Zero Trust Architecture – Overview

Notes about Zero Trust Security

WORK IN PROGRESS

  1. What is Zero Trust?
    1. History of ZT
  2. Definitions, Concepts, & Components of ZT
    1. Tenets
    2. Design Principles
    3. Pillars
    4. Components & Elements
    5. Logical Components of Zero Trust Architecture
    6. Mapping ZTA components to SDP
  3. CISA Zero Trust Maturity Model for the identity pillar
  4. CISA Zero Trust Maturity Model for the networks pillar
    1. Function: Network segmentation
    2. Function: Network traffic management
    3. Function: Traffic encryption
    4. Function: Network resilience
    5. Function: Visibility and analytics Capability
    6. Automation and orchestration Capability
    7. Function: Governance Capability
  5. Single Packet Authorization (SPA)
  6. open-source firewall tools for ZTA
    1. pfSense
    2. OPNsense
    3. ModSecurity
    4. IPFire
  7. Firewalls for ZTA
    1. Fortinet
  8. open-source network segregation tools for Zero Trust
    1. Calico
    2. Cilium
    3. OpenZiti
    4. Flannel
    5. Open vSwitch
  9. open-source workload identity tools
  10. open-source authentication tools for ZTA
    1. Keycloak
    2. Hanko.io
    3. ZITADEL
    4. Authentik
  11. open-source ZTA authorization tools
    1. Cerbos PDP
    2. OpenFGA
    3. Open Policy Agent (OPA)
    4. Netbird
    5. Pangolin
  12. Tokens
  13. Links

What is Zero Trust?

Trust nothing, verify everything. NIST SP 800-207 defines zero trust as a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least-privilege, per-request access decisions in information systems and services, in the face of a network viewed as compromised.

https://www.cerbos.dev/blog/20-open-source-tools-for-zero-trust-architecture

https://research.aimultiple.com/ztna-open-source/

https://zerotrustnetworkaccess.info/


History of ZT

pre-2010: ZT research by DISA, the DoD and the Jericho Forum (de-perimeterisation).

2010: the term "Zero Trust" is coined by John Kindervag (Forrester).

2013: the CSA's Software Defined Perimeter (SDP) concept.

2014: Google BeyondCorp.

2018: Forrester's Zero Trust eXtended (ZTX) Ecosystem report.

2020: NIST Special Publication (SP) 800-207, Zero Trust Architecture.


Definitions, Concepts, & Components of ZT

Tenets

A tenet is a principle generally held to be true. According to the U.S. DoD Zero Trust Reference Architecture, ZT has five major tenets.

  • Assume a hostile environment
  • Assume breach
  • Never trust, always verify
  • Scrutinize explicitly
  • Apply unified analytics

Design Principles

Deny by default: access is withheld until the requester (a user, a device, or even an individual packet) has been inspected, authenticated, and authorized. Access to a resource is temporary; it must be re-verified, and the timespan of a grant is defined by policy.

Authenticate before any network access: requesters (users, machines, processes) are not allowed to reach anything until they have proven who they are.

Authorize before resource access: access to a resource is granted only after the requesting entity has been authorized for that specific resource.

Enforce least privilege: grant only the minimum access required for the task.

Monitor continuously: keep verifying that existing security controls (e.g., controls over access or user behavior) are implemented and effective.


Pillars

  • Users/identities
  • Device/endpoints
  • Network/environment
  • Applications and workload
  • Data
  • Visibility and analytics
  • Automation and orchestration
  • Governance

Components & Elements

At a high level, ZTA requires three core components before any access decision can be made:

  • Communication
  • Identity
  • Resources

In addition to these three core components, ZT is also composed of two other fundamental
elements:

  • Policy
  • Data sources

Figure (NIST SP 800-207, key logical components of a ZTA): the control plane holds the policy decision point (PDP); the data plane holds the policy enforcement point (PEP), which sits between the subject's system and the enterprise resource.

Logical Components of Zero Trust Architecture

NIST SP 800-207 core components and descriptions:

Policy engine (PE): makes the ultimate decision to grant, deny, or revoke access to a resource for a given subject, using enterprise policy and input from external sources (CDM, threat intelligence, logs) as input to a trust algorithm; the PE makes and logs the decision.

Policy administrator (PA): establishes or shuts down the communication path between a subject and a resource by issuing commands to the relevant PEPs; generates any session-specific authentication and authorization token or credential used by the client.

Policy enforcement point (PEP): enables, monitors, and eventually terminates connections between a subject and an enterprise resource; forwards requests to and receives policy updates from the PA.

Supporting Components

NIST SP 800-207 supporting components (data sources feeding the PE):
Continuous diagnostics and mitigation (CDM) system
Industry compliance system
Threat intelligence feed(s)
Network and system activity logs
Data access policies
Enterprise public key infrastructure (PKI)
ID management system
Security information and event management (SIEM) system

Mapping ZTA components to SDP

ZTA (NIST SP 800-207): Subject/Entity
SDP (CSA): Initiating Host (IH) or Client
Definition: The subject/entity/IH/client represents an individual or entity accessing resources. These accessing entities can be user devices or non-person entities such as hardware, network devices, software applications, and services. An SDP user may use an SDP client or a browser to initiate.

ZTA (NIST SP 800-207): Policy Decision Point (PDP): Policy Administrator (PA) & Policy Engine (PE)
SDP (CSA): SDP Controller
Definition: PDPs determine the "rules" applicable to each authenticated identity and communicate them to the PEP. The PDP is made up of a PA and a PE. The PE makes and logs the decision (approved or denied), and the PA executes the decision.
The SDP Controller is a policy definition, verification, and decision mechanism (a ZT PDP). It maintains information about which users/groups, via which IHs (i.e., user devices), have permission to access which of the organization's resources via AHs (on-premises or in the cloud).

ZTA (NIST SP 800-207): Policy Information Points (PIPs)
SDP (CSA): IAM, Endpoint & Data Security, Resource Protection and Analytics
Definition: PIPs are an access control mechanism component that provides telemetry and other information, generated by policy or collected by supporting components (IAM, analytics, etc.), that the PDP needs for making policy decisions.

ZTA (NIST SP 800-207): Policy Enforcement Points (PEPs)
SDP (CSA): Accepting Host (AH) or SDP Gateway
Definition: The PEP acts as a logical gateway to ensure that the correct access has been granted to the right entity, with the proper access levels, to an approved resource.
A PEP may be implemented in SDP-specific software or hardware. It allows or disallows network traffic to a target service (which may be an application, a lightweight service, or a resource) based on instructions from the SDP Controller.
AHs are logical components that front the applications, services, and resources being accessed and protected by the SDP. In some SDP deployment models, the AH function is performed by an SDP Gateway.
In SDP, the AHs are the ZT PEPs that ensure the "rules" used to determine "who" can access "what", "when", for "how long", and "for what purpose" are enforced.

ZTA (NIST SP 800-207): Resource
SDP (CSA): Resource
Definition: The applications, services, and resources being accessed.
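The control-plane/data-plane split above (PE decides, PA executes, PEP enforces) and the temporary, re-verified access described under Design Principles, as an added Python illustration. This is example code written for these notes, not NIST's, the CSA's, or any product's; the identities, devices, resource policies, TTLs, the HMAC-signed session format and all names are constructed assumptions.

```python
"""Zero trust control plane / data plane in miniature: a policy engine (PE)
decides, a policy administrator (PA) mints a time-bound session, and a policy
enforcement point (PEP) checks that session and re-asks the PE on every
request. Added illustration for these notes; all data below is constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Policy information points (PIPs), as constructed in-memory tables.
IDENTITIES = {"alice": {"roles": {"finance"}, "mfa": True},
              "bob":   {"roles": {"dev"},     "mfa": False}}
DEVICES    = {"lt-01": {"owner": "alice", "compliant": True},
              "lt-02": {"owner": "bob",   "compliant": True}}
# Per-resource policy: permitted roles, MFA requirement, grant lifetime (s).
POLICIES   = {"ledger": {"roles": {"finance"}, "require_mfa": True,  "ttl": 300},
              "repo":   {"roles": {"dev"},     "require_mfa": False, "ttl": 900}}


@dataclass(frozen=True)
class Request:
    subject: str
    device: str
    resource: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    ttl: int = 0


class PolicyEngine:
    """PE: deny by default; every check must pass before a grant is issued."""

    def decide(self, req: Request) -> Decision:
        ident = IDENTITIES.get(req.subject)
        dev = DEVICES.get(req.device)
        pol = POLICIES.get(req.resource)
        if not (ident and dev and pol):
            return Decision(False, "unknown subject, device or resource")
        if dev["owner"] != req.subject or not dev["compliant"]:
            return Decision(False, "device not owned by subject or non-compliant")
        if pol["require_mfa"] and not ident["mfa"]:
            return Decision(False, "MFA required")
        if not (ident["roles"] & pol["roles"]):
            return Decision(False, "role not permitted on resource")
        return Decision(True, "policy satisfied", pol["ttl"])


class PolicyAdministrator:
    """PA: turns an allow into a session credential bound to subject, device
    and resource, expiring after the policy's TTL (HMAC-signed JSON here)."""

    def __init__(self, key: bytes):
        self.key = key

    def mint(self, req: Request, d: Decision, now: float) -> str:
        body = json.dumps({"sub": req.subject, "dev": req.device,
                           "res": req.resource, "exp": int(now + d.ttl)},
                          sort_keys=True)
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag


class PolicyEnforcementPoint:
    """PEP: data-plane gate. Verifies the credential, then re-consults the PE
    so a posture or policy change mid-session revokes access."""

    def __init__(self, key: bytes, pe: PolicyEngine):
        self.key, self.pe = key, pe

    def forward(self, token: str, req: Request, now: float) -> Decision:
        body, _, tag = token.rpartition(".")
        expect = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expect):
            return Decision(False, "bad session signature")
        claims = json.loads(body)
        if now >= claims["exp"]:
            return Decision(False, "session expired; re-verification required")
        if (claims["sub"], claims["dev"], claims["res"]) != (req.subject, req.device, req.resource):
            return Decision(False, "session not bound to this subject/device/resource")
        d = self.pe.decide(req)           # continuous verification on every request
        return d if not d.allow else Decision(True, "enforced", d.ttl)


def demo():
    """Walks one grant through expiry, tampering, posture change and MFA denial."""
    key = b"constructed-demo-key"
    pe, pa = PolicyEngine(), PolicyAdministrator(key)
    pep = PolicyEnforcementPoint(key, pe)
    t0 = 1_700_000_000.0
    alice = Request("alice", "lt-01", "ledger")
    token = pa.mint(alice, pe.decide(alice), t0)
    ok = pep.forward(token, alice, t0 + 10)
    expired = pep.forward(token, alice, t0 + 301)
    tampered = pep.forward(token[:-1] + ("0" if token[-1] != "0" else "1"), alice, t0 + 10)
    DEVICES["lt-01"]["compliant"] = False            # posture changes mid-session
    revoked = pep.forward(token, alice, t0 + 20)
    DEVICES["lt-01"]["compliant"] = True
    bob = pe.decide(Request("bob", "lt-02", "ledger"))
    return ok.allow, expired.reason, tampered.reason, revoked.reason, bob.reason
```

The point to notice is that the PEP never trusts the session credential alone: a valid, unexpired token from a device that has since fallen out of compliance is refused, because the PEP goes back to the PE on every request. In a real deployment the in-memory tables are the CDM, IAM and policy systems listed under Supporting Components, and the TTL is the policy-defined timespan after which re-authentication is required.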

CISA Zero Trust Maturity Model for the identity pillar


CISA Zero Trust Maturity Model for the networks pillar

A network refers to an open communications medium including typical channels such as agency internal networks, wireless
networks, and the Internet as well as other potential channels such as cellular and application-level channels used to transport
messages.

https://learn.microsoft.com/en-us/security/zero-trust/cisa-zero-trust-maturity-model-networks


Function: Network segmentation

CISA ZTMM stage / Description

Traditional: Agency defines their network architecture using large perimeter/macro-segmentation with minimal restrictions on reachability within network segments. Agency may also rely on multi-service interconnections (e.g., bulk traffic VPN tunnels).

Initial: Agency begins to deploy network architecture with the isolation of critical workloads, constraining connectivity to least function principles, and a transition toward service-specific interconnections.

Advanced: Agency expands deployment of endpoint and application profile isolation mechanisms to more of their network architecture with ingress/egress micro-perimeters and service-specific interconnections.

Optimal: Agency network architecture consists of fully distributed ingress/egress micro-perimeters and extensive micro-segmentation based around application profiles with dynamic just-in-time and just-enough connectivity for service-specific interconnections.

Function: Network traffic management

CISA ZTMM stage / Description

Traditional: Agency manually implements static network rules and configurations to manage traffic at service provisioning, with limited monitoring capabilities (e.g., application performance monitoring or anomaly detection) and manual audits and reviews of profile changes.

Initial: Agency establishes application profiles with distinct traffic management features and begins to map all applications to these profiles. Agency expands application of static rules to all applications and performs periodic manual audits of application profile assessments.

Advanced: Agency implements dynamic network rules and configurations for resource optimization that are periodically adapted based upon automated risk-aware and risk-responsive application profile assessments and monitoring.

Optimal: Agency implements dynamic network rules and configurations that continuously evolve to meet application profile needs and reprioritize applications based on mission criticality, risk, etc.

Function: Traffic encryption

CISA ZTMM stage / Description

Traditional: Agency encrypts minimal traffic and relies on manual or ad hoc processes to manage and secure encryption keys.

Initial: Agency begins to encrypt all traffic to internal applications, to prefer encryption for traffic to external applications, to formalize key management policies, and to secure server/service encryption keys.

Advanced: Agency ensures encryption for all applicable internal and external traffic protocols, manages issuance and rotation of keys and certificates, and begins to incorporate best practices for cryptographic agility.

Optimal: Agency continues to encrypt traffic as appropriate, enforces least privilege principles for secure key management enterprise-wide, and incorporates best practices for cryptographic agility as widely as possible.

Function: Network resilience

CISA ZTMM stage / Description

Traditional: Agency configures network capabilities on a case-by-case basis to only match individual application availability demands with limited resilience mechanisms for workloads not deemed mission critical.

Initial: Agency begins to configure network capabilities to manage availability demands for additional applications and expand resilience mechanisms for workloads not deemed mission critical.

Advanced: Agency has configured network capabilities to dynamically manage the availability demands and resilience mechanisms for the majority of their applications.

Optimal: Agency integrates holistic delivery and awareness in adapting to changes in availability demands for all workloads and provides proportionate resilience.

Function: Visibility and analytics Capability

CISA ZTMM stage / Description

Traditional: Agency incorporates limited boundary-focused network monitoring capabilities with minimal analysis to start developing centralized situational awareness.

Initial: Agency employs network monitoring capabilities based on known indicators of compromise (including network enumeration) to develop situational awareness in each environment and begins to correlate telemetry across traffic types and environments for analysis and threat hunting activities.

Advanced: Agency deploys anomaly-based network detection capabilities to develop situational awareness across all environments, begins to correlate telemetry from multiple sources for analysis, and incorporates automated processes for robust threat hunting activities.

Optimal: Agency maintains visibility into communication across all agency networks and environments while enabling enterprise-wide situational awareness and advanced monitoring capabilities that automate telemetry correlation across all detection sources.
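The Initial stage above calls for monitoring based on known indicators, with network enumeration named explicitly. The following Python block is an added illustration of such a detector run over flow records (constructed sample lines, not real telemetry); it is example code written for these notes, not CISA's or any product's, and the log format, thresholds and window size are assumptions.

```python
"""Known-indicator network-enumeration detector over flow records: flags a
source that touches many ports on one host (vertical scan) or one port on
many hosts (horizontal scan) inside a sliding time window. Added illustration
for these notes, with constructed records; not CISA's or any product's code."""
from collections import defaultdict


def constructed_flows() -> str:
    """Constructed flow log, one record per line: ts src dst dport proto action."""
    base = 1_700_000_000
    lines = [f"{base} 10.0.1.5 10.0.2.10 443 tcp allow",
             f"{base + 5} 10.0.1.5 10.0.2.11 443 tcp allow",
             f"{base + 9} 10.0.1.5 10.0.2.10 22 tcp allow"]
    # Vertical scan: one host, 16 ports in 16 seconds.
    lines += [f"{base + 100 + k} 10.0.9.99 10.0.2.10 {20 + k} tcp deny" for k in range(16)]
    # Horizontal scan: port 445 across 12 hosts in 12 seconds.
    lines += [f"{base + 200 + k} 10.0.9.99 10.0.3.{k + 1} 445 tcp deny" for k in range(12)]
    # Slow scan: 10 ports, one probe every 30 s, which a 60 s window misses.
    lines += [f"{base + 300 + 30 * k} 10.0.7.7 10.0.2.12 {1000 + k} tcp deny" for k in range(10)]
    return "\n".join(lines)


SAMPLE_FLOWS = constructed_flows()


def parse_flows(text: str):
    """Returns (ts, src, dst, dport, proto, action) tuples, skipping blanks/comments."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, action = line.split()
        rows.append((int(ts), src, dst, int(dport), proto, action))
    return rows


def detect_enumeration(flows, window=60, port_threshold=10, host_threshold=8):
    """Sliding window per source. Returns (src, kind, target, count) alerts,
    one per (kind, target), emitted the moment the threshold is first crossed."""
    by_src = defaultdict(list)
    for f in sorted(flows):
        by_src[f[1]].append(f)
    alerts = []
    for src, fs in by_src.items():
        fired, i = set(), 0
        for j in range(len(fs)):
            while fs[j][0] - fs[i][0] > window:   # drop records older than the window
                i += 1
            ports_by_host, hosts_by_port = defaultdict(set), defaultdict(set)
            for _, _, dst, dport, _, _ in fs[i:j + 1]:
                ports_by_host[dst].add(dport)
                hosts_by_port[dport].add(dst)
            for dst, ports in ports_by_host.items():
                if len(ports) >= port_threshold and ("v", dst) not in fired:
                    fired.add(("v", dst))
                    alerts.append((src, "vertical-scan", dst, len(ports)))
            for dport, hosts in hosts_by_port.items():
                if len(hosts) >= host_threshold and ("h", dport) not in fired:
                    fired.add(("h", dport))
                    alerts.append((src, "horizontal-scan", dport, len(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

With the defaults, 10.0.9.99 produces one vertical-scan and one horizontal-scan alert, while 10.0.7.7, which spaces its probes 30 s apart, never has more than three ports inside the 60 s window and goes unreported. That blind spot is exactly why the Advanced and Optimal stages move from fixed indicators to anomaly-based detection and longer-horizon correlation across telemetry sources; widening the window to 600 s is enough to catch the slow scan here.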

Automation and orchestration Capability

CISA ZTMM stage / Description

Traditional: Agency uses manual processes to manage the configuration and resource lifecycle for agency networks and environments with periodic integration of policy requirements and situational awareness.

Initial: Agency begins using automated methods to manage the configuration and resource lifecycle for some agency networks or environments and ensures that all resources have a defined lifetime based on policies and telemetry.

Advanced: Agency uses automated change management methods (e.g., CI/CD) to manage the configuration and resource lifecycle for all agency networks and environments, responding to and enforcing policies and protections against perceived risks.

Optimal: Agency networks and environments are defined using infrastructure-as-code managed by automated change management methods, including automated initiation and expiration to align with changing needs.

Function: Governance Capability

CISA ZTMM stage / Description

Traditional: Agency implements static network policies (access, protocols, segmentation, alerts, and remediation) with an approach focused on perimeter protections.

Initial: Agency defines and begins to implement policies tailored to individual network segments and resources while also inheriting corporate-wide rules as appropriate.

Advanced: Agency incorporates automation in implementing tailored policies and facilitates the transition from perimeter-focused protections.

Optimal: Agency implements enterprise-wide network policies that enable tailored, local controls; dynamic updates; and secure external connections based on application and user workflows.

Key Features & Technologies of an SDP

Single Packet Authorization (SPA)
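In the CSA SDP model, SPA means the client's very first packet to a gateway is a single, cryptographically authenticated datagram; the gateway (the AH side of the mapping table above) drops all other traffic by default and only opens a narrowly scoped, short-lived firewall rule for a sender whose packet validates. The Python block below is an added illustration of that exchange, written for these notes; the packet layout, field names, constants and client identifiers are this example's own assumptions, not the CSA wire format or any product's implementation.

```python
"""Single Packet Authorization (SPA) in miniature: the client's first packet
is a single authenticated datagram; the gateway drops everything by default,
validates the packet, and opens a short-lived pinhole for that source only.
Added illustration for these notes; the packet layout, field names and
constants are this example's own assumptions, not the CSA SDP wire format."""
import hashlib
import hmac
import os
import struct

WINDOW = 30        # seconds of clock skew a packet may carry
PINHOLE_TTL = 15   # seconds the gateway keeps the port open after a valid SPA
TAG_LEN = 32       # HMAC-SHA256


def build_spa(client_id: bytes, service_port: int, seed: bytes, now: float) -> bytes:
    """Packet = id_len(1) | id | port(2) | ts(8) | nonce(16) | HMAC(32).
    The HMAC covers every preceding byte, so any field change fails verification."""
    if not 0 < len(client_id) < 256:
        raise ValueError("client id must be 1..255 bytes")
    body = (struct.pack("!B", len(client_id)) + client_id
            + struct.pack("!HQ", service_port, int(now)) + os.urandom(16))
    return body + hmac.new(seed, body, hashlib.sha256).digest()


class SpaGateway:
    """Accepting-host side. A real gateway never answers a bad packet; the
    reason strings here exist only so the demo can show which check failed."""

    def __init__(self, seeds: dict, services: dict):
        self.seeds = seeds          # client_id -> shared seed (from IAM / the controller)
        self.services = services    # client_id -> set of ports it may reach
        self.seen = {}              # nonce -> expiry, for replay rejection
        self.pinholes = {}          # (src_ip, client_id, port) -> expiry

    def receive(self, src_ip: str, pkt: bytes, now: float) -> str:
        if len(pkt) < 1 + 10 + 16 + TAG_LEN or len(pkt) != pkt[0] + 1 + 10 + 16 + TAG_LEN:
            return "drop:malformed"
        n = pkt[0]
        client_id = pkt[1:1 + n]
        seed = self.seeds.get(client_id)
        if seed is None:
            return "drop:unknown-client"
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(seed, body, hashlib.sha256).digest(), tag):
            return "drop:bad-hmac"
        port, ts = struct.unpack("!HQ", pkt[1 + n:11 + n])
        nonce = pkt[11 + n:27 + n]
        if abs(now - ts) > WINDOW:
            return "drop:stale"
        self.seen = {k: v for k, v in self.seen.items() if v >= now}   # prune old nonces
        if nonce in self.seen:
            return "drop:replay"
        self.seen[nonce] = ts + WINDOW + 1   # keep as long as the window could accept it
        if port not in self.services.get(client_id, set()):
            return "drop:unauthorized-port"
        self.pinholes[(src_ip, client_id, port)] = now + PINHOLE_TTL
        return "open"

    def is_open(self, src_ip: str, client_id: bytes, port: int, now: float) -> bool:
        return self.pinholes.get((src_ip, client_id, port), 0) > now


def demo():
    """Valid packet, replay, tampering, wrong port, stale clock, unknown client."""
    seed = b"constructed-seed-for-alice-laptop"
    gw = SpaGateway({b"alice-laptop": seed}, {b"alice-laptop": {22}})
    t, ip = 1_700_000_000.0, "203.0.113.7"
    pkt = build_spa(b"alice-laptop", 22, seed, t)
    results = (
        gw.receive(ip, pkt, t),
        gw.receive(ip, pkt, t + 1),
        gw.receive(ip, pkt[:-1] + bytes([pkt[-1] ^ 1]), t),
        gw.receive(ip, build_spa(b"alice-laptop", 443, seed, t), t),
        gw.receive(ip, build_spa(b"alice-laptop", 22, seed, t - 120), t),
        gw.receive(ip, build_spa(b"mallory", 22, b"guess", t), t),
    )
    return results + (gw.is_open(ip, b"alice-laptop", 22, t + 5),
                      gw.is_open(ip, b"alice-laptop", 22, t + 20))
```

In a deployment the gateway listens on a UDP port, returns nothing for any packet that fails a check (so an unauthenticated scanner sees a closed host), and the "pinhole" is a firewall rule keyed to the source address and the single requested port that expires on its own; the per-client seed comes from the SDP controller rather than a literal in the code. The order of checks matters: the HMAC is verified before the timestamp and nonce are interpreted, so nothing about the replay cache or the service table can be influenced by an unauthenticated sender.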


open-source firewall tools for ZTA

pfSense

OPNsense

ModSecurity

IPFire

Firewalls for ZTA

Fortinet

Network & User Identity Authentication Services | FortiAuthenticator

User & Authentication | FortiGate / FortiOS 7.6.2 | Fortinet Document Library

SCIM servers | FortiGate / FortiOS 7.6.2 | Fortinet Document Library

Privileged Access Management (PAM)

https://www.beyondtrust.com/

https://github.com/BeyondTrust

https://github.com/dan-snelson/BeyondTrust-EPM

https://www.netwrix.com/privilege-secure.html

open-source network segregation tools for Zero Trust

Calico

Cilium

OpenZiti

Flannel

Open vSwitch

open-source workload identity tools

open-source authentication tools for ZTA

Keycloak

Hanko.io

ZITADEL

SCIM v2.0 (Preview) | ZITADEL Docs

Authentik

SCIM Provider | authentik

Setup Authentik as Radius Provider | Rink Spies.com

open-source ZTA authorization tools

Cerbos PDP

OpenFGA

Open Policy Agent (OPA)

Netbird

https://github.com/netbirdio/netbird?tab=readme-ov-file

Pangolin

GitHub – fosrl/pangolin: Tunneled Reverse Proxy Server with Identity and Access Control and Dashboard UI

Nextcloud

Complete guide to Nextcloud OIDC authentication with Authentik · Jack Henschel’s Blog

Zitadel

https://www.illumio.com/de/solutions/zero-trust

Tokens

Yubico | YubiKey Strong Two Factor Authentication

Zero Trust Framework with Strong Authentication | Yubico

SSH

Securing SSH with FIDO2

Nitrokey | Secure your digital life


https://onlykey.io/collections/all

NIST

SP 800-207, Zero Trust Architecture | CSRC

Zero Trust Architecture

NIST Offers 19 Ways to Build Zero Trust Architectures | NIST

Implementing a Zero Trust Architecture | NCCoE

https://pages.nist.gov/zero-trust-architecture/index.html

https://csrc.nist.gov/pubs/sp/1800/35/2prd

https://www.nist.gov/cyberframework

https://zerotrustnetworkaccess.info/

https://research.aimultiple.com/ztna-solutions/

https://openziti.io/docs/reference/tunnelers/

https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Zero-Trust/zero-trust.html

https://en.wikipedia.org/wiki/XACML

https://heimdalsecurity.com/blog/the-complete-guide-to-xacml/

https://github.com/authzforce/core

https://github.com/authzforce/server

https://github.com/authzforce/restful-pdp

https://github.com/casbin

https://ieeexplore.ieee.org/document/6231365

https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/6.4/html/security_guide/sect-fine_grained_authorization_using_xacml

https://github.com/franciscogouveia/rbac-core