Information security has received a great deal of attention in recent years from theoreticians and practitioners alike. Coming from an IT network security practitioner background over the last 15 years, I am always on the hunt for new ideas, particularly when it comes to innovating in the ever-changing world of information technologies. As the CTO of a company that works directly with Zero Trust access security, I have a responsibility, as do others who work in this space, to keep up with changes in strategies, trends and solutions. As the industry gains experience implementing Zero Trust in practice, I am examining various aspects of it closely in order to understand whether expectations are aligned with reality.
The Zero Trust approach was pioneered by John Kindervag of Forrester Research back in 2010. It is an approach used by IT network security teams that departs from the traditional model of first establishing trust in a user or device and then granting it access to IT resources. Instead, Zero Trust treats every connection as untrusted and validates it in depth. The network location from which a request originates becomes irrelevant to the access authorization decision.
The Zero Trust approach has received a lot of publicity lately, and many organizations are now in the process of implementing it in their IT networks. It falls to those of us who build Zero Trust and other security solutions to monitor trends and updates so that our products stay as effective as possible.
In August, Mattias Brutti, director of research and exploitation at Okta, published a blog post describing a vulnerability in the protocol between Microsoft Active Directory Federation Services (AD FS) and Multi-Factor Authentication (MFA) solutions. It allowed an attacker who already held one valid account and its second factor to satisfy the MFA check for other users in the organization whose passwords they also had, compromising those users. While the vulnerability has been fixed, the perception of MFA as a solid layer for verifying user identity has been cracked in the eyes of many practitioners.
Also, at the Black Hat conference, David Weston, security researcher at Microsoft, presented his analysis of the challenges of attesting device security posture, and challenged the effectiveness of MFA in a number of scenarios. (Full Disclosure: My company partners with Microsoft.)
Both findings raise concerns among practitioners implementing Zero Trust access in their environments. After all, in the eyes of many, strong user identity (relying heavily on MFA) and the ability to assess the security posture of the accessing device are the cornerstone principles of an identity-centric, rather than network-centric, access model. If those two mechanisms cannot be relied on, the reasoning goes, the model itself becomes unacceptable or insecure.
Zero Trust Defense-In-Depth
The principle of defense-in-depth, as laid out by the National Security Agency (NSA), stipulates that strong protection of IT systems requires multiple layers of protection rather than a single one, no matter how advanced, since the assumption must be that any single layer can fail, leaving the systems protected by the remaining layers.
In traditional network-centric IT security models, many of the security layers are tied to network topology and segmentation: VLANs, subnets, DMZs, IPS, firewalls, VPNs and so on. Identity-centric security models aim to make some of these layers less important, or even unnecessary, but they do not imply that the principle of protecting resources with multiple layers ceases to be a necessity.
Identity-centric security models should consist of multiple layers just as much as other models do. The layers, of course, should focus on the actual assets being verified or protected rather than on the network topology. For example, consider the following layered approach:
- Multifactor authentication
- Enterprise mobility management, device security posture verification and endpoint threat detection
- Data tagging/filtering
- Contextual detection/protection
- Behavior profiling/anomalies detection
- Data security, adaptive authentication, break-glass procedures and privileged access management
The mechanisms deployed at different layers make it possible to prevent, or at least contain, exposure to a security problem when some other layer is not functioning.
For example, if MFA does not deliver on its promise to establish the identity of a given user, the contextual detection layer or a break-glass procedure would serve as the containing measure.
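To make the layered decision concrete, here is an added illustration in Python; it is not code from the original article or from any product. Every layer inspects the same access request independently, no layer short-circuits the others, and the most restrictive verdict wins, so an MFA layer that has been fooled cannot grant access by itself. The layer names, the thresholds (a two-hour impossible-travel window, a 200-requests-per-hour baseline), the sensitivity labels and the sample requests are all constructed assumptions for this example.

```python
"""Layered (defense-in-depth) access decision for an identity-centric model.

Every layer inspects the same request independently and the most restrictive
verdict wins, so a layer that has been fooled (an MFA bypass, a spoofed device
posture claim) cannot grant access on its own. All names, thresholds and
sample requests are constructed for this illustration, not taken from a product.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Callable, Dict, List, Optional, Tuple


class Verdict(IntEnum):
    ALLOW = 0
    STEP_UP = 1   # grant only after an additional verification
    DENY = 2      # most restrictive; the ordering lets max() pick it


@dataclass
class AccessRequest:
    user: str
    resource: str
    sensitivity: str          # "internal" or "restricted" (assumed labels)
    mfa_verified: bool        # what the MFA provider reported
    mfa_subject: str          # identity the second-factor assertion names
    device_managed: bool
    device_compliant: bool
    country: str
    now: datetime
    last_country: str         # where this account was last seen
    last_seen: datetime
    requests_last_hour: int


Finding = Tuple[str, Verdict, str]   # (layer name, verdict, reason)


def mfa_layer(r: AccessRequest) -> Tuple[Verdict, str]:
    if not r.mfa_verified:
        return Verdict.DENY, "no second factor"
    if r.mfa_subject != r.user:      # the factor must be bound to the claimed identity
        return Verdict.DENY, "second factor not bound to claimed identity"
    return Verdict.ALLOW, "mfa ok"


def device_layer(r: AccessRequest) -> Tuple[Verdict, str]:
    if r.sensitivity == "restricted" and not (r.device_managed and r.device_compliant):
        return Verdict.DENY, "restricted data needs a managed, compliant device"
    if not r.device_managed:
        return Verdict.STEP_UP, "unmanaged device"
    return Verdict.ALLOW, "device ok"


def context_layer(r: AccessRequest) -> Tuple[Verdict, str]:
    # Assumed rule: a new country within two hours of the last login is impossible travel.
    if r.country != r.last_country and r.now - r.last_seen < timedelta(hours=2):
        return Verdict.DENY, "impossible travel"
    return Verdict.ALLOW, "context ok"


def behavior_layer(r: AccessRequest) -> Tuple[Verdict, str]:
    if r.requests_last_hour > 200:   # assumed per-user baseline
        return Verdict.STEP_UP, "request volume anomaly"
    return Verdict.ALLOW, "behavior ok"


LAYERS: List[Callable[[AccessRequest], Tuple[Verdict, str]]] = [
    mfa_layer, device_layer, context_layer, behavior_layer,
]


def decide(r: AccessRequest, layers=LAYERS) -> Tuple[Verdict, List[Finding]]:
    """Run every layer (no short-circuit) and fail closed on the worst verdict."""
    findings = [(layer.__name__, *layer(r)) for layer in layers]
    verdict = max((v for _, v, _ in findings), default=Verdict.DENY)
    return verdict, findings


def break_glass(r: AccessRequest, ticket: Optional[str], approver: str,
                window: timedelta = timedelta(minutes=30)
                ) -> Tuple[Verdict, List[Finding], Optional[Dict[str, object]]]:
    """Emergency path: needs a ticket and a different approver, is time-boxed
    and always audited. It can lift a STEP_UP but never override a DENY."""
    verdict, findings = decide(r)
    if verdict is Verdict.DENY or not ticket or approver == r.user:
        return Verdict.DENY, findings, None
    audit = {"user": r.user, "resource": r.resource, "ticket": ticket,
             "approver": approver, "expires": r.now + window}
    return Verdict.ALLOW, findings, audit


# Constructed samples: in SUSPICIOUS the MFA layer reports success, as it would
# after a bypass, but the same account was seen in another country 20 minutes ago.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SUSPICIOUS = AccessRequest(
    user="alice", resource="hr-db", sensitivity="restricted",
    mfa_verified=True, mfa_subject="alice",
    device_managed=True, device_compliant=True,
    country="DE", now=T0, last_country="US",
    last_seen=T0 - timedelta(minutes=20), requests_last_hour=12,
)
NORMAL = replace(SUSPICIOUS, country="US")
UNMANAGED = replace(NORMAL, sensitivity="internal", device_managed=False)

if __name__ == "__main__":
    for name, req in [("suspicious", SUSPICIOUS), ("normal", NORMAL), ("unmanaged", UNMANAGED)]:
        verdict, findings = decide(req)
        print(name, verdict.name, [(layer, v.name, why) for layer, v, why in findings])
```

The design choice worth noting is that `decide` never stops at the first layer that says "allow": the suspicious request passes the MFA layer and the device layer, and is still denied because the contextual layer sees impossible travel. The break-glass path is deliberately narrower than the normal one, not wider: it can lift a step-up requirement under a ticket and a named approver, but it cannot override a denial, and it always produces an audit record.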
Risk-Reward Based Approach
In general, whenever dealing with access to sensitive IT systems or resources, a risk-reward approach is the only one that can work. Otherwise, we could always claim that the safety of our information is at an all-time high when we deny all access to it.
This is a model that provides the business with effective IT tools while maintaining control over important information assets. Every organization that has IT could (or should) implement it. It is not a product you buy or a service you rent; it is a policy you adopt towards your IT assets. It is something my company works with, and I recommend that other IT security companies do the same, as it brings a new level of effectiveness to their products.
As all IT experts know, no single tool or technology can ever be treated as a silver bullet that makes all information security risk disappear. The Zero Trust philosophy is defining the new defense-in-depth strategies that will maintain the integrity of corporate information and services even when one, or more, layers of defense fail.
A holistic risk-reward approach that defines which information we want to make accessible, to which business roles, and under what conditions puts the recent findings of security research teams into the correct perspective. The surfaced deficiencies in the tested mechanisms should be addressed, making them more robust and secure, but the overall attitude should not change. Applying Zero Trust should not contradict fundamental principles such as the need for multiple layers of defense; when it does not, it can deliver the promised benefits without exposing the practitioners implementing it to additional security risk.