Zero Trust – An Introduction (frOSCon talk 2020)

Summary of our talk at frOSCon 2020

Once again we were happy to be part of Germany’s biggest free and open-source conference, frOSCon. As you can guess, it was held virtually. Although we missed the personal chats and discussions we always enjoyed as exhibitors, it was a pleasure to present our thoughts on zero trust to the audience. Read this summary based on the transcript or find the talk on our YouTube channel.

Security of the Past

Stephan Schwichtenberg, founder of pi-lar enterprise architects in Cologne, held the presentation and brought along our dedicated co-worker, Marvin. Marvin is a robot and is very enthusiastic about security; in fact, sometimes it feels almost like an obsession. If you keep an eye on his face, you’ll see from his expression whether he’s pleased with what he sees. Some security aspects that Marvin frowns upon are:

In the past security has not received the attention that it should have. He's convinced that bilaterally protecting IP connections is tedious and offers little benefit. Looking at the protection of complex APIs: they are missing the required granularity and may lead to unwanted access rights. This doesn't enforce security best practices in a company. In fact it is an old and outdated approach to security, completely unsuited for rapid change and for establishing new data channels.

In the past we defined trust perimeters within or around our installed networks, with artificial borderlines, DMZ zones and several domains. This happened in the belief that it is important to protect our enterprises from external threats. And although we were able to protect our enterprise from these external threats, today we know for a fact that most security attacks are caused by internal actors. Sometimes on purpose, but mostly because of some type of malfunctioning, e.g. by clicking on a phishing link in an email or even worse, by following instructions from successful social engineering attacks. The bottom line being that with the old perimeter approach an enterprise is only protected from about 30 % of the attacks, namely those coming from outside, while largely underestimating internal threats.

This outdated approach, based on trust perimeters with artificial defense lines, is too statically designed: you build your defense once and then hope to run with it forever. But what happens if a new requirement approaches the IT department? This will force you to weave small holes into your original protection measures, hence generating security exceptions.

In most cases adding business functionality is given higher priority and greater importance than designing precise security right from the beginning. This may lead to having installed a sophisticated security gateway which intruders can simply walk around, without even having to open a door to get to your data.

Security of the Future: Access Policies & Data Objects

From looking at this example we see that the trust perimeter has changed. Security of the future looks at fragmented information flows that need protection for all participating systems and actors.

Securing the process behind data exchange from end to end is gaining importance. One major shift is the ability to authenticate and authorize at each given step of the information flow. Instead of self-invented artificial trust borders or perimeters we are now using access policies.

The difference is that access policies can be evaluated in each step and every single component. You may still use external and internal access attributes to differentiate between cloud components or on-premise deployments. With access policies you are able to define new levels of trust for much smaller groups, even enforcing rules for single data objects.

This comes with a double advantage: on the one hand it is possible to establish fine-grained access controls, e.g. for an API. On the other hand it also means being rewarded with increased insights into your enterprise's IT.

Subsequently, further insights and details into your IT, your data objects and your interactions allow us to minimize risk beyond the current status quo.

The standard model of zero trust means establishing a simple rule: never trust - always verify. Of course this includes a high level of security automation, and requires the ability to exchange and handle digital identities correctly and efficiently.

Zero trust and access policies are important components when looking at the security requirements for ecosystems. The enterprise that you are working in depends on interactions with other players and these interactions are one main driver for your future IT architecture.

Your devices and software consume and produce data at the same time, and for each data object that has been created there may be different data owners. If one of your partners fails to establish sound security practices, then most likely this will also make your company prone to attacks.

For better illustration consider this example: you would like to exchange digital twin data, or your machines need maintenance from a different company or from a vendor. You need to be able to grant access rights to these external partners on the data objects and machines they are allowed to see. All other components of your IT should remain invisible to them.

Or think of thousands of employees around the globe who are working from home. In a zero trust setting, in line with the concept of new work, employees may work from home just the same, because their access policies allow them to do so.
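The two scenarios above (an external maintenance vendor and an employee working from home) can be expressed as per-object access policies that are evaluated on every request. The following is an added sketch, not code from the talk or from Neuropil; all organisation, device and object names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    org: str              # organisation of the verified user identity
    device_id: str        # verified device identity
    device_healthy: bool  # outcome of a device health check
    action: str
    obj: str              # the data object being accessed
    network: str          # "internal"/"external": recorded, never a reason to grant

@dataclass(frozen=True)
class Policy:
    obj: str
    orgs: frozenset
    actions: frozenset
    devices: frozenset

# Constructed sample policies: one rule per data object (hypothetical names).
POLICIES = [
    Policy("machine-7/telemetry", frozenset({"acme", "vendor-maint"}),
           frozenset({"read"}), frozenset({"laptop-17", "vendor-tablet-3"})),
    Policy("machine-7/firmware", frozenset({"vendor-maint"}),
           frozenset({"read", "write"}), frozenset({"vendor-tablet-3"})),
    Policy("crm/customers", frozenset({"acme"}),
           frozenset({"read"}), frozenset({"laptop-17"})),
]

def decide(req, policies=POLICIES):
    """Evaluate one request; default deny. Returns (allowed, reason)."""
    if not req.device_healthy:
        return False, "device failed health check"
    for p in policies:
        if (p.obj == req.obj and req.org in p.orgs
                and req.action in p.actions and req.device_id in p.devices):
            return True, f"matched policy for {p.obj}"
    # Being on the internal network is not consulted anywhere above.
    return False, "no matching policy"

def visible_objects(org, device_id, policies=POLICIES):
    """Data objects this identity can see at all; everything else stays invisible."""
    return sorted({p.obj for p in policies
                   if org in p.orgs and device_id in p.devices})

if __name__ == "__main__":
    home = Request("acme", "laptop-17", True, "read", "crm/customers", "external")
    print(decide(home), visible_objects("vendor-maint", "vendor-tablet-3"))
```
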

Establishing a zero trust approach will allow you to change access policies in days rather than months, rewarding you with a faster incident response. It also enables you to change your data connections, e.g. between two different data providers, at any time.

Zero trust is an enabler for your company to adapt and survive.

We want to stress the importance of viewing zero trust architectures not just from a technical perspective, but from a business perspective. It is a model that equips you with reliability, which is valuable as it may have legal, economic, environmental and social repercussions.

For example, a zero trust architecture enables your GDPR compliance: knowing who accesses your customer data is just one side effect. Being able to switch between a service or a product strategy is a business enabler, and it is your enabler to upsell additional services or access to data resources.

In operational technology it allows access rights and protects your employees from cyber attacks. With zero trust you're investing in the resilience of your company.

Last but not least, we all live in B2B ecosystems and multi-tenant environments. The time to hide behind a castle wall is long over and will not come back.

In summary, a zero trust security approach contributes to many business aspects, giving you a sustainable advantage. Zero trust architecture is an extension of your existing security strategy, not a completely new approach. However, the focus is shifted to data objects and the way they are used, in terms of business value.

To get you started, consider these ten principles for a zero trust architecture:

1) Know your architecture including users, devices, services

2) Create a single strong user identity

3) Create a strong device identity

4) Authenticate everywhere

5) Know the health of your devices and services

6) Focus your monitoring on devices and services

7) Set policies according to value of the service or data

8) Control access to your services and data

9) Don’t trust the network, including the local network

10) Choose services designed for zero trust

The first item refers to ISMS tooling or an enterprise architecture map. Having a user identity refers to using strong authentication for your employees, and you may want to extend this with regard to privacy. Device identities may be a surprise, but it is important that each device has its own digital identity. The fourth principle actually refers to your current infrastructure security: only allow authenticated IP connections. The next two items go along with SIEM measures. Monitoring devices and services and knowing their health status is important. From then on, topics like policies and access control are new zero trust principles that begin to shape your strategy as you apply them in your company. The last item, choose services designed for zero trust, is defined a bit too widely: from our perspective this refers to the microservices and the granularity that you're offering them. Don't mix too many objects/resources into one interface for a start. This can be done in a later step by aggregating data with extra policies.

What do you need to be clear about?
The importance of Zero Trust will increase.

Although technical zero trust frameworks are often not yet mature, it is worth incorporating these new aspects into your cyber security measures.

We collected a few links that will help you to get started with zero trust architectures:

NIST - Implementing a zero trust architecture (March 2020)

O’Reilly - Zero Trust Fundamentals

UK NCSC - Principles to help you design and deploy a zero trust architecture

Especially if you are a startup, embracing the zero trust approach is a no-brainer.

In the discussion that followed this talk we exchanged views, experience and learnings with the audience and used our secure messaging layer, Neuropil, as a hands-on example for zero trust.

We look forward to continuing this dialogue about the future of security and the role of zero trust. Join in with your views!

To check out the talk and corresponding slides, please visit: