With the evolution of traditional corporate networks over the recent decades, a security paradigm has developed that no longer meets today’s requirements of corporate modern networks. Cloud services, remote users and personally-owned devices are ubiquitous. The increasing number of successful attacks on corporate networks is a clear indication of this. As an alternative, the Zero Trust concept has evolved and is being successfully deployed and propagated by big IT corporations. The description of the weaknesses of the traditional approach and the presentation of the basic features of the Zero Trust concept are the subject of this blog post.
For many years, the cybersecurity paradigm has emulated a familiar form of physical security from the middle ages: the castle with a wall, a gate and sometimes a moat around.
The basic idea is that the friend is inside and the foe is outside. Thus, protecting the inside against attacks from outside is the focus of this security model. In this classic defence model, multiple layers of protection with tightly secured checkpoints and gateways surround and protect the assets. All access is controlled and verified at the gate where authentication and authorisation are granted. However, once verified, people are assumed to be trusted and are free to act inside the protected object.
This principle is too used for the classic defence model for IT networks. In its original form, a firewall protects the entire network as an access mechanism. Also, here, getting access through the firewall is associated with the assumption of trustworthiness. Any entity can be accessed in principle if it is not further protected.
The more services companies have provided to the outside world over time, such as the company’s website, the greater the need to separate them from internal systems. Consequently, the next step in the evolution of security models was the introduction of demilitarized zones (DMZ). With a DMZ, an extra layer is added to separate the internal network from untrusted traffic. Any service provided to users on the public internet is placed here in the DMZ.
The model has shortcomings, mainly with granting excessive access from inadequate authentication and authorisation. Attackers can try to bypass the gateways using hacking tools. The more common way nowadays is to trick the users of the network via phishing so that malware enters the internal network using their account and the respective user rights. Once the infection, e.g. with ransomware, has taken place, all the security mechanisms are of no use anymore, as the malware has free access to the internal systems. The problem with this security model is the implied or implicit trust which is granted to people or services within the walls of the network.
The next step in the evolution of security models was to separate the internal network into segments which are secured according to their protection requirements. If an infection occurs in one segment, the other segments are still protected by their security mechanisms. Despite the rather good idea, reality shows that malware nevertheless often gets into sensitive segments via the appropriate user access permissions.
In today’s digital world, the assumption that the friends are inside and the foe is outside is no longer valid. Since COVID at the latest, considerable numbers of users have been working outside the physical internal network boundaries and are thus in “enemy territory”.
In addition, with the transition to the cloud era, the sensitive parts of the formerly internal segments, i.e. applications and data, are now increasingly being moved to the cloud provider’s data centres. This also puts them in “enemy territory” in terms of traditional philosophy.
The traditional way used to connect users and systems, if they are outside of corporate locations, to the internal network is the so-called VPN. A VPN (virtual private network) is a service that creates a safe, encrypted online connection. It acts like a gate from the outside to a local network. Again, it is assumed that anything that passes through the VPN can be trusted.
This model has worked for use cases where end users gain access to the corporate network only from approved corporate-managed devices that are cut off from the unsafe outside world. But, today, the VPN model doesn’t adequately meet the needs of the evolving use cases. Apps have been modernised for web-based access and deployed in multi-cloud environments. Employees use their own devices for remote work and in places also within the corporate network. Apps, data and services are not just inside the walls of the data centre. Forcing users independent of their location to use cloud applications not directly but only through a corporate VPN is inefficient. And here, too, there is still the problem that a malware or an attacker who has found his way into the corporate network has access to the corresponding resources as a trusted instance.
Thus, organisations need a framework that allows easy access to all resources without slowing down productivity and where the systems and the access to the systems are protected, taking into account the given circumstances.
Zero Trust is a modern security model based on the design principle “Never trust, always verify.” Consequently, a Zero Trust architecture focuses on protecting resources and not network segments containing groups of resources. The network location of a user, device or resource is no longer the decisive decision criterion of the security concept. There is no implicit trust granted to users or systems based on their physical or network location. Consequently, the trust principle has to move from network segments to the individual instances of a network. Therefore, continuous authorisation is required.
For the Zero Trust model, Microsegmentation is an important concept. Microsegmentation divides networks into smaller zones. It can create segments down to the workload level. On each of the microsegments, granular access policies are applied. All devices and users, regardless of whether they are inside or outside an organisation’s network, are required to be authenticated, authorised and regularly validated before being granted access. Thus, the resources of a network are isolated from each other regardless of where they are located, and the flow of information between them can be monitored and controlled. Various network security tools, like firewalls, intrusion detection and prevention systems, sandboxing etc., can be used for this.
In analogy to our opening example, the focus of granting access is no longer on the gate of the castle but on the objects inside the castle. Even if all access attempts are initially considered untrusted, this does not mean that there are no longer different trust levels. However, these are now decided not only on the objects that want to access the network but also on the situation they are in at the time of access. This is to be illustrated by the example of a user access.
When users try to access corporate resources, their devices may not be located within the corporate network and/or managed by the company. At this point, Conditional Access comes into play. In the traditional world, the users have different privileges to access different resources. After logging in, one can access the resources according to the privileges one has, regardless of where one is or which device one is currently using. This is the reason why the ability to log in is often limited to company-managed devices and access to the corporate network via VPN.
Conditional Access additionally differentiates privileges according to the situation the user is currently in. In the case of access from vacation with a private laptop, for example, certain privileges are withdrawn depending on the circumstances. In such a two-tier privilege system, first, the essential condition for access to be granted is the access privilege assigned to the user, and second, factors like the utilised device, its location and other environmental aspects determine whether no access, partial or full access to a resource is permitted.
This can be realised via a scoring concept. To access the systems to which the user basically has privileges, he or she must reach certain system-specific score levels. If this is not the case, access is denied. In the case of the figure above, for example, the user’s situation only allows access to the HR-App.
A Zero Trust architecture is formed by different pillars to meet the needs of today’s complex IT structures:
The Zero Trust concept is thus a response to the changing digital world in order to ensure the necessary security under today’s conditions. The fact that this no longer works sufficiently with the old concepts can be seen in the number of successful attacks on companies in which data is stolen and/or ransomware is installed. Companies that still manage their security according to the “old world” concepts have no choice but to wall themselves in further and further, thus exposing users to more and more restrictions. On the one hand, this is to the disadvantage of user satisfaction and provokes undermining reactions. On the other hand, it leads corporate IT into a dead end, as dynamics and flexibility are increasingly restricted. However, this is the opposite of what companies need in today’s world in order to be fit for the future.