What is Zero Trust, Anyway?


Governments, scholars, and industry organizations have been trying to define Zero Trust for nearly three decades. In 1994, the term was first used by Stephen Paul Marsh at the University of Stirling in Scotland in his doctoral thesis on computer security.

In 2018, NIST began work on SP 800-207, publishing an initial public draft in 2019 and the final version in 2020. Many aspects of Zero Trust predate both that publication and the coining of the term. Before the Internet was ubiquitous, many networks and network assets required discrete credentials and re-authentication with each new session.

When the term Zero Trust was first used in 1994, most corporate and government systems were “air gapped”, meaning they were not connected to the Internet. Each system also had its own unique authentication. Even local networks were separated by department. HR could not see the Finance systems and vice versa. You only had visibility and access to what was required to do your job.

Common sense requirements like these have eroded over the decades, largely resulting in our current cybersecurity dilemma. However, they are a recurring theme in NIST’s Zero Trust Architecture paper SP 800-207. Zero Trust, in many ways, is a return to traditional Information Systems security practices while not hindering the ubiquitous power of the Public Internet.

So, What is Zero Trust?

Let’s start with NIST’s SP 800-207.

To quote this publication’s definition:

Zero Trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.

There is much more to it than that, though. The publication also provides seven Tenets of Zero Trust. These are high level principles meant to guide Zero Trust network deployment, maintenance, policies, and procedures. The Tenets of Zero Trust, according to NIST, are:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.

Huh? What Does That Mean To Me?

To the average person, this means that:

  1. Everything you can access on a given network is a resource (including the device you use to access that network).
  2. When you access any network resource, you should use the most secure encryption method(s) available to protect communications between you and that resource.
  3. Each time you initiate a session with a network resource, you must authenticate. Authenticating to a network or some network resource does not grant automatic access to any other resources. You will also be assigned the least privilege necessary to perform your task(s).
  4. You may be granted or denied access to network resources based on a number of criteria, states, or attributes. For instance, you may only be allowed access to a given resource between certain hours. Or, you may not have access to the network if you are connecting from an unknown location. You may also be denied access if certain resources are under attack.
  5. The owner of the network monitors it for compromised resources. If a resource is discovered to have vulnerabilities or if it is not owned or managed by the network owner, it may be denied or be given restricted access.
  6. You will likely be required to use multifactor authentication (MFA) and may be asked to re-authenticate at any time during a session, depending on network policy.
  7. The state of your computer and other resources on the network is collected, along with other information, by the network owner to enforce policy and facilitate access requests and network communications.
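As an added illustration (not code from the original post or from SmokeNet), here is a toy per-request policy engine in Python that turns the criteria listed above (time window, known location, resource under attack, MFA, re-authentication age, device posture and a least-privilege action set) into a default-deny decision. All names, thresholds and sample data are invented for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
@dataclass
class Request:
    subject: str
    resource: str
    action: str              # "read" or "write"
    source_location: str     # "office", "home-vpn", "unknown", ...
    mfa_verified: bool
    device_posture_ok: bool  # managed by the enterprise and no known vulnerabilities (tenet 5)
    last_auth: datetime      # last successful authentication in this session
    now: datetime

@dataclass
class Policy:
    allowed_actions: dict                 # subject -> permitted actions (least privilege)
    allowed_hours: tuple = (8, 18)        # permitted UTC hours, [start, end)
    known_locations: frozenset = frozenset({"office", "home-vpn"})
    reauth_after: timedelta = timedelta(minutes=15)
    resources_under_attack: set = field(default_factory=set)

def decide(req: Request, policy: Policy) -> tuple:
    """Default-deny, re-evaluated on every request (tenets 3, 4, 6). Returns (decision, reason)."""
    if not policy.allowed_hours[0] <= req.now.hour < policy.allowed_hours[1]:
        return "deny", "outside permitted hours"
    if req.source_location not in policy.known_locations:
        return "deny", "unknown location"
    if req.resource in policy.resources_under_attack:
        return "deny", "resource under attack"
    if not req.mfa_verified:
        return "deny", "MFA required"
    if req.now - req.last_auth > policy.reauth_after:
        return "deny", "re-authentication required"
    if req.action not in policy.allowed_actions.get(req.subject, set()):
        return "deny", "action not permitted for subject"
    if not req.device_posture_ok:  # tenet 5: restrict a risky device rather than deny outright
        if req.action == "read":
            return "allow-restricted", "device posture failed; read-only"
        return "deny", "device posture failed"
    return "allow", "all checks passed"

def sample_request(**overrides) -> Request:
    """Constructed sample (not real data): 10:00 UTC, MFA done, authenticated 5 minutes ago."""
    now = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    fields = dict(subject="alice", resource="finance-db", action="read", source_location="home-vpn",
                  mfa_verified=True, device_posture_ok=True, last_auth=now - timedelta(minutes=5), now=now)
    fields.update(overrides)
    return Request(**fields)

SAMPLE_POLICY = Policy(allowed_actions={"alice": {"read", "write"}, "bob": {"read"}})
```

Each call to `decide` starts from deny and must pass every check, so adding a resource to `resources_under_attack` or shortening `reauth_after` changes the outcome of the very next request without any change to the caller.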

Is That It? Can I Run With That?

In an ideal world, you could just rely on a recommendation from your favorite three or four letter agency. This is the real world, so we like to nail things down a bit more securely. For instance, the computers that your employees use to connect from home to your company network may be wide open to other devices on their home networks – game systems, IoT devices, or even computers infected with malware. This could expose your network, even if they connect using VPN clients.

You should have a solution that makes your remote users invisible to other devices on their home networks. If you do not, then by the Seven Tenets the employee's home network and every device on it effectively become an extension of the company network. This is bad for the company, because it increases risk, and bad for the employee, because private devices become open to inspection by corporate security systems.

Remove those home devices. How?

SmokeNet uses a separate device that provides a secure connection back to your company’s network or, for private use, anonymous, secure internet access. Your users at home are connected to the SmokeNet device and not directly to their Public Internet Router or their router’s home network. Each connection is part of a secure, remote network. The connections between the home devices and the remote network continuously employ a technique called Moving Target Defense (MTD); with SmokeNet, this means changing virtual ports at short, random intervals.

Each SmokeNet device is aggressively firewalled from the home network, meaning that only SmokeNet traffic is able to pass. This firewall is key to making SmokeNet devices invisible to the home. MTD makes the network traffic invisible on the Internet, removing all known network vulnerabilities.

The user at home connects to the SmokeNet device via WiFi using a very long passphrase or a dongle connected directly to the device through USB. This ensures they have a secure connection back to the company network, protected from other devices on the home network.

Is There More?

There is! In the coming weeks, we will publish a series of posts on Zero Trust. We will break down the Seven Tenets in detail and let you know how we address them with our own technologies.