Zero Trust is a catchphrase that is growing in use and is employed by cyber security product and service vendors to promote their offerings. Zero Trust, as the concept implies, requires that users aren’t allowed any access to anything until they can prove who they are. Attaching the moniker “Zero Trust” usually misleads buyers into a false sense of security (no pun intended). True Zero Trust requires that no one is allowed into the network without rigorous authentication at the machine and user level along with the use of true multi-factor authentication.
Implementing Zero Trust in today’s networks is very complicated. Waverley Labs has pioneered an open source reference implementation of an architecture called the Software Defined Perimeter (SDP) funded by the Department of Homeland Security. This work has been leveraged to provide security for software defined networks and is the ONLY way to implement a Zero Trust network effectively and efficiently. This presentation will not only show how zero trust can be implemented but also how to orchestrate security effectively and efficiently in on-premise, cloud, hybrid, IoT and Physical Security environments.
One way to implement Zero Trust in traditional networks is to use VPNs and Firewalls to allow the user to connect to services (e.g., a mail server) after authentication with an Identity Provider (IdP). Firewalls can be set up to ban IPs and services can be set up to figure out which IP addresses are good or bad. Connections can be vetted with existing authentication schemes (eg. Active Directory etc.) IT teams believe they achieve “Zero Trust” by implementing a VPN set up to only let the users on the network who have the authorized VPN client and the appropriate keys using protocols that are vetted at the firewall. However, unauthorized users who clone the VPN client and steal the keys, using key-stroke recording malware and the like, are already in the network so they can access the mail server and then determine other user names and passwords to perform malicious acts such as DDoS, credential theft, etc. The extorted user names and passwords allow one to access other services (eg. SharePoint) that are not on the mail server network segment. Unauthorized users that gain access to the network can access other shared services using hacking techniques. With the VPN and Firewall approach exposure is unlimited, that is to say, that allowing network access BEFORE rigorous authentication enables users (good and bad) to have access to all the services; not just logins, but actual access.
Another way to implement Zero Trust is to containerize applications, implement micro-segmentation and enforce fine-grained access policies. Combining these technologies to secure applications, which is seemingly the goal, is very complicated – especially while using traditional network environments. In the cloud, it may be easier to reduce the attack surface but there again, the scalability and elastic capabilities of cloud implementations complicates implementing and managing Zero Trust. Without separating the configurations of the containers, they cannot be easily shutdown and moved when security is compromised. Even though micro-segmentation addresses the changing perimeter by reducing the attack surface, the fact remains that unless there is a separate control plane to verify connections prior to traversing these segments, the issue of allowing access BEFORE rigorous authentication still remains.
Allowing access to the network changes with real Zero Trust; as the concept implies that users aren’t allowed any access to anything until they authenticate who they are. Today’s “Zero Trust” implementations are like putting up a wall with multiple doors and allowing people to come and pick a lock on the door. We are then just relying on the locks. It is much better to put up a fence around and authenticate people before they get to the doors. One does want to see who is knocking, but one doesn’t want the threat to do bad things – like pick the locks. Authentication BEFORE access is the essence of real Zero Trust. Separating access control to validate logins prior to accessing services and data is the essence of real Zero Trust. In addition, creating an impenetrable fence to prohibit access before authenticating to the service, is the holy grail of Zero Trust.
Enter the Software Defined Perimeter (SDP) Architecture adopted by the Cloud Security Alliance that published the first specification of it in 2014. The specification defines a protocol to implement a ‘deny-all’ firewall and uses a single packet authorization scheme to open the firewall dynamically to access the services behind it, a controller that authenticates users and validates their devices prior to allowing the firewall to be opened and a separate bi-directional encrypted connection between the user and the service. Integrating all these elements ensures implementation and the enablement of Zero Trust Orchestration.
Waverley Labs was funded by the Department of Homeland Security to develop an open source reference implementation of the SDP specification (www.sdpcenter.com) specifically to show how it protects cloud applications from large-scale DDoS attacks (www.waverleylab.com/demo) in 2016. Since then Waverley Labs has further developed the capability to orchestrate Zero Trust. Business owners now have visibility into the security of their critical applications and assets and this talk will touch on the Zero Trust Orchestration capabilities that they can adopt to accomplish this.