topic Re: Zero Trust (ZT) Security Architecture Model - Looking for and Sharing Sources of Knowledge in Industry News

Zero Trust (ZT) Security Architecture Model - Looking for and Sharing Sources of Knowledge

azhuk — Mon, 09 Oct 2023 08:22:23 GMT

Dear Colleagues,

I believe Zero Trust (ZT) architecture is the next generation security model for on-premise as well as hybrid and cloud-based systems. In my research of this relatively new topic, I found only a handful of resources available. To share what I know and to provide a baseline for your own exploration of ZT architecture, I created a simple website at www.zerotrust.info. Please feel free to visit and check out the list I compiled. Also please share with me any notable information sources that I might have not included in my modest catalog. Thank you very much!

Best regards,
Aleksandr

Re: Zero Trust (ZT) Security Architecture Model - Looking for and Sharing Sources of Knowledge

dhouser — Fri, 08 Dec 2017 04:37:56 GMT

I presented a paper at RSA 2002 on the topic and it was written up in Information Security magazine. Here are a few links.

Perimeter Defense in a World Without Walls:

https://www.slideshare.net/DanHouser/perimeter-defense-in-a-world-without-walls

"Beyond network perimeter defense: A 'submarine warfare' strategy", Information Security Magazine, Aug, 2002. Last accessed 1-Dec-2017 at: http://searchsecurity.techtarget.com/feature/Beyond-network-perimeter-defense-A-submarine-warfare-strategy

http://slideplayer.com/slide/4565710/ + https://media.techtarget.com/searchSecurity/downloads/ISDF04_HouserPerimeter.ppt

I think the essential mindshift is something I told my CISO at Cardinal Health around 2012 that pissed him off a little bit - "The internal corporate network is just the part of the Internet that we own, and it's a little less safe than Starbucks."

If you stop thinking about your corporate network as trusted (because, truly, it shouldn't be trusted) then you arrive at the zero trust model. Anywhere you have users clicking on things in their email and browser, that's not a trusted zone.

What I think is more viable is what you can find in the Information Security Management article, which is an enclave model, a locked down fortress internal in the network where the crown jewels are stored. To actually achieve this, however, you need to break credentials at the firewall to that enclave, and treat it like a different company. If the backup, monitoring, patch management, orchestration, security monitoring, and change control accounts are the same in the unsecured zone and the enclave, then you're kidding yourself.

-ddh

___________________

Daniel D. Houser, CISSP-ISSAP-ISSMP CISA CISM CSSLP CGEIT

Sr. Consultant, Security Strategy & Architecture

InfoSec Innovations

+1 614.805.4289

dan.houser@infosecinnovations.com

@Secwonk

Better Information Security Through: Science, Creativity, and Caring

Re: Zero Trust (ZT) Security Architecture Model - Looking for and Sharing Sources of Knowledge

azhuk — Fri, 08 Dec 2017 05:22:08 GMT

Hello Daniel,

Thank you very much for such a detailed response and for all the links that you provided! I sincerely appreciate it. I also love your assessment of what corporate network really is today. What a wonderful way to put it! May I quote you on the homepage of my new knowledge sharing portal www.zerotrust.info?

One of the most potent business strategic thinking ideas I have found in my research and practice is to imagine that one's products are free. Such "preposterous" idea makes one think really hard about how to deliver new value to one's customers. I think, your message to the CISO is right on the money in the very same way--it forces the "now what?" approach to making a corporate infrastructure significantly more secure. Unpleasant as it might be, this is akin the muscle pain we feel after a good physical exercise. No pain, no gain. Thanks again!

AZ

Aleksandr Zhuk, DM, CISSP, BRMP, ITIL Expert
+1.212.380.8544

azhuk@azhuk.com

Re: Zero Trust (ZT) Security Architecture Model - Looking for and Sharing Sources of Knowledge

dhouser — Fri, 08 Dec 2017 07:00:25 GMT

Sure. Just to clarify, don't quote Cardinal's name. I said the quote while I worked there but it wasn't because Cardinal Health had insecure networks. In fact, they have a robust security program. I think this is true of any firm. Wherever you have users clicking on links in email & browsers, you have an attack surface. Most organizations have flat networks, and you have an (N)^2 problem with that attack profile.

Your typical Starbucks public WiFi network has maybe 30 nodes, with hugely variant security, but most are likely not terrible, and auto-patch is quite common now on consumer desktops. It's a low-utility network that really only does a few things - legal opt-in to T&Cs, metering, DHCP, DNS resolution, IP gateway services, content filtering, and some traffic isolation. That's about it. It's not uber high-security, but it's low-utility and low-volume, so small attack surface. (N)^2 where nodes are 30 = 900.

Compare this small, relatively secure network with 50,000 or 100,000 endpoints on a typical large corporate network grown organically over 20+ years. (N)^2 where nodes are 50,000 = 2,500,000,000

Worse, you'll typically find one or more of these to be true:

500 consultants using Goodness-only-knows-what as their compute platform
10 vendors a day connecting in
rogue switches & access points
VPN accounts that got handed out from time-to-time to non-employees
test/dev/QA parked in production network (yes, the _CODE_ is Dev, but the server & network are prod)
Shadow IT
IoT that walks in the door
Modems for fax support
a huge stack of firewall "open" requests, with an empty box of "close" requests
likely no tracking of ownership of firewall rules, or governance
rules that folks are afraid to turn off/ turn on
that one firewall where the last command is PERMIT ANY ANY
- (I've found 2 in my career. Yup, they tried to blacklist the Internet)
BYOC - Bring Your Own Computer
(likely unsecured) printers
those guys that installed a hypervisor and are running a few rogue operating systems on their desktop
the secret wink-wink-nudge-nudge proxy server that bypasses content controls
remote satellite offices where Jimmy has installed an extra connection on the network to (local ISP / hotel where they like to have meetings / shared conference room down the hall)
other remote satellite offices where the wiring closet is also used to store mops, lightbulbs, holiday decorations and cleaning supplies, and 18 people access it a month
pockets of desktop admin use
pockets of resistance to upgrade, using old crap
- that one mission critical app that runs on Windows 2000/ RedHat 6.2/ Oracle 8i-Rel 3/ Microsoft Bob
patching exclusion lists
endpoint compliance reporting exclusion lists/errors in reporting
that special laptop/server/switch/router/tablet for the CFO or COO that isn't really locked down
PCs that 40 executives have installed in their homes that remote VPN from their home network
likely huge holes in firewalls internally
facilities & physical security devices
- you know, the ones where they periodically install DHCP services and start handing out addresses?
SCADA milling machines, robots, conveyors, pumps, actuators, valves, etc.
ATMs & POS vending machines
cafeteria point-of-sale
third party devices hosted on your network
hundreds of third parties that connect into your infrastructure to perform support & maintenance
DevOps teams likely able to download & install as needed
broad use of collaboration sharing technologies where the user clicks "Share my Desktop"
likely pockets of internet-facing test

That creates quite a mosh pit. While much of it is armored, in the aggregate, it's like a flotilla of mixed battleships, destroyers, tankers, cruise ships, bass boats and leaky sailboats. LOTS of surface area, lots of targets.

-ddh

Re: Zero Trust (ZT) Security Architecture Model - Looking for and Sharing Sources of Knowledge

azhuk — Fri, 08 Dec 2017 15:07:42 GMT

Hello Daniel,

Thank you for your permission to use your words (no company names--of course) and for further explanation of your Starbucks metaphor! Very well done! Thank you!

Best,

Re: Zero Trust (ZT) Security Architecture Model - Looking for and Sharing Sources of Knowledge

Early_Adopter — Sat, 09 Dec 2017 16:17:12 GMT

Great posts.

Why should I trust you website then?:P

One of the deep down fundamental problems of the 'Zero Trust' model(and just for clarity I think it's one of the best paradigms around is keeping everything operating while moving on to it, nothing kills an initiative like stopping services eve if borking 'The old expensive thing that sits in the corner and Spoils Everything if it isn't kept fed with copious unsigned PE files and access databases via NetBEUI...TM' might be a blessing in disguise.

Google's BeyondCorp framework is probably the most talked about vendor neutral effort, and as a model I think makes a lot of sense https://cloud.google.com/beyondcorp/. It's also a pretty good antidote for the Zero (Rabid) Trust Person who will soundbite it in meetings and then build layers of evermore tenuous argument on top of knowing the buzzword and trying to panic someone into buying/committing/etc into making something 'Secure' but really failing to understand what they are doing.

"And, now by the power of Opsware's global root access I shall now put all the HP-UX boxen into trusted mode, It is done, we are impregnable!"

"Impressive... could you just connect to one of them so we can take a look?"

"..."

Re: Zero Trust (ZT) Security Architecture Model - Looking for and Sharing Sources of Knowledge

azhuk — Sat, 09 Dec 2017 19:33:49 GMT

Hello @Early_Adopter,

Thank you for your great comments and the jolly tone! You are right--don't trust my website at least at the offset! Thank you for the Google's BeyondCorp link! The portal is a treasure trove of great research information. Have a great weekend!

All the best!

-Aleksandr

Re: Zero Trust (ZT) Security Architecture Model - Looking for and Sharing Sources of Knowledge

Caute_cautim — Mon, 24 Aug 2020 20:42:01 GMT

@azhukDoes your web site still exist?

Regards

Caute_cautim

Re: Zero Trust (ZT) Security Architecture Model - Looking for and Sharing Sources of Knowledge

CraginS — Mon, 24 Aug 2020 21:42:13 GMT

John @Caute_cautim

August 2020, NIST has just published Special Publication, SP 800-207, Zero Trust Architecture

and the National Cybersecurtiy Center of Excellence (NCCOE) has released a public draft of the in-development Implementing a Zero Trust Architecture.

Craig

Re: Zero Trust (ZT) Security Architecture Model - Looking for and Sharing Sources of Knowledge

azhuk — Mon, 24 Aug 2020 22:18:07 GMT

Thanks a lot for the tip CraginS! I really appreciate it.

Re: Zero Trust (ZT) Security Architecture Model - Looking for and Sharing Sources of Knowledge

Caute_cautim — Tue, 25 Aug 2020 00:27:33 GMT

@Craig Thanks very much, yes, I have downloaded the ZT NIST SP.800-209 latest version. It is provides a good baseline and some good use cases. I am current researching the subject, and comparing various vendors Points of View (PoV) in terms what they can assist organisations on their journey.

The Good BeyondCorp is a proprietary one.

When you think now that Digital Transformation has transformed many organisations into the hybrid cloud situation, but in doing so, the attack surface has increased, and the associated risks have risen along with the fact the data is distributed all over the place. Traditional methods cannot cope with this type of situation, these days. Most organisations are thinking about ZT, apparently 78% of them are thinking along those lines statistically.

The second paper looks very good too.

Thank you

Regards

Caute_cautim