“Zero Trust” has become a buzzword in security, driven by the recognition that traditional perimeter-centric strategies fail to defend against advanced threats. Companies from current market leaders to start-ups now promote various “Zero Trust” solutions, but anyone looking into the technical details may be confused, because those solutions often have very little in common. Still, “Zero Trust” is not just more marketing jargon; it is an alternative to, or even a revolution of, the traditional security model. Here we summarize and clarify what it is about, from the perspective of applying the concept and building new products or solutions.
To start with, we should understand that the “Zero Trust” concept actually has two different origins. The “Zero Trust” model was introduced by Forrester analyst John Kindervag in 2010, calling for a change of mindset in network security so as to address threats inside the network. The Forrester model dynamically builds and secures network segments within a company network, each for a specific function and all under central management.

Meanwhile, Google launched the BeyondCorp project in 2011 to solve the problems that came with the adoption of mobile and cloud technologies, which may give an attacker relatively easy access to a company’s privileged intranet. With the idea of dispensing with a privileged corporate network altogether, BeyondCorp moves all corporate applications to the Internet and enforces fine-grained access control based solely on device state and user credentials. Since a company’s privileged intranet is traditionally considered secure and trusted, the BeyondCorp approach also picked up the name “Zero Trust” as it attracted more attention.
While the two origins of “Zero Trust” are quite different and lead to products and solutions that are not even close to each other, they share the same fundamental concept: the perimeter we used to trust is no longer reliable. Perimeter-based security follows a proven model from the physical world, and the line between the trusted internal network and the untrusted external network used to be quite clear: the edge, as Forrester Research calls it. Although technologies like VPN blurred the line, we believed it was mostly under control, until recently, when we had to acknowledge the reality. On one side, there is no longer a clear line between the internal network and the external one; this is the BeyondCorp case, where corporate applications face challenges from the new trends of mobile and cloud. On the other side, the internal network is insecure and should no longer be trusted; this is the Forrester case, which focuses on network architecture.
The two “Zero Trust” scenarios are complementary, and both are necessary for a complete enterprise solution in the future, so they should be combined.
Let’s talk about Google BeyondCorp first.
In the “good old days” there was no such thing as a mobile workforce: a company had all its employees working inside the office, on devices installed and managed by the IT department. Neither were there cloud services, provided by third-party vendors and delivered from the Internet. With both the employees and the valuable resources located inside the company’s local network, it was reasonable and efficient to use perimeter security, assuming that anything outside the perimeter was dangerous while everything inside could be trusted. However, with more and more people working from home or on the move, using mobile devices that are not necessarily owned by the company, and relying on cloud services from different vendors, it is clear that a company can no longer depend on the perimeter security model. BeyondCorp’s answer is to remove the requirement for a privileged intranet.
BeyondCorp promotes a new approach to secure access, and diving deeper we can see there are actually two use cases: remote access and privileged access.
By moving all corporate applications to the Internet, a company enforces strong security controls on access to each and every application, whether it comes from a cloud vendor or is built in-house. On the other side, each user’s devices connect to the Internet directly, and there is no longer such a thing as local or remote. As a result, the Internet becomes a borderless intranet. Obviously, the VPN is the first thing to become obsolete for remote access, and network administration becomes much easier with a simplified topology.
Meanwhile, a unified portal for all corporate applications is presented to the Internet, and access privileges can be granted and supervised for each connection, or even each action, based on the state of the user’s device and account. Centralized, fine-grained access control not only makes it more efficient to manage the use of each corporate application, but also enables the company to identify and respond to malicious or suspicious activity more effectively. Moreover, privileged accounts used to be a big management challenge, because assets and applications in the intranet were managed and accessed in a dispersed way; now they come under proper control.
Overall, the BeyondCorp solution can be taken as an implementation of a Software Defined Perimeter (SDP), and we can see the following product categories playing important roles; apparently, cloud-based solutions are preferred:
- Enterprise Mobility Management (EMM) for device inventory and state
- Identity Management (IdM) for user account and state
- Resource Management for housekeeping of enterprise applications and servers
- Access Management to provide a unified portal and grant authority properly/dynamically
- Behavior Analysis for continuous monitoring on users and devices
Access Management is at the core, and for privileged access and resources we can bring in another category of products, Privileged Access/Account Management (PAM). Moreover, since some corporate applications are cloud-based (SaaS), there is also a role for a Cloud Access Security Broker (CASB).
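To make the access-control side concrete, here is a small policy engine of the kind an access proxy in this model would run: every request carries the user's account state (from IdM), the device's inventory state (from EMM) and the target resource, and the decision is made from those alone, with the source IP logged but never consulted. This is an added example written for this article, not code from Google's BeyondCorp project; the tier names, inventory fields and resource catalog are assumptions chosen for illustration, and the users, devices and requests are constructed.

```python
"""
BeyondCorp-style access proxy: decide each request from user and device state.

Added example, not Google's BeyondCorp code. Inventory fields, tier names and
the resource catalog are assumptions; all users, devices and requests below
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Device trust tiers, lowest to highest. Network location never appears here:
# only device state (EMM inventory) and the user's account state (IdM) matter.
TIERS = ["untrusted", "basic", "privileged"]


@dataclass
class Device:
    device_id: str
    managed: bool        # enrolled in the EMM inventory
    cert_valid: bool     # device certificate chains to the corporate CA
    disk_encrypted: bool
    os_patch_date: date  # last OS security update applied


@dataclass
class User:
    username: str
    groups: set
    mfa_passed: bool     # second factor completed for this session


@dataclass
class Resource:
    name: str
    min_tier: str        # lowest device tier allowed to reach it
    allowed_groups: set
    require_mfa: bool = True


@dataclass
class Request:
    user: User
    device: Device
    resource: Resource
    source_ip: str       # kept for audit logs, deliberately ignored by policy
    today: date


def device_tier(dev: Device, today: date, max_patch_age_days: int = 30) -> str:
    """Derive the trust tier from inventory state. An unmanaged device, or one
    without a valid certificate, is untrusted no matter what else it reports."""
    if not dev.managed or not dev.cert_valid:
        return "untrusted"
    stale = (today - dev.os_patch_date).days > max_patch_age_days
    if not dev.disk_encrypted or stale:
        return "basic"
    return "privileged"


def evaluate(req: Request) -> tuple:
    """Default deny. Returns (allowed, reasons); every failed check is kept so
    the decision can be audited and fed into behaviour analysis."""
    reasons = []
    tier = device_tier(req.device, req.today)
    if TIERS.index(tier) < TIERS.index(req.resource.min_tier):
        reasons.append(f"device tier {tier} below required {req.resource.min_tier}")
    if req.resource.require_mfa and not req.user.mfa_passed:
        reasons.append("mfa not completed")
    if not (req.user.groups & req.resource.allowed_groups):
        reasons.append("user not in an allowed group")
    return (not reasons, reasons or ["all checks passed"])


def demo() -> dict:
    """Run constructed requests through the proxy; returns name -> decision."""
    today = date(2024, 6, 1)
    payroll = Resource("payroll", min_tier="privileged", allowed_groups={"finance"})
    wiki = Resource("wiki", min_tier="basic", allowed_groups={"staff"}, require_mfa=False)
    alice = User("alice", groups={"staff", "finance"}, mfa_passed=True)
    laptop = Device("lap-01", True, True, True, date(2024, 5, 20))   # healthy
    byod = Device("phone-xy", False, False, True, date(2024, 5, 30))  # unmanaged
    stale = Device("lap-02", True, True, True, date(2024, 1, 1))     # old patches
    cases = {
        # corporate laptop from a coffee shop: location is irrelevant, allowed
        "laptop_payroll_from_internet": Request(alice, laptop, payroll, "203.0.113.7", today),
        # same user on an unmanaged phone, sitting in the office: denied
        "byod_payroll_from_office": Request(alice, byod, payroll, "10.0.0.5", today),
        # stale patches drop the laptop to "basic": wiki allowed, payroll denied
        "stale_laptop_wiki": Request(alice, stale, wiki, "10.0.0.6", today),
        "stale_laptop_payroll": Request(alice, stale, payroll, "10.0.0.6", today),
    }
    return {name: evaluate(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({'; '.join(reasons)})")
```

The point of the constructed cases is the inversion of the perimeter assumption: the request from a public address is allowed because the device is healthy, while the request from inside the office is denied because the device is not in the inventory. Recording every failed check, rather than a bare deny, is what later lets a behaviour-analysis component spot a user whose device keeps degrading or who keeps probing resources outside their groups.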
Now let’s move to the Forrester case.
Traditionally, connectivity and performance drove the deployment and evolution of the enterprise network, and the result is the hierarchical three-tier architecture we have today. This hierarchical architecture gives little thought to security, and from it we cannot see how a company is organized or how the different parts of the company are interconnected and function. As a result, it is practically impossible for security professionals to architect and enforce security controls that fit into, and change along with, business practices. “By the time they identified a security issue and brought in security professionals, network professionals had already built the network; we then had to bolt on security controls after the fact”, as Forrester Research put it.
However, this deficiency in security was not taken as a big issue with the hierarchical network architecture, just as it has not been for thousands of years in the physical world. Thinking of a medieval castle, we used to believe the local network as a whole was secure and trusted. To protect a local network, what we needed to do was first identify the perimeter and then enforce all kinds of security controls on it. Moreover, we emphasized defense in depth, deploying multiple layers of perimeters to protect assets of different usage, classified at different security levels and placed in different security zones. For example, we set up a DMZ (demilitarized zone) for Internet-facing applications that need to communicate with both the internal and the external network, while the data center network, where the core business systems are located, gets another layer of security controls with additional firewalls, IPS, and so on.
But now we know that the internal network is not secure. Not only can malicious employees harm the company through theft or sabotage, but hackers can take advantage of negligent employees or partners, penetrate a company’s internal network, and reside there for a long time before being noticed. In fact, the reality we have to admit today is that the question is not whether a company’s internal network can be compromised, but when a breach will be detected.
Assuming the bad guys are already in a company’s internal network, we arrive at the Forrester Zero Trust network architecture. Examining this new concept further, you may be surprised that the “perimeter” is still there, although under a new term from Forrester Research, the microcore and perimeter (MCAP). Diving deeper, however, we find that what is inside the perimeter, in the old sense, is completely different; or rather, the perimeter is no longer what it used to be. Instead of the frontier where a company deploys all kinds of security controls, the perimeter now simply marks the boundary of a trust zone, which has clearly identified functions and operates at a trust level that is constantly verified. The result is that, rather than a unified space free to explore, the local network now consists of many segments that do not share trust in users or entities.
Moreover, central management is achieved because trust zones interface only with the segmentation gateway. The segmentation gateway embeds all kinds of security technologies such as access control, traffic inspection, anti-malware and content filtering, and all entities must be clearly identified, with sufficient authentication and authorization, and then placed into trust zones according to the functions they perform. Each trust zone serves its own function and persists even when the network infrastructure changes, for example when IP addresses change. Apparently, it is also the segmentation gateway that creates and manages the trust zones and grants access across them.
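The two properties that matter most in the paragraphs above, that entities are placed into zones by the function they perform rather than by address, and that cross-zone access is granted only by the gateway, are easiest to see in code. The following is an added example written for this article, not Forrester's or any vendor's implementation; the zone names, port numbers and hosts are constructed, and the simple (source zone, destination zone, port) rule table is an assumption standing in for the gateway's real policy language.

```python
"""
Segmentation gateway with function-based trust zones, after the Forrester
Zero Trust / MCAP idea.

Added example, not Forrester's or any vendor's code. Zone names, ports and
the hosts below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Entity:
    name: str
    function: str  # what the workload does; this decides its trust zone
    ip: str        # infrastructure detail, never used as a policy key


# Zone placement follows function and is fixed when the entity is admitted (NAC).
ZONE_OF_FUNCTION = {
    "workstation": "users",
    "web-frontend": "dmz",
    "app-server": "app",
    "database": "data",
}

# Inter-zone policy: (src_zone, dst_zone) -> allowed destination ports.
# Any pair not listed is denied; the gateway sits on every inter-zone path.
INTER_ZONE_RULES = {
    ("users", "dmz"): {443},
    ("dmz", "app"): {8443},
    ("app", "data"): {5432},
}


class SegmentationGateway:
    def __init__(self, entities):
        self.inventory = {}   # name -> Entity
        self._by_ip = {}      # current address -> Entity, rebuilt on change
        for e in entities:
            self.enroll(e)

    def enroll(self, e: Entity) -> None:
        """NAC step: admit an identified entity and place it by function."""
        if e.function not in ZONE_OF_FUNCTION:
            raise ValueError(f"unknown function {e.function!r}: refuse to place")
        self.inventory[e.name] = e
        self._reindex()

    def readdress(self, name: str, new_ip: str) -> None:
        """An infrastructure change (DHCP, migration) leaves zone membership intact."""
        self.inventory[name].ip = new_ip
        self._reindex()

    def _reindex(self) -> None:
        self._by_ip = {e.ip: e for e in self.inventory.values()}

    def zone_of(self, e: Entity) -> str:
        return ZONE_OF_FUNCTION[e.function]

    def decide(self, src_ip: str, dst_ip: str, dst_port: int) -> tuple:
        """Return (allowed, reason) for one flow seen at the gateway."""
        src, dst = self._by_ip.get(src_ip), self._by_ip.get(dst_ip)
        if src is None or dst is None:
            return False, "unidentified endpoint"  # never admitted by NAC
        sz, dz = self.zone_of(src), self.zone_of(dst)
        if sz == dz:
            return True, f"intra-zone traffic within {sz}"
        if dst_port in INTER_ZONE_RULES.get((sz, dz), set()):
            return True, f"{sz}->{dz}:{dst_port} permitted by policy"
        return False, f"{sz}->{dz}:{dst_port} not in policy"


def demo() -> dict:
    """Constructed flows, including a lateral move and a re-addressed host."""
    gw = SegmentationGateway([
        Entity("ws-17", "workstation", "10.1.0.17"),
        Entity("web-1", "web-frontend", "10.2.0.1"),
        Entity("app-1", "app-server", "10.3.0.1"),
        Entity("db-1", "database", "10.4.0.1"),
    ])
    r = {}
    r["ws_to_web_https"] = gw.decide("10.1.0.17", "10.2.0.1", 443)
    # a compromised workstation tries to reach the database directly
    r["ws_to_db_pg"] = gw.decide("10.1.0.17", "10.4.0.1", 5432)
    r["app_to_db_pg"] = gw.decide("10.3.0.1", "10.4.0.1", 5432)
    # an unenrolled box squatting on an address in the app server range
    r["rogue_to_db_pg"] = gw.decide("10.3.0.99", "10.4.0.1", 5432)
    # the database moves; policy follows the entity, not the address
    gw.readdress("db-1", "10.9.9.9")
    r["app_to_db_after_move"] = gw.decide("10.3.0.1", "10.9.9.9", 5432)
    r["old_db_address"] = gw.decide("10.3.0.1", "10.4.0.1", 5432)
    return r


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Two things to notice: the rogue host is denied not because of a rule about its address but because it was never identified and admitted, and re-addressing the database changes nothing for the app server while the abandoned address becomes unknown to the gateway. The example lets traffic within a zone flow, since entities in one zone share a trust level in the MCAP model; a stricter micro-segmentation deployment would route intra-zone traffic through the gateway as well.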
Examining the Forrester case, we can summarize the adoption of the following technologies and solutions:
- Network Access Control (NAC) to verify all entities accessing the network
- Micro-segmentation for creating and managing trust zones, with software-defined networking (SDN) technologies to centralize network management
- Security gateway with extensive threat-defense capabilities for active inspection of, and security controls on, all network traffic
- Network Logging and Monitoring for auditing and forensics, as well as proactively adjusting security policies and controls according to changes in threat landscape
As we mentioned earlier, the BeyondCorp case is about secure access, while the Forrester case is about segmenting the network. Both share the same idea of “Zero Trust” but address different challenges; however, taking one step further, we can see that what we segment in the Forrester case is exactly the resource we want secure access to in the BeyondCorp case. In fact, we can combine the Access Proxy from the Google BeyondCorp project with the Segmentation Gateway from the Forrester Zero Trust network architecture and get a complete “Zero Trust” solution, from the outside to the inside of a company network.
While there are already many “Zero Trust” products and solutions on the market, I would say the evolution is still at an early stage, and I personally believe the security world will look significantly different in 5-10 years, with “Zero Trust” solutions finally dominating the market. As for now, as far as I am aware, solutions from Zscaler, for secure access, and VMware + Palo Alto Networks, for secure segmentation, are quite promising.