Tuesday, February 14, 2023

Defense in Depth Network Strategy Incorporating Zero Trust Architecture

Insider threats, hackers, and bots, oh my!  When the Wizard wanted to protect his confidential information, he used a curtain to conceal the system from the public.  This was quite easily revealed by a small group trying to gain access.  Network security architecture has been evolving since the days when it was a single firewall between the LAN and the Internet.  The concept of defense in depth has evolved into the segmentation of systems based on their function and the classification of their data.  Models of separation developed in conjunction with increasingly sophisticated standards and policies.  The focus of this network security architecture will be on addressing perimeter security, internal zone segmentation security, and extending the perimeter of the traditional network.  The basics of NIST SP 800-207[i] need to be understood as the baseline.

Zero Trust has seven fundamental concepts that are core tenets needed for implementation. 

  • Data sources and computing services are considered resources.
  • All communication is secured regardless of network location.
  • Access to individual enterprise resources is granted on a per-session basis.
  • Access to resources is determined by dynamic policy, including the observable state of client identity, application/service, and the requesting asset, and may include other behavioral and environmental attributes.
  • The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  • All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  • The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications, and uses it to improve its security posture.

In addition, six assumptions are made about the network for secure connectivity.

1. The entire enterprise private network is not considered an implicit trust zone.
2. Devices on the network may not be owned or configurable by the enterprise.
3. No resource is inherently trusted.
4. Not all enterprise resources are on enterprise-owned infrastructure.
5. Remote enterprise subjects and assets cannot fully trust their local network connection.
6. Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture.

With those six core assumptions, the architecture is divided into two logical areas: the control plane and the data plane.  In the control plane of the network there is the policy decision point, which is made up of the policy engine and the policy administrator.  The policy engine is where the policy is executed to decide what access is provided, whereas the policy administrator is used for creating and destroying communication paths between system assets.  Between the control plane and the data plane sits the policy enforcement point, which is responsible for enabling, monitoring, and terminating connections between assets.  Other components that support both planes are:

  • Continuous diagnostics and mitigation system
  • Industry compliance system
  • Threat intelligence feeds
  • Network and system activity logs
  • Data access policies
  • Enterprise public key infrastructure
  • Identity and access management
  • Security information and event management (SIEM) system

With these core principles established, the next focus is designing and defining perimeter security zones and internal security zones, and extending the perimeter outward.

Anything outside enterprise control and ownership should be considered untrusted and hostile to the enterprise; this includes B2B partners, vendors, and the Internet.  The area that provides access to those outside parties is the perimeter zone, commonly known as a DMZ.  The traditional DMZ structure is archaic and should be refined much more clearly.  First, there should be multiple perimeter security zones, and each should depend on the untrusted area it connects to.  There used to be a single DMZ that housed all external traffic ingressing to the enterprise (B2B, vendor, Internet) and all traffic destined for external resources as data egress.  This architecture carried significant risk, because it gave hostile attackers pivot points to utilize.  In the current environment, it is prudent to establish individual perimeter zones: a B2B DMZ, a Vendor DMZ, an Inbound Internet DMZ, and an Outbound Internet Access DMZ.  Modern advances in gateway technology allow networks to be subdivided on the same device using a variety of mechanisms.  Using a firewall as the gateway creates the needed policy enforcement point that controls access between assets in different zones.  It is within these zones that all traffic, regardless of ingress or egress direction, should be inspected, authenticated, and authorized before it is forwarded on.  The importance of the perimeter zones is that they are untrusted, and this is where all data flows are vetted.  There should be no data at rest stored in this zone.  Any asset placed in this perimeter must be viewed as a system that can be sacrificed to prevent further incursion into interior networks.  These assets should be viewed like sentry guards at a fortress: once the alarm is sounded, the connections are shut off, just as the gates of a castle are locked down.

For inbound traffic, there should be a landing spot where encrypted traffic must be decrypted and inspected before being forwarded to its final destination.  Several commercial network detection and response solutions provide Data Loss Prevention (DLP), anti-malware/anti-virus, content inspection, and intrusion detection/prevention, and provide visibility by decrypting commonly used protocols such as SFTP and HTTPS.  Having allowed traffic pass through that gauntlet of inspection reduces the risk before it is sent to a trusted zone.  For less common protocols, the inspection point becomes the application server situated in the semi-trusted perimeter zone.  It is paramount that all outbound data flows be inspected to prevent data leakage.  The use of a content filtering proxy also prevents users and systems from accessing sites that are not authorized under policies and standards.

The internal zone holds what should be considered your most prized enterprise assets, which consist of your data and intellectual property.  In most enterprises this is the area where the users and servers for the company's daily operations reside.  With zero trust incorporating defense in depth concepts, the internal zone needs to be segmented into multiple secure zones.  There should be zones for securing databases, policy management systems, internal applications, and line-of-business systems.  Secure zones for lines of business should be established for Human Resources, Accounting, Marketing, Manufacturing, and Infrastructure Management.  Policy Enforcement Points (PEPs) should be established for all access to and from those zones, based on authentication, authorization, and inspection.  Note that there should be no direct access from an untrusted zone to a trusted zone, and no direct access outward from a trusted zone.  Access to a secure zone should only be initiated from another secure zone or from a semi-trusted zone with the correct authentication and authorization.  There should be no user systems in any of the secure internal zones.  Systems within the secure zones should not be accessed directly from user systems but instead through a jump box or a middleware application.  All systems should have access controlled by policy and by an access control device such as a firewall gateway.  Systems should be monitored and have their logs sent to a SIEM for threat analysis and system monitoring.  Compliance checks should be run at regular intervals against the systems that are in scope, to find violations.

There is one more internal zone that should be considered insecure yet semi-trusted, because its systems are owned and managed by the enterprise: the User Zone.  These systems must have stringent controls, with anti-malware and a host-based firewall installed.  Users are considered a fundamental threat to the infrastructure no matter how much training is provided.  Even the best-trained, security-aware employees fail to follow precautions 100% of the time.  The human factor is the weakest link in the environment.  Systems need to be locked down so that no unauthorized software can be installed, and USB access disabled.  Authorized hardware, software, and patching should be distributed from a centralized distribution point.  User systems should not access the Internet directly but should use a content filtering system that limits access to authorized sites only.  For access to internal secure areas, users should go through a jump box in the Trusted Internal Zone that provides that controlled access.  Corporate data should never be stored on a user system.

The biggest challenge to the Zero Trust Architecture framework is the remote workforce, as COVID-19 has exemplified.  The perimeter has been extended from the confines of the controlled environment to the user's home.  The remote workforce faces countless threats that the enterprise cannot control.  Enterprises need to make sure that the systems used to connect to the environment keep a Virtual Private Network (VPN) connection established continuously.  This VPN needs to be secured to higher-grade IPsec standards, using certificate-based PKI cryptography.  Systems should lock automatically after a short timeout.  When connectivity is established, a system posture check should be performed.  Hard drives should also be encrypted.  E-mail should be stored on the server, and local post office boxes should be disabled by policy.
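The control-plane roles and zone rules described above (policy engine and policy administrator, a policy enforcement point that opens per-session paths, posture measurement of enterprise assets, external traffic landing only in a DMZ, user systems reaching secure zones only through a jump box) as an added Python example written for this post; it is illustrative code, not NIST's or any vendor's implementation, and the zone names, trust tiers, posture attributes and the ALLOWED_DST matrix are constructed assumptions.

```python
from dataclasses import dataclass, field
import itertools
# Zone -> trust tier; zone names are hypothetical stand-ins for those in the text.
ZONE_TIER = {"internet": "external", "b2b_partner": "external",
             "inbound_dmz": "dmz", "user_zone": "user", "jump_box": "trusted",
             "hr_secure": "secure", "database_secure": "secure"}
# Tiers a source may initiate to: external lands only in a DMZ; users reach secure via the jump box.
ALLOWED_DST = {"external": {"dmz"}, "dmz": {"external", "dmz", "trusted", "secure"},
               "user": {"dmz", "user", "trusted"},
               "trusted": {"dmz", "user", "trusted", "secure"},
               "secure": {"dmz", "trusted", "secure"}}
# Posture an enterprise-owned endpoint must report before it is granted access (constructed).
REQUIRED_POSTURE = {"anti_malware": True, "host_firewall": True,
                    "disk_encrypted": True, "vpn_up": True}

@dataclass
class Request:
    user: str
    src_zone: str
    dst_zone: str
    mfa_passed: bool
    posture: dict = field(default_factory=dict)

def policy_engine(req):
    """Policy decision point: returns (allow, reason); evaluated for every request."""
    src, dst = ZONE_TIER.get(req.src_zone), ZONE_TIER.get(req.dst_zone)
    if src is None or dst is None:
        return False, "unknown zone"  # an unlisted network gets no implicit trust
    if dst not in ALLOWED_DST[src]:
        return False, f"path {src}->{dst} not permitted"
    if not req.mfa_passed:
        return False, "authentication not satisfied"
    posture_ok = all(req.posture.get(k) == v for k, v in REQUIRED_POSTURE.items())
    if src != "external" and not posture_ok:  # partner devices are not enterprise-measured
        return False, "asset posture below policy"
    return True, "ok"

class EnforcementPoint:
    """PEP: opens a per-session path only on allow and records every decision (SIEM feed)."""
    def __init__(self):
        self.sessions, self.audit, self._ids = {}, [], itertools.count(1)
    def open_session(self, req):
        allow, reason = policy_engine(req)
        self.audit.append((req.user, req.src_zone, req.dst_zone, allow, reason))
        if not allow:
            return None
        sid = next(self._ids)
        self.sessions[sid] = req
        return sid
    def close_session(self, sid):
        self.sessions.pop(sid, None)  # the policy administrator tears the path down
```

A user in the User Zone is refused a direct path to an HR secure zone but is granted one to the jump box, from which the secure zone is reachable; a partner source is refused anything but the inbound DMZ, and every decision lands in the audit list.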

In conclusion, there is a need to incorporate the defense in depth philosophy with zero trust.  If this were a fortress, you would have a strong perimeter, and each interior room would be locked with an access reader that requires you to badge in at every entrance and exit.  I have created the following graphic to visually display the flows of access.




[i] Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2019). Zero trust architecture (No. NIST Special Publication (SP) 800-207 (Draft)). National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf


Appendix – References

 

Kindervag, J. (2010). Build security into your network's DNA: The zero trust network architecture. Forrester Research Inc., 1-26. http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf

Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2019). Zero trust architecture (NIST Special Publication (SP) 800-207 (Draft)). National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

Gilman, E., & Barth, D. (2017). Zero Trust Networks. O'Reilly Media. Slides: https://www.usenix.org/sites/default/files/conference/protected-files/lisa16_slides_gilman.pdf

Campbell, M. (2020). Beyond zero trust: Trust is a vulnerability. Computer, 53(10), 110-113. https://doi.org/10.1109/MC.2020.3011081

McKay, P. (2020, March 3). How to find the right zero-trust strategy: Large tech companies and the US Federal Government have adopted zero trust as their next-generation security model. Computer Weekly, 22-24.

Saran, C. (2020, February 18). Zero trust: Taking back control of IT security. Computer Weekly, 15-18.

Leong, K. B. (2012, September/October). The importance of zero trust networks to data center network security. NetworkWorld Asia, 9(3), 33.

Moscaritolo, A. (2011, June). Eliminating trust. SC Magazine: For IT Security Professionals, 22(6), 24-26.

Gordon, S. (2019, May). A matter of trust. Network Security, 2019(5), 9-11.

Diogenes, Y., & Ozkaya, E. (2019). Cybersecurity: Attack and Defense Strategies. Packt Publishing.

Chuan, T., Lv, Y., Qi, Z., Xie, L., & Guo, W. (2020, October). An implementation method of zero-trust architecture. Journal of Physics: Conference Series, 1651(1), 012010. IOP Publishing.

 
