Zero trust approach
BYOD, mobile users and devices, and the cloud are now part of the IT landscape.
Classic security models viewed the network perimeter, often protected by firewalls and other on-premises solutions, as the ultimate line of defense. Users inside the enterprise network were considered trustworthy and given free rein to access company data and resources. Users outside the perimeter were considered untrustworthy and could not access resources.
This is called the castle-and-moat model. In castle-and-moat security, it is hard to obtain access from outside the network, but everyone inside the network is trusted by default.
The problem with this approach is that once an attacker gains access to the network, they have free rein over everything inside.
Zero trust is a concept built to answer that issue. Instead of considering people trustworthy because of where they are, we treat nobody as trusted by default: we will require identity verification for every person and device trying to reach our resources in the network.
Zero trust components
Zero trust is not a specific technology; it is a concept or approach. That means we can build zero trust in many ways, but the tools mainly serve the same functions.
As said previously, zero trust requires strong identity verification, so IAM (identity and access management) is one of the main components. IAM is a way to tell who users are and what they are allowed to do.
Identity management (IdM), also known as identity and access management (IAM or IdAM), is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources.
With an IAM you can implement MFA (multi-factor authentication) in addition to a password, but also track access into the company.
IAM helps prevent identity-based attacks and data breaches that come from privilege escalation (when an unauthorised user has too much access).
MFA, which requires more than one piece of information to authenticate a user, is a core value of zero trust.
IAM policies are built on user context (Who are they? Are they in a risky user group?) and application context (which application the user is trying to access).
It is important to use microsegmentation, a method of creating zones in data centers and cloud environments to isolate workloads from one another and secure them individually.
Organizations use microsegmentation to reduce the network attack surface, improve breach containment and strengthen regulatory compliance.
A zero trust system will need to monitor the location context (where the user logged in, impossible travel analysis, a new city/state/country).
Device context is a strict control on device access (Is it a new device? Is it a managed device?). MDM can help you push a strong and efficient device context policy.
For example, you can require a computer to be enrolled (via BYOD or zero-touch) and compliant in your MDM before it can access the application.
Once these contexts are verified, you will push a contextual response (allow access, require MFA or block access).
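As an added illustration (not part of the original article or of any product named in it), the following Python sketch combines the user, application, device and location contexts above into the contextual response of allow, MFA or block. The field names, the 900 km/h impossible-travel threshold and the order in which the checks are applied are assumptions chosen for the example.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass
class AccessRequest:
    # User and application context (assumed field names for this example)
    risky_group: bool            # is the user in a high-risk group?
    app_sensitivity: str         # "low" or "high"
    # Device context, as an MDM would report it
    device_managed: bool
    device_compliant: bool
    new_device: bool
    # Location context: the current login and the previous one for the same user
    country: str
    known_countries: set
    lat: float
    lon: float
    ts: float                    # login time, seconds since epoch
    last_lat: float
    last_lon: float
    last_ts: float

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(req, max_kmh=900.0):
    """True when covering the distance since the last login would need more than max_kmh."""
    hours = (req.ts - req.last_ts) / 3600.0
    if hours <= 0:
        return True  # second login not after the first: treat as impossible
    return km_between(req.last_lat, req.last_lon, req.lat, req.lon) / hours > max_kmh

def evaluate(req):
    """Contextual response for one access request: 'block', 'mfa' or 'allow'."""
    # Device context: unmanaged or non-compliant devices never reach the application.
    if not (req.device_managed and req.device_compliant):
        return "block"
    # Location context: a login that could not physically follow the previous one.
    if impossible_travel(req):
        return "block"
    # Anything that raises risk steps up to MFA instead of silently allowing.
    if req.risky_group or req.new_device or req.country not in req.known_countries:
        return "mfa"
    if req.app_sensitivity == "high":
        return "mfa"
    return "allow"
```

In a real deployment the device fields would come from the MDM and the location history from the IDP's sign-in logs; here they are supplied directly so the policy logic can be exercised offline.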
Build a zero trust system
Starting from an existing, classical infrastructure, you will begin the zero trust implementation with an audit of your existing resources.
Analyse which applications can be moved to a cloud model (e.g. a classical file server, laptop identity).
You can use tools such as Pritunl Zero, Okta gateway server, Cloudflare Access or Azure application proxy to redirect ports from an HTTPS target.
Improve or implement IAM for your identity system with an IDP (e.g. Google, Azure, Okta, FusionAuth).
Once the IAM is implemented, it is important to create access policies and build the application and user context as described previously.
To build a zero trust policy you can mainly use tools like a proxy, which gives you access to the product securely over HTTPS and also redirects from a secure point.
Example of how Cloudflare Access works with an IDP
Build a device policy with an MDM system (mobile device management) for company devices and BYOD devices (Mosyle, Intune, Jamf, Workspace ONE).
Several IDPs (Okta, Azure or Google) can already communicate with MDM systems.
Okta FastPass is linked to the MDM and can check registered devices.
NOTE: For Azure, the communication with the MDM is done with Intune and is based on conditional access.
Intune devices can be verified in a conditional access policy.
Conclusion
With this article we have seen the global components of the zero trust approach. We have also seen how we can consider moving our infrastructure to zero trust.
In the next articles we will try to go deeper with concrete examples of zero trust implementation.