Different ways of building corporate systems based on the zero trust architecture
The corporate infrastructure of US government agencies will soon move to a new network security model called Zero Trust Architecture (ZTA). Last year, U.S. President Joe Biden released an Executive Order on Improving the Nation's Cybersecurity. Later, on January 26, 2022, the Federal Government released a Federal Zero Trust Architecture (ZTA) strategy memorandum that sets the rules for building the new IT infrastructure of government agencies and organizations in accordance with the ZTA strategy.
In this article, I want to look at the fundamental changes that the new paradigm brings, replacing the secure perimeter model, which has so far been the base for the construction of corporate IT systems.
The new architecture will require changes to all software and hardware elements of the network infrastructure and information resources. The new end-to-end technology will also require changes to the communication routines that process both external traffic and the data flows inside the enterprise network.
It will also be necessary to revise user access policies by introducing mechanisms that require users to authenticate before they receive the appropriate access rights, and to change the systems that monitor user activity and the operation of software systems.
Key features of Zero Trust Architecture
The National Cybersecurity Center of Excellence (NCCoE) is developing the basic principles for building a ZTA. According to its recommendations, a ZTA should provide the following essential functions:
1) Identification. Inventorying all elements of the corporate systems, including hardware and software resources and any related elements, classifying them, and developing a specific set of rules (policies) for detecting anomalies.
2) Protection. Performing the complete cycle of authentication and authorization procedures. ZTA is meant to support group authentication policies and to perform various authentication and integrity checks on all resources used.
3) Detection. Detecting anomalies in the operation of controlled devices and searching for suspicious events in network activity in order to take proactive action and prevent potential threats.
4) Response. If a malware threat is detected, a set of measures is taken to contain its propagation and reduce the possible harmful effects.
These tasks may be implemented either with a single IT solution or with several different solutions that work together to implement the ZTA principles.
In what form can ZTA be implemented?
There are several typical implementation scenarios of the Zero Trust Architecture. Here are the most common types:
- ZTA based on traditional networks that support enhanced identification
This form of ZTA introduces new elements into the network infrastructure that become an important factor in forming the new security policy. It becomes possible to set individual access rights for every corporate resource. Access rights are derived from the identity and the assigned attributes of the user or system accessing the given resource.
The main task these new elements solve is giving a user or a software/hardware system the appropriate level of access to resources while at the same time denying access to elements that are undesirable or prohibited.
- ZTA based on micro-segmentation of network elements
This implementation of the ZTA concept places users and resource groups in different network segments. Gateways between the segments are responsible for ensuring secure data transmission.
This form allows the use of various network equipment such as routers, switches, and next-generation firewalls (NGFW), including software implementations of them.
The operation of every element is controlled by its own policy enforcement mechanism (Policy Enforcement Point), which grants permissions in response to incoming requests while providing the necessary level of security.
- ZTA based on a set of software-defined network perimeters
This option focuses on building virtual networks out of software modules, that is, on software-defined infrastructures. This group can also include hardware networks that can be restructured according to policies selected in software.
This method leads to the creation of a Software-Defined Perimeter (SDP). This, in turn, allows a Software-Defined Network (SDN) to be created with flexible connection of virtualized devices.
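The common element of all three forms above is a policy decision that is made per request from the requester's identity attributes, the device's posture and the network segments involved, with everything else denied. The toy policy decision point below is an added example (not code from the article, NCCoE or any vendor) and uses constructed roles, segments and a constructed segment gateway table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """Who is asking: identity plus the attributes the policy evaluates."""
    user_id: str
    roles: frozenset
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    """What is asking: device posture and the micro-segment it sits in."""
    managed: bool   # enrolled in corporate device management
    patched: bool   # posture check (patch level) passed
    segment: str


@dataclass(frozen=True)
class Resource:
    """What is being accessed and the policy attached to it."""
    name: str
    segment: str
    allowed_roles: frozenset
    requires_mfa: bool


# Constructed gateway table: (source segment, target segment) pairs that a
# segment gateway is allowed to bridge. Anything not listed is blocked.
SEGMENT_GATEWAYS = {("users", "apps"), ("apps", "data")}


def decide(subject, device, resource):
    """Evaluate one request at the policy decision point.

    Returns (allowed, reason). Default is deny: every check must pass,
    and nothing is cached, so each request is judged on its own.
    """
    if not (device.managed and device.patched):
        return False, "device posture failed"
    same_segment = device.segment == resource.segment
    if not same_segment and (device.segment, resource.segment) not in SEGMENT_GATEWAYS:
        return False, "no gateway between segments"
    if not (subject.roles & resource.allowed_roles):
        return False, "role not permitted"
    if resource.requires_mfa and not subject.mfa_verified:
        return False, "mfa required"
    return True, "allowed"
```

The reason string is what a Policy Enforcement Point would log alongside the decision, which is what makes the detection and response functions described earlier possible.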
ZTA can be expensive
The emergence of this new conceptual architecture has long been discussed in the network community. Security experts have taken part in many discussions evaluating the level of security it provides and the resources needed to implement it.
According to some experts, the Zero Trust concept can be expensive to implement. Given the pace of digital transformation and how quickly networks are built and renewed, Zero Trust is feasible only for companies that are ready to make significant financial investments in its implementation in order to fully protect themselves from all threats.
The reason to doubt that a ZTA can be 100 percent effective is that, one way or another, every company now has cloud subsystems, as well as counterparties, contractors, patch management systems, and other information exchanges that require access to the corporate infrastructure. BYOD can be tricky if some mobile devices carry phone trackers. Under such conditions, it is hard to fully implement the concept laid down in the ZTA architecture; one can only strive toward its ideal form. It is often more reliable to implement practical security based on unacceptable events and business risks, conduct comprehensive security audits and cybersecurity exercises, follow best practices and methodological recommendations in the field of information security, and supplement the infrastructure with modern means of protection.
Intelligent ZTA on the way
The development of the ZTA concept is in full swing. It has already moved to the next stage, which can be called Intelligent ZTA.
This new implementation option not only equips each network device with its own protection mechanism but also introduces artificial intelligence algorithms, which will be used to implement information security in networks with the new architecture.
The following tasks are proposed for these new smart protection mechanisms: real-time monitoring of the network and its devices, assessing the risk of unwanted access requests, making authorization decisions based on AI algorithms, dynamically allocating the required level of privileges, and so on.
Intelligent ZTA is expected to apply Multi-Access Edge Computing (MEC) technology to connect IoT and mobile devices. This will allow them to be protected and will help eliminate the risks of vulnerabilities to which networks with traditional perimeter protection are prone when a fleet of numerous devices is connected to them.
The new Zero Trust Architecture is no longer just a subject of discussion. Its implementation in government and other organizations has been set in motion by the relevant orders, acts, and memoranda. The main contours of future secure networks, the forms they may take, and the directions of new development have already been outlined.
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He writes for numerous tech-related publications, sharing his security experience.