Slashdot Mirror


Is It Time For Zero-Trust Corporate Networks? (csoonline.com)

An anonymous reader quotes CSO: "The strategy around Zero Trust boils down to don't trust anyone. We're talking about, 'Let's cut off all access until the network knows who you are. Don't allow access to IP addresses, machines, etc. until you know who that user is and whether they're authorized,'" says Charlie Gero, CTO of Enterprise and Advanced Projects Group at Akamai Technologies in Cambridge, Mass... The Zero Trust model of information security basically kicks to the curb the old castle-and-moat mentality that had organizations focused on defending their perimeters while assuming everything already inside didn't pose a threat and therefore was cleared for access. Security and technology experts say the castle-and-moat approach isn't working. They point to the fact that some of the most egregious data breaches happened because hackers, once they gained access inside corporate firewalls, were able to move through internal systems without much resistance...

Experts say that today's enterprise IT departments require a new way of thinking because, for the most part, the castle itself no longer exists in isolation as it once did. Companies don't have corporate data centers serving a contained network of systems but instead today typically have some applications on-premises and some in the cloud with users -- employees, partners, customers -- accessing applications from a range of devices from multiple locations and even potentially from around the globe... The Zero Trust approach relies on various existing technologies and governance processes to accomplish its mission of securing the enterprise IT environment. It calls for enterprises to leverage micro-segmentation and granular perimeter enforcement based on users, their locations and other data to determine whether to trust a user, machine or application seeking access to a particular part of the enterprise... Zero Trust draws on technologies such as multifactor authentication, Identity and Access Management (IAM), orchestration, analytics, encryption, scoring and file system permissions. Zero Trust also calls for governance policies such as giving users the least amount of access they need to accomplish a specific task.

"Most organizational IT experts have been trained, unfortunately, to implicitly trust their environments," says the chief product officer at an IAM/PIM solutions supplier.

"Everybody has been [taught] to think that the firewall is keeping the bad guys out. People need to adjust their mindset and understand that the bad actors are already in their environment."

6 of 150 comments

  1. How is that supposed to work? by Entrope · · Score: 4, Interesting

    Defense in depth is a very valuable concept, but "zero trust" seems like it is taking things too far. Do you not trust a printer to print your document unless you, as the end user (or executive officer) have verified its firmware is authorized by the manufacturer and has not been subverted? What if it prints your document but injects errors or sends a copy to a foreign espionage organization? How does a server decide whether to trust a request from a computer where a known user is logged in, rather than rejecting it as a web browser that got subverted by malware or a new-fangled kind of attack ad?

    1. Re:How is that supposed to work? by Junta · · Score: 1, Interesting

      IPSec doesn't add anything if the peer is the thing to be compromised. That's pretty much the challenge. If things *do* get into your precious internal network, it's malware running on legitimately authenticated systems.

      Physical attacks against ethernet ports are nothing compared to how often remote exploits occur.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:How is that supposed to work? by RightwingNutjob · · Score: 4, Interesting

      It depends on what your organization does. If the workflow is that (for lack of a better word) trained button-pushers sit at fixed workstations and use software that someone else has written for them, then you can go pretty far with security at next to no human cost. You can have smart card readers and short timeouts on locking screensavers and a whitelist of software with per-instance authentication tied to that 2FA token and it won't disrupt the work.

      If, on the other hand, people move around between workstations, or need to be able to run arbitrary software (for example stuff sent by a client or vendor, or stuff they wrote themselves, or the software they run is a programmable environment like MATLAB that you can do nasty stuff with if you put your mind to it), then you can't have that without incurring a real penalty on productivity and encouraging your employees to work around the security infrastructure. You pretty much guarantee the latter if any portion of your workforce does R&D work that requires moving equipment between network jacks or needing to be able to send arbitrary packets from one gizmo to another or from a gizmo in the lab to their workstation. Or if several people on the same team need to be able to unlock the screen on the same machine and get at the same instance of the user session.

      There is no silver bullet. Tiered access is good, sales clerks don't need to be able to get at the HR database or the preparatory documents for a patent filing, but there is no silver bullet.

  2. More like AD, no database passwords needed by raymorris · · Score: 3, Interesting

    The summary sucks, so I can see how you might get that idea. It's very much NOT talking about jump boxes, though.

    It's more about until you log in to your computer (via Active Directory / LDAP), you can't access sensitive internal resources. Once you're logged in, the DBA gets access to the database, while the UI developer doesn't. It's the idea that just because you have an internal IP address doesn't mean you should have access to every internal resource.

  3. Backwards example. Printers don't access databases by raymorris · · Score: 4, Interesting

    The summary sucks, so I understand why it was unclear.

    A printer is a great example. This is about networking. The idea is to get away from the "security happens at the firewall" model, the idea that anything that has an internal IP address should automatically get access to every internal resource. In the firewall model, the printer can connect to your databases, and can send data out to the internet. Does it make sense to allow that?

    The Zero Trust model is about WHO, a logged-in user, rather than IP addresses. In other words, *logging in* to the network gets you access to the stuff you have access to. It's the idea that just because you have an internal IP address doesn't mean you should have access to every internal resource. The printer is inside the network, but it doesn't get access to the databases, or HR system, or anything else. Also the printer doesn't have access to the internet. Inside the network or not, access is allowed based on who is logged in, not just anyone with a local IP.

    Regarding a logged-in user with a malware infested PC, the network itself can't prevent ALL damage from that, but the Zero Trust model limits the damage because the malware can only access the things that specific user accesses for their job. The marketing manager can't even ping the database, so if his PC is infected only marketing material is at risk, not the database, code repos, etc.
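The contrast raymorris draws in the two comments above (access keyed on an authenticated identity rather than on an internal IP, with the printer reaching only the spooler and a compromised marketing PC exposing only marketing resources), together with the summary's micro-segmentation and least-privilege points, as an added example in Python. This is not code from the CSO article or from any commenter; every principal, role, address and resource is made up, and the hypothetical ROLE_GRANTS table stands in for whatever policy store a real deployment would use. Only the decision logic is modelled; enforcement would sit in a network policy or identity-aware proxy layer.

```python
"""Added example: identity-based, default-deny access decisions compared
with a castle-and-moat allow-list keyed on source IP address.

Constructed for this page; not code from the CSO article or any commenter.
Every principal, role, address and resource below is hypothetical.
"""
from dataclasses import dataclass
from typing import Optional, Tuple, Set
import ipaddress


@dataclass(frozen=True)
class Request:
    src_ip: str               # address the connection arrived from
    principal: Optional[str]  # authenticated user or device identity; None if no login
    mfa: bool                 # whether the session completed a second factor
    resource: str             # internal service being accessed


# Hypothetical corporate range. In the perimeter model this is the only input.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def castle_and_moat(req: Request) -> bool:
    """Perimeter model: any internal address reaches any internal resource."""
    return ipaddress.ip_address(req.src_ip) in INTERNAL


# Least-privilege grants per role (hypothetical). The printer's device identity
# reaches only the spooler and has no "internet" grant; nobody here has hr-db.
ROLE_GRANTS = {
    "dba":       {"orders-db"},
    "ui-dev":    {"code-repo", "staging-web"},
    "marketing": {"marketing-share", "internet"},
    "printer":   {"print-spooler"},
}
PRINCIPAL_ROLES = {
    "alice":      {"dba"},
    "bob":        {"ui-dev"},
    "carol":      {"marketing"},
    "printer-03": {"printer"},
}
# Sensitive resources that additionally require a second factor on the session.
MFA_REQUIRED = {"orders-db", "hr-db", "code-repo"}
ALL_RESOURCES = {"hr-db"}.union(*ROLE_GRANTS.values())


def zero_trust(req: Request) -> Tuple[bool, str]:
    """Default deny: decide on who is asking, never on which subnet they sit in."""
    if req.principal is None:
        return False, "no authenticated identity"
    roles = PRINCIPAL_ROLES.get(req.principal, set())
    granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in roles))
    if req.resource not in granted:
        return False, "resource not granted to any role of %s" % req.principal
    if req.resource in MFA_REQUIRED and not req.mfa:
        return False, "second factor required for %s" % req.resource
    return True, "granted"


def blast_radius(principal: str, mfa: bool = True) -> Set[str]:
    """Resources malware running as this principal could reach: exactly the
    identity's own grants, regardless of the machine's internal address."""
    return {r for r in ALL_RESOURCES
            if zero_trust(Request("10.1.2.3", principal, mfa, r))[0]}


if __name__ == "__main__":
    printer_to_db = Request("10.9.0.7", "printer-03", False, "orders-db")
    print("perimeter model lets printer reach orders-db:", castle_and_moat(printer_to_db))
    print("zero trust decision:", zero_trust(printer_to_db))
    print("compromised marketing PC can reach:", sorted(blast_radius("carol")))
```

Note that castle_and_moat never looks at the principal at all, so an unauthenticated connection from an internal address reaches hr-db, while zero_trust denies the same request before it even consults the grants. The blast_radius helper makes the last point of the comment concrete: the set it returns for the marketing user contains no database, repo or HR resource.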

  4. I'm surprised this hasn't been a thing by guruevi · · Score: 3, Interesting

    I've run all my networks as zero trust systems, usually because the castle and moat system, as they call it, is managed by absolute morons.

    Zero trust models were proposed decades ago. About 15 years ago the NSA/DoD security recommendations (when they started releasing SELinux) were all about securing your hosts from whatever was already running on them.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com