Is It Time For Zero-Trust Corporate Networks? (csoonline.com)
An anonymous reader quotes CSO:
"The strategy around Zero Trust boils down to don't trust anyone. We're talking about, 'Let's cut off all access until the network knows who you are. Don't allow access to IP addresses, machines, etc. until you know who that user is and whether they're authorized,'" says Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Mass... The Zero Trust model of information security basically kicks to the curb the old castle-and-moat mentality that had organizations focused on defending their perimeters while assuming everything already inside didn't pose a threat and therefore was cleared for access. Security and technology experts say the castle-and-moat approach isn't working. They point to the fact that some of the most egregious data breaches happened because hackers, once they gained access inside corporate firewalls, were able to move through internal systems without much resistance...
Experts say that today's enterprise IT departments require a new way of thinking because, for the most part, the castle itself no longer exists in isolation as it once did. Companies don't have corporate data centers serving a contained network of systems but instead today typically have some applications on-premises and some in the cloud with users -- employees, partners, customers -- accessing applications from a range of devices from multiple locations and even potentially from around the globe... The Zero Trust approach relies on various existing technologies and governance processes to accomplish its mission of securing the enterprise IT environment. It calls for enterprises to leverage micro-segmentation and granular perimeter enforcement based on users, their locations and other data to determine whether to trust a user, machine or application seeking access to a particular part of the enterprise... Zero Trust draws on technologies such as multifactor authentication, Identity and Access Management (IAM), orchestration, analytics, encryption, scoring and file system permissions. Zero Trust also calls for governance policies such as giving users the least amount of access they need to accomplish a specific task.
"Most organizational IT experts have been trained, unfortunately, to implicitly trust their environments," says the chief product officer at an IAM/PIM solutions supplier.
"Everybody has been [taught] to think that the firewall is keeping the bad guys out. People need to adjust their mindset and understand that the bad actors are already in their environment."
Defense in depth is a very valuable concept, but "zero trust" seems like it is taking things too far. Do you not trust a printer to print your document unless you, as the end user (or executive officer) have verified its firmware is authorized by the manufacturer and has not been subverted? What if it prints your document but injects errors or sends a copy to a foreign espionage organization? How does a server decide whether to trust a request from a computer where a known user is logged in, rather than rejecting it as a web browser that got subverted by malware or a new-fangled kind of attack ad?
Zero-trust corporate networks limit exposure to risk, which can cause you to not be able to reap the rewards of taking the risk. It is important to always take calculated risks in order to progress. If a person is afraid of the sun and they do not step into it, this can cause them to also not feel the warm sunlight. People want to preserve themselves and stand in the shade, but this will not allow them to prosper. An essay writer [myessaywriter.net] will always recognize this when they are writing. A writer needs to take chances to improve, and then they will reap the rewards of improving themselves.
I never trusted corporate networks anyway in the past, so why now?
It is a no-brainer that any input to a system is suspicious and should be held up against filters and cleared before entering or data is returned.
Why are we talking about this now? It has been true since forever.
Neither is server/client. What we need is ad-hoc P2P. You can include zero-trust in that.
Until the network gets in the way of an executive doing something executive-y or costs too much. Then it's right back to status quo.
The question "Is It Time For Zero-Trust Corporate Networks?" has been faced for decades, so how is Zero Trust any different? It seems to be based on two well known concepts: authentication (are you who you say you are?) and authorization (now that I know who you are, are you allowed to do what you are trying to do?). The authentication and authorization model has been used to varying degrees for decades in Federated Naming systems, LDAP, Active Directory, NIS+, etc. So, the question should be "How is Zero Trust new?" when we already understand the basics?
I deny that I have not avoided attaining the opposite of that which I do not want.
How the hell are you going to do business like that? Do you have any idea how many companies don't have IT staff who understand TCP/IP networking but somehow are in charge of it? How much do you think it would cost when your network constantly has to be reconfigured to allow connectivity by IP and/or expiring certs rather than passwords?
Unless highly skilled IT workers get a hell of a lot cheaper then this is pie in the sky. The cost of a breach is still less than the cost of wages needed to keep a scheme like this working _and_ have a functional network.
The truth is that almost any organization that isn't heavily regulated against doing so is putting at least _some_ data outside the corporate firewall in public clouds. Even if the official IT department doesn't realize it, it's definitely happening. It's rare these days to see companies with a defined perimeter that nothing leaks out of. Anyone who's doing Office 365 is doing Azure AD and logging in from remote. The days of securing a fixed boundary and trusting everything that makes it in are numbered.
Almost every corporate environment I've been in assumes that once something is behind the firewall, either VPNed in or connecting directly, it's trusted. That's a very bad assumption, and I think that's where "zero trust" networks come in. Even if it's degrees, like "I'm not going to implicitly trust every device that plugs into an internal switchport," it's better than nothing. Doing it right is hard though...and there are a lot of companies that just don't want to re-architect their networks to accommodate a posture of limited trust.
The Zero Trust approach relies on various existing technologies and governance processes to accomplish its mission of securing the enterprise IT environment. It calls for enterprises to leverage micro-segmentation and granular perimeter enforcement
Sounds like somebody with something to sell me. Fuck off.
Don't allow access to IP addresses, machines, etc. until you know who that user is and whether they're authorized,'" says Charlie Gero, ...
How about: "Treat your internal wiring like it's the wild-and-wooly Internet. Have both the boxes and the applications/services - encrypt everything and authenticate each other before exchanging information."? (Apps authenticate both the other app and the box it runs on because a corrupted box can get into the app.)
Then you don't have to trust all the other boxes or the wiring between them.
It also means that it's not such a big deal if somebody manages to hang an extra box on your net or inserts it in a cable. The most it can do is use your bandwidth to talk to the outside rather than use its own radio, listen to its surroundings with its own sensors, or DoS whatever is going through the cable into which it's inserted. That means you can let your employees bring in their own equipment without compromising your firewall (or compromise your operation more than a tape recorder, camera, or box with sensors would do without the network access).
"Trust no one, not even your self."
Words to live by.
The only novel idea here is location. Provide a library to re-entrust across PAM, LDAP/AD, and OAuth Etc and we can properly authorize.
I can't believe that nobody ever had this idea before, especially since it would obviously be incredibly easy to do and has no downsides or consequences on productivity!
Oh great, Zero Tolerance from the 90's all over again.
I'll bring my disposable plastic picnic knife to spread butter on my muffins, and go to prison as if I menacingly brandished a bowie knife.
The point of a network is communication.
If you block all network traffic, you block communication.
If you require permission to communicate:
1) you discourage communication (it takes effort to ask for permission, especially if it's always considered suspicious).
2) you block people's ability to do anything unforeseen for the *benefit* of the company (it works both ways).
3) you attract and keep low performing people that simply don't communicate or really do anything well.
4) If the only way I can get permission is through this committee, and they're not here right now. Oh well~ I guess it can wait.
5) Why bother, my boss will just get annoyed by me asking. Better let my boss fail.
6) Great idea, but can't do that because "the system" won't let me.
7) I'll just find other ways to sneak info in and out of the building.
8) I'll build my own communication network, because f*ck IT, and just get fired if "they" find out, but they won't because they're too busy scrambling around trying to figure out why our business is failing. But they won't ask, because IT's heads are too far up their analytics.
Once you have the technology locked down there are still some things that will open it up.
Big boss forgot his token, can you get him in?
We need to allow our customer access to a development environment for a demo.
I know the document is reporting a virus but it's from the association of chief police officers, they must be trustworthy, release it.
We can't figure out how to get this firewall rule going, set it to Any, Any, Any, Allow.
This is just a sample of the shit I've seen in 10 years doing IT support, networks and firewalls. If you can get people to stop doing things like this, then techie methods for security might work.
What we need to do is build networks using the same philosophy that was used when creating the Rust programming language. Rust is the safest and most secure programming language around. It has been designed to use move semantics instead of garbage collection, to have guaranteed memory safety, to have threads without data races, and no segfaults. Although Rust is a programming language we can apply the same design process and philosophies when creating other systems like computer networks and IT infrastructure. This way we could build hyper-secure networks without losing functionality. Just like Rust revolutionized programming, applying Rust's design philosophy to networking would be revolutionary in its own right.
and no mention of Blockchain. waaaaa???!!
These U.S. machines are untrusted, you know it.
I hope to buy a Russian PC or a Chinese PC that are supposed to be backdoor-free.
However, security must also acknowledge reality. The reality is that so long as you empower your employees to do, well, much of anything, they will become potential vectors of an attack. Lock them down to be harmless, they will often also be unable to be productive.
It is worth noting that many of these attacks that happen still do happen because someone dangled part of the information outside the defenses. An improperly set up cloud storage or service has become a frequent source of compromise. These attacks would be rarer in the 'castle and moat' because they happened inside a more protected network. Sure, they shouldn't have been configured that way even internally, but reality is *someone* is going to do something like this, and better for it to be mitigated than in the open.
So the lesson is sure, be as vigilant as you already *should* have been, but also that going out of the moat is part of the problem, not that the moat is losing efficacy compared to before.
This stuff was part & parcel of the ITU/ISO standards developed in the 80s & 90s but by then TCP/IP was conquering the world and only a few fragments of that endeavour (X.400, X.500, IS-IS) have survived.
It's time for Zero Trust Operating Systems. Gone are the days when one could assume that a program would work as designed, and tolerate the odd bug. Until the software that defines our computing experience grows up and stops trusting everything put into it, we're going to be deep in shit.
Well, with HP Cloud Print from $6.99/mo per user, all docs are protected and the printer cannot print unless you put in your local printer code for each job (Windows and Mac only).
This is tantamount to goal post moving.
If you don't trust a person or device, then people will move to compromising things in a way that just moves the effort to compromise AFTER the trust has been established. Take for example firewalls at a basic level. Now that we have firewall ports closed except for, say, 80 to get to the internet, they create vulnerabilities that work over port 80. Then they decided that only the HTTP protocol would be allowed over port 80, so they just programmed their malware to use HTTP for the payload. Then they started using blocklists, then they said let's use already established and trusted technologies like getting HR to open a Word document loaded with malware that will get through all of this security because the user is trusted to run things, so they came up with automatically blocking scripts and macros in those programs, and this is not even scratching the surface of vulnerabilities that are out there, just simple examples.
Zero Trust is not possible, it is a pipe dream that works along the law of diminishing returns of risk aversion progression.
If at first 50% of the population dies a year we take steps to reduce it to 30% and claim victory, soon we are no longer okay with 30% and work to reduce it to 15%, soon even 15% is just too much and work to reduce it to 5%, soon 5% is still just too ridiculous and determine that 100% must be safe no matter what the cost is. Before we realize it we spend effort and expense stuck in a never ending spiral down the drain trying to reduce all risk to 0%. It cannot be done. The mechanism you use to mitigate this risk often changes behavior in such a way that makes another risk more pronounced.
So my work set up OTP authentication to get in remotely.
First time around, hardware tokens. Problem: people kept losing them.
Eventually, migrated to OTP for phone use. Problem: people would forget their phones.
Ultimate solution, a website to generate the token that's publicly accessible, that just accepts the same single username/password that they were trying to get away from in the first place.
Anyone in the industry knows *exactly* what'll happen when you inconvenience people with onerous security, they bypass it. Have no viable way to exchange large files? Those files *will* end up publicly shared on Google Drive. Refuse to set up an internet facing service for some department in a timely fashion? Someone in that department will buy an AWS instance and just do it themselves, even if they use a few dollars of their personal money.
Security is about more than locking down access to stuff, it's about facilitating work to be done securely, but within reason. Sometimes that means doing something that isn't perhaps *as* locked down as you would like, but it is better than the alternative.
The only reason I can see for this (old, bad) idea to be pushed again is that some people need to create the next hype to keep their own business-model alive.
On the actual subject, if you really want every system to be individually administrated and fully secured, then go ahead and run this model. For a small network, with, say, less than ten computers this may even work. But even there it can be excessively expensive. In actual reality, any network where people think about a perimeter does need that perimeter. It needs to be implemented right, of course. For example, the only network access must be via that trusted network (enforced VPN if you are not on-site) and software must come from that trusted network as well. Also, any user active anywhere must be identified reliably (password _plus_ chipcard, e.g.) and the trusted network must, of course, be divided into zones with effective firewalling between them. Data import must go via secured channels, not just plugging in a USB stick. So not only do you need that perimeter urgently, it is by far not enough. It is just one element.
Now, this is very expensive to run and maintain. I know that. But unless you have no secrets and no IT-based business processes to protect, this is your only chance to avoid a hugely expensive disaster in the long run.
If a firewall/moat around the castle won't work, why will a firewall/moat around each room work?
That is, if you can't defend the enterprise, what makes you think using the same technologies on individual hosts is going to work?
The summary sucks, so I can see how you might get that idea. It's very much NOT talking about jump boxes, though.
It's more about until you log in to your computer (via Active Directory / LDAP), you can't access sensitive internal resources. Once you're logged in, the DBA gets access to the database, while the UI developer doesn't. It's the idea that just because you have an internal IP address doesn't mean you should have access to every internal resource.
Why are corporations having to "settle" out of court... IT budgets suck due to CEOs' salaries going up because they don't understand IT security and get hacked, but that CEO will get replaced tomorrow and IT will have to, again... explain.
Nobody cares about networks, wires, strings, smoke signals or carrier pigeon.
What people actually care about is shit running and stored in their systems.
Systems need to be capable of standing on their own. Some just now may be waking up to this reality. Most of us know better.
The single biggest mistake is wasting massive amounts of resources on common practice of deploying layers upon layers of bullshit (AV, IDS, DLP, Firewalls) (see "defense in depth") while ignoring core architectural issues that promote insanity in the first place.
I have never in my life walked into a shop using secure authentication protocols. Not once... EVER. It's almost always some form of Kerberos bullshit or worse. People are not even trying... I don't know if they just don't care, have no choice or don't even have a clue how the underlying shit they rely on works. Right off the bat everyone is screwed.
The summary sucks, so I understand why it was unclear.
A printer is a great example. This is about networking. The idea is to get away from the "security happens at the firewall" model, the idea if anything that has an internal IP address should automatically get access to every internal resource. In the firewall model, the printer can connect to your databases, and can send data out to the internet. Does that make sense to allow that?
The Zero Trust model is about WHO, a logged in user, rather than an IP address. In other words, *logging in* to the network gets you access to the stuff you have access to. It's the idea that just because you have an internal IP address doesn't mean you should have access to every internal resource. The printer is inside the network, but it doesn't get access to the databases, or HR system, or anything else. Also the printer doesn't have access to the internet. Inside the network or not, access is allowed based on who is logged in, not just anyone with a local IP.
Regarding a logged-in user with a malware infested PC, the network itself can't prevent ALL damage from that, but the Zero Trust model limits the damage because the malware can only access the things that specific user accesses for their job. The marketing manager can't even ping the database, so if his PC is infected only marketing material is at risk, not the database, code repos, etc.
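The decision model the comment above describes, as an added worked example (not code from the article or from any commenter): an identity-based policy check beside the old address-based one. All names, roles, resources, the address range and the clock are constructed for illustration.

```python
"""Identity-based access decisions compared with address-based ones."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Constructed corporate address range used by the castle-and-moat model.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed role grants: each role gets only what that job needs.
ROLE_GRANTS = {
    "dba": {"db.prod"},
    "ui-dev": {"code.repo", "ci.server"},
    "marketing": {"marketing.share"},
}
# Anyone who is logged in may print; nothing else is granted by default.
BASELINE_GRANTS = {"printer.floor2"}

# Constructed clock for the worked scenarios.
NOW = datetime(2018, 3, 1, 9, 0)


@dataclass
class Session:
    """An authenticated principal: the WHO, not the WHERE."""
    user: str
    roles: Set[str]
    src_ip: str
    mfa_verified: bool
    issued_at: datetime
    max_age: timedelta = timedelta(hours=8)

    def valid_at(self, now: datetime) -> bool:
        return timedelta(0) <= now - self.issued_at < self.max_age


def perimeter_decision(src_ip: str, resource: str) -> bool:
    """Castle-and-moat: any internal address reaches any internal resource."""
    return ip_address(src_ip) in INTERNAL_NET


def zero_trust_decision(session: Optional[Session], resource: str,
                        now: datetime = NOW) -> Tuple[bool, str]:
    """Decide on who is asking; the source address is never consulted."""
    if session is None:
        return False, "no authenticated principal"
    if not session.mfa_verified:
        return False, "MFA not satisfied"
    if not session.valid_at(now):
        return False, "session expired"
    allowed = set(BASELINE_GRANTS)
    for role in session.roles:
        allowed |= ROLE_GRANTS.get(role, set())
    if resource in allowed:
        return True, f"{session.user} granted via roles {sorted(session.roles)}"
    return False, f"{session.user} has no grant for {resource}"


def scenarios() -> dict:
    """The cases from the comment: printer, DBA, UI developer, infected marketing PC."""
    fresh = NOW - timedelta(minutes=30)
    dba = Session("alice", {"dba"}, "10.1.2.3", True, fresh)
    ui = Session("bob", {"ui-dev"}, "10.1.2.4", True, fresh)
    mkt = Session("carol", {"marketing"}, "10.1.2.5", True, fresh)
    no_mfa = Session("alice", {"dba"}, "10.1.2.3", False, fresh)
    return {
        # The printer has an internal IP but no principal behind it.
        "printer_db_perimeter": perimeter_decision("10.9.9.9", "db.prod"),
        "printer_db_zt": zero_trust_decision(None, "db.prod")[0],
        "dba_db": zero_trust_decision(dba, "db.prod")[0],
        "dba_db_no_mfa": zero_trust_decision(no_mfa, "db.prod")[0],
        "uidev_db": zero_trust_decision(ui, "db.prod")[0],
        "uidev_repo": zero_trust_decision(ui, "code.repo")[0],
        # Malware on carol's PC only reaches what carol's role reaches.
        "marketing_db": zero_trust_decision(mkt, "db.prod")[0],
        "marketing_share": zero_trust_decision(mkt, "marketing.share")[0],
        "marketing_print": zero_trust_decision(mkt, "printer.floor2")[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24s} {'ALLOW' if ok else 'DENY'}")
```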
In the firewall model, the printer can connect to your databases, and can send data out to the internet. Does that make sense to allow that?
I take it you've never worked with SAP.............
I tried to get IT to get some switches that would let us partition off traffic so individual PCs could get to a) the internet, and b) The print and file servers, and nothing else (i.e. not each other). Seems sensible to me. Is this not what they are talking about?
So how is that different than the "defense in depth" idea that had been around for decades?
No it's not time. You can continue to take all cocks into your ass without verification. This is Antifa and Black Lies Matter standard right?
Well I tried my Safeway club card number and it didn't work. It's not ready yet.
Zero trust is an obvious BYOD consequence. The only unexpected point is how long it took between the two concepts landing in corporate networks.
I agree, Zero Trust is the wrong approach.
We need Negative One Trust!
Every program has to run in separate container.
Once you get into a user's system you can do Active Directory attacks and legitimately escalate all the way to Domain Admin using tools such as BloodHound. There's also Kerberoasting and of course hash cracking once you've escalated on a system and run Mimikatz on it. Often you can just pass the hash and not even bother cracking them. All of this using legitimate credentials and "allowed" accesses within the scope of the users.
Sure this will keep a guy from plugging into an open ethernet jack and running all over the place, useful as part of defense in depth, but it's not a magic bullet.
My employer's network works on that model ... and guess what, it takes an eternity to do anything. There are days it takes over an hour to get fully up and running just because everything we do requires an additional authentication of some sort. Not to mention as a developer I often need elevated rights to do my fucking job and it takes an act of congress to get the additional permissions.
I can't remember how many times I heard people sit in staff meetings and argue against employing simple security practices when developing applications using this excuse. You know what changed their minds? The time when some admin powered up a WinNT box sitting in an unused cubicle--inside the firewall--not realizing that it had been infected with Code Red and it DoSed several critical servers during month-end processing. Now, while their application design would likely not have had anything to do with protecting against Code Red, when they saw first-hand what can happen when the attacker is on the (supposedly) "clean" side of the firewall they finally figured it out.
https://cloud.google.com/beyondcorp/
But it's hard to bolt onto an existing infrastructure without restricting it.
I've run all my networks as zero trust systems, usually because the castle and moat system they call is managed by absolute morons.
Zero trust models were proposed decades ago. About 15 years ago the NSA/DoD security recommendations (When they started releasing SELinux) were all about securing your hosts from whatever was already running on it.
Use more Tor's Onion service. See WeSupportTor for an example.
And stop using centralized services such as Cloudflare.
802.1X is not new, and corporate NACs / RADIUS / etc. are, I thought, pretty standard operating procedure to make sure some moron with a home PC doesn't wander in and introduce Cryptolocker to the environment.
It's got a cool new name.
Honestly. I can't believe that this can be "a thing" as of 2018.
First, I don't think most large corporate environments these days are castle & moat systems. If it is, it usually means that the company doesn't have more than one production facility, never did an M&A, no joint ventures, has no testing or R&D labs, hasn't been around for long, etc. Fragmentation naturally happens and it takes a lot of investment to keep things standardized.
So the largest security hole in these systems has always been the methane production units. Most corporations have all the latest jargon, policies, and governance document repositories. The problem is that almost none of them follow the spirit of the policy or even read said documents.
Examples: User access reviews are done but it's basically a checklist of 1. Is this user with the company. 2. Did they appear on the last list. 3. Do I recognize it as someone who shouldn't be on this list. There is no validation of whether the person needs the access or has been using it recently, etc.
Many times, rather than take the 2 hours extra in onboarding, companies just copy a co-worker's security profile, giving the new hire access to random stuff that they know nothing about.
How many companies do security minded training for employees? Most appear to just explain their policies, enforcement rules, and repercussions.
How many companies have a process to patch a distributed information system (ie: laptops) against something like WannaCry (and no patch management isn't the solution)?
Why is the HR tech running around with real confidential information on his encrypted laptop?
Most of the above is the human component taking the easy road to compensate for the poorly funded tech component (lack of training, proper network bandwidth, lack of documentation, lack of testing info etc). But it's not about lack of money, because we spend tons of money on all this technology with new labels. We spend tons of money on repairing and rebuilding stuff that got lost or hosed. We spend tons on writing the legal contracts and policy documents.
The problem is that no one really cares about security. Or else we would invest in hardening the weakest link: the human. The game is about passing the dice around and making it easier & quicker. Eventually someone has to roll and eventually one of them will roll bad. At which point the rest of us feel good because it was THEIR fault, not ours. We remove the unlucky one and start the game again.
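The access review this commenter says nobody does (does the person still need the access, and have they used it lately?), as an added worked example that is not from the comment or the article. The roster, entitlements, log lines, review date and 90-day threshold are all constructed.

```python
"""Access review that checks need and recent use, not just presence on a list."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

REVIEW_DATE = datetime(2018, 3, 1)      # constructed review date
STALE_AFTER = timedelta(days=90)        # constructed policy threshold

# Constructed HR roster: active user -> job role.
ROSTER = {"alice": "dba", "bob": "ui-dev", "carol": "marketing"}

# Constructed entitlements. "source" records how each grant came about.
GRANTS = [
    {"user": "alice", "resource": "db.prod",         "source": "request#1042"},
    {"user": "bob",   "resource": "code.repo",       "source": "request#1050"},
    {"user": "bob",   "resource": "db.prod",         "source": "cloned-from:alice"},
    {"user": "carol", "resource": "marketing.share", "source": "request#1060"},
    {"user": "carol", "resource": "code.repo",       "source": "request#0900"},
    {"user": "dave",  "resource": "hr.system",       "source": "request#0800"},
]

# Constructed authentication log: one access attempt per line.
AUTH_LOG = """\
2018-02-27T08:12:00 user=alice resource=db.prod result=ok
2018-02-27T09:30:00 user=bob resource=code.repo result=ok
2017-10-01T14:05:00 user=carol resource=code.repo result=ok
2018-02-28T11:00:00 user=carol resource=marketing.share result=ok
2018-02-28T11:05:00 user=carol resource=db.prod result=denied
"""
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<res>\S+) result=(?P<result>\S+)$"
)

Finding = Tuple[str, str, str]  # (user, resource, reason)


def last_successful_use(log: str) -> Dict[Tuple[str, str], datetime]:
    """Most recent successful access per (user, resource) pair; denials do not count."""
    seen: Dict[Tuple[str, str], datetime] = {}
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "ok":
            continue
        key = (m["user"], m["res"])
        ts = datetime.fromisoformat(m["ts"])
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def review(grants, roster, log, now: datetime = REVIEW_DATE) -> List[Finding]:
    """Flag grants that a presence-on-the-list review would wave through."""
    findings: List[Finding] = []
    used = last_successful_use(log)
    for g in grants:
        user, res = g["user"], g["resource"]
        if user not in roster:
            findings.append((user, res, "user not on active roster"))
            continue
        if g["source"].startswith("cloned-from:"):
            findings.append((user, res, "copied from another profile, no individual justification"))
        when = used.get((user, res))
        if when is None:
            findings.append((user, res, "never used in the log window"))
        elif now - when > STALE_AFTER:
            findings.append((user, res, f"unused for {(now - when).days} days"))
    return findings


if __name__ == "__main__":
    for user, res, reason in review(GRANTS, ROSTER, AUTH_LOG):
        print(f"{user:6s} {res:16s} {reason}")
```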
Zero Trust already exists out among the peers on many corporate networks. Unless you trust the motherfuckers who run the IT in your organization, in which case you are making a grave mistake, you make efforts to secure your group's workspace against the IT goons.
"This is about networking. The idea is to get away from the "security happens at the firewall" model, the idea if anything that has an internal IP address should automatically get access to every internal resource. "
That is not a "firewall model", it's a perimeter model. It hasn't been best practice firewall architecture in nearly 2 decades.
That's a great question.
Defense in depth is one part of Zero Trust. ZT has defense in depth built from the inside out, though. We start by securing the critical resource with the assumption that the attacker has control of a local computer. We then try to keep attackers out of our networks as an auxiliary measure. This is related to the principle of least privilege.*
Most crucially, perhaps, Zero Trust is about getting rid of the idea of "trusted networks" and focusing on WHO wants access to WHICH specific resource. WHERE isn't a significant consideration (or only an auxiliary control).
* Least privilege does NOT mean people don't have access to the things they need access to. It means they DO have access to what they need access to, and don't have access to things they don't have any need for.
Now I understand why the big corporates work so hard to entice the youth and push out the old guys. It's because the old guys have seen this before. The new guys think it is *amazing*.
https://en.wikipedia.org/wiki/IEEE_802.1X
This is a solved problem. The only reason to re-solve it is for some new companies to make money.
What's old is new again. UNIX had a lot of security in the 1980s that Windows is just adding now. Partly that's the Disk Operating System legacy of Windows - Microsoft started out differentiating their product by making an OS for a PERSONAL computer, the opposite of the time-SHARING mainframe systems, and it was designed to run completely from the local disk as opposed to the network operating systems of the day. It was a smart move that made them billions. Then the internet happened and turned everything back to network-based again.
The article states: "The Zero Trust approach relies on various existing technologies and governance". Let me fill this in: Active Directory + Radius + Competent Administration. Was that so hard?
Once upon a time, if you described the concepts of hypertext to someone, they'd say "oh you mean HyperCard". After that, Hypertext Markup Language was created (HTML) and hypertext has gone way beyond HyperCard.
Today when most people read about Zero Trust they think "network access control", because NAC is a tool we currently use to implement some key Zero Trust concepts. However, just as hypertext wasn't limited to just HyperCard, Zero Trust is bigger than Network Access Control.
NAC is one of the earliest (aka most primitive) tools that one can use when implementing a Zero Trust philosophy. An important tool, but the early tools aren't the entire philosophy or concepts.
Go to a 'key signing party' and rub elbows with people you actually trust.
People in the same city, yes. But in the face of increasing "safety" and "security" restrictions on international travel, domestic air travel, and even getting a driver's license for the first time, how well does this scale beyond a city?