Zero trust and security architecture evangelist. Focus on analyzing foreign advanced network security systems, and provide reference for domestic military, government and enterprise chief security officers. The subject of the account is Dr. Ke Shanxue, who is currently working in the 360 R&D Center. Since July 2020, this subscription account is only original, and the opinions of the articles do not represent the position of the company. Thank you for your attention!
One side of the zero trust coin is access control and identity management, and the other side of the coin is host microsegmentation. The former is still essentially an outside-in approach, while the latter is an inside-out approach. Both address access issues, but the former is from the user’s perspective, while the latter is from the application and workload’s perspective.
Achieving the goals of the DoD Zero Trust Cybersecurity Framework is a multi-stage process. After the basic stages such as access control and identity management are achieved, DoD may begin to move towards the mid-to-advanced stages of zero trust, a more data-centric approach to security.
Access control will always be critical, but it is only an important first step in the zero trust journey. The SolarWinds complex cyberattack provides a more convincing case for the U.S. Department of Defense to accelerate its move to the mid-to-advanced stages of zero trust.
This article is the fifth in the “Illumio Six” series, focusing on revealing the relationship between the US Department of Defense Zero Trust and host micro-segmentation technology.
From the logic of this article, Gartner’s Zero Trust Network Access (ZTNA) is indeed incomplete in terms of leading the Zero Trust framework, while Forrester’s Zero Trust Ecosystem Extension (ZTX) framework is clearly superior.
1. Two sides of the zero trust coin
1) Two perspectives of zero trust
2) One side of the coin is access control and identity management
3) The other side of the coin is host microsegmentation
2. Why Host Micro-Segmentation Matters
1) Discrimination and analysis of three ways to realize micro-segmentation
2) Comparison of Two Zero Trust Perspectives
3. Two Phases of DoD Zero Trust
1) Basic Stages of Zero Trust in DoD
2) Mid-to-Advanced Stages of Zero Trust in the Department of Defense
3) Real-life example: speak with facts
4) Let the two approaches go hand in hand
1. Two sides of the zero trust coin
01 Two perspectives of zero trust
NIST SP 800-207 (Guide to Zero Trust Architecture) states, “Zero Trust is the term for a set of evolving cybersecurity paradigms that shift defenses from static, network-based perimeters to focusing on users, assets, and resources. The author believes that the “users, assets and resources” here should be decomposed into two parts: one is users (access); the other is assets and resources. Because the two correspond to different perspectives.
We know that least privilege access is at the heart of zero trust. This shows that the Department of Defense needs to change the traditional concept of “allow all access, deny specified access” to the principle of “deny all access, allow specified access”.
The crux of the matter is that for all of these accesses: on the one hand, from the user’s perspective; on the other, from the application and workload perspective.
Clearly, the U.S. federal government and Department of Defense are already working on improving zero-trust user access; however, in a zero-trust environment, the focus is gradually shifting to protecting its assets and resources.
02 One side of the coin is access control and identity management
The U.S. federal government and Department of Defense have begun to seriously consider zero trust. And an important aspect of zero trust, the preliminary work on Zero Trust Network Access (ZTNA), has been completed.
However, this is primarily an outside-in approach to zero trust.
03 The other side of the coin is host microsegmentation
One of the more important aspects of Zero Trust has to do with connecting applications and workloads. And this is exactly what attackers are targeting, but the federal government and the Department of Defense are not adequately protected in this area.
The “other side” of zero trust, the host-based micro-segmentation approach, will bring greater security from the inside-out and will prevent the lateral movement of malware.
NIST SP 800-207 specifically defines micro-segmentation as the use of software agents or firewalls on one or more endpoint assets. These gateway devices dynamically grant access to individual requests from clients, assets or services. And that’s the best way to protect your high-value assets (HVA), specifically presented in the FY2020 FISMA CIO Indicators report.
2. Why pay attention to host micro-segmentation
01 Discrimination and Analysis of Three Ways to Realize Micro-segmentation
Because at the heart of Zero Trust is the concept of least privilege, if a compromise occurs, it should be locked down to one server, workload, or laptop. This is an inside-out approach to zero trust.
From a system architecture perspective, this zero-trust approach can be implemented in three ways: software-defined networking (SDN), network firewalls, and host-based micro-segmentation.
1) SDN or network virtualization approach: is a weak security option for enforcement as it focuses on network security and uses a free-form tagging and labeling structure. The lack of governance in managing the metadata used to identify workloads makes it difficult to manage and deliver policies. Tracking IP addresses adds complexity and prevents scaling. It also requires a complete network upgrade and is expensive. Remember: the “N” in SDN stands for Network. Therefore, any segmentation of any SDN controller deployment, a network-centric approach, is implemented to focus on network challenges rather than host challenges.
2) Network firewall approach: To control the movement of east-west traffic, additional firewalls need to be deployed. However, hardware firewalls are too “hard” and lack flexibility. And for internal/data center firewalls, when the environment is virtualized and highly automated, keeping track of zones, subnets, IP addresses, order of rules also becomes quite unwieldy and difficult. As the environment becomes more complex, the potential for application disruption during firewall rule changes also increases. Similar to the SDN approach, application-to-application traffic lacks visibility, large deployments can be expensive, and this remains a network-centric approach.
3) Host-based micro-segmentation approach: is to program a native stateful firewall that resides in each host. Essentially, focusing on the application decouples segmentation from the network architecture. It is simple to deploy, easy to scale, low cost, and can be rolled out in any architecture, including cloud, container, hybrid and bare metal. It works with heterogeneous hardware assets such as firewalls, load balancers, network switches, and provides real-time application and workload dependency graphs. CIOs and CISOs can finally see, for the first time, what their applications and workloads are doing.
02 Comparison of Two Zero Trust Perspectives
Which angle/route a user takes to implement a zero-trust architecture will determine how easy it is to implement.
When users can create application and workload maps in real-time, they can significantly reduce the complexity of implementing Zero Trust. Because correctly creating a baseline application and workload dependency graph is critical to embedding security in the computing architecture of the entire organization. Users can view the traffic applied to the application and workload for proper segmentation.
While Zero Trust requires robust identity management tools; users also need to segment workloads and applications to prevent illicit lateral movement that could seriously impact an organization or mission.
Two different approaches: user-to-app and device-to-app traffic monitoring, requiring significant dependencies on credential escrow, strong authentication, identity management; and machine-to-machine or workload-to-workload connectivity, often API-based Yes, a different approach is required.
Both sides can be done at the same time. Credentials rely on network security; policy enforcement focuses on application security, which does not require a network. So, in fact, both sides of the Zero Trust coin can go on at the same time.
The path forward for Zero Trust means that the emphasis on network perimeters in the past must be replaced by a greater emphasis on users, data, and applications.
Going a step further, securing high-value assets with an inside-out approach is the most prudent way to start a Zero Trust pilot. This recommendation is consistent with the November 2019 DHS release of microsegmentation as a recommended capability for the CDM (Continuous Diagnosis and Mitigation) program.
3. Two Phases of Zero Trust in the U.S. Department of Defense
01 Basic Stages of Zero Trust in the Department of Defense
Achieving the Zero Trust vision is a multi-stage effort. The Defense Information Systems Agency (DISA) and the National Security Agency (NSA) are working together to develop a Zero Trust Reference Architecture and are also establishing a new Zero Trust Lab.
Ask people in the U.S. federal and DoD IT departments what “zero trust means” and you’ll probably hear it’s about access control: never allowing access to any system without first authenticating the user or device, Apps, networks, even if the user is an insider.
On the Defense Information Systems Agency’s (DISA) list of interpretations of zero trust, the top term is “never trust, always verify”, followed by “always assume an adversary already exists in the network environment” and “obviously” authentication”. These correspond to the basic stages of the DoD Zero Trust Maturity Model.
The basic phases, access control and identity management, are indeed the first important components of zero trust, and the Department of Defense is actively working on it. Currently, there are several pilot projects underway in the U.S. Army, Air Force, Navy, and DISA that focus on Zero Trust from the outside-in, with a focus on using a Zero Trust Network Access (ZTNA) approach to Upgrade identity management and user credentials. However, ZTNA does not show workload-to-workload connections and data flow. These jobs only tell half the story.
In the previous “Pillars of Zero Trust for the US Department of Defense” and “US Cybersecurity | Replacing Middle-Tier Security with Zero Trust?” “Introduced the Ministry of Defense’s zero trust construction ideas, it is indeed mainly based on identity management and SDP.
02 Mid-to-Advanced Stages of Zero Trust in the Department of Defense
The DOD Zero Trust journey doesn’t end there. Officials with the Department of Defense (DoD) and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) said in February that to establish a truly effective defense against the sophisticated cyberattacks used in the SolarWinds attack, further adoption of zero Trust safe. The incident also provides a more convincing reason for the U.S. Department of Defense to accelerate its progress toward the mid-to-advanced stage of zero trust.
Furthermore, the DoD has been seeking to leverage zero trust to improve network security without the need to purchase new equipment, and host-based micro-segmentation, by allowing agents to program local firewalls, makes the DoD’s security thinking possible.
In addition, the Department of Defense’s Digital Modernization Strategy (DMS) has made “recognizing data as a strategic asset” as one of its primary goals, and the Department of Defense recently released a separate “DoD Data Strategy” that will “recognize data as a strategic asset” Data Governance” is listed as the first step in implementing this strategy. The application layer, or layer seven, is at the heart of Zero Trust, which involves application and data-centric security.
Think of the basic phases of zero trust (identity/access control) as something like securing the front door of a house, and maybe even the inner door leading from one room to another. You want to make sure every entrant is verified and authenticated, even if they want to enter another room from home.
But the front door is not the only entrance. There are also side doors, back doors, basement doors, various windows that also need protection. For these doors and windows, the main concern should be data. DoD IT staff need to ensure they can understand activity across all doors and windows with multi-cloud/multi-application visibility and command and control of any data that goes in and out of side and back doors. Without these controls, data could leak, exposing sensitive information.
The last DISA director, Vice Admiral Nancy Norton, once said, “Zero trust will impact every area of our cyber domain, allowing us to better protect our data by closing every compartment on our ships.” These, obviously need to override access controls or just protect the front door.
As the DoD moves toward the intermediate and advanced stages of the Zero Trust Maturity Model, key capabilities to ensure its success include: full visibility into multi-cloud environments; security analytics for assessing user behavior; Dynamic policy enforcement of advanced data protection for approved applications, and more importantly DoD-authored mission applications; automated and orchestrated threat detection in hybrid cloud environments.
03 Real-life example: speak with facts
A bunch of big truths and logic have been said above, and now let’s cite a few real-life examples.
It’s no secret that cloud usage and threat scenarios have risen dramatically during the pandemic. The DoD deployed commercial virtual remote (CVR) cloud productivity tools to more than a million users in just a few months, and rapidly expanded their cloud usage in 2020. A recent report found that cloud usage from unmanaged devices doubled in the first 4 months of 2020, while external attacks against cloud accounts increased by more than 6x. Therefore, securing data beyond the front door is especially important because many of the DoD work in remote environments, accessing data and applications from multiple and hybrid cloud environments.
Let’s say a member of the military is working on a personal computing device, not through the department’s VPN, and wants to access an application through the cloud service Microsoft Teams. While the department has a secure connection to Microsoft Teams, the app add-on may be hosted by another cloud provider, which may or may not be secure. This cloud-to-cloud connection opens a hole, a side door, that needs to be locked to prevent exposure of sensitive data. Access control doesn’t help in this situation; that’s the role of Unified Cloud Policy data protection.
Let’s take a more technical example of a backdoor. Open S3 (Simple Storage Service) buckets have been the culprit in recent data breaches, as when misconfigured, it can lead to data leaks. An open data bucket is like an unsecured backdoor. S3 buckets can be set up as public or private, and the wrong setup is possible, especially when technicians are overworked and managing multiple buckets across an enterprise. Choosing the wrong setting will accidentally open this back door to the public. Again, access control and identity management do not solve this problem, but multi-cloud data protection solutions in the middle stage can.
04 Let the two approaches go hand in hand
Achieving the goals of the DoD Zero Trust Cybersecurity Framework is a multi-stage process. The planned rollout of the DISA/NSA Zero Trust Reference Architecture will help DoD better move forward. After implementing the basic stages of access control, identity management, and encryption of data flow from endpoint to cloud, DoD may begin to move towards the mid-to-advanced stages of Zero Trust.
Initial actions are being undertaken from an identity management or ZTNA perspective; however, the next step requires more focus on an inside-out approach, a host-based micro-segmentation approach, to achieve zero trust. Doing so will help prevent the spread of lateral movement, leverage existing equipment to improve the cybersecurity posture of a DoD agency or command, and provide unprecedented real-time visibility maps.
In short, closing all DoD network doors and windows in a zero-trust fashion. Both sides of the Zero Trust coin can go hand in hand and should go hand in hand.
The Links: MG15G1AL2 LM170E03-TLB3