Zero-Trust Security Model
What is Zero-Trust?
Zero trust is a network security philosophy that states no one inside or outside the network should be trusted unless their identity has been thoroughly verified. Zero trust operates on the assumption that threats both outside and inside the network are an omnipresent factor. Zero trust also assumes that every attempt to access the network or an application is a potential threat. These assumptions inform the thinking of network administrators, compelling them to design stringent, trustless security measures.
How Traditional Protections Created the Need for Zero-trust Models
Traditional security architecture is sometimes referred to as the “castle-and-moat” model. Think of the network as a castle: authorized users "cross the moat" to get inside the network perimeter. Even though this approach was useful for defending against external threats, it failed to address threats that already existed within the network. This traditional perimeter-based security approach only distrusts factors outside the existing network. Once a threat is able to cross the moat and get inside the network, it has free rein to wreak havoc within the castle that is your system. A zero-trust network security model is based on identity authentication instead of trusting users based on their position relative to your network.
How the Zero-trust Model Evolved
The term “zero trust” was first coined by John Kindervag at Forrester Research. In a paper published in 2010, Kindervag explained how traditional network security models fail to provide adequate protection because they all require an element of trust. Administrators have to trust people and devices at various points in the network, and if this trust is violated, the entire network could be put at risk.
To solve the problem, he recommended the use of segmentation gateways (SG), which could be installed in the heart of a network. The SG model involves incorporating several different protection measures and using a packet-forwarding engine to dispatch protections where they are needed in the network.
Within a few years, Google adopted zero-trust security measures. Other companies, eager to follow in Google’s footsteps, also began adopting the zero-trust concept.
How Does a Zero-trust Architecture Work?
Zero-trust implementation involves requiring strict identity verification for every individual or device that attempts to access the network or application. This verification applies whether or not the device or user is already within the network perimeter. User or device identity verification can be triggered by events such as changes in the devices being used, location, log-in frequency, or the number of failed login attempts.
The Protect Surface
Protection begins by identifying your protect surface, which is based on data, applications, assets, or services, commonly referenced by the acronym DAAS:
- Data: Which data do you have to protect?
- Applications: Which applications have sensitive information?
- Assets: What are your most sensitive assets?
- Services: Which services can a bad actor exploit in an attempt to interrupt normal IT operation?
Establishing this protect surface helps you home in on exactly what needs to be protected. This approach is preferable to trying to guard the attack surface, which constantly increases in size and complexity.
A zero-trust policy involves regulating traffic around critical data and components by forming microperimeters. At the edge of a microperimeter, a zero-trust network employs a segmentation gateway, which monitors the entry of people and data. It applies security measures that are designed to thoroughly vet users and data before granting access, using a Layer 7 firewall and the Kipling method.
A Layer 7 rule involves inspecting the payload of packets to see if they match known types of traffic. If a packet contains data that doesn’t meet the parameters of the Layer 7 rule, access is blocked. The Kipling method challenges the validity of the entry attempt by asking six questions about the entry and who is trying to get in: Who? What? When? Where? Why? How? If the answer to any of the queries raises a flag, access isn’t granted.
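The Kipling check described above, written out as a small policy evaluator of the kind a segmentation gateway could apply at a microperimeter. This is an added example, not code from the original page or from any vendor product; the resource name, users, zones and rules are constructed for illustration.

```python
# Added example (not from the original page): Kipling-method policy check.
# The "crm-db" resource, users, zones and purposes are constructed values.
from dataclasses import dataclass

@dataclass
class AccessRequest:
    who: str            # authenticated identity making the request
    what: str           # protect-surface resource being requested
    when: int           # hour of day (0-23) of the attempt
    where: str          # network zone the request arrives from
    why: str            # declared purpose (e.g. a ticket type)
    how: str            # protocol or application used
    mfa_verified: bool = False

@dataclass
class KiplingPolicy:
    resource: str
    allowed_users: set
    allowed_hours: tuple      # inclusive (start_hour, end_hour)
    allowed_zones: set
    allowed_purposes: set
    allowed_methods: set
    require_mfa: bool = True

def evaluate(req, policy):
    """Return (allowed, flags): any question that raises a flag denies access."""
    flags = []
    if req.what != policy.resource:
        flags.append("what: policy does not cover this resource")
    if req.who not in policy.allowed_users:
        flags.append("who: identity not authorized")
    start, end = policy.allowed_hours
    if not (start <= req.when <= end):
        flags.append("when: outside permitted hours")
    if req.where not in policy.allowed_zones:
        flags.append("where: source zone not permitted")
    if req.why not in policy.allowed_purposes:
        flags.append("why: purpose not recognised")
    if req.how not in policy.allowed_methods:
        flags.append("how: access method not permitted")
    if policy.require_mfa and not req.mfa_verified:
        flags.append("how: MFA not completed")
    return (not flags, flags)

# Constructed policy for a hypothetical customer-records database
CRM_DB_POLICY = KiplingPolicy("crm-db", {"alice"}, (8, 18), {"corp-lan", "ztna-proxy"},
                              {"support-ticket"}, {"sql-over-tls"})
```

Because every question must be answered to the policy's satisfaction, a request from inside the corporate LAN is denied exactly as one from the Internet would be when any single answer is wrong.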
Multi-factor authentication (MFA) verifies the identity of a user by requiring them to provide multiple credentials. With traditional password entry methods, a bad actor only has to figure out a username and password, which often are easy for hackers to acquire. With MFA, users must provide multiple methods of identification. For example, a user may need both a USB stick and a password. Without either factor, the person would not be able to gain access.
Multi-factor authentication aids a zero-trust network by increasing the number of user-specific credentials required for access. Requiring two, three, four, or more independent factors means an attacker must defeat each of them, rather than a single password, before gaining access.
Endpoints need to be verified to make sure each one is being controlled by the right person. Endpoint verification strengthens a zero-trust approach because it requires both the user and the endpoint itself to present credentials to the network. Each endpoint has its own layer of authentication that requires users to prove their credentials before gaining access.
Then, in order for a component or program on the network to allow the endpoint access, it sends a verification out to the endpoint. The user then responds on the device. The data sent from the endpoint is used to check its validity, and a successful receipt and transmission process earns the device the status of “trustworthy.”
Unified endpoint management (UEM) allows administrators to centralize how they manage IT infrastructures by giving them a single set of tools they can use to verify multiple endpoints. Endpoint detection and response (EDR) verifies the safety and security of the endpoint. EDR works like a multifaceted antivirus. It scans the endpoint, identifies threats, and then takes steps to protect the endpoint and by extension, the rest of the network.
Microsegmentation involves creating zones within the network to isolate and secure elements of the network that could contain sensitive information or that could give malicious actors a foothold. A zero-trust security approach benefits from microsegmentation because once the secured area has been microsegmented, it is isolated from threats elsewhere in the network. The firewall or filter that forms a barrier around the zone can also block threats from exiting the zone, which protects the rest of the network.
Least-privilege access refers to allowing users and devices to access only those resources that are essential to performing their duties. A zero-trust setup benefits from least-privilege access because it limits the number of points of entry to sensitive data or infrastructure. Least-privilege access may also save time and resources because fewer MFA measures have to be employed, which limits the volume of identification credentials that have to be granted and managed.
Zero Trust Network Access
Zero trust network access (ZTNA) is an element of zero trust access (ZTA) that focuses on controlling access to applications. ZTNA extends the principles of ZTA to verify users and devices before every application session to confirm that they meet the organization's policy for access to that application. ZTNA supports multi-factor authentication to retain the highest levels of verification.
A key element of the ZTNA concept is the location independence of the user. The application access policy and verification process is the same whether the user is on the network or off the network. Users on the network have no more trust than users that are off the network.
For users off the network, ZTNA includes a secure, encrypted tunnel for connectivity from the user device to the ZTNA application proxy point. The automatic nature of this tunnel makes it easier to use than traditional VPN tunnels. The improved experience for users is leading many organizations to shift to ZTNA to replace VPN access.
The ZTNA application proxy point provides a benefit beyond just the transparent, secure remote access. By putting applications behind a proxy point, ZTNA hides those applications from the Internet. Only those users who have verified can gain access to those applications.
Benefits of a Zero-trust Model
Many enterprises have adopted the zero-trust philosophy when designing their security architecture for several reasons:
- Protection of customer data: The wasted time and frustration that comes from the loss of customer data is eliminated, as is the cost of losing customers who no longer trust the business.
- Reduced redundancy and complexity of the security stack: When a zero-trust system handles all of the security functions, you can eliminate stacks of redundant firewalls, web gateways, and other virtual and hardware security devices.
- Reduced need to hire and train security professionals: A central zero-trust system means you don't have to hire as many people to manage, monitor, secure, refine, and update security controls.
Without zero-trust architecture in place, companies unnecessarily expose themselves to costly data breaches. For example, in May 2014, hackers gained access to the addresses, names, dates of birth, and passwords of 145 million eBay users. To get in, they simply used the login credentials of three eBay employees.
If eBay had used a zero-trust model equipped with at least two levels of MFA, the hackers would have needed more information than just a username and password to gain access. Requiring a USB device to be plugged into a specific computer, for example, could have saved eBay the embarrassment and loss of public trust.
How to Implement Zero-trust Security
With the right tools, implementing a zero-trust approach to security only takes a few basic steps.
Define a Protect Surface
Outline the types of data or network components you absolutely need to protect. For many companies, this may include:
- Customer data
- Financial records
- Employee information
- Proprietary collateral such as blueprints and patents
- Network equipment like servers, switches, and routers
Limit Access to Data
Determine what resources each user needs to access to perform their duties, and make sure they can only access those specific areas. Limiting the attack surface for phishing or malware intrusions this way reduces the impact of human error. If a user has a single weak password that is used for several points of access, a malicious actor who figures out that password can inflate the effects of a breach, infiltrating not only the areas essential to the user’s job but also the nonessential sections of the network.
Give Your Team Visibility
When your IT team has visibility, they can help users get the most out of the network and keep a watchful eye on the system. Visibility tools may include:
- Reports: User activity reports can be analyzed to identify attempts to break into the system.
- Analytics: Analyzing user activity over a period of time may reveal patterns of behavior. A break in the pattern could indicate an attempt to bypass security protocols.
- Monitoring: Real-time monitoring of the system can reveal hackers’ attempts at infiltration as they happen.
- Logs: When system activity is logged, you can analyze the data to look for anomalies that could be due to attempted breaches. You can also ascertain the methodology of a hacker by studying the logs after a hack.
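The log analysis step above, as an added example that is not from the original page: it scans constructed authentication log lines for the events the page names as triggers for re-verification (a new device, a new location, repeated failed logins). The log format and the failure threshold are assumptions.

```python
# Added example (not from the page): flag users whose sessions should be
# re-verified. Log format, field names and FAILED_THRESHOLD are assumed.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)
FAILED_THRESHOLD = 3   # assumed: consecutive failures before step-up verification

def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines):
    """Return {user: [reasons]} for users whose sessions should be re-verified."""
    seen_devices = defaultdict(set)
    seen_sources = defaultdict(set)
    failures = defaultdict(int)
    alerts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip it rather than abort the analysis
        user = ev["user"]
        if ev["result"] == "failure":
            failures[user] += 1
            if failures[user] == FAILED_THRESHOLD:
                alerts[user].append("repeated failed logins")
            continue
        failures[user] = 0  # a success resets the consecutive-failure count
        if seen_devices[user] and ev["device"] not in seen_devices[user]:
            alerts[user].append(f"new device {ev['device']}")
        if seen_sources[user] and ev["src"] not in seen_sources[user]:
            alerts[user].append(f"new location {ev['src']}")
        seen_devices[user].add(ev["device"])
        seen_sources[user].add(ev["src"])
    return dict(alerts)

# Constructed sample log lines (not real data)
SAMPLE_LOG = [
    "2024-01-15T09:02:11Z user=alice device=laptop-01 src=corp-lan result=success",
    "2024-01-15T09:40:53Z user=alice device=laptop-01 src=corp-lan result=success",
    "2024-01-15T11:17:02Z user=alice device=phone-77 src=hotel-wifi result=success",
    "2024-01-15T12:01:44Z user=bob device=desk-09 src=corp-lan result=failure",
    "2024-01-15T12:01:58Z user=bob device=desk-09 src=corp-lan result=failure",
    "2024-01-15T12:02:13Z user=bob device=desk-09 src=corp-lan result=failure",
    "this line is garbage and must be skipped",
]
```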
Build Your Zero-trust Network
Fortinet can provide the foundation of your zero-trust network. With FortiOS and FortiClient, you have a ZTNA solution that works across many architectures and leverages your existing deployed FortiGates, VM FortiGates, or SASE services.
With FortiNAC, you get an intelligent network access control system with built-in zero-trust controls. Additionally, you can shield your network from malicious users attempting to use Internet-of-Things (IoT) devices to compromise your system.
With the combination of FortiAuthenticator and FortiToken, you get the power of trustless identity and access management (IAM) for the Fortinet Security Fabric. FortiAuthenticator provides centralized authentication services, while FortiToken adds a secondary factor by implementing physical and mobile application-based tokens.