Examining the Seven Tenets of Zero Trust

Our prior post, “What is Zero Trust, Anyway?”, discussed how Zero Trust is defined at a high level and touched on the Seven Tenets of Zero Trust. Today, let’s take a deeper dive into those tenets. We’ll expand on what each tenet means with regard to a network.

The First Tenet

All data sources and computing services are considered resources.

Any network has multiple resources on it. If there is a server with a shared drive, that is a resource. If you access a database on the network, that is also a resource. The computer you are using – a resource. If there is an IoT device that controls manufacturing equipment on the same network, it is considered a resource as well. Even a rogue device that someone maliciously plugs into the network without anyone’s knowledge is a resource. What?!?! That’s right; everything connected to the network is a resource – even bad things. We’re not done yet though… even the network and every piece of equipment servicing that network are resources.

The Second Tenet

All communication is secured regardless of network location.

Because there could be bad resources introduced to the network at any time, all communication must be secured. This means that connections such as one between a user’s laptop and a database, a control channel between two manufacturing systems, a connection between a home and a remote office, and any other connection between resources must be encrypted. What’s more, NIST SP 800-207 declares that these connections should use the most secure encryption method available.

The reason that all connections must be secured is at the root of Zero Trust. Two or more resources communicating with each other on the network should have Zero Trust in other devices on the network. Why? Because if any other resources on the network had a need to consume or contribute to these communications, they would have been included in the encrypted connection. Zero Trust means that every resource is on a “need to know” basis. In summary, the mindset is that everything is compromised so everything needs to be protected.

The Third Tenet

Access to individual enterprise resources is granted on a per-session basis.

In a network, a session is a time-limited link between two or more resources. The session is established, utilized, and then ended. Sessions may be limited by time, number of transactions, or other criteria. Each time one resource requests access to another, the process of creating a session is carried out again. If the requesting resource authenticates and is allowed access, a session is established. When the necessary activity is completed or when time limits are reached, the session will end. In some cases, such as when the session times out, the requesting resource may be given an option to re-authenticate to continue the session.

There are many reasons for granting access to a resource each time a session is established. For instance, authorization to access resources may change often, employees may leave and no longer be allowed access, or a compromised device may be denied connections for security reasons.
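
The per-session model described above, as an added example that is not from the original post or from any product it mentions. The `SessionBroker` class, the user and device names, and the time and transaction limits are all hypothetical; the clock is passed in as `now` so the behaviour is reproducible.

```python
from dataclasses import dataclass

# Constructed directory state; in practice this comes from identity and device inventory.
ACTIVE_USERS = {"alice", "bob"}
COMPROMISED_DEVICES = set()

@dataclass
class Session:
    user: str
    device: str
    resource: str
    expires_at: float
    remaining: int          # transactions left in this session

class SessionBroker:
    """Hypothetical broker: one session per (user, device, resource)."""
    def __init__(self, ttl=300.0, max_transactions=3):
        self.ttl, self.max_tx = ttl, max_transactions
        self.sessions = {}

    def _eligible(self, user, device):
        return user in ACTIVE_USERS and device not in COMPROMISED_DEVICES

    def open(self, user, device, resource, authenticated, now):
        # Access is decided again every time a session is created.
        if not (authenticated and self._eligible(user, device)):
            return None
        s = Session(user, device, resource, now + self.ttl, self.max_tx)
        self.sessions[(user, device, resource)] = s
        return s

    def use(self, user, device, resource, now):
        key = (user, device, resource)
        s = self.sessions.get(key)
        if s is None:
            return "no-session"        # a session for another resource does not count
        if not self._eligible(user, device):
            del self.sessions[key]     # employee left or device flagged mid-session
            return "revoked"
        if now >= s.expires_at or s.remaining == 0:
            del self.sessions[key]     # time or transaction limit reached
            return "reauthenticate"
        s.remaining -= 1
        return "ok"
```
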

The Fourth Tenet

Access to resources is determined by dynamic policy – including the observable state of client identity, application/service, and the requesting asset – and may include other behavioral and environmental attributes.

An organization’s policies tend to change, sometimes infrequently, sometimes constantly. This is where the Fourth Tenet comes in. In any network, it is important that access to resources adheres to policies that are in place. In a Zero Trust network, policies around people, risk, security, usage, access, and other attributes are enforced through systems that either monitor or can request the state of any resource.

Policies are based on a number of things, including business needs and acceptable risk. Fewer rules may come into play for an inventory of office supplies compared to an inventory of critical device components. The principle of least privilege, where a resource is given only the level of access required to perform its task, plays a key role.

For example, let’s assume that the aforementioned inventories of cleaning supplies and critical device components are stored in the same database. The manager of the custodial team would be granted access to the database, but would be limited to interacting only with cleaning supply records, while a manufacturing floor supervisor might have access only to records pertaining to device components. A third person, in accounting, might have limited access to both. A fourth person, perhaps in charge of requisitions, could have read-only access to show the entire inventory of available stock. This kind of read-only access may be less restricted or may have nearly no restrictions at all, as there is little to no threat to the overall system.

Should any of these people encounter changes in their positions or should policies change around a given resource because it is deemed lower or higher risk, dynamic policy aims to ensure that each resource is granted only the appropriate levels of access to any other resource.
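
The shared inventory database above, written out as a default-deny policy decision (an added example, not from the original post). The user names, action names, the `update_cost` grant standing in for accounting's "limited access", the risk tiers and the 900-second MFA window are all assumptions made for illustration.

```python
# Constructed policy data modelling the shared inventory database described above.
# Action names and the accounting grant ("read", "update_cost") are assumptions.
GRANTS = {
    "custodial_manager": {"cleaning_supplies": {"read", "write"}},
    "floor_supervisor":  {"device_components": {"read", "write"}},
    "accounting":        {"cleaning_supplies": {"read", "update_cost"},
                          "device_components": {"read", "update_cost"}},
    "requisitions":      {"cleaning_supplies": {"read"},
                          "device_components": {"read"}},
}
RISK = {"cleaning_supplies": "low", "device_components": "high"}
# Hypothetical people holding the four positions from the text.
ROLE_OF = {"maria": "custodial_manager", "dev": "floor_supervisor",
           "lee": "accounting", "sam": "requisitions"}

def decide(user, category, action, device_compliant, mfa_age_s):
    """Return (allowed, reason); evaluated on every request, default deny."""
    role = ROLE_OF.get(user)
    if role is None:
        return False, "unknown identity"
    if action not in GRANTS.get(role, {}).get(category, set()):
        return False, "not granted to role"
    # Higher-risk records add conditions on the requesting asset and the login.
    if RISK.get(category, "high") == "high":
        if not device_compliant:
            return False, "device posture"
        if action != "read" and mfa_age_s > 900:
            return False, "stale MFA"
    return True, "ok"
```

Because `ROLE_OF` and `RISK` are read on every call, a change of position or a re-tiering of a record category takes effect on the next request without touching the grants themselves.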

The Fifth Tenet

The enterprise monitors and measures the integrity and security posture of all owned and associated assets.

This tenet boils down to what Zero Trust is all about – Trust Nothing. At least, trust nothing inherently. The organization embracing Zero Trust continuously monitors and queries all resources on the network, determining the access allowed for a resource at any given time. If an asset is compromised or found to have known vulnerabilities, it may be denied all access until the issues have been eliminated. Unknown resources could be automatically determined to be a threat and be denied access completely. Resources not owned by the organization (associated assets) may require registration and will likely be confined to a restricted segment of the network.

Any resources attempting to connect to the network will be subject to the same monitoring and restrictions as ones owned by the organization, possibly even more. The organization may even require that specific software be installed on devices connected to the network or that connections be made only through hardware-based cybersecurity solutions, such as SmokeNet.

The Sixth Tenet

All resource authentication and authorization are dynamic and strictly enforced before access is allowed.

There is a theme in these tenets – automation – and this one is no exception. Zero Trust Networks implement a system of dynamic authentication and authorization. Depending on cybersecurity policies, business rules, and other factors, connected resources may be required to authenticate or re-authenticate multiple times to connect and stay connected to the network. Multi-Factor Authentication (MFA) will be a requirement. Resources will be continuously monitored to ensure adherence to policies. For instance, if a policy requires re-authentication after a given period, the resource will be required to re-authenticate.

Policies may be influenced by a number of factors, including security, usability, and budget. In the spirit of Zero Trust, security should be the primary factor.

One point of contention is Single Sign-On (SSO). This is where only one authentication is used to provide access to multiple resources. Strictly following the rules of Zero Trust, SSO is not allowed. Nor, by common sense, should it be allowed. Attackers only have one authentication to defeat to get access to multiple resources? This is exactly the kind of thinking that gets organizations into this mess in the first place.

To quote the Third Tenet of Zero Trust from NIST SP 800-207, “authentication and authorization to one resource will not automatically grant access to a different resource.” SSO flies in the face of this. Unfortunately, in the preliminary draft of NIST SP 1800-35B, Implementing a Zero Trust Architecture, Volume B, NIST has allowed private companies to inject their SSO products into a list of “relevant products and capabilities they bring to this ZTA effort”. This effectively contradicts SP 800-207, pitting the two against each other. Bear in mind that SP 800-207 was created entirely by NIST and CISA, two US Government organizations, while SP 1800-35B was largely authored by representatives of private companies.

That said, SSO is something many solution providers are touting as a zero trust solution. Our recommendation: if you see a solution selling Single Sign-On as a feature, move on. This is completely outside these tenets and the spirit of Zero Trust Architecture.

The Seventh Tenet

The enterprise collects as much info as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

The seventh tenet is very much about network monitoring, while involving key facets of some of the other tenets. It essentially states that as much data as possible should be collected from all of the monitoring, authentication, access, and other activities done under the other tenets. This data is to be used to glean insights on how to create more effective policies and improve enforcement.

SmokeNet and the Seven Tenets of Zero Trust

SmokeNet is a real Zero Trust Networking solution that touches every one of the Seven Tenets.

How does SmokeNet tie in to the Seven Tenets of Zero Trust? Let’s start with the First Tenet. A SmokeNet client device is a resource on the network. Additionally, laptops, workstations, or other devices that authenticate and connect through that SmokeNet client device are resources on a SmokeNet network and may be resources on other networks that the SmokeNet network communicates with.

On to the Second Tenet: all communications between devices on a SmokeNet network are secured. In fact, they are secured using the most secure encryption method available – a Vernam Cipher. A Vernam Cipher is the only known encryption that cannot be cracked. As mentioned in the Second Tenet section, using the most secure encryption method available is a key part of the Second Tenet of Zero Trust.

The Third Tenet, as we learned before, says that access to each resource is granted on a per-session basis. SmokeNet goes above and beyond this requirement. Every SmokeNet device authenticates at initialization, then re-authenticates, in both directions (send and receive), at random intervals, usually multiple times per minute, during any given session. Moreover, the authentication credentials are random and constantly rotated at a machine level. This is in addition to any user authentication that may be implemented on the network.

Adhering to the Fourth Tenet, individual SmokeNet client device connections are configurable and can be disabled at any time, either by an automatic process based on policy or by a human administrator. This allows immediate termination of access to the SmokeNet network and any resources on it.

The Fifth Tenet calls for monitoring and measurement of the integrity and security posture of assets. SmokeNet devices are able to report on and can be monitored using standard IP network monitoring methods. SmokeNet has been tested by an independent third party, with results showing Zero Network Vulnerabilities. SmokeNet devices are aggressively firewalled, making it easy to monitor for anomalies, security issues, and other possible problems. In short, it removes network threats and the possibility of hacking into the network – a major problem for VPNs and a primary method of conducting ransomware attacks.

Dynamic, strictly enforced authentication and authorization are prescribed by the Sixth Tenet. SmokeNet allows network operators to tighten their security policies by only allowing certain access, such as remote access, through a proven, secure, hardware-based access method. If security and ease of use are codified in policy, SmokeNet can be a key component of your Zero Trust Network. Because SmokeNet is hardware, it also meets the requirement of “having something” constantly. This is much more than just proving you have your phone.

The Seventh Tenet is all about information collection. SmokeNet devices gather a wealth of information that can be used to improve security on the network. There are logs available for every session, every connection, every authentication and re-authentication, and other activities. There are event logs that record attempted intrusion. All of this information can be used to shape future security policies.

SmokeNet is not a one-stop solution to Zero Trust Architecture, but it is the only real solution for Zero Trust Networking (ZTN) because it removes trust in the base network protocols. That is why assessments show zero network vulnerabilities. Like a VPN, SmokeNet is a network inside a network. The difference is SmokeNet is truly private. This is why it is the real ZTN.

In a nutshell, SmokeNet reduces the threat vectors and provides the data required for facilitating all seven tenets of Zero Trust.

Implementing a real Zero Trust Network solution

However you build your Zero Trust Network, just remember – Zero Trust is all about not inherently trusting anything that connects to your network, keeping your systems and data secure. SmokeNet client devices plug into a router or other device and don’t allow other devices on that network to communicate with them. When someone connects using that SmokeNet device, there is no fear that other devices on the regular network can cause issues.

There are many other factors in play as well. One of these factors is authentication. Another equally important factor is the strength of the encryption used on the network. A requirement of the Second Tenet is using the most secure encryption method available. SmokeNet, as mentioned earlier, does that with the Vernam Cipher.

We are able to use Streaming Encryption with a Vernam Cipher because we have zero network vulnerabilities. This is accomplished by using Moving Target Defense. This uses the raw network (like the Internet) in a different way that provides Zero Trust of the underlying protocols and creates a tunnel with a private network that is under your control. You can even create SmokeNet networks inside other SmokeNet networks for critical information for departments or groups to further increase the Zero Trust Networking segmentation beyond just simple network segmentation.

If you are putting together a network and would like to adhere to the Seven Tenets of Zero Trust, drop us a line. We would be glad to work with you to deploy the most secure network possible.