust-or-zero-trust
• Google’s Beyond Corp – https://beyondcorp.com/
• Fortinet – https://www.fortinet.com/demand/gated/Forrester-Market-Overview-NetworkSegmentation-Gateways.html

*** This is a Security Bloggers Network syndicated blog from Infosec Pro authored by Simon Moffatt. Read the original post at: http://feedproxy.google.com/~r/InfosecProfessional/~3/viB6Z7IxVWM/a-zero-trust-manifesto.html