Zero Trust Visibility
2021-01-13 | 6 min read
Zero Trust Architecture (ZTA) is a term much discussed recently in the context of cybersecurity and touted as being offered by cybersecurity vendors. But there isn’t a single ZTA solution. The architecture is composed of numerous components that, when taken together, form a paradigm for dealing with security that is appropriate in a modern world where corporate enterprises are no longer confined to a well-defined and trustworthy perimeter (think remote work, cloud, etc.). For reference, the National Institute of Standards and Technology (NIST) has created a very detailed ZTA publication: https://www.nist.gov/publications/zero-trust-architecture. In this blog, I’ll attempt to distill down relevant concepts and elaborate a bit on the particular components related to security visibility.
To summarize, Zero Trust is a response to trends such as bring your own device and cloud assets not located within an enterprise-owned boundary. ZTA is a cybersecurity paradigm that moves defenses from static network-based perimeters to focus on users, assets and resources. No implicit trust is granted to assets or user accounts based solely on their physical location or asset ownership. In a ZTA, authentication and authorization are performed before a session to any enterprise resource is established, and the focus is on protecting resources (assets, services, workflow, accounts, etc.), not network segments. Some key ZTA components discussed in this blog focus on controlling access, visibility, and continuous validation.
In a traditional corporate IT enterprise, the network perimeter was defended in a limited number of places by technologies such as Firewalls (this is now sometimes referred to as the ‘North-South’ perimeter). Due to more employees now working from home because of the pandemic, as well as previously emerging trends in remote and cloud access, the well-defined security perimeter is evaporating. While traditional perimeter Firewalls are still important, they alone aren’t sufficient in distributed, dynamic and increasingly software-defined infrastructure. Assets can no longer be trusted simply because of their location on the network.
With ZTA, components are added to secure inside the perimeter (this inside domain is sometimes referred to as ‘East-West’, Internal, or other names), or wherever else application resources need to be accessed (e.g. Cloud, SaaS). These components control access to resources and include: management of identity, authentication, authorization and privileges; policy enforcement points (PEP); micro-segmentation and implicit trust zones; software-defined perimeters; and compliance. Control components such as micro-segmentation may be accomplished by placing purpose-built PEPs, or specially configured hardware or software such as Next Generation Firewalls (NGFW), to protect communication between Internal resources. To simplify, ZTA control components are responsible for controlling who gets access to which resources – regardless of where they are located.
In addition to controlling access, there are additional ZTA components related to validating security such as asset discovery, network traffic monitoring, threat feeds, and continuous diagnostics and mitigation. The job of these visibility components is to validate that the ZTA controls are securing access as expected. I refer to these aspects of ZTA collectively as Zero Trust Visibility. These visibility components tend to get less attention than their control component counterparts, but they are equally important in my opinion.
For example, policy enforcement depends on knowing what resources to control. There will always be new and unknown assets that appear, whether malicious or not. Asset discovery mechanisms are needed to find out what needs to be secured in the first place. Detection of and response to threats on all known and previously unknown assets is critical – techniques such as network traffic monitoring, threat feeds, logging and metadata analysis are key. Related capabilities such as decryption are also important.
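The validation role described in the two paragraphs above, as an added example that is not from the original post or from Keysight: observed flow records are compared against an asset inventory and an allow-list of segment-to-segment flows, so that unknown assets and traffic the controls should have blocked both surface. The inventory, policy, flow records and the `audit_flows` helper are all constructed for illustration.

```python
import ipaddress

# Constructed asset inventory: IP address -> micro-segment (assumption).
INVENTORY = {
    "10.1.0.10": "web",
    "10.1.0.20": "app",
    "10.1.0.30": "db",
}

# Constructed micro-segmentation policy: (source segment, destination segment, port).
ALLOWED = {
    ("web", "app", 8443),
    ("app", "db", 5432),
}

# Constructed flow records, as a traffic monitor might export them:
# (source IP, destination IP, destination port) of sessions that were established.
FLOWS = [
    ("10.1.0.10", "10.1.0.20", 8443),  # web -> app, permitted by policy
    ("10.1.0.20", "10.1.0.30", 5432),  # app -> db, permitted by policy
    ("10.1.0.10", "10.1.0.30", 5432),  # web -> db, not in policy: control gap
    ("10.1.0.77", "10.1.0.30", 5432),  # source missing from the inventory
    ("10.1.0.20", "10.1.0.99", 22),    # destination missing from the inventory
]


def audit_flows(flows, inventory, allowed):
    """Return (unknown_assets, violations) for a batch of observed flows.

    unknown_assets: IPs seen on the wire but absent from the inventory.
    violations: flows between known assets that the policy does not permit,
    meaning an enforcement point let through something it should not have.
    """
    unknown_assets = set()
    violations = []
    for src, dst, port in flows:
        # Normalise the textual form so lookups match the inventory keys.
        src = str(ipaddress.ip_address(src))
        dst = str(ipaddress.ip_address(dst))
        missing = [ip for ip in (src, dst) if ip not in inventory]
        if missing:
            # Policy cannot be evaluated for an asset nobody has classified.
            unknown_assets.update(missing)
            continue
        if (inventory[src], inventory[dst], port) not in allowed:
            violations.append((src, dst, port))
    return sorted(unknown_assets, key=ipaddress.ip_address), violations


if __name__ == "__main__":
    unknown, bad = audit_flows(FLOWS, INVENTORY, ALLOWED)
    print("Unknown assets:", unknown)
    print("Policy violations:", bad)
```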
Another example is the need to continuously validate security controls between endpoints, to ensure that potential breaches are discovered. Emerging techniques such as breach and attack simulation help safely simulate attacks between endpoints and report on which of these simulated attacks succeed and which fail. Based on these reports, ZTA control components (e.g. rules on software-defined micro-segmentation, policy enforcement configuration, and identity and privilege authorization) can be adjusted.
In conclusion, ZTA is a broad paradigm with no "one size fits all" solution. It requires a heterogeneous approach including both control and visibility components. Keysight Technologies offers solutions which can help with Zero Trust Visibility components related to ZTA, in areas such as network traffic visibility (inline visibility paired with NGFW offerings from Keysight partners, or out of band visibility paired with asset discovery plus detection and response offerings from Keysight partners), threat intelligence, decryption, plus breach and attack simulation. See resources below for background, and please feel free to contact Keysight for further details.