The DoD cyber landscape is ever-changing with more remote users, greatly expanding IoT, mobile devices and innovative new applications. Zero Trust Architecture (ZTA) begins with the premise that all networks, internal and external, should be treated as untrusted. Users connecting to the network have to prove valid authorization before being allowed access. It defines a model for providing granular access to applications based not only on the user, but also the device they are using.
Architecture
What does Zero Trust look like in practice? As the Air Force expands its use of Cloud and Software as a Service (SaaS), security measures have to equal (or even exceed) what existed with on-premises solutions. The attack surface grows as more people access systems from outside a base, yet remote to SIPR access is now a requirement for getting work done. Making sure that the right user with the right device is accessing data is key to a mature and reliable security posture.
Access must be denied to resources as quickly as possible. From a device perspective, the authorization may change based on security posture of the device. If a device is reported to be vulnerable to a known attack vector, access from that device should be limited to mitigate potential attacks using the vulnerability. This same level of granularity can be applied to access within the base helping mitigate insider threat and unauthorized access.
With a zero trust model the organization relies on:
- Data Protection – ZTA is a way to make the practice of microsegmentation operationally feasible. Authenticated and authorized access is encrypted from the end user computer to the application. This provides protection for both internal and external access to applications. For external access it removes the need for remote access VPNs. ZTA is actually more secure than a remote access VPN because the encrypted access is permitted on an application basis rather than a network basis like remote access VPNs. For internal access, the encryption provides a layer of protection from sniffing for clear text traffic on the wire.
- Policy Validation – In a perfect world, we would trust the security solutions to enforce the ZTA policy and only allow authorized users and devices to approved applications. In practice, we need to validate that the ZTA policy is being followed using solutions that can map network and application flows in the network and provide alerts for potentially unauthorized flows.
- Updating Inventory – The maintenance of the device and user databases is difficult. A ZTA solution is needed that is transparent to the end users and system administrators by automating the user and device inventory addition and deletion to limit the burden on administrators and ensure accurate policy enforcement.
Getting Started
To begin operating with a zero trust model, there are some key steps that need to be taken:
- Complete Asset Inventory – The asset inventory falls in line with the Center for Internet Security (CIS) Critical Security Controls. In the ZTA context, a continuously updated inventory of the types of devices that are allowed to access the network along with privileges is essential. This could be enterprise-owned devices as well as personally owned BYOD devices.
- Complete User Inventory – A continuously updated user inventory is required to validate access to applications and workloads. With this in mind, the users should also be grouped according to the rights that will be given based on their organizational roles.
- Access Requirements – The access requirements provide the decision tree to allow authenticated users access to their authorized applications if they are on approved devices. If this information is not documented and automated, it will be difficult to provide the granular limited access rights at the right time.
The Iron Bow Way
Iron Bow’s approach to ZTA is designed around using a DevSecOps environment, reducing latency to cloud-based apps, need for threat visibility, encrypting data in transit among others. Our solution encompasses:
- Strong User and Device Authentication – We utilize multi-factor authentication (MFA) to ensure strong user authentication, tying MFA with device security posture assessment to provide a single agent to validate the user and device prior to allowing application access.
- The Perimeter at the Endpoint – Authentication, authorization and encryption to only authorized applications begins at the endpoint. We use a cloud-based controller that has the strong user and device authentication defined above.
- The Perimeter at the Network Boundary – Next Generation Firewall (NGFW) solutions provide similar user and device validation.
- ZTA Policy Validation – On premises, this involves traffic and threat visibility using packet sniffing and Netflow analysis to alert when a policy is violated. For cloud, it involves API access to monitor and validate access to cloud-based applications.
- ZTA Policy Violation Policing – The automated enforcement based on the alerts is the final piece. The policing tools can ingest that information and quarantine a device if it is shown to violate the ZTA policy.
As ZTA matures further, solutions will become more prevalent and integrate more seamlessly with applications. Iron Bow stands ready to aid in the transition from current security best practices to an entirely new way of balancing security and risk. For more information, visit our website.
COMMENTS