What is Zero-Trust?
The acute lockdown caused by Covid-19 has caused extraordinary changes in companies and for employees and, to put it mildly, significantly increased the importance of teleworking infrastructures. While many companies have managed to provide some kind of teleworking opportunity, some better, some worse, and some even published their success stories about it, security was given very limited, if any, consideration. Many companies underestimate the risks in this context. You could see companies opening holes in their firewalls to allow remote access without working out a security concept or risk assessment first. Few companies had done this in advance in order to be prepared for such cases. For most, there was no time to do this when the lockdown was announced and delays in providing teleworking opportunities would have been expensive, which is why this was either not considered or was deliberately postponed. Since Covid-19 will not disappear anytime soon and home office workplaces will remain at many companies regardless of the pandemic, now is the time to deal with the lack of consideration of IT security, before attackers identify weaknesses and catapult companies into the next crisis.
To this day, companies rely on a decades-old security strategy, namely the isolation of the company network from the Internet (perimeter-based security) and the consideration of the internal network as trustworthy. The isolation is realized by firewalls and other security components. Every user and every device on the internal network is classified as benign and therefore access to internal resources from internal sources allowed. Authentication is implemented in some places, but the level of protection is generally low internally, because this outdated security strategy trusts the protection of the perimeter entirely and believes that it cannot be circumvented.
Years ago, however, it became clear that protecting the perimeter against external attacks is not sufficient on its own, as attackers will always find a way into the internal network. This is where the asymmetry between attackers and defenders comes to the fore: while attackers only need to find a single weakness to get into the internal network, defenders have to secure all systems, plug all gaps and not allow themselves to make any mistakes. This inequality already shows the weaknesses of a security strategy that relies on a strong perimeter only, because the risk of breaching the perimeter can hardly be sufficiently mitigated. There are application vulnerabilities, against which perimeter protection mechanisms are not effective. Often people are the weakest link in the chain, which is exploited by phishing and social engineering attacks. These attacks are old, but still as effective as they were many years ago because, unlike software, humans cannot simply be updated. Even against such attacks, perimeter protection can do little. And then there are holes in the firewalls for intentional access from outside, for example for VPNs, remote desktops, terminal services and partner networks. Once attackers are in the internal network, it is usually easy for these other systems and ultimately the entire domain to be brought under your control. Often sensitive data is stolen and then sold or it is encrypted and only released again for a ransom (although there is no guarantee that the data will actually be decrypted after payment).
In recent years, another problem with perimeter-based security has emerged: cloud computing. Resources in the cloud, whether software, data or infrastructure, are outside the internal network and therefore cannot be protected by the perimeter. The trend towards cloud computing will further exacerbate this aspect.
If perimeter-based security no longer works, what strategy should be used instead?
The term “zero trust” has recently been established, which describes the notion that nobody should be trusted by default, regardless of whether in or outside the network. Instead, controls must be implemented that are effective against attacks within the internal network, as well as monitoring in order to be able to identify abnormalities. The basic principle is to place protective mechanisms as close to resources to be protected and to configure access control granularly. Depending on the use case, the topology and the technology, concepts and their implementation differ.
For client networks and client applications, Zero Trust concepts deal with device health management, user and device authentication and access gateways to protect resources. Both the identity and the security status of devices should be determined and access rules at the access gateways can take these aspects into account. For example: For clients that are not patched and therefore have critical vulnerabilities, access to data can be denied, even if the user would be authorized to see the data. The location of the device could also be taken into account.
For communication within a data center, zero trust concepts deal with the authorization and monitoring of communication relationships. Implementation approaches are micro-segmentation and software-defined networking (SDN). The more granular the segmentation, the more finely the accesses can be controlled and the smaller the attack surface for lateral movement. For microservice architectures, zero trust can be implemented using network policies or service mesh to monitor every access in a granular manner.
So, you can already see that Zero Trust is an opinion instead of a concrete concept. It affects various aspects such as network and device security, application and service security, authentication and security monitoring. Zero Trust has also established itself as a buzz word that manufacturers try to associate with all their products. Organizations should therefore first think about their basic IT and security strategy and how they want to include zero trust aspects in it. Only then should products be selected that are consistent with this strategy. Unfortunately, it is not possible to buy Zero Trust off-the-shelf, but this radical paradigm shift requires a well-planned transition, usually with hybrid approaches for longer periods of time.
This article is in no way intended to downplay the benefits of perimeter-based security, but merely to point out its weaknesses, especially regarding current trends. Good protection of the perimeter can significantly reduce many risks. However, completely relying on the protection of the perimeter is not a good security strategy in most cases and involves high risks. We strongly recommend that attackers within the internal network also be taken into account and to be prepared accordingly, because sooner or later there will be a break-in. An investment that pays off.