Zero Trust Networking (and everything else Zero Trust)

Started by deanwebb, December 01, 2023, 09:18:54 AM


deanwebb

The biggest difference between Zero Trust (ZT) thinking and earlier design concepts is that ZT means there is *no* trusted zone. There is *no* area of the network where we can safely assume that only the Good Guys are doing things. Assume a breach can happen from any direction, starting in any location. Where you are not looking is where the attacker is preparing a base of operations.

Taking a step back from plunging into raving paranoia (which can be a good career choice, should you want to be deeper in security), ZT networking means the end of the flat network where everything can reach everything else. It's about determining what communications need to go where and permitting those and no more. The reason? Attackers, being unfamiliar with the network, will do probes and recon missions that go all over the place so they can plan their next moves. Blocking recon at the start makes things that much more difficult for attackers.

Which means they go the human route more and more - intimidation is on the rise as a component in cyberattacks, which means our own employees are more and more likely to use their access to permit attackers' entry and operations. Therefore, we have to keep an eye on those employee credentials, making Identity Management a critical pillar of ZT. No more assigning users to groups and giving groups rights on the network: assign users to groups, and group members can check out temporary credentials to perform tracked and monitored functions.

Is this a bit police state-y? Yes. Yes, it is. If you read histories of how the East German secret police, the Stasi, ran operations, you will see ZT shot through their thinking. I abhor everything the Stasi stood for - oppression, silencing voices, totalitarianism - but at the same time, I can learn from studying them. By no means do I ever want to go as far as keeping scent samples on people so I can track them down with dogs or develop planar discharge mines to kill only people (or animals, as it turned out) who tried to cross border fences. But do I see a need to track and record all admin actions? Yes, I do. Most won't be reviewed, but if a forensic investigation arises, we want those for the investigation, 100%.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
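The "check out temporary credentials to perform tracked and monitored functions" idea from the post above, as an added example that is not part of the original thread: group membership only grants the right to request a short-lived grant for one named function, every request and use is appended to an audit log, and expired or mismatched grants are refused. The groups, user names, function names and the 15-minute lifetime are all constructed for illustration.

```python
"""Added example (not from the forum post): a minimal credential broker that
models "check out temporary credentials". Group membership does not grant
rights directly; it grants the ability to request a short-lived grant for a
named function, and every request and use lands in an audit log."""
import secrets
import time
from dataclasses import dataclass, field

# Constructed directory: which groups may request which functions.
GROUP_FUNCTIONS = {
    "net-admins": {"router.config", "switch.config"},
    "db-admins": {"db.backup", "db.restore"},
}
USER_GROUPS = {
    "alice": {"net-admins"},
    "bob": {"db-admins"},
}
DEFAULT_TTL_SECONDS = 15 * 60  # assumed grant lifetime (15 minutes)


@dataclass
class Grant:
    token: str
    user: str
    function: str
    expires_at: float
    used: int = 0


@dataclass
class CredentialBroker:
    # Injectable clock so behaviour around expiry can be tested deterministically.
    clock: callable = time.time
    grants: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, event, user, function, outcome, detail=""):
        # Every decision is recorded, allowed or denied; nothing is silently dropped.
        self.audit_log.append({"ts": self.clock(), "event": event, "user": user,
                               "function": function, "outcome": outcome, "detail": detail})

    def check_out(self, user, function, ttl=DEFAULT_TTL_SECONDS):
        """Return a one-off token for `function` if one of the user's groups permits it, else None."""
        allowed = any(function in GROUP_FUNCTIONS.get(g, set())
                      for g in USER_GROUPS.get(user, set()))
        if not allowed:
            self._log("checkout", user, function, "denied", "not in an authorised group")
            return None
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(token, user, function, self.clock() + ttl)
        self._log("checkout", user, function, "granted")
        return token

    def use(self, token, function):
        """Validate a token for a specific function: unknown, expired or mismatched grants fail."""
        grant = self.grants.get(token)
        if grant is None:
            self._log("use", "?", function, "denied", "unknown token")
            return False
        if self.clock() >= grant.expires_at:
            del self.grants[token]  # expired grants are removed, not kept around
            self._log("use", grant.user, function, "denied", "grant expired")
            return False
        if function != grant.function:
            self._log("use", grant.user, function, "denied", "grant is for " + grant.function)
            return False
        grant.used += 1
        self._log("use", grant.user, function, "allowed")
        return True


if __name__ == "__main__":
    broker = CredentialBroker()
    token = broker.check_out("alice", "router.config")
    print("use allowed:", broker.use(token, "router.config"))
    for entry in broker.audit_log:
        print(entry)
```

The grant is bound to one function rather than to "admin" in general, which is what makes the audit trail useful afterwards: each log entry names who asked for what, whether it was granted, and whether each later use was inside the grant's scope and lifetime.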

config t

This is a good place to start:
https://www.nist.gov/publications/zero-trust-architecture

The amount of acronyms in ZT is staggering. Granted, I'm somewhat new to doing cybersec for a living, but I feel as if I'm learning a new language.

Please don't mistake my experience for intelligence.

icecream-guy

ZT is a very detailed architecture, one where the engineer needs to be extremely familiar with the environment to identify applications, group the ports/protocols needed for those applications to work, and identify sources and destinations. One must be an extraordinary engineer to deploy it. The application owners must have clarity on exactly what ports/protocols those applications need, what is talking to what. But one must be an extraordinary application owner to have this knowledge; most don't have a clue. Application users have no clue: they just want to click and have the application work as usual. This is usually left up to the network engineer to run packet captures and use Wireshark to identify, unless mega money is dumped into a tool that can monitor the network and identify apps, which may take a huge investment to set up in the first place, even before a ZT pilot is deployed.


My Moral Fibers have been cut.
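Both posts above describe the same workflow: observe what actually talks to what, group it by application port and zone, permit only that, and deny the rest. The following is an added example, not code from the thread, showing that workflow end to end over constructed flow records. The comma-separated flow format (src, dst, proto, dport, packets), the zone-to-subnet map and the review thresholds are assumptions; a real deployment would feed it from capture summaries or flow exports.

```python
"""Added example (not from the forum thread): derive a candidate allow-list
from observed flows, grouped by zone and destination port, then evaluate new
flows against it with default deny. Flow records and zones are constructed."""
from collections import defaultdict
import ipaddress

# Constructed flow summary, as one might export from a capture: src,dst,proto,dport,packets
SAMPLE_FLOWS = """\
10.1.10.21,10.1.20.5,tcp,1433,812
10.1.10.22,10.1.20.5,tcp,1433,640
10.1.10.21,10.1.30.9,tcp,443,120
10.1.10.23,10.1.20.5,tcp,1433,3
10.1.10.21,10.1.20.5,tcp,22,1
10.1.40.7,10.1.20.5,tcp,1433,2
"""

# Constructed zone map: which subnet belongs to which tier.
ZONES = {
    "web-tier": ipaddress.ip_network("10.1.10.0/24"),
    "db-tier": ipaddress.ip_network("10.1.20.0/24"),
    "api-tier": ipaddress.ip_network("10.1.30.0/24"),
    "workstations": ipaddress.ip_network("10.1.40.0/24"),
}


def zone_of(ip):
    """Map an address to its zone name; anything outside the known subnets is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text):
    """Parse the constructed flow format into (src, dst, proto, dport, packets) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts = line.split(",")
        flows.append((src, dst, proto, int(dport), int(pkts)))
    return flows


def summarise(flows):
    """Aggregate by (src zone, dst zone, proto, dport): distinct sources and total packets."""
    agg = defaultdict(lambda: {"sources": set(), "packets": 0})
    for src, dst, proto, dport, pkts in flows:
        key = (zone_of(src), zone_of(dst), proto, dport)
        agg[key]["sources"].add(src)
        agg[key]["packets"] += pkts
    return agg


def propose_rules(agg, min_sources=2, min_packets=100):
    """Split patterns into proposed allow rules and a review list.

    A pattern seen from several sources with real traffic looks like an
    application dependency; a one-off trickle (a single host on an odd port)
    is exactly what should be questioned rather than baked into policy."""
    rules, review = [], []
    for key, v in agg.items():
        if len(v["sources"]) >= min_sources and v["packets"] >= min_packets:
            rules.append(key)
        else:
            review.append(key)
    return sorted(rules), sorted(review)


def evaluate(rules, src, dst, proto, dport):
    """Default deny: a flow is permitted only if it matches a proposed rule."""
    return (zone_of(src), zone_of(dst), proto, dport) in set(rules)


if __name__ == "__main__":
    rules, review = propose_rules(summarise(parse_flows(SAMPLE_FLOWS)))
    print("allow:", rules)
    print("review:", review)
    print("new web host -> db:", evaluate(rules, "10.1.10.25", "10.1.20.5", "tcp", 1433))
    print("workstation -> db:", evaluate(rules, "10.1.40.7", "10.1.20.5", "tcp", 1433))
```

The review list is the point: with the constructed data, the single SSH packet from the web tier to the database and the workstation poking at port 1433 are not silently allowed just because they were observed. They go back to the application owner as questions, which is where the thread says the real work (and the missing knowledge) sits.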

deanwebb

And then it gets to the cloud... there, continuous monitoring is needed to make sure APIs or passwords aren't publicly exposed or accessible.
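The "continuous monitoring" point above, as an added example that is not from the post: a small check that can be run on a schedule over resource descriptions and configuration text, flagging listeners open to the whole Internet on ports that are not meant to be public and hard-coded secrets in config files. The resource schema, the allowed-public-port set, the key-name patterns and all sample values are constructed for illustration and do not correspond to any particular cloud provider's API.

```python
"""Added example (not from the forum post): a scheduled-style check for
publicly exposed services and hard-coded credentials. The resource format and
sample data are constructed; nothing here is a real provider schema."""
import re

# Constructed inventory snapshot, as a monitoring job might receive it.
SAMPLE_RESOURCES = [
    {"name": "api-gw-fw", "type": "firewall",
     "rules": [{"cidr": "0.0.0.0/0", "port": 443}, {"cidr": "0.0.0.0/0", "port": 22}]},
    {"name": "reports-bucket", "type": "bucket", "public_read": True},
    {"name": "app-bucket", "type": "bucket", "public_read": False},
]

# Constructed config file contents; the values are obviously fake placeholders.
SAMPLE_CONFIG = """\
db_host=10.1.20.5
db_password=example-not-a-real-password
api_key=example-key-0000
session_token=${VAULT:session_token}
log_level=info
"""

# Ports that are expected to be reachable from anywhere (assumed policy).
ALLOWED_PUBLIC_PORTS = {80, 443}

# Key names that suggest a credential; a literal value next to one is a finding.
SECRET_KEY_RE = re.compile(
    r"^(?P<key>[A-Za-z0-9_]*(password|passwd|secret|api_key|token)[A-Za-z0-9_]*)\s*=\s*(?P<val>\S+)",
    re.IGNORECASE,
)


def check_resources(resources):
    """Return (resource name, reason) for world-open non-public ports and public buckets."""
    findings = []
    for r in resources:
        if r["type"] == "firewall":
            for rule in r["rules"]:
                if rule["cidr"] == "0.0.0.0/0" and rule["port"] not in ALLOWED_PUBLIC_PORTS:
                    findings.append((r["name"], "port %d open to the world" % rule["port"]))
        elif r["type"] == "bucket" and r.get("public_read"):
            findings.append((r["name"], "bucket is publicly readable"))
    return findings


def check_config(text):
    """Return (line number, key name) for credential-looking keys with literal values.

    Values written as ${...} are treated as references to a secret store, not
    as embedded secrets, so they are not reported."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY_RE.match(line)
        if m and not m.group("val").startswith("${"):
            findings.append((n, m.group("key")))
    return findings


if __name__ == "__main__":
    for name, reason in check_resources(SAMPLE_RESOURCES):
        print("EXPOSURE", name, reason)
    for lineno, key in check_config(SAMPLE_CONFIG):
        print("SECRET   line", lineno, key)
```

Running this once is an audit; running it on every change and on a timer is the continuous monitoring the post is talking about, since an exposure usually appears from a later edit rather than from the initial build.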