What is Zero Trust
Threat actors are getting smarter by the day, and the assumptions around protecting your network and assets are constantly evolving. Zero Trust changes the thinking from premise based "Protect the castle perimeter" thinking to a principal of "Never trust, always verify"
Why is this important?
With more and more systems becoming separated from a single site and moving to cloud hosting, the "network perimiter" is no longer a viable entity to protect. Additionally, threat actors are targeting the usage of misconfigured corportate networks to move laterally within networks.
Key principals of Zero Trust include:
Verify Explicitly: Always authenticate based on all available datapoints, including identity, asset, network, and other signals
Enforce Least Privilege: Chances are, your call center agent doesn't need direct access to the production software environment. Limit your user and application access to only what is nessesary based on who is accessing it, but also on factors like the device security they are connecting in from
Assume Breach: Operate your environments with the assumtion the threat actors are already there. Segment access, apply monitoring, and respond quickly to alerts
How is Zero Trust different from other networking theories?
Traditional remote site networking (Site to Site, Point to Site)
One network is created for resource access, segmented based on the incoming connection parameters
VLANs can be used to segment networks and stateful firewalls used to control which applications/ports can be used to cross between VLANs
Typically, only a valid identity is required to access the network
Prone to misconfigurations allowing for a wider scope of lateral movement between networks with high confidentiality and integrity requirements
In my experience working in the IT and security consulting world, many networks still operate under these practices. Does this mean they are inherently unsafe? Not necessarily. However, they may not be as robust as they can be, and can offer much higher attack surfaces for movement between networks. It's not uncommon for an initial attack vector to be a VPN client with stolen credentials, whether from an internal employee or contractor, with way too much access scopes. When everyone has access to a whole network subnet, it makes it much easier to expand the scope of what you can see
Zero Trust Networking
Eliminates the concept of a trusted internal network and untrusted external network
Continuously verifies each access attempt, whether from inside or outside the network
Evaluates each resource to access individually, rather than allowing full access to a subnet of resources
Prioritizes secure access to resources based on modern authentication protocols
By contrast, Zero Trust networking essentially makes a VLAN for each individual resource. It's a bit more than that, but assume that each resource is on its own network essentially for access when configured properly. If someone needs to get into the network to access a file share resource, this does not also automatically give them access to an application server, or to an intranet web resource. Each must have their access evaluated individually, and you may be authenticated to connect to all but not allowed to access some based on other signals
Scalability Benefits
Modern Zero Trust networking platforms allow you to quickly and security create individual tunnels to resources, create many access rules, and modify/revoke access if any changes need to be made. Where on a traditional network you may need to add a resource to an overscoped subnet or spin up multiple stateful rules, VLANs, and NAT policies, Zero Trust allows you a high level of adaptability and access to resources no matter where they are on the web.
Chosing your Zero Trust client
There's many platforms to choose from, with some big players like Cisco, Microsoft, Cloudflare, and Zscaler. We decided to go with Cloudflare, for the following reasons:
Maturity
When evaluating, at the time it was a much more mature platform that over offerings providing aribtrary TCP tunneling, browser based isolation and rendering, and the ability to insert short life SSH certificates for SSH connections
Affordability
Working in the SMB (Small/Medium Business) space, afforability is an important consideration. Cloudflare's offerings are relatively easy to include in our existing support plans, including a free plan
While a free plan is available, it does have limitations for log retention, network locations, and user counts. Additionally, it does not have an uptime SLA and only community forum support
We typically deploy the standard "Pay-As-You-Go" plan, which at the time of writing, is $7/user/mo. This includes 100% uptime SLA guarantees, support with a median response of 4 hours, up to 50 network locations, and 30 days of dashboard/log retention
Reliability
Cloudflare serves 20% of all internet traffic globally, and has a global edge network that is <50ms from 95% of all internet users. While outages happen, they have a track record of reliable services, and include a 100% uptime SLA in their paid plans
Commonality
Already using Cloudflare for our DNS and WAF management, adding their ZTNA/SASE platforms were more appealing than adding yet another vendor to our toolbelt
Does this mean other platforms are bad? No! This platform just works the best for us, but Microsoft Global Secure Access has come a long way since we evaluated it, and other enterprise platforms are spoken of highly by our peers. While this section will be using the setup of Cloudflare ZTNA as our example, the concepts should carry over into most other plaforms. I highly recommend you evaluate all options available to you to find the best solution for your organization, not just ours.
Last updated