Zero Trust - An Introduction





Author: Rutvik Belapurkar
Date: 16th October, 2022




1. The Origins of Zero Trust


The term ‘Zero Trust’ can be traced back to the 1994 thesis “Formalising trust as a computational concept” by Harold Thimbleby (Marsh, 1994), though that work had no relation to Zero Trust from the perspective of information security. In the context of information security, the term was first introduced in the report “No More Chewy Centers: The Zero Trust Model of Information Security”, followed by the report “Build Security into Your Network’s DNA: The Zero Trust Network Architecture”, by Forrester research analyst John Kindervag along with Stephanie Balaouras and Lindsey Colt (Kindervag, 2010a) (Kindervag, 2010b). BeyondCorp, started by Google in 2009 with the aim of deploying a similar security model focused on device and user data rather than location and network perimeters, became one of the early adopters of Zero Trust in 2015 with the mission statement “To enable every Google employee to work successfully from untrusted networks without the use of a VPN” (Claburn, 2016).




2. Why Zero Trust?


‘Trust’ has often been described as a vulnerability (Campbell, 2020) in the world of information security. The U.S. Department of Defense’s Zero Trust Reference Architecture states the purpose of implementing such an architecture as follows: “The foundational tenet of the Zero Trust is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in the philosophy of how we secure our infrastructure, networks, and data, from verification once at the perimeter to continual verification of each user, device, application, and transaction.” (Young, 2022) (Department of Defence, 2021) Thus, the primary goal of Zero Trust is to eliminate unauthorized access to resources, consisting of data (logs, PII, confidential information, plans, etc.) and services (computers, servers, networks, security systems, IoT devices, printers, etc.), by implementing access controls in the most granular manner possible (Rose et al., 2020) and adding a layer of verification even for so-called “trusted” elements. These access controls prevent unauthorized access and also verify each authorized access every time a particular resource is used. Essentially, the aim of Zero Trust is to minimize security incidents. Therefore, the simplified description of Zero Trust as ‘Never Trust; Always Verify’ (Buck et al., 2021) is an apt one.

Since the period following World War 2, securing any system has been dominated by perimeter-based security. This perimeter-based model, which earlier relied on a physical security approach (Warner, 2012), transitioned to also incorporate network-layer perimeter defences using multiple layers such as firewalls, IDS/IPS, separation of the network into internal and external segments, DMZs, etc., in the defence-in-depth model. In a nutshell, the physical location of an object decides whether the object is trusted implicitly or must go through the identification and authentication process. A major problem with such an approach is that if a malicious threat actor manages to bypass the identification and authentication process once, it will be labelled as ‘trusted’ and can thus perform its malicious actions for a long period; and since implicit trust is placed in internal elements, which face fewer authentication procedures (if any) than external elements, the threat actor can cause a huge impact in the form of various cyber incidents – malware incidents, data theft, cyber espionage, etc. (He et al., 2022)

On the other hand, even if the defence-in-depth model succeeds in mitigating external attacks, any internal actor, such as staff or employees, who is implicitly trusted can act as an insider threat and cause significant damage. Edward Snowden is an apt example: working as an employee, he turned whistle-blower and leaked the secrets of the NSA, one of the world’s best-guarded agencies (Ray, 2018). The discussion of ethics can be set aside, as such acts can be performed for both ethical and unethical purposes. Nevertheless, it is a concerning incident that raises questions about all perimeter-based defences and defence-in-depth models.



John Kindervag, in his 2010 report – his foremost report on Zero Trust – identifies four pitfalls in the prevailing approach to information security (Kindervag, 2010b):

1. “It is impossible to identify trusted interfaces” (Kindervag, 2010b)

Network devices usually have one port labelled “Untrusted” and another labelled “Trusted”, and security professionals are expected to identify which networks fall into each category. The past has shown in enough ways that trusting an internal entity or device is a blunder. Therefore, should one connect the internal network to a trusted or an untrusted port, and which port should the Internet be connected to, considering the threat environment? (Kindervag, 2010b)

2. “The Mantra ‘Trust but Verify’ is a joke” (Kindervag, 2010b)

Security professionals tend to agree to adopt the ‘Trust but Verify’ policy; however, Forrester has found that trust is granted implicitly while the verification process is often skipped. For instance, we implicitly trust people, yet seldom perform the verification process in day-to-day life, neglecting it because of the effort required. (Kindervag, 2010b)

3. “Malicious Insiders are often in positions of trust.” (Kindervag, 2010b)

According to Forrester’s survey, 48% of security professionals working in companies that were the victims of security breaches due to internal incidents confirmed the presence of malicious intent behind the security incidents, i.e., not all breaches were due to unintentional errors made by employees. (Kindervag, 2010b)

4. “Trust Doesn’t Apply to Packets” (Kindervag, 2010b)

It is difficult to track the entities in the internal network with 100% certainty. The general assumption is that the origin of traffic in an internal network is known, and therefore the identity of the user and their device can be traced using MAC addresses, IP addresses, user accounts, etc. However, it is often overlooked that user accounts can be compromised and that MAC and IP addresses can be spoofed. Packets can also be crafted and spoofed to serve an attacker’s intent in performing the above-listed operations. Therefore, standalone packets, whether external or internal, cannot be trusted. (Kindervag, 2010b)




3. What is Zero Trust?


Zero Trust is an information security architectural model based on Zero Trust principles crafted to mitigate security incidents. NIST Special Publication 800-201 on ‘Zero Trust Architecture’ also highlights that it is not a single architecture but a “set of guiding principles for workflow, system design and operations” aimed at improving the security posture. It focuses on resource security and prohibits placing implicit trust in subjects requesting access to those resources. (Rose et al., 2020) NIST describes Zero Trust with the following definition: “Zero Trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per request access decisions in Information Systems and secures in the face of a network viewed as compromised.” (Rose et al., 2020) The crux of Zero Trust is to eliminate the notions of a “Trusted Network” (the term usually used to describe internal networks) and an “Untrusted Network” (the term usually used to describe external networks). Instead, all network traffic is treated as untrusted and must therefore undergo all necessary security procedures such as access control, inspection, logging, etc. (Kindervag, 2010b) The Zero Trust model enables users on untrusted networks, regardless of their location, to access enterprise resources after undergoing authentication and policy controls. (He et al., 2022)


John Kindervag, a pioneer of Zero Trust, introduces Zero Trust with three fundamental concepts:

1. “Ensure all Resources are accessed securely regardless of location.” (Kindervag, 2010b)

The Zero Trust model assumes that all incoming traffic is a threat and must therefore be inspected, verified, and authorized before access to any resource is allowed. E.g., the use of encrypted data transfer for both internal and external networks, with appropriate hashing algorithms for authentication. (Kindervag, 2010b)

2. “Adopt Least Privilege Strategy and Strictly Enforce Access Control.” (Kindervag, 2010b)

A proper access control system must be established to enforce least privilege and prohibit users or threat actors from accessing restricted resources. E.g., role-based access control systems, supported by technologies such as Network Access Control and Identity and Access Management systems, allow organizations to implement strict access control policies, among many others. (Kindervag, 2010b)

3. “Inspect and Log Traffic” (Kindervag, 2010b)

The concept of Zero Trust doesn’t end with adopting the least privilege strategy and enforcing access controls. Logging and monitoring must be performed regardless, to ensure that the operations authorized to be performed using allotted resources are not abused in any way. The “Verify and Never Trust” philosophy must be followed. (Kindervag, 2010b)
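As an added example (not code from the article or from any of the reports it cites), the following Python sketch contrasts the two approaches discussed in sections 2 and 3: a perimeter-style check that implicitly trusts anything with an internal source address, beside a Zero Trust policy decision that ignores location and applies Kindervag’s three concepts to every request (verify the request, enforce least privilege by role and device posture, log every decision). The address range, users, devices, roles and sample requests are all constructed for illustration and stand in for a real directory, device-management system and policy engine.

```python
"""Added example (not from the article): a toy policy decision point that
contrasts the perimeter model criticised in section 2 with a Zero Trust
per-request decision implementing the three concepts in section 3.
All networks, users, devices, roles and requests are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed "internal" address range that the perimeter model trusts implicitly.
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed directory data: device posture and role-based permissions (least privilege).
MANAGED_DEVICES: Dict[str, bool] = {"laptop-0001": True, "laptop-0002": False}  # False = failed compliance check
USER_ROLES: Dict[str, str] = {"alice": "finance", "bob": "engineering"}
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "finance": {("payroll-db", "read")},
    "engineering": {("build-server", "read"), ("build-server", "write")},
}

AUDIT_LOG: List[str] = []  # every decision is recorded ("Inspect and Log Traffic")


@dataclass
class Request:
    user: str
    source_ip: str
    device_id: str
    resource: str
    action: str
    authenticated: bool  # stands in for a verified credential presented with this request


def perimeter_decision(req: Request) -> bool:
    """Perimeter model: a request from the internal network is trusted without
    verification; only external requests are checked. A source address inside
    the internal range is enough to pass, which is the weakness behind
    Kindervag's 'trust doesn't apply to packets'."""
    if ip_address(req.source_ip) in INTERNAL_NET:
        return True
    return req.authenticated


def zero_trust_decision(req: Request) -> bool:
    """Zero Trust model: source location is ignored. Every request must pass
    authentication, device posture and least-privilege checks, and the outcome
    is logged whether it is allowed or denied."""
    reasons: List[str] = []
    if not req.authenticated:
        reasons.append("authentication failed")
    if not MANAGED_DEVICES.get(req.device_id, False):
        reasons.append("device unknown or non-compliant")
    role = USER_ROLES.get(req.user, "")
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(role, set()):
        reasons.append("action not permitted for role")
    allowed = not reasons
    AUDIT_LOG.append(
        f"{'ALLOW' if allowed else 'DENY'} user={req.user} ip={req.source_ip} "
        f"device={req.device_id} resource={req.resource} action={req.action} "
        f"reasons={reasons}"
    )
    return allowed


# Constructed sample requests covering the failure modes discussed in the text.
SAMPLE_REQUESTS: Dict[str, Request] = {
    "legitimate_internal": Request("alice", "10.1.2.3", "laptop-0001", "payroll-db", "read", True),
    "legitimate_remote": Request("alice", "203.0.113.5", "laptop-0001", "payroll-db", "read", True),
    "spoofed_internal_ip": Request("mallory", "10.1.2.4", "unknown", "payroll-db", "read", False),
    "noncompliant_device": Request("alice", "10.1.2.3", "laptop-0002", "payroll-db", "read", True),
    "insider_overreach": Request("bob", "10.1.2.9", "laptop-0001", "payroll-db", "read", True),
}


def compare_models() -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (perimeter_allows, zero_trust_allows)} for the sample requests."""
    return {name: (perimeter_decision(r), zero_trust_decision(r)) for name, r in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (perim, zt) in compare_models().items():
        p_label = "ALLOW" if perim else "DENY"
        z_label = "ALLOW" if zt else "DENY"
        print(f"{name:22s} perimeter={p_label:5s} zero_trust={z_label}")
    print("\n".join(AUDIT_LOG))
```

Run as a script, the comparison shows the perimeter model allowing all five requests because four of them carry an internal source address, while the Zero Trust decision allows only the two requests that are authenticated, come from a compliant device and fall within the user’s role, and it writes an audit line for each decision either way. The remote request from outside the internal range is allowed by both models, which is the point of concept 1: location neither grants nor removes access on its own.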





Bibliography

1) Warner, M. (2012). Cybersecurity: A Pre-history. Intelligence and National Security, 27(5), pp. 781–799. doi:10.1080/02684527.2012.708530.

2) Buck, C., Olenberger, C., Schweizer, A., Völter, F. and Eymann, T. (2021). Never trust, always verify: A multivocal literature review on current knowledge and research gaps of zero-trust. Computers & Security, 110, p. 102436. doi:10.1016/j.cose.2021.102436.

3) De Leeuw, K. and Bergstra, J.A. (2007). The History of Information Security: A Comprehensive Handbook. Amsterdam; London: Elsevier.

4) Gollmann, D. (2011). Computer Security. Hoboken, N.J.: Wiley.

5) Internet Society (2017). Brief History of the Internet. [online] Internet Society. Available at: https://www.internetsociety.org/internet/history-internet/brief-history-internet/