Ruslan Rakhmetov, Security Vision
Zero Trust is a security model formulated in 2010 by Forrester analyst John Kindervag. It describes how to build an architecture in which access to its elements (applications, files, databases, etc.) is granted securely: every participant is verified on every request and may interact with a resource only when that is explicitly allowed. The model can be compared to entering the underground through a turnstile that cannot be jumped over, visiting friends past a meticulous concierge, or crossing a border with the involvement of the migration service, police, passport checks and other procedures.
Further in the article we will break down the seven main areas of protection, but first a word about the main advantages of this approach. The most important one is the reduction of risk for the business. A user sees only what they need to see, and only once they have proved they hold the necessary access rights; every connection is therefore treated as a potential threat, whoever it comes from. Secondly, the Zero Trust approach lets security improve in a continuous cycle (we have analysed different information-protection tools in separate articles).
When developing a Zero Trust architecture, IS and IT staff first have to answer two questions: 'What should be protected?' and 'From whom?'. These form the first two steps of the 'measure seven times, cut once' approach.
1. Identification
To understand who is requesting access, it is first determined whether the requester is a human or a machine. Analysis of behaviour and various CAPTCHAs are commonly used for this; a CAPTCHA is essentially a reverse Turing test. Analytical tasks, picking pictures out of a set, recognising characters and typing them into a special field and other methods separate bots and scripts from real people. Most likely you have at least once faced a situation on the Internet where out of nine pictures you need to find those with cats, or where you need to drag a puzzle piece to 'finish' the picture. This is a CAPTCHA, a test that you are not a robot.
If a person (or a too clever bot) has passed the first check (the officer at passport control has made sure that the passport is real and that its owner is the one standing in front of them), the next stage is authentication. The traveller has to show all the stamps and explain the purpose of the trip; the user has to prove that they are who they claim to be before moving on. In IT systems this verification is handled by multi-factor authentication services, which we have already discussed separately.
2. Data
The second step of any verification involves analysing the data: what can be entrusted to the user, depending on their role in the process and the sensitivity of the data. When we talk about a user's work in some system, even the appearance of the service depends on their role: a taxi service has one application for drivers and another for passengers; the platform administrator has access to functions for checking the database and connectors, while the risk manager can launch the assessment and control procedure; the tenants of a building may use the lifts, while the postman is admitted by the concierge only to the foyer with the PO boxes, and so on.
In general, all data is subject to classification and labelling, e.g. public material or material for official use only. Watermarking solutions, special labelling (not only visible) and DLP solutions that parse data on the fly and recognise its sensitivity are actively involved in protecting the data itself.
Beyond the basic 'Who?' and 'What?', other questions need answering: 'How?', 'When?', 'Where from?', and so on, which is why the Zero Trust methodology involves further lines of defence.
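The on-the-fly content inspection that a DLP solution performs, as an added example that is not part of this article or of any Security Vision product. It assigns one of three constructed labels (public, internal, confidential) to a piece of text by looking for a visible handling marker, e-mail addresses and card numbers, validating card-number candidates with the Luhn checksum so that ticket or order numbers are not mislabelled, and masks the confirmed card numbers. The label vocabulary, patterns and sample strings are assumptions chosen for illustration.

```python
import re

# Card-number candidates: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (constructed pattern for the example).
PAN_RE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){13,19}(?![ -]?\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Visible handling markers an author may have placed on the document (constructed vocabulary).
MARKER_RE = re.compile(r"for official use only|confidential", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out numbers that merely look like payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, separators removed."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def classify(text: str):
    """Return (label, findings); the most sensitive piece of evidence decides the label."""
    findings = {}
    pans = find_pans(text)
    if pans:
        findings["pan"] = len(pans)
    emails = EMAIL_RE.findall(text)
    if emails:
        findings["email"] = len(emails)
    if MARKER_RE.search(text):
        findings["marker"] = True
    if "pan" in findings or "marker" in findings:
        label = "confidential"
    elif "email" in findings:
        label = "internal"
    else:
        label = "public"
    return label, findings


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid card number except its last four digits."""
    def repl(m):
        raw = m.group()
        core = raw.rstrip(" -")           # keep any trailing separator outside the mask
        digits = re.sub(r"[ -]", "", core)
        if not luhn_ok(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:] + raw[len(core):]
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample messages.
    for sample in ("Card 4111-1111-1111-1111 belongs to anna@example.com",
                   "Ticket 1234 5678 9012 3456 is still open",
                   "Agenda for the Monday meeting"):
        print(classify(sample), "->", redact_pans(sample))
```

The second sample contains sixteen digits that fail the Luhn check, so it stays "public" and is not masked; a classifier that only counts digits would have labelled it confidential and blocked a harmless support ticket.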
3. Location
In IT terms, the place from which access is attempted is the endpoint: a smartphone, a home computer, a corporate laptop, a server inside the company perimeter or another device. Dedicated solutions detect the source of the connection and identify what it is; such IS/IT products underpin the asset inventory and management process. On the one hand, a company needs to see all its devices, detect new ones, then recognise and classify them; on the other hand, it needs to know which endpoints take part in which processes. A risk management process (e.g. cyber risk assessed according to the FSTEC methodology) can be connected to Asset Management as well.
As a result, devices that are simply not safe to grant access to can be screened out. In addition, technologies such as a Virtual Private Network (VPN), which creates an encrypted tunnel to corporate resources, or Remote Desktop Protocol (RDP), which lets a remote employee work on a managed corporate machine instead of on the local device, are used. Note that in a Zero Trust model a VPN connection does not by itself confer trust: every request arriving through the tunnel is still subject to the same identity, device and policy checks.
4. Infrastructure
Similar to the previous point, this step is also about location, but not where the user works: where the data itself lives, for example a virtual machine, a container with a deployed environment, a server or another automated workstation (AWP). Depending on the specifics of the infrastructure, additional security controls are selected, such as Identity Management (IDM) solutions, anti-virus protection, behavioural analysis and others.
If we compare these two steps with everyday life, think of the entry-requirements database for travelling to a country. Airlines use such a database, and some also publish instructions for passengers: requirements for insurance, visas, entry permits and other documents that may be needed depending on the departure and destination points. From the IT perspective, depending on where the user is connecting from and where the data itself is located, the various protection tools described above are activated. And if security cannot be confirmed, access stays denied.
5. Network
Additional restrictions are added when one service connects to another, for example a database with sensitive information and the web server through which a user wants to make a purchase or subscribe to a newsletter. To protect public servers from mass attacks, anti-DDoS solutions are used; at the network level they separate genuine requests from those generated by bots that try to 'take down' the site and damage its availability. If the service is public, for example an airline ticketing site, an online shop or an online bank, network availability must be considered especially carefully. With a Zero Trust approach access will be as secure as possible, but the user will have to confirm their intentions, perhaps by calling the call centre when suspicious activity is detected, or by entering a code from an SMS when logging into their personal account.
Splitting the network into parts is also necessary for access within the company. To organise this, directory services (e.g. Active Directory, AD) are used together with micro-segmentation enforced by firewalls (modern proxy servers and NGFW). Such systems link user accounts, devices and IP addresses to each other and open a network path only when all checks have been passed. Solutions can operate not only in enforcement (blocking) mode but also in monitoring mode, recording all communications for later analysis; in that case various ways of visualising the detailed data and the relationships between objects are used to find the threat quickly.
6. Security Policies
By policies we usually mean regulations and organisational measures that set out the basic rules, on paper or electronically: how often passwords must be changed, where to look up colleagues' phone numbers, what to do if you are ill and cannot come to work, where to go in case of a gas leak, etc. For information systems some rules are established by law, such as the obligation to report an incident at a critical information infrastructure facility (CIIF) or when operating a personal data (PDN) protection system. Companies may also establish their own internal regulations and rules, either as requirements (the sick-leave procedure, obtaining a key to the premises via the access control system) or as recommendations (corporate correspondence, automatic replies during holidays, etc.).
Almost any information system can be configured with its own policies that automatically apply Zero Trust rules to every action. Automation saves time and removes the risk of human error. Policies are the decision-making centre of the Zero Trust methodology: they link users, data and technology so that security, availability and reliability are ensured.
Creating policies point by point, configuring them in detail and keeping the update cycle continuous is the key to success in organising any process. The same practice applies to everyday life: we have already described a number of useful habits that help improve the security of your online data; use them and have peace of mind.
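How such a policy becomes a decision, as an added example that is not part of this article or of any Security Vision product. It is a minimal policy decision point that ties together steps 1 to 5 above: the subject (identity and MFA result), the data label, the endpoint's posture, and the network segment the request comes from are all checked for every request, nothing is trusted by default, and an unknown label or an address outside any known segment leads to denial. The monitoring mode mentioned in the network section is modelled by an enforce flag that logs the verdict without blocking. Every class, field, segment range and sample object is an assumption chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Sensitivity levels; a higher number is more sensitive (constructed vocabulary).
LEVEL = {"public": 0, "internal": 1, "confidential": 2}

# Constructed network segments; a real deployment takes these from its inventory
# and NGFW configuration.
SEGMENTS = {
    "corp": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.168.100.0/24"),
}


@dataclass
class Subject:            # step 1: who is asking, and has MFA been passed
    user: str
    role: str
    mfa_passed: bool
    clearance: str


@dataclass
class Device:             # step 3: the endpoint the request comes from
    device_id: str
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    ip: str


@dataclass
class Resource:           # steps 2, 4 and 5: the data, where it lives, who may reach it
    name: str
    label: str
    permissions: dict     # role -> set of allowed actions
    reachable_from: set   # network segments allowed to reach this resource


def segment_of(ip: str) -> str:
    """Map a source address to a known segment; anything else is 'unknown'."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return "unknown"
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(subject, device, resource, action):
    """Return (allowed, failed_checks). Every check must pass; nothing is trusted by default."""
    checks = [
        ("mfa", subject.mfa_passed),
        ("action", action in resource.permissions.get(subject.role, set())),
        # unknown labels on either side resolve to deny
        ("clearance", LEVEL.get(subject.clearance, -1) >= LEVEL.get(resource.label, 99)),
        ("device_managed", device.managed),
        ("device_posture", device.disk_encrypted and device.edr_healthy),
        ("network", segment_of(device.ip) in resource.reachable_from),
    ]
    failed = [name for name, ok in checks if not ok]
    return (not failed), failed


def decide(subject, device, resource, action, enforce=True):
    """Policy decision point: in monitoring mode the verdict is logged but not enforced."""
    allowed, failed = evaluate(subject, device, resource, action)
    verdict = "ALLOW" if allowed else "DENY"
    log = (f"{verdict} user={subject.user} role={subject.role} device={device.device_id} "
           f"src={device.ip}({segment_of(device.ip)}) resource={resource.name} "
           f"action={action} failed={','.join(failed) or '-'}")
    return (allowed if enforce else True), log


# Constructed sample objects.
RISK_REGISTER = Resource(
    name="risk_register", label="internal",
    permissions={"risk_manager": {"read", "run_assessment"},
                 "admin": {"read", "write", "configure"}},
    reachable_from={"corp"},
)
ANNA = Subject(user="anna", role="risk_manager", mfa_passed=True, clearance="internal")
ANNA_LAPTOP = Device(device_id="LT-0142", managed=True, disk_encrypted=True,
                     edr_healthy=True, ip="10.20.3.7")
BYOD_PHONE = Device(device_id="BYOD-phone", managed=False, disk_encrypted=False,
                    edr_healthy=False, ip="203.0.113.5")

if __name__ == "__main__":
    for dev, act in [(ANNA_LAPTOP, "read"), (ANNA_LAPTOP, "configure"), (BYOD_PHONE, "read")]:
        print(decide(ANNA, dev, RISK_REGISTER, act)[1])
```

The failed-check list is what makes the log useful to an operator: the same user is denied once for asking for an action outside their role and once because the device and the network it sits on do not pass, and each denial names the exact check to fix rather than a generic "access denied".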
7. Orchestration
The last step on our list (but not the least important) in properly building a Zero Trust architecture is conducting the whole orchestra of security tools. No single vendor covers every service, and IS and IT products are diverse and differ in functionality and approach, so it is important to be able to build your own ecosystem out of whatever you have. Whatever the solutions for user protection, endpoint protection, infrastructure and network protection, authentication and data analytics, they all need to work together under the Zero Trust methodology to ensure security.
To do this you can use products from one vendor linked into an ecosystem, or use integrations to build data pipelines from one system to another.
In the end, step by step, you build connections between people, processes and technologies so that data is transferred only once security has been established at each step.