I believe Zero Trust (ZT) architecture is the next generation security model for on-premise as well as hybrid and cloud-based systems. In my research of this relatively new topic, I found only a handful of resources available. To share what I know and to provide a baseline for your own exploration of ZT architecture, I created a simple website at www.zerotrust.info. Please feel free to visit and check out the list I compiled. Also please share with me any notable information sources that I might have not included in my modest catalog. Thank you very much!
I presented a paper at RSA 2002 on the topic and it was written up in Information Security magazine. Here are a few links.
Perimeter Defense in a World Without Walls:
"Beyond network perimeter defense: A 'submarine warfare' strategy", Information Security Magazine, Aug, 2002. Last accessed 1-Dec-2017 at: http://searchsecurity.techtarget.com/feature/Beyond-network-perimeter-defense-A-submarine-warfare-st...
I think the essential mindshift is something I told my CISO at Cardinal Health around 2012 that pissed him off a little bit - "The internal corporate network is just the part of the Internet that we own, and it's a little less safe than Starbucks."
If you stop thinking about your corporate network as trusted (because, truly, it shouldn't be trusted) then you arrive at the zero trust model. Anywhere you have users clicking on things in their email and browser, that's not a trusted zone.
What I think is more viable is what you can find in the Information Security Management article, which is an enclave model, a locked down fortress internal in the network where the crown jewels are stored. To actually achieve this, however, you need to break credentials at the firewall to that enclave, and treat it like a different company. If the backup, monitoring, patch management, orchestration, security monitoring, and change control accounts are the same in the unsecured zone and the enclave, then you're kidding yourself.
Thank you very much for such a detailed response and for all the links that you provided! I sincerely appreciate it. I also love your assessment of what corporate network really is today. What a wonderful way to put it! May I quote you on the homepage of my new knowledge sharing portal www.zerotrust.info?
One of the most potent business strategic thinking ideas I have found in my research and practice is to imagine that one's products are free. Such "preposterous" idea makes one think really hard about how to deliver new value to one's customers. I think, your message to the CISO is right on the money in the very same way--it forces the "now what?" approach to making a corporate infrastructure significantly more secure. Unpleasant as it might be, this is akin the muscle pain we feel after a good physical exercise. No pain, no gain. Thanks again!
Aleksandr Zhuk, DM, CISSP, BRMP, ITIL Expert
Sure. Just to clarify, don't quote Cardinal's name. I said the quote while I worked there but it wasn't because Cardinal Health had insecure networks. In fact, they have a robust security program. I think this is true of any firm. Wherever you have users clicking on links in email & browsers, you have an attack surface. Most organizations have flat networks, and you have an (N)^2 problem with that attack profile.
Your typical Starbucks public WiFi network has maybe 30 nodes, with hugely variant security, but most are likely not terrible, and auto-patch is quite common now on consumer desktops. It's a low-utility network that really only does a few things - legal opt-in to T&Cs, metering, DHCP, DNS resolution, IP gateway services, content filtering, and some traffic isolation. That's about it. It's not uber high-security, but it's low-utility and low-volume, so small attack surface. (N)^2 where nodes are 30 = 900.
Compare this small, relatively secure network with 50,000 or 100,000 endpoints on a typical large corporate network grown organically over 20+ years. (N)^2 where nodes are 50,000 = 2,500,000,000
Worse, you'll typically find one or more of these to be true:
That creates quite a mosh pit. While much of it is armored, in the aggregate, it's like a flotilla of mixed battleships, destroyers, tankers, cruise ships, bass boats and leaky sailboats. LOTS of surface area, lots of targets.
Thank you for your permission to use your words (no company names--of course) and for further explanation of your Starbucks metaphor! Very well done! Thank you!
Why should I trust you website then?:P
One of the deep down fundamental problems of the 'Zero Trust' model(and just for clarity I think it's one of the best paradigms around is keeping everything operating while moving on to it, nothing kills an initiative like stopping services eve if borking 'The old expensive thing that sits in the corner and Spoils Everything if it isn't kept fed with copious unsigned PE files and access databases via NetBEUI...TM' might be a blessing in disguise.
Google's BeyondCorp framework is probably the most talked about vendor neutral effort, and as a model I think makes a lot of sense https://cloud.google.com/beyondcorp/. It's also a pretty good antidote for the Zero (Rabid) Trust Person who will soundbite it in meetings and then build layers of evermore tenuous argument on top of knowing the buzzword and trying to panic someone into buying/committing/etc into making something 'Secure' but really failing to understand what they are doing.
"And, now by the power of Opsware's global root access I shall now put all the HP-UX boxen into trusted mode, It is done, we are impregnable!"
"Impressive... could you just connect to one of them so we can take a look?"
Thank you for your great comments and the jolly tone! You are right--don't trust my website at least at the offset! Thank you for the Google's BeyondCorp link! The portal is a treasure trove of great research information. Have a great weekend!
All the best!