Zero trust visibility

Zero Trust Architecture (ZTA) is a trendy term touted by cybersecurity vendors. But there isn’t a single ZTA solution. The architecture is composed of numerous components, that when taken together, form a new paradigm for dealing with cybersecurity that is appropriate in a modern world where corporate enterprises are no longer confined to a well-defined and trustworthy perimeter such as remote working and cloud environments. For reference, the National Institute of Standards and Technology (NIST) has created a very detailed ZTA publication

The concept of Zero Trust began in a response to trends such as bring your own device and where cloud assets are not located within an enterprise-owned boundary. ZTA moves defenses from static network-based perimeters, to focus on users, assets and resources. No implicit trust is granted to assets or user accounts based solely on their physical location, or asset ownership. ZTA authentication and authorization are performed before a session for any enterprise resource with the primary focus to protect resources (assets, services, workflow, accounts etc.), not network segments.

In a traditional corporate IT enterprise, the network perimeter was defended in a limited number of places by technologies such as Firewalls (this is now sometimes referred to as the ‘North-South’ perimeter). Due to more employees working from home because of the pandemic, as well as previously emerging trends in remote and cloud access, the well-defined security perimeter is evaporating. While traditional perimeter Firewalls are still important, they alone aren’t sufficient in distributed, dynamic and increasingly software defined infrastructure. Assets can no longer be trusted simply because of their location on the network.

With ZTA, components are added to secure inside the perimeter (sometimes this inside domain is referred to ‘East-West’, or Internal), or wherever else application resources need to be accessed such as cloud. These components control access to resources and include: management of identity authentication authorization and privileges, policy enforcement points (PEP), micro-segmentation and implicit trust zones, software defined perimeters, and compliance. Control components such as micro-segmentation may be accomplished by placing purpose-built PEPs, or specially configured hardware or software such as Next Generation Firewalls (NGFW), to protect communication between Internal resources. To simplify, ZTA control components are responsible to control who get access to which resources – regardless of where they are located.

In addition to controlling access, there are additional ZTA components related to validating security such as asset discovery, network traffic monitoring, threat feeds, and continuous diagnostics and mitigation. The job of these visibility components is to validate that the ZTA controls secure access as expected. I refer to these aspects of ZTA collectively as Zero Trust Visibility. These visibility components tend to get less attention than their control component counterparts, but they are equally important.

For example, policy enforcement depends on knowing what resources to control. There will always be new and unknown assets that appear, whether malicious or not. Asset discovery mechanisms are needed to find out what needs to be secured in the first place. Detection and Response of threats on all known and previously unknown assets is critical – techniques such as network traffic monitoring, threat feeds, logging and metadata analysis are key. Related capabilities such as decryption are also important.

Another example is the need to continuously validate security controls between endpoints, to ensure that potential breaches are discovered. Emerging techniques such as breach and attack simulation help safely simulate attacks between endpoints and report on which of these simulated attacks succeed and which fail. Based on these reports, ZTA control components (e.g. rules on software defined micro-segmentation, policy enforcement configuration, and identify and privilege authorization) can be adjusted.

ZTA is a broad paradigm with no "one size fits" all solution. It requires a heterogenous approach including both security control and visibility components to be successful. Additional components such as breach and attack simulation and continuous validation help minimize risk and prepare an organization for security breaches.

Greg Copeland is Director of Technical Alliances at Keysight Technologies, Inc.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.