Introduction to Zero Trust Architecture Study Guide PDF
Document Details
Uploaded by CooperativeJacksonville
Nanyang Technological University
2022
Cloud Security Alliance
Tags
Summary
This study guide provides an introduction to Zero Trust Architecture (ZTA), covering its relevance, definitions, components, and benefits for strengthening organizational cybersecurity posture.
Full Transcript
The official location for the Zero Trust Working Group is https://cloudsecurityalliance.org/research/working-groups/zero-trust/ Disclaimer Cloud Security Alliance designed and created this Zero Trust Training course study guide (the “Work”) primarily as an educational resource for security and go...
The official location for the Zero Trust Working Group is https://cloudsecurityalliance.org/research/working-groups/zero-trust/ Disclaimer Cloud Security Alliance designed and created this Zero Trust Training course study guide (the “Work”) primarily as an educational resource for security and governance professionals. Cloud Security Alliance makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment. © 2022 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your computer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.org subject to the following: (a) the draft may be used solely for your personal, informational, non- commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance. © Copyright 2022, Cloud Security Alliance. All rights reserved. ii About Cloud Security Alliance The Cloud Security AllianceSM (CSA) (www.cloudsecurityalliance.org) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Cloud Security Alliance harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. Cloud Security Alliance activities, knowledge and extensive network benefit the entire community impacted by cloud—from providers and customers, to governments, entrepreneurs and the assurance industry— and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. CSA Address 709 Dupont St. Bellingham, WA 98225, USA Phone: +1.360.746.2689 Fax: +1.206.832.3513 Contact us: [email protected] Website: https://cloudsecurityalliance.org/ Zero Trust Training Page: https://knowledge.cloudsecurityalliance.org/page/zero-trust-training Zero Trust Advancement Center: https://cloudsecurityalliance.org/zt/ Provide Feedback: [email protected] CSA Circle Online Community: https://circle.cloudsecurityalliance.org/ Twitter: https://twitter.com/cloudsa LinkedIn: www.linkedin.com/company/cloud/security/alliance Facebook: www.facebook.com/csacloudfiles CSA CloudBytes Channel: http://www.csacloudbytes.com/ CSA Research Channel: https://www.brighttalk.com/channel/16947/ CSA Youtube Channel: https://csaurl.org/youtube CSA Blog: https://cloudsecurityalliance.org/blog/ © Copyright 2022, Cloud Security Alliance. All rights reserved. iii Acknowledgments Dedicated to Juanita Koilpillai, a pioneer in software-defined perimeters whose contributions to the Zero Trust Architecture Training and CSA are immeasurable. The Zero Trust Training was developed with the support of the Cloud Security Alliance Zero Trust Training (ZTT) Expert Group, whose members include volunteers from a wide variety of industries across the globe. Made up of subject matter experts with hands-on experience planning and implementing ZTT, both as cloud service consumers and providers, the ZTT Expert Group includes board members, the technical C-suite, as well as privacy, legal, internal audit, procurement, IT, security and development teams. From cumulative stakeholder input, the ZTT Expert Group established the value proposition, scope, learning objectives, and curriculum of the Zero Trust Training. To learn more about the Zero Trust Training and ways to get involved please visit: https:// cloudsecurityalliance.org/zt/ We would also like to thank our beta testers, who provided valuable feedback on the Zero Trust Training. Lead Developers: Abhishek R. Singh, Araali Networks, USA Agnidipta Sarkar, Group CISO, Biocon, India Daniele Catteddu, CTO, CISM, Cloud Security Alliance, Italy Heinrich Smit, CISSP, CISA, CRISC, Semperis, USA Juanita Koilpilla, CEO, Waverly Labs, USA Michael Roza, CPA, CISA, CIA, MBA, Exec MBA, CSA Research Fellow, Exec MBA, Belgium Michael J. Herndon, CCSP, CISSP, CRISC, CGEIT, CIPP/US, CIPT, AWS Certified Solution Architect, Bayer A.G., USA Michael Shurman, Ravtech, Israel, Inactive member Prasad T, OSCP, Senior Security Architect, Verse Innovation, India Richard Lee, CISSP, CCSP, WCP, Citizens Financial Group, USA Sam Aiello, CISSP CISA CCSK MSc MBA, Verizon Business, USA Vani Murthy, CISSP, CDPSE, CCSK, CRISC, PMP, ITIL, MBA, MS, Sr. Information Security Compliance advisor at Akamai Technologies, Cambridge, USA © Copyright 2022, Cloud Security Alliance. All rights reserved. iv Contributing Editors: Abbas Kudrati, C|CISO, Forrester ZTX Strategist, CISA, CISM, CSXP, CGEIT, Microsoft, Australia, Adil Abdelgawad, Security+, 3M, USA Anna Schorr, Training Program Manager, MBA, CCSK, Cloud Security Alliance, USA Anusha Vaidyanathan, USA Hannah Rock, Content Development Manager, Cloud Security Alliance, USA Jacob Kline, CISSP, The MITRE Corporation, USA James Lam, CISA, CISM, CRISC, CDPSE, TOGAF, M.S., Accenture Strategy & Consulting, USA Jenna Morrison, CCSK, USA Junaid Islam, USA Lauren Fishburn, USA Leon Yen, Technical Writer, Cloud Security Alliance, USA Naresh Kurada, P.Eng, MBA, CISSP, Deloitte, Canada Remo Hardeman, Security Architect, Cybersecurity Advisor, Omerta Information Security, Petro SA, Vrije University of Amsterdam VU, Netherlands Shruti Kulkarni, CISA, CRISC, CISSP, CCSK, ITIL v3 Expert, ISO27001 LA, 6point6, United Kingdom Stephen Smith, Graphic Designer, Cloud Security Alliance, USA Expert Reviewer: Alex Sharpe, CRISC, CDPSE, CMMC RP, Sharpe42, USA Asad Ali, Thales, USA Matthew Meersman, PhD, CISM, CISSP, CCSP, CDPSE, PMP, MITRE Corporation, USA Michael J. Herndon, CCSP, CISSP, CRISC, CGEIT, CIPP/US, CIPT, AWS Certified Solution Architect, Bayer A.G., USA Nishanth Singarapu, CISM, CCSK, ZCEA, Neustar, USA Rajesh Ingle, PhD, International Institute of Information Technology, Naya Raipur, India Ravi Adapa, India Robert D. Morris, CISSP, GDSA, GCIH, MITRE Corporation, USA Ron Martin, PhD, CPP, Capitol Technology University, USA Ryan Bergsma, CCSK, Cloud Security Alliance, USA Shamun Mahmud, Cloud Security Alliance, USA Shinesa Cambric, CISSP, CISA, CCSP, CISM, Microsoft, USA Srinivas Tatipamula, C-CISO, CISSP, CISA, AWS CSS/CSA, CDPSE, CISM, CGEIT, CRISC, ISO 27000LA, CCSK, ITIL-F, PMP, Fairfax, USA © Copyright 2022, Cloud Security Alliance. All rights reserved. v Table of Contents List of Figures ix Course Intro 1 Course Structure 1 Course Learning Objectives 1 1 Context of ZTA 2 1.1 History of ZT 2 2 Definitions, Concepts, & Components of ZT 4 2.1 Definition of the ZT Concept 4 2.2 Tenets 5 2.3 Design Principles 5 2.4 Pillars 6 2.5 Components & Elements 7 3 Objectives of ZT 10 3.1 Technical Objectives 11 3.1.1 Establishing a Protective Framework 11 3.1.2 Reduce Management Overhead 11 3.1.3 Reduce Attack Surface 12 3.1.4 Reduce Complexity 12 3.1.5 Enforces the Principle of Least Privilege 13 3.1.6 Improved Security Posture & Resilience 13 3.1.7 Improved Incident Containment & Management 13 3.2 Business Objectives 14 3.2.1 Risk Reduction 14 3.2.2 Compliance Management 15 3.2.3 Organizational Improvements 16 4 Benefits of ZT 16 4.1 Reduced Risk of Compromise 16 4.1.1 Reduced Attack Surface & Impact Radius 17 4.1.2 Reduced Ability to Move Laterally 17 4.1.3 Reduced Time to Detect & Contain Breaches 17 4.2 Increased Trustworthiness of Access 18 4.3 Increased Visibility & Analytics 19 4.4 Improved Compliance 20 4.5 Additional Benefits 21 © Copyright 2022, Cloud Security Alliance. All rights reserved. vi 5 Planning Considerations for ZTA 21 5.1 Organizational & Technical Planning 23 5.1.1 Understand Your Needs 23 5.1.2 Identify Key Stakeholders 23 5.1.3 Assemble a Team 24 5.1.4 Define Current State 24 5.1.5 Set Goals 25 5.1.6 Define the Use Cases 25 5.1.7 Develop Collaboration Plan 25 5.2 Risks of Project Implementation 26 6 Implementation Options of ZTA 29 6.1 NIST Approach to ZT 29 6.2 Software-Defined Perimeter 29 6.2.1 Description 30 6.2.2 Compliance with ZT Principles 31 6.2.3 Implementation Options 32 6.2.3.1 Service Initiated (Cloud-to-Cloud) 32 6.2.3.2 Collaboration Across Boundaries 33 6.2.4 Characteristics 33 6.3 Zero Trust Network Access 34 6.3.1 Description 34 6.3.2 Compliance with ZT Principles 35 6.3.3 Implementation Options 35 6.3.4 Advantages 35 6.3.5 Disadvantages 36 6.4 Google BeyondCorp 36 6.4.1 Description 36 6.4.2 Compliance with ZT Principles 37 6.4.3 Implementation Options 37 6.4.3.1 Service Initiated (Remote Application Access) 37 6.4.4 Advantages 37 6.4.5 Disadvantages 37 7 ZT Use Cases 38 7.1 Remote Access & VPN Replacement 38 7.1.1 Use Case Description 38 7.1.2 Security Risks 38 © Copyright 2022, Cloud Security Alliance. All rights reserved. vii 7.1.3 ZT Mitigation of Risks 39 7.1.3.1 User Experience Impact 40 7.2 Micro-Segmentation 40 7.2.1 Use Case Description 40 7.2.1.1 Types of Micro-Segmentation 41 7.2.2 Security Risks 41 7.2.3 ZT Mitigation of Risks 41 7.2.4 Limitations & Dependencies 41 7.3 Software as a Service & ZT 41 7.3.1 Use Case Description 42 7.3.2 Security Risks 42 7.3.3 ZT Mitigation of Risks 42 7.3.4 Limitations & Dependencies 42 7.4 Hybrid, Multi-Cloud, & ZT 43 7.4.1 Use Case Description 43 7.4.2 Security Risks 43 7.4.3 ZT Mitigation of Risks 44 7.4.4 Limitations & Dependencies 45 7.5 Operational Technology 45 7.5.1 Use Case Descriptions: CPS, IoT, IIoT, ICS 45 7.5.1.1 IoT & IIoT 46 7.5.1.2 Industrial Control Systems 46 7.5.2 Security Risks 48 7.5.3 ZT Mitigation of Risks 49 7.5.4 Limitations & Dependencies 50 7.6 5G 50 7.6.1 Use Case Description 51 7.6.2 Security Risks 51 7.6.3 ZT Mitigation of Risks 52 7.6.4 Limitations & Dependencies 52 Conclusion 52 Glossary 53 © Copyright 2022, Cloud Security Alliance. All rights reserved. viii List of Figures Figure 1: ZT History and Milestones 3 Figure 2: Key Logical Components of a ZTA 8 Figure 3: PDP and PEP Data Flows and Sources 9 Figure 4: ZT Concept Framework and Elements 10 Figure 5: CISA High-Level Zero Trust Maturity Model 22 Figure 6: ZTA Project Implementation Risks 26-28 Figure 7: SDP Pre-Vetting of Connections 30 Figure 8: Cloud-to-Cloud ZTA Service Initiation 33 Figure 9: Endpoint-Initiated ZTNA Communication Flow 34 Figure 10: Service-Initiated ZTNA Communication Flow 35 Figure 11: BeyondCorp Components and Access Flow 36 Figure 12: Traditional VPN Gateway 39 Figure 13: Protection of Services by ZTA Gateway 39 Figure 14: Micro-Segmentation 40 Figure 15: ZT Model for SaaS Management 43 Figure 16: ZTA Model for VPC and Private Cloud Deployments 44 Figure 17: Cyber-Physical System Types 46 Figure 18: IoT Entities and Communication Flows 47 Figure 19: IoT and IIoT Device Types 47 Figure 20: ICS Communication Flows 48 Figure 21: Fifth Generation 51 © Copyright 2022, Cloud Security Alliance. All rights reserved. ix Course Intro Welcome to Introduction to Zero Trust by Cloud Security Alliance. Please note that moving forward we will refer to Zero Trust Architecture as ZTA and to the Cloud Security Alliance as CSA. CSA is dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment across the globe. We hope you are as excited to learn about ZTA as we are about sharing this knowledge with you. This training module is part of a larger series of CSA programs on Zero Trust (ZT) that was created with the support of subject matter experts. If you are interested in volunteering with CSA to help our ongoing research efforts or are just interested in learning more about cloud security, please visit our website at cloudsecurityalliance.org. In this training, we will provide an introduction to ZTA and ZT. This includes a discussion regarding ZT’s relevance, followed by definitions, components, requirements, tenets, pillars, goals, objectives, and benefits of ZT. We’ll also cover planning considerations and implementation options for ZTA, as well as use cases demonstrating how different topologies can work together to enhance security in environments assumed to be hostile. Diagrams, explanations, and references are provided to facilitate the learning process. Course Structure This introductory course on ZTA consists of seven units, each geared towards helping learners gain competency in a specific area/topic: Context of ZTA Definitions, Concepts, & Components of ZT Objectives of ZT Benefits of ZT Planning Considerations for ZTA ZTA Implementation Examples ZT Use Cases Course Learning Objectives After completing this course, learners will be able to do the following: Understand the foundations of ZT and ZTAs Explain ZTA’s objectives and benefits Discuss possible planning considerations before implementing a ZTA Distinguish between the different ZTA implementation options Describe ZT use cases and applications © Copyright 2022, Cloud Security Alliance. All rights reserved. 1 1 Context of ZTA In this unit, you will learn how the various factors of the evolving technology landscape led to the emergence of ZTA, as well as explore ZT’s roots and early approaches in both government and enterprise. Organizations today are in a cycle of adopting new technologies by leveraging cloud services, either through platforms or by utilizing elastic computing. This means that while transformations are increasingly popular and technology adoption is the strategy for these organizations, their networks and security measures are equally under pressure to keep up with the changing environment and associated new risks. Changes in the technology landscape, such as cloud computing, edge computing, and IoT, and the evolution of social behavior, such as increased requests for mobility, have led to organizations increasingly adopting distributed environments. Cloud computing, in all its combinations of delivery and deployments models is becoming the leading source of IT services1. The result is an increase in complexity for networks and service architectures, due to the need for integrating on-premises IT services with public cloud services, sensors, and actuators. In addition, the need to connect remote offices, remote workers, contractors, smart objects, and others has reinforced the requirement for more flexible, scalable, and secure network capabilities. Similarly, data often resides in virtual environments outside the organization’s premises and its physical control. However, the organization is still responsible and accountable for the data. From a data protection standpoint, traditional security architectures that focus on securing the physical network perimeter are increasingly ineffective in preventing cyber attacks. This is where ZTA comes into play. ZTA is a model that creates virtual enclaves and grants access to resources inside of that enclave. Every transaction is vetted using the ZT concept of “never trust, always verify”. In essence, ZT enables the designing of architectures from the inside out versus outside in. 1.1 History of ZT ZT was first coined by John Kindervag around 2010 while working as a principal analyst at Forrester2. However, this concept was being researched much earlier by the Jericho Forum at the Open Group, and previously by the U.S Defense Information Systems Agency (DISA) and Department of Defense (DOD), with the Black Core project3. Kindervag, known as the grandfather of ZT, emphasized that all network traffic is untrusted. His position was that all requests to access data or resources should be verified at each step, with this being termed ‘trust but always verify’. 1 Cloud Security Alliance, “Security Guidance for Critical Areas of Focus in Cloud Computing v4.0,” 26th, July 2017, https://cloudsecurityalliance.org/artifacts/security-guidance-v4/ 2 John Kindervag, “Build Security Into Your Network’s DNA: The Zero Trust Network Architecture,” 5th, November 2010, https://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf 3 In the CSA’s literature on SDP, terms such as “black cloud” or “network darkening” have been discontinued in favor of more neutral terminology. © Copyright 2022, Cloud Security Alliance. All rights reserved. 2 The earliest concept of ZT was based on a data-centric network design and leveraged micro- segmentation which mandated more granular rules and policies to ultimately limit lateral movement of attackers. As the concept of ZT continued to evolve, it took a more identity-centric approach. This trend accelerated with the adoption of mobility and cloud. In 2013, Cloud Security Alliance’s (CSA) Software-Defined Perimeter (SDP) concept was initiated. SDP was designed to create an invisible perimeter through a security architecture that requires positive identification of network connections from a single packet inspection prior to accessing resources. In 2014, Google implemented ZT for its employees, which motivated it to publish the BeyondCorp model. The approach revolved around the idea that the perimeter had expanded, hence traditional perimeter security and a protected intranet were no longer sufficient to protect against cyber threats. Google’s BeyondCorp model shifted the access controls and policies from the perimeter to individual devices and users. It addressed the need to replace the traditional VPN while still allowing users to work securely from any untrusted network with a superior security posture. Since its inception, the concept of ZT has extended the original security model beyond traditional infrastructure, databases, and network devices to include IoT, cloud environments, big data projects, DevOps environments, containers, and microservices. In 2018, Chase Cunningham and his team at Forrester published the Zero Trust eXtended (ZTX) Ecosystem report, which extends the original ZT model beyond its network focus to encompass today’s ever-expanding attack surface. In August 2020, NIST announced the final publication of Special Publication (SP) 800-207, Zero Trust Architecture, which discusses the core logical components that make up a ZTA4. Clearly, ZT is gaining widespread adoption, even as it continues to evolve as a security model. Figure 1: ZT History and Milestones 4 NIST, “SP 800-207 Zero Trust Architecture,” August 2020, https://csrc.nist.gov/publications/detail/ sp/800-207/final © Copyright 2022, Cloud Security Alliance. All rights reserved. 3 2 Definitions, Concepts, & Components of ZT In this unit, you will learn the definitions for key ZT terminology, as well as the concept’s main tenets, design principles, pillars, and components and elements. 2.1 Definition5 of the ZT Concept ZT is a set of principles and practices designed for reducing cyber risk in today’s dynamic IT environments. As a security model, ZT requires strict authentication and verification for each person, device, or service trying to access an IT resource, regardless of whether it is inside or outside the physical network perimeter. Since ZT emphasizes the protection of IT assets rather than network segments, the assessment of a given resource’s security posture is not based on its location, but rather on what authentication and authorization controls are in place, and by leveraging risk-based analytics for access verification. A key aspect of ZT networks is that authentication and explicit authorization must occur prior to network access being granted (e.g., the communication between a requesting entity and the target resource). Encrypting communications between two endpoints will no longer suffice; security practitioners must also ensure that access controls are implemented and each individual flow is confirmed as an authorized connection. ZT lays out a blueprint for combating both internal and external threat agents trying to access protected assets. Research has shown that 90% of attacks start with a breach via a phishing email6. This exploit leads to the creation or compromise of an administrative account, followed by the lateral movement of malware inside the network, finally leading to the exfiltration of enterprise data. In the context of this training and study guide, CSA defines the ZT concept as a cybersecurity approach that requires the following: Making no assumptions about an entity’s trustworthiness when it requests access to a resource Starting with no pre-established entitlements, then relying on a construct that adds entitlements, as needed Verifying all users, devices, workloads, network and data access, regardless of where, who, or to what resource, with the assumption that breaches are impending or have already occurred Recent trends in enterprise security point to an increasing number of remote users and assets that are based in the cloud versus inside the traditional corporate network7. To meet the security 5 Note: CSA’s working definition of ZT and ZTA is based on existing market definitions of ZT (e.g., as defined by Forrester, NIST, etc.). Throughout this study guide, CSA also incorporates material from normative reference documents developed by the ISO/IEC and IEEE. 6 CISO, “Cybersecurity Threat Trends,” 2021, https://umbrella.cisco.com/info/2021-cyber-security- threat-trends-phishing-crypto-top-the-list 7 NIST, “SP 800-207 Zero Trust Architecture,” August 2020, https://csrc.nist.gov/publications/detail/ © Copyright 2022, Cloud Security Alliance. All rights reserved. 4 challenges brought on by this shift, hardware manufacturers and software vendors are rapidly adopting the ZT model and validating that their products are fit for a ZT implementation. 2.2 Tenets A tenet is defined as a principle generally held to be true. According to the USA DOD, ZT has five major tenets8. 1. Assume a hostile environment: Malicious actors reside both inside and outside the network. All users, devices, and networks/environments should be untrusted, by default. 2. Assume breach: Most large enterprises experience a barrage of attempted cybersecurity attacks against their networks every day and many have already been compromised. Create, manage, and defend resources with vigilance, assuming that an adversary already has a foothold in your environment. Access and authorization decisions should be scrutinized more closely to improve response outcomes. 3. Never trust, always verify: Deny access by default. Every device, user, application/workload, and data flow should be authenticated and explicitly authorized using least privilege, multiple attributes, and dynamic cybersecurity policies. 4. Scrutinize explicitly: All resources should be consistently accessed in a secure manner using multiple attributes— both dynamic and static— to derive confidence levels for determining contextual access to resources. Access is conditional and can change based on the action and resulting confidence levels. 5. Apply unified analytics: Apply unified analytics and behavioristics to data, applications, assets, and services (DAAS), and log each transaction. 2.3 Design Principles Several design principles can be used to guide the creation of a ZTA9. These design principles include the following: Denying access until the requestor has been thoroughly authenticated and authorized withholding access until a user, device, or even an individual packet has been thoroughly inspected, authenticated, and authorized. The access to resources is temporary and reverification is required. The timespan of the access is defined by policies Allowing access to the network changes with ZT; requesters (users, machines, processes) aren’t allowed access to anything until they authenticate who they are Allowing access to resources only after the requesting entity has been authorized Enforcing least privilege, specifically, granting the least amount of access required Requiring continuous monitoring of existing security controls’ implementation and effectiveness (e.g., controls over access or user behavior) sp/800-207/final 8 DOD, “Department of Defense (DOD) Zero Trust Reference Architecture,” February 2021, https:// dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf 9 ISO/IEC/IEEE 42010: 2011 defines “architecture” as: “The fundamental concepts or properties of a system in its environment embodied in its elements, relationships, and in the principles of its design and evolution.” © Copyright 2022, Cloud Security Alliance. All rights reserved. 5 2.4 Pillars The ZT concept is a work-in-progress with boundaries and definitions that continue to evolve, especially in terms of scope of applicability and use cases. Even so, the industry has reached a certain level of consensus regarding what the fundamental pillars of a ZTA are. CSA emphasizes these seven pillars of the DOD ZTA10. 1. Users/identities: Securing, limiting, and enforcing access for person, non-person, and federated entities’ to DAAS, encompasses the use of identity, credential, and access management capabilities, such as multi-factor authentication (MFA) and continuous multi- factor authentication (CMFA). Organizations need the ability to continuously authenticate, authorize, and monitor activity patterns to govern users’ access and privileges while protecting and securing all interactions. Role-based access control (RBAC) and attribute- based access control (ABAC) will apply to policies within this pillar in order to authorize users to access applications and data. 2. Device/endpoints: The ability to identify, authenticate, authorize, inventory, isolate, secure, remediate, and control all devices is essential in a ZT approach. Real-time attestation and patching of devices in an enterprise are critical functions. Some solutions, such as mobile device managers or comply-to-connect (C2C) programs, provide data that can be useful for device confidence assessments. Other assessments (e.g., examinations of compromise state, anomaly detection, software versions, protection status, encryption enablement, etc.) should be conducted for every access request. 3. Network/environment: When taking a ZT approach, organizations should logically and physically segment, isolate, and control the on-premise and off-premises network/ environment with granular access and policy restrictions. As the perimeter becomes more granular through macro-segmentation, it enables micro-segmentation to provide greater protections and controls over DAAS. It is critical to (a) control privileged access, (b) manage internal and external data flows, and (c) prevent lateral movement. 4. Applications and workload: These should include tasks on systems or services on-premises, as well as applications or services running in a cloud environment. ZT workloads should span the complete application stack from application layer to hypervisor. Securing and properly managing the application layer as well as compute containers and virtual machines should be central to the ZT adoption. Application delivery methods like proxy technologies enable additional protections and therefore should also be an important part of ZT decision and enforcement points. Source code developed in-house and common libraries should be vetted through DevSecOps development practices to secure applications from inception. 5. Data: ZT protects critical data, assets, applications, and services. A clear understanding of an organization’s DAAS is critical for the successful implementation of ZTA. Organizations should categorize their DAAS in terms of mission criticality and use this information to develop a comprehensive data management strategy, as part of their overall ZT approach. This can be achieved through the categorization of data, developing schemas, and encrypting data at rest and in transit. Solutions such as DRM, DLP, software-defined storage and granular data-tagging are crucial for protecting critical data. DOD, “Department of Defense (DOD) Zero Trust Reference Architecture,” February 2021, https:// 10 dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf © Copyright 2022, Cloud Security Alliance. All rights reserved. 6 6. Visibility and analytics: Vital, contextual details should be included to provide a greater understanding of performance, behavior, and activity baselines across the various ZT pillars. This visibility improves the detection of anomalous behavior and provides the ability to make dynamic changes to security policies and real-time contextual access decisions. Additionally, other monitoring data from sensors, in addition to telemetry, are used to provide situational awareness in the environment. This will aid in the triggering of alerts used for response. A ZT enterprise will capture and inspect traffic, looking beyond network telemetry and into the packets themselves to observe threats and bolster defences more appropriately. 7. Automation and orchestration: ZT includes automating manual security processes to take policy-based actions across the enterprise with speed and at scale. Security orchestration, automation, and response (SOAR) improves security and decreases incident response times by automating responses to threats. Security orchestration integrates security information and event management (SIEM) with other automated security tools in the management of disparate security systems. In order to provide proactive command and control, automated security responses require defined processes and consistent security policy enforcement across all environments in a ZT enterprise. 2.5 Components & Elements At a high level, ZTA requires three core components before any logic can be applied to allow a decision to be made for access: 1. Communication: A request for an entity to access a resource, and the resulting access or session 2. Identity: The identity of the entity (e.g., user or device) requesting access to the resources 3. Resources: Any assets within the target environment In addition to these three core components, ZT is also composed of two other fundamental elements: 1. Policy: The governance rules that define the who, what, when, how, why of access to the target resource access 2. Data sources: The contextual information providers can use to keep policies dynamically updated The applicability of all of these components and elements will depend on your use cases and deployment models. © Copyright 2022, Cloud Security Alliance. All rights reserved. 7 Figure 2: Key Logical Components of a ZTA11 In the publication, SP 800-207, NIST has provided a simple representation of the key logical components of a ZTA (see diagram above). In the NIST ZT workflow the policies are defined, managed, and enforced via the following two mechanisms: Policy decision point (PDP) Policy enforcement point (PEP) Together, the PDP and PEP regulate access to resources by being placed in the access workflow of traffic. The PDP is composed of a policy administrator and policy engine (PE). The PDP determines the rules and communicates them to the PEP. The PEP acts as a gateway to ensure that access to an approved resource has been granted to the correct entity, with the correct access levels. NIST defines the following12: PDP as the control plane: the component of the logical architecture that has the responsibility to collect, analyze, and transform the data first into intelligence and then into rules to govern the access to resources. PEP as the data plane: the component that, based on input passed by the control plane, has the responsibility to enforce the rules and provide access to the resources (i.e., data). Data sources serve the purpose of feeding data into the PDP, with the goal of maintaining the rules and keeping the overall decision-making process updated. Various sources of intelligence feed into the policy engine and support the policy administrator in defining and/or refining the access rules. 11 Figure adapted from NIST, “SP 800-207 Zero Trust Architecture,” August 2020, https://csrc.nist. gov/publications/detail/sp/800-207/final 12 NIST, “SP 800-207 Zero Trust Architecture,” August 2020, https://nvlpubs.nist.gov/nistpubs/ SpecialPublications/NIST.SP.800-207.pdf © Copyright 2022, Cloud Security Alliance. All rights reserved. 8 The following is a list of the possible information sources for the policy engine: Intrusion detection system (IDS)/Intrusion detection and prevention system (IDPS) Network devices (e.g., firewalls, proxies, gateways, routers, etc.) Threat intelligence feeds (e.g., third party databases of threats, vulnerabilities, weaknesses, and exploits) Information sharing systems Denylists and blocklists Identity providers and access management systems (e.g., Active Directory [AD] or cloud access security brokers [CASBs]) Legal and regulatory compliance requirements Asset/device management and discovery systems Public key infrastructure (e.g., certificate revocation lists) The figure below provides an alternative representation of the data flows and data sources that feed into the PDPs and PEPs. Figure 3: PDP and PEP Data Flows and Sources13 Security incident and event monitoring databases can be a collection point for any/all of the above sources. Together, these components have telemetry information relating to all the core components of ZTA. This gives enterprises more context to make better informed policy decisions. Due to the greatly increased number of PEPs, manual management of the access model can be challenging and is not recommended. Instead, automation represents another important characteristic of a ZT environment, as it supports both granular and global control. 13 Figure adapted from Cloud Security Alliance, “SDP Architecture Guide v2,” 7th, May 2019, https:// cloudsecurityalliance.org/artifacts/sdp-architecture-guide-v2/ © Copyright 2022, Cloud Security Alliance. All rights reserved. 9 3 Objectives of ZT In this unit, you will learn how ZT addresses the main technical and business objectives related to reducing cyber risk in an organization. As with most security architectures, the primary objective of ZTA is to address security risks inherent in the assumption of trust, and the lack of proper access controls. Typical approaches to addressing these risks include reducing the attack surface and/or improving the effectiveness of security controls. The motivation behind ZTA is to provide a holistic and consistent security approach for protecting an enterprise against malicious actors both internal and external — threats that exploit inherent or newly-created gaps in conventional protection methods and defense-in-depth controls. The key differentiator in ZTA is the ephemeral nature of any trust between data/computing resources and the principals requesting access. This differentiator, combined with capabilities like dynamic policy enforcement and decisioning, bolster an environment’s security posture, from the cloud to on premises. This is true for both internal and external attacks that exploit and compromise exposed access mechanisms maliciously. A ZT approach fulfills both technical and business objectives. Technically, it establishes a framework for protecting resources, simplifies the user experience, reduces the organization’s attack surface size and complexity, enforces least privilege, improves control and resilience, and localizes the impact radius of a security failure. From a business perspective, ZT aims to reduce risk, improve governance and regulatory compliance, and align the organization’s culture with the risk appetite of its leadership. Figure 4: ZT Concept Framework and Elements14 Figure adapted from ACT-IAC, “Zero Trust Cybersecurity Current Trends,”, 18th, April 2019, https:// 14 www.actiac.org/system/files/ACT-IAC%20Zero%20Trust%20Project%20Report%2004182019.pdf © Copyright 2022, Cloud Security Alliance. All rights reserved. 10 3.1 Technical Objectives The following technical objectives serve as critical milestones for organizations looking to adopt ZTA. These objectives include activities and efforts related to the implementation of specific technologies and supporting security frameworks. 3.1.1 Establishing a Protective Framework The protective framework established by ZT represents a novel approach to cybersecurity. As mentioned previously, ZT’s core premise is that an organization should not inherently trust any entity that comes from within or beyond its boundaries. This new protective framework enables a shift of focus to more business oriented goals, with systems designed around the value of the data and their specific protection needs. Many procedures and strategies that were once considered strong security measures are no longer fully effective; as a result, aged cybersecurity techniques and technology will increasingly yield limited results and inadequate protection. It is no longer practical to use approaches and frameworks based on physical objects and systems, nor is it effective to rely on signature-based threat detection. The increasing frequency and scale of attacks, combined with today’s hyper connected world, virtualized environments, and software- based organizations, requires businesses to reconsider everything from network configurations to detection and prevention approaches. 3.1.2 Reduce Management Overhead ZTA reduces management overhead by applying a consistent access model throughout the environment for all assets, from network devices to virtual servers and applications. Every request for access, whether explicit or implicit, is met with the same interrogation: Who are you? Do you need this access now? Okay, you get this access to this resource for this period. © Copyright 2022, Cloud Security Alliance. All rights reserved. 11 To support this uniformity, ZTA models are absent of the following: Complicated diagrams of nested groups using legacy access control lists (ACL) with allow and deny parameters producing unexpected results Layers of groups managed by potentially irrelevant decision-makers Stale and orphaned groups whose owners have long since moved on Authorization mechanisms based on antiquated models/labels (e.g., local vs. global) Delays in provisioning, deprovisioning, or access revocation, since every request is handled consistently, just-in-time by the PDPs 3.1.3 Reduce Attack Surface In a traditional security architecture, access decisions made at the network perimeter either allow or deny access. Denied traffic is dropped outside of the perimeter, while allowed traffic enters the perceived secure environment and travels unencrypted, as it is rare for organizations to encrypt internal traffic. Once inside, an attacker may run port scans, find vulnerabilities, launch denial-of- service attacks, steal additional credentials, eavesdrop on privileged network traffic, and move laterally unobstructed with relative ease. In contrast, with the ZT model the same attacker is no better off than if they had not penetrated the system’s external defenses, because each internal resource makes a decision as to whether or not to grant access at any given moment. The organization’s attack surface effectively contracts from every resource to only improperly secured resources. 3.1.4 Reduce Complexity An organization’s ever-expanding digital footprint makes for an increasingly complex IT environment, especially with some access decisions being made far in advance of being requested/used or even necessary. Access levels often remain, even as the party granting the access has long since moved on, leaving behind orphaned objects with unmanaged permissions. Such complexity represents one of the biggest security challenges for an organization, as it further reduces visibility, complicates configurations, creates weaknesses and vulnerabilities, and generally makes it easier for malicious actors to gain a foothold in the network. Additionally, the adoption of newer IT paradigms like hybrid cloud implementations, multi-cloud architectures, and edge computing also further complicates the access control policy management. ZT reduces this complexity by assuming that all parties requesting application access are malicious and should therefore be untrusted. Instead of trying to police all the borders and paths across the network, security professionals need only create islands of applications and data to protect in a more focused manner. This is because ZT strategies require far more attributes than standard security mechanisms. As organizations strive for agility by simplifying networks and consolidating data centers, ZT provides a robust security mechanism to reduce security architecture complexity by creating perimeters around applications and identity. This also reduces the number of access points into an enterprise’s IT environment, resulting in tighter control over each identity’s level of access and privileges, including third parties like vendors and suppliers. © Copyright 2022, Cloud Security Alliance. All rights reserved. 12 3.1.5 Enforces the Principle of Least Privilege ZT enforces the principle of least privilege, which dictates that users and programs should only have the necessary privileges to complete their tasks. Per ZT, users get access to exactly what they need to conduct their business, when they need it. ZT also includes the use of micro-segmentation, or the creation of zones in an IT environment to isolate workloads for better security. This enables users to connect to the right application and use only the services they require. This simplified access provisioning makes it easier to manage security operations and governance teams in a continuously evolving security landscape. ZT also includes the use of purpose based dedicated identities also known as identity personas. Identity persona is created for a group of resources that address a common functionality, which helps in limiting the attack surface created by the compromise of an identity. 3.1.6 Improved Security Posture & Resilience The objective of ZT is to enhance and bolster the resilience and the security posture of an enterprise’s IT infrastructure. From outside of the organization, ZTA ensures that malicious actors have reduced visibility into the enterprise’s IT infrastructure and individual assets, thereby reducing the potential attack vectors at their disposal. From within the organization, ZTA restricts lateral movement to minimize the risk of cross-site attacks and damage inflicted by insider threats. Because external users are contained and controlled within a small area of the network, any resulting security issues can be quickly contained and addressed. ZT limits the impact radius of security incidents and enables the swift return of systems to their earlier state. The reduced attack surface ensures that any source scanning and mapping activities initiated by internal or external actors are not successful unless they are authorized within the ZT implementation. The two-layer architecture consisting of a separated control plane and data plan helps ensure that access is granted to the organization’s network only after the users and their devices have been properly authenticated and authorized. 3.1.7 Improved Incident Containment & Management A primary goal of ZTA is to make the incident management process more effective and efficient; to this end, several of ZTA’s core design principles like “never trust, always verify” and the presumption of an ongoing breach require continuous behavioral monitoring of all system entities. Micro-segmentation and the requirement for continuous network access authorization reduces the impact radius of potential breaches, as it restricts a cyber attacker’s ability to move laterally. When a breach does occur, damage is limited to a confined area and containment/eradication and remediation efforts can be carried out with respect to the incident’s scope. The continuous monitoring capabilities included in ZTA allow for more effective identification of anomalies and incidents. The incident-related data is also used to update the PDP, allowing for dynamic policy definition/enforcement critical to limiting the impact across the organization’s network. © Copyright 2022, Cloud Security Alliance. All rights reserved. 13 3.2 Business Objectives The following key business objectives can serve as critical milestones for organizations looking to align ZT adoption efforts with ongoing, high-level operational needs. These include the overall reduction of both compliance and cyber risk, as well as the fostering of a ZT-based organizational culture. 3.2.1 Risk Reduction A primary business goal of ZTA is the reduction of cyber risk. This is especially critical for organizations dealing with complexity brought on by the proliferation of distributed, open computing infrastructures and the enterprise’s migration to the public cloud. The risk reduction objective relates to some of the technical goals and objectives mentioned in the previous section, such as reducing the attack surface and achieving/maintaining an improved and resilient security posture. Chiefly, ZTA aims to reduce the risk of the following: Improper privilege escalation via lateral movement Access beyond the need to know requirements Access beyond the required time frame Access by unsecure devices Access via unsecured methods such as unencrypted channels or channels using invalid certificates Compromises using methods like brute force, distributed denial-of-service (DDoS), or man in the middle (MITM) attacks Unauthorized lateral movement Additionally, ZT supports the adoption of MFA to protect logins against common brute-force attacks, dictionary attacks, or stolen credentials attacks. In alignment with the ZT model, users and devices are validated before gaining access to protected resources and mutual authentication occurs between the server and client when the connection is being established. © Copyright 2022, Cloud Security Alliance. All rights reserved. 14 Implemented in all ZTA variants, the principle of least privilege is effective in mitigating the most sophisticated and difficult to detect internal attacks. ZT’s level of granularity prevents users from accessing unauthorized resources, as controls and policies are applied separately to every protected resource, for every access request. In addition, all communications between clients and servers flow through mutually authenticated encrypted tunnels, creating extended micro-segmentation systems in lock step. ZT also includes continuous monitoring as a critical requirement for cyber risk reduction. To maintain a strong security posture, enterprises should continuously monitor all resource access activity and investigate potential signs of compromise. Since ZTA is policy-based, the risk of unauthorized access by compromised accounts can be mitigated, since policies can be conditioned on user and device security posture. Above all, the ZT model reduces the total risk of running a connected enterprise by using one unified framework, typically provided by a limited number of vendors. This allows an enterprise to mitigate all the major threats that previously required multiple solutions, each with its own drawbacks and security flaws. 3.2.2 Compliance Management A primary objective of ZT is to help organizations achieve and maintain an optimal compliance posture, reducing both the financial and technical impact of compliance, internal and external. This is mainly achieved through two key ZT features: (1) discovery and (2) mapping out of all networked assets and related access controls. ZT requires that assets are automatically discovered and validated for alignment with the latest compliance requirements since assets and data can only be protected if their presence is known. ZT helps segregate resources based on the relevant legal, regulatory, and contractual compliance requirements. A proper implementation of ZT verifies authentication and authorization each time traffic moves laterally or inside/outside the network. This approach prevents unauthorized access before data can be accessed, compromised, encrypted for ransom, or exfiltrated. Additionally, it creates an audit trail for satisfying regulatory requirements regarding record keeping and auditing. The benefits of ZT are instrumental to an organization’s efforts in maintaining regulatory compliance. Privacy-related regulations such as General Data Protection Regulation (GDPR)15 and the California Consumer Privacy Act (CCPA) define stringent requirements for processing and storing personally identifiable information (PII). Organizations must build an accountability framework for maintaining control and visibility over PII: how it is collected, processed, stored, where it resides, for what purpose, how, and by whom; with these components in place, organizations can implement the proper security controls for protecting PII from internal and external threats. ZT enables organizations to better align with standard security practices integrated into existing regulatory requirements’ internal controls. 15 See for instance GDPR Article 30, “Records of processing activities” © Copyright 2022, Cloud Security Alliance. All rights reserved. 15 3.2.3 Organizational Improvements The ZT model’s “never trust, always verify” approach results in significant changes to the organization’s mindset regarding how resources are accessed, as it requires enterprises to adopt a coordinated, structured approach to cybersecurity. Organizations must shift to a culture based on processes and procedures that support continuous verification — only then can each entity within the company’s IT environment be trusted at any given moment in time. 4 Benefits of ZT In this unit, you will discover the range of benefits that ZT adds to an organization’s security efforts, from reducing the risk of compromise to increased visibility and improved compliance. ZT provides a myriad of benefits for strengthening the cybersecurity posture of an organization, both on-premises and in the cloud. These include, but are not limited to: Collectively, ZT’s benefits enable organizations to bolster their defenses against internal and external threats, reduce cyber risk and improve adherence to compliance frameworks. 4.1 Reduced Risk of Compromise One of the main benefits of ZT is that it reduces risk of compromise, primarily through the following: Reducing the attack surface and limiting the radius of impact Reducing an attacker’s ability to move laterally Reducing the time to detect and contain breaches © Copyright 2022, Cloud Security Alliance. All rights reserved. 16 4.1.1 Reduced Attack Surface & Impact Radius The principle of least privilege and “never trust, always verify” are at the very core of ZT. Resources are accessed based on the attributes of the entity or user, security hygiene of the device, context of the request, and relative risk to the environment. This reduces the risk of unauthorized access and escalation of privileges. In addition, ZTA implementations leverage the concept of resource hiding, where resources are only visible to authenticated, authorized users. This concept is described in various ways depending on the ZTA implementation technique. As described in NIST SP 800-20716, a user sends a request from the system (e.g., a laptop) to the PEP to access a resource. The PEP forwards the request to the PDP for authorization, which in turn checks if the user has been authenticated and authorized by policy. The PDP then sends its response to the PEP. This variation of the agent or gateway deployment model implies the use of vetted, compartmentalized applications or processes (e.g., virtual machines, containers, or some other implementation); regardless of what technology is being used, the goal is the same: to protect the application or application instances from potentially compromised hosts or other applications sharing the same server resources. According to this model, the server only runs approved, vetted applications in a sandbox; these applications can communicate with the PEP to request access to resources, but the PEP will refuse requests from other applications running on the server. In this model, the PEP could be an enterprise service running locally or a cloud service. 4.1.2 Reduced Ability to Move Laterally ZT calls for the implementation of micro-segmentation to restrict lateral movement inside an enterprise IT environment, thereby reducing the attack surface and potential impact radius. Each access attempt to any resource—internal as well as external—is authenticated and authorized before access is granted, regardless of the requester’s origin. 4.1.3 Reduced Time to Detect & Contain Breaches ZTA’s centralized authentication and policy enforcement enables improved visibility into all access attempts across multiple cloud providers and on-premises IT infrastructures. This visibility, in conjunction with dynamic access policies, enables organizations to detect malicious access attempts in real-time and mitigate attacks before they cause damage. By adopting ZTA, organizations increase their level of continuous verification and capability in detecting threats like phishing attempts, privilege elevation for accessing applications and services, and/or the use of stolen credentials. Early detection of these threats can often stop attackers from launching a successful intrusion attempt. NIST, “SP 800-207 Zero Trust Architecture,” August 2020, https://csrc.nist.gov/publications/detail/ 16 sp/800-207/final © Copyright 2022, Cloud Security Alliance. All rights reserved. 17 4.2 Increased Trustworthiness of Access ZTA increases the trustworthiness of data by distrusting anyone inside or outside the organization’s perimeter. ZTA considers consolidated identity access management (IAM) and policy solutions capable of managing access across the organization’s entire environment, providing a single source of truth for identity, and supporting single sign-on (SSO) as a fundamental capability. User authentication is centralized with authentication being strong, dynamic, and strictly enforced before access is allowed. This is supported by MFA, session timeouts, re-authentication requests, and validation. These steps are equally applied to any layer in the stack. Granular access and permissions are configured based on roles, context, or attributes as applicable. Access to resources is based on the principles of least privilege and need to know. Access to any data is protected cryptographically based on its sensitivity — whether it is at rest, in motion, or being processed. In summary, from the perspective of access to the resources, some of the benefits of a ZTA are: Granular access and permissions, and ability to grant access based on context Authentication of device and user before granting access to network and resources Enforcement of the least privilege rule Strong authentication, including MFA Centralized access control Continuous validation of identity, authentication, and authorization to resources Improved data protection Additionally, some ZTA methods incorporate single packet authorization (SPA), which also helps increase the trustworthiness of access. SPA uses a next generation passive authentication technology that features no open ports and service listeners; instead, a specialized encrypted packet is used in the following procedure: The first SPA packet sent by the client is rejected A second service identifies the SPA packet in the IP stack and attempts to authenticate it If successful, the server creates an explicit policy to expose the service to the requesting endpoint For example, the server may open a port in the firewall (e.g., iptables on Linux systems) for the client to establish a secure, encrypted connection with the service in question. The PEP provides the support to enforce the IAM policy of least privilege for the user identity requesting access by communicating with the PDP, preferably executing MFA—only then is a mutual transport layer security (mTLS) session is created for data transfer. Then an mTLS session is created for data transfer. The device is actively validated in context during this process. Frequent and periodic validation can be part of the IAM policy, which can be enforced either manually or by automation. Another example of how ZTA increases the trustworthiness of access is described in NIST SP 800- 207. The enhanced identity governance approach establishes enterprise resource access policies based on identity and assigned attributes. The main requirement for access is a given entity’s access privileges (or lack thereof); in addition, the device used, asset status, and environmental factors also © Copyright 2022, Cloud Security Alliance. All rights reserved. 18 come into play, as they will affect the ultimate level of access granted to the subject, regardless of its identity privileges. The user authenticates to the device (e.g., with a username and password), which in turn authenticates to the network. The user authenticates to the network (e.g., using directory services) and their access request to the resource in question is sent to the gateway or portal. The request is forwarded to the policy administrator/policy engine. After authenticating with the identity provider, the result/decision is returned—if approved, access to the resource is granted to the user. Consider the example of an IEEE 802.1x implementation using network access control (NAC) coupled with Lightweight Directory Access Protocol (LDAP): all corporate laptops have agents installed, and users authenticate to the laptop, which in turn authenticates to the network via IEEE 802.1x. User requests to access resources are vetted by NAC, LDAP, and potentially other access management applications. The request is authorized if the user is verified as part of the appropriate group. 4.3 Increased Visibility & Analytics ZTA requires logging, monitoring, and alerting capabilities for increased visibility into users’ activity: what actions they took, and when they took these actions. Attempts to access privileged resources as well as administrative or root account activity should always be logged, monitored, and reported. Anomaly detection should also be in place for detecting suspicious patterns in both inbound and outbound traffic. Varying degrees of automation can be developed for these capabilities, as well as automated workflows for faster, more streamlined response and remediation. For example, alert notifications can be created when certain conditions are met, followed by automatic task assignment to the appropriate parties for further action. To summarize, ZTA’s visibility and analytics-related improvements include the following: Granular logging and monitoring for greater visibility across the enterprise Monitoring analytics over user entities behavior, leading to user entity behavior analytics Network isolation and micro-segmentation for improving the ability to quickly detect and resolve errors Continuous monitoring across all attack surfaces, making it easier to detect data breaches and enforce appropriate responses Minimization of data exfiltration Continuous device posture assessment The specific visibility and analytics benefits will vary depending on the ZTA implementation. In the case of CSA’s SDP, IAM policies are enforced when access requests are made to a device or host. Granular records of both successful and failed attempts of all components in the path provides increased visibility and the foundation for analytics. Device posture is evaluated during setup of the mTLS sessions. As logs become more granular and descriptive and user entity behavior analytics evolve, security analytics also become more detailed, making it easier to detect breaches or anomalous behavior. This also enables automation of appropriate responses. © Copyright 2022, Cloud Security Alliance. All rights reserved. 19 Whereas, NIST SP 800-207 specifies that requirement (3) of ZTA is that it enables “the enterprise to observe all network traffic. The enterprise records packets (i.e., OSI layer 3) seen on the data plane, even if it is not able to perform application layer inspection (i.e., OSI layer 7) on all packets. The enterprise filters out metadata about the connection (e.g., destination, time, device identity) to dynamically update policies and inform the PE as it evaluates access requests.” The DOD ZT Reference Architecture outlines a model for logging, analytics, and automation. 1. Historical user behavioral data and current user actions are sent to the analytics engine to be analyzed. 2. A user’s historical and current actions/behaviors are compared against global baselines or unusual activity indicators that house all acceptable trends. These baselines and unusual activity indicators can then be derived from internal analytics metrics or vendor-supplied feeds. 3. The analysis results in a confidence score based on the user’s behavior. 4. As users traverse the network, their confidence score and historical behavior patterns dictate the level of access they receive. 5. Monitoring and analysis is continuously occurring in the background. 6. Access to a resource is denied if the users’ actions and behavior patterns result in their scores dropping below a certain threshold. 7. If the users’ actions and behavior patterns do not appear malicious, they can be informed that their scores do not meet the threshold. 8. If the users’ actions and behavior appear malicious, different handling procedures are initiated depending on the specific actions/behaviors and accessed resources. 9. All actions are logged to a SIEM platform, processed by the analytics engine, and handed to a SOAR platform to deploy real time policy access decisions. 4.4 Improved Compliance ZTA has the potential to improve an organization’s compliance posture in several ways. For example, ZTA requires organizations to frequently review access policies to ensure they stay in alignment with requirements as their IT environment evolves. To this end, policies are a key element for security governance as they enable organizations to translate their goals and objectives into the rules that drive their approach to security. Polices also support the organization in remaining accountable to its shareholders and stakeholders. In a ZT approach, policies controlling access to resources are carefully enforced, continuously monitored, and frequently updated based on the current situation. These approaches enable organizations to maintain a strong compliance posture in regards to both external (i.e., legal regulations and oversight measures) and internal (i.e., company policy) requirements. Continuous monitoring is critical for effective policy management, as it enables the alignment of policy definitions with enforcement measures. This is crucial for organizations looking to implement controls for continuous auditing and compliance. © Copyright 2022, Cloud Security Alliance. All rights reserved. 20 Finally, micro-segmentation strategies apply access controls to each individual resource via fine- grained authorization mechanisms. The requester’s trustworthiness is evaluated prior to access being granted. Policies actively determine access levels and may be based on the user’s observable state/identity, the requesting system, and other behavioral attributes. By implementing micro- segmentation and the principles of need to know and least privilege, organizations effectively reduce their attack surface/risk exposure, which may in turn limit their liability when it comes to laws and regulations. For example, a fewer number of users/devices with access to sensitive data and/or restricted by location reduces the scope of certain compliance measures (e.g., PCI-DSS or GDPR). 4.5 Additional Benefits A ZT approach can help organizations identify business processes, data flows, users, data, and associated risks. These insights better equip them to reduce risk in their cloud and container deployments while also improving governance and compliance. Organizations can also gain deeper insights into users and devices, identify threats more quickly, and maintain more comprehensive control across a network. A well-architected ZTA also reduces IT complexity while supporting resiliency and defense-in-depth. Security benefits aside, the advantages of a ZT security framework are numerous and vary depending on the enterprise’s organizational landscape, architecture, and operating model. Utilizing cloud technologies to automate ZT functions helps minimize ongoing operational costs and eases the burden on human resources and staffing. The ZT model provides a unified access control to data, services, applications, and infrastructure. This enables enterprises to counter major threats with one solution, versus a combination of tools (e.g., firewalls, VPNs, CASBs). By unifying the organization’s access controls, ZT reduces security costs while improving efficacy, visibility, manageability, and user experience. The following is a non-exhaustive list of additional ZT benefits: Potential cost reduction Simplification of IT management design Improved data protection (business critical data and customer data) Secure remote access Improved user experience 5 Planning Considerations for ZTA In this unit, you will learn about the preliminary activities required to successfully implement ZTA in an organization, as well as some common tools and frameworks for planning. As mentioned by leading technology vendors as well as public agencies like NIST, the implementation of a ZTA — and more generally the ZT approach and its design principles — is not a one-off task, but rather a process that depends on a number of different factors, including the following: © Copyright 2022, Cloud Security Alliance. All rights reserved. 21 The maturity level of the organization’s security approach, especially regarding asset mapping and classification and identity and access management The existing organizational culture, skills, and expertise The amount of existing legacy technology and its criticality Existing investments Available budget The complexity of service architecture and data flows The end goal and objectives of the organization Risk management forms the core of any competent cybersecurity approach; subsequently, ZT migration tactics are highly dependent on the risk profile and risk appetite of the organization in question. For some, the ZT design principle will be applied to a limited set of assets; others will apply ZT to all assets across the organization. In either case, the migration to ZT will follow a risk-based staged approach with numerous iterations culminating in the final transformation into a ZT-driven organization. For example, CISA’s ZT Maturity Model provides a reference roadmap that organizations can use for charting their transition towards a ZTA. Figure 5 CISA High-Level Zero Trust Maturity Model17 The CISA ZT Maturity Model consists of five pillars and three cross-functional capabilities that together form the crucial foundations for ZT. Each pillar outlines specific examples of traditional, advanced, and optimal ZTA. Figure adpated from CISA, “Zero Trust Maturity Model,” June 2021, https://www.cisa.gov/sites/ 17 default/files/publications/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf © Copyright 2022, Cloud Security Alliance. All rights reserved. 22 5.1 Organizational & Technical Planning This section describes the high level set of actions each organization is likely to follow when implementing a ZTA. 5.1.1 Understand Your Needs The first step in the ZT implementation process is the analysis of the organization’s needs at a high level. The ZT champion’s role is to guide the organization’s decision makers in answering the following questions: Why should the organization consider adopting ZT? What are the critical assets to be protected? What is the mission relevance and criticality of ZT to the organization? What are the opportunity costs of adopting versus not adopting ZT? Is the organization a cultural fit for ZT? What are the existing gaps, if any? How urgent is the ZT adoption and migration? What are the success metrics? 5.1.2 Identify Key Stakeholders The identification of key stakeholders is another foundational step in ZT organization and planning. Like other enterprise-wide risk analysis processes, the organization must ensure that all key stakeholders are engaged and surveyed—this ensures that all the perspectives, requirements, pain points, and possible constraints are collected and considered. Additionally, a critical element in ensuring successful adoption of ZT is support from senior leadership in the organization. Without this, ZT adoption efforts are typically disconnected and uncoordinated; while pockets of success may be realized within the organization, a comprehensive and effective enterprise approach cannot be achieved. The key stakeholders that should be involved include, but are not limited to: Business/service owners Application owners Infrastructure owners Service architecture owners CISO/security teams Legal officers Compliance officers Procurement officers Any other relevant management © Copyright 2022, Cloud Security Alliance. All rights reserved. 23 5.1.3 Assemble a Team Effective team collaboration across multiple groups is critical when assessing the application and server access landscape across the organization. Groups must have cross-team communications channels in place, as well as processes for collating their findings for future planning — this may span multiple phases, based on a formalized roadmap. A detailed explanation of the various technical planning aspects is covered in the following section. 5.1.4 Define Current State At a high level, the organization needs to determine the level of maturity of its internal approaches and processes, specifically in regards to the following: Governance Risk management Compliance Asset management Identity and access management Cybersecurity Are these processes and approaches already fully optimized and automated, or are they still ad-hoc and informal? The level of maturity will help create a realistic plan for initial adoption of ZT principles, and a roadmap of future incremental evolutionary steps. The organization should analyze each one of the seven ZTA pillars identified earlier in this training, in respect to existing processes, procedures and technical solutions related to ZT. These include, but are not limited to the following: Asset/data inventory and classification Authentication and authorization (e.g., MFA, RBAC/ABAC, federated identity) Network segmentation (e.g., micro/nano segmentation) Encryption and key management (e.g., for data at rest/in transit, confidential computing) Secure software development lifecycle (SDLC) management; © Copyright 2022, Cloud Security Alliance. All rights reserved. 24 Continuous integration and continuous delivery (CI/CD) Monitoring and analytics Transaction flows Organizations with a greenfield and/or cloud-native IT infrastructures have the opportunity to build ZT into the design of their IT and OT systems from the ground up. 5.1.5 Set Goals The understanding of the organizational and technological status quo will facilitate the definition of realistic short and medium/long-terms goals. Is it the final objective of the organization to create a complete transformation to ZTA, or to establish a hybrid of ZTA and legacy perimeter-based controls? What’s the percentage of resources that will be affected by the ZT migration? Once the medium/long term expectations have been set, the organization should answer the following questions: What are the priorities (e.g, what needs to be addressed immediately)? Are there any quick wins/low hanging fruit? What are prerequisites or upstream dependencies? Are the existing foundations to start from? Additionally, the following questions are critical for addressing key factors during the goal setting process: What is the level of executive mandate? What is the strategy? What is the budget? What is the roadmap? 5.1.6 Define the Use Cases This step is a critical process to understanding the organization’s needs — specifically, in defining an organization’s need for ZTA (i.e., its use cases and applications). 5.1.7 Develop Collaboration Plan Effective team collaboration is crucial for a successful ZTA deployment. To this end, organizations should establish a unified collaboration plan shared among all team members and stakeholders; this can take the form of a Kanban board or software-based collaboration platform. All project communications regarding the ZTA deployment should be centralized on this platform. © Copyright 2022, Cloud Security Alliance. All rights reserved. 25 Once a collaboration plan is in place, ZTA planning and deployment teams can move on to addressing the following crucial action items and concerns: Determine assets involved ( e.g., data or services) and what needs protection– this can be determined through a risk analysis/assessment Identify principals in scope (e.g., humans, machines, and processes) Define IAM approach and methodology Determine processes in scope including both existing processes that need to change and new processes needed Select the service architecture Design the data and process flow Select the ZT implementation model and approach Define policies, both new and changes to existing policies Test/evaluate/select the technology or solution Implement/develop/deploy/deliver the selected approach/solution Monitor the ZT implementation for security and performance issues and plan for routine testing of ZTA security control Adapt/review/improve based on the results of monitoring and continuous testing, adapt/ review/improve the ZTA implementation Extend the scope/reiterate the relevant steps of the process 5.2 Risks of Project Implementation Any project that involves integrating new technologies or adopting novel approaches/methodologies bears some risk of failure; that said, the benefits of ZTA for improving the organization’s security posture outweigh any perceived risks. The following table covers some of the project risks that could arise while implementing a ZTA in an organization, as well as their impact and mitigation tactics. Description Implementation Impact Mitigation Risks Failure of the Could hinder Access to the secured Deploying a high ZTA operational users and affected assets could be availability system elements such as applications from compromised. and/or a failover PDP or PEP authenticating/ mechanism. operating properly. New assessment Incorrect As the new infrastructure A preplanned set and review criteria implementation solely depends on the of procedures and must be applied and compromised architecture, an incorrect assessment steps operations. assessment of the created to validate the solution may leave gaps. ZT implementation. © Copyright 2022, Cloud Security Alliance. All rights reserved. 26 Security An interface Security level is reduced, Comprehensive Operations between two leaving potential gaps analysis of sensitive systems in which in defenses. Responses data and acceptable (a) they are to security incidents routes should be not connected will use incorrect performed early in physically and procedures. ZTA’s design stages. (b) any logical connection is not automated (i.e., data is transferred through the interface only manually, under human control). Remote API calls Lack of API protocol Complexity in parsing Implement support for support, API request API requests and the all relevant parsers. inspection, data existence of deprecated Provide the right leakage monitoring, versions. controls to protect and API discovery sensitive data like PII. (e.g., for shadow or zombie APIs). Hybrid Unforeseen ZTA adoption and Alerts for the same implementation resource implementation will network event may be complexity misallocations that likely co-exist with handled differently by resulting in could significantly legacy or non-ZTA an enterprise SIEM per environments that increase environments, so environment. require additional implementation operations/technology/ effort/resources to costs and deadlines. infrastructure must operate, maintain, support hybrid and support architectures. ZTA integration Incompatibility Interoperability with ZTA integration can with existing with the legacy the legacy systems be carried out in network systems must be is paramount whilst incremental phases and security addressed before implementing the ZTA. with validation infrastructure and implementing the processes and backout operations can be ZTA. contingencies. challenging © Copyright 2022, Cloud Security Alliance. All rights reserved. 27 Fielding of partial Fielding without Vulnerabilities present Validate that the ZTA or incomplete ZTA adopting within the ZTA will be adoption strategy is solutions capabilities through targeted by adversaries, properly conceived the organizational potentially resulting to ensure that the maturity levels in technical and/or intent to execute ZTA may create reputational exposures adoption through the vulnerabilities that to the organization. organizational maturity ZTA was intended to levels is captured. mitigate. Additionally, confirm that organizational leadership understands that the initial implementation will not be the final end state and will require continuous, iterative development through the maturity model. Fielding of ZTA Inconsistent These risks expose Ensure that the ZTA solutions without enterprise the organization to adoption strategy proper operational baselines of fielded adversarial threats, properly covers sustainment/ technologies, resulting in elevated both the initial maintenance solutions/resources technical and deployment as well planning that are deteriorated reputational risk to the as long term costs or expended organization. and organizational without effective restructuring results. necessary to support/ maintain ZTA on a long term basis. Figure 6 ZTA Project Implementation Risks © Copyright 2022, Cloud Security Alliance. All rights reserved. 28 6 Implementation Options of ZTA In this unit, you will learn about the various ZTA implementation approaches defined by NIST SP 800-207, as well as some real-world ZTA implementation methods and their main characteristics. The options presented in this unit focus on the network architecture domain and align with the NIST approaches “ZTA Using Micro-Segmentation” and “ZTA Using Network Infrastructure and Software- Defined Perimeters”. The primary ZTA implementation options covered in this unit are CSA’s SDP, Zero Trust Network Access (ZTNA), and Google BeyondCorp. 6.1 NIST Approach to ZT Organizations looking to adopt NIST’s ZT model have several approaches at their disposal for designing their secure workflows. Each approach implements all of the ZT tenets outlined in Section 2.1 of NIST SP 800-207, and a fully-realized ZT solution will incorporate elements from all of the three NIST ZTA approaches: ZTA using Enhanced Identity Governance ZTA using Micro-Segmentation ZTA using Network Infrastructure and Software Defined Perimeters Depending on factors such as the organization’s existing business flows, requirements, and cybersecurity maturity level, a particular approach may be more suitable for a given environment—in turn, the components used and main sources for policy rules will also vary accordingly. As mentioned previously, this unit focuses on the NIST approaches for “ZTA Using Micro- Segmentation” and “ZTA Using Network Infrastructure and Software-Defined Perimeters’’. Subsequent ZT training courses in this series provide a more comprehensive and expanded overview of NIST’s approach to ZT. 6.2 Software-Defined Perimeter CSA’s SDP concept is an approach to enabling and enforcing ZT principles. The SDP architecture is designed to provide on demand, dynamically provisioned air-gapped networks: trusted networks that are isolated from all unsecured networks to mitigate network-based attacks. © Copyright 2022, Cloud Security Alliance. All rights reserved. 29 Figure 7: SDP Pre-Vetting of Connections18 6.2.1 Description ZT implementations require the verification of anything and everything attempting to access assets, prior to authorization. Additionally, ZT requires continued evaluation of sessions and their risk levels during the entire connection’s duration. As described in CSA’s Software-Defined Perimeter (SDP) and Zero Trust, “a ZT implementation using SDP enables organizations to defend new variations of old attack methods that are constantly surfacing in existing network and infrastructure perimeter- centric networking models. Implementing SDP improves the security posture of businesses that face the challenge of continuously adapting to expanding attack surfaces that are increasingly more complex19.” The enterprise must monitor the integrity and security posture of the assets. SDP enforces this trust strategy by enabling a default drop-all gateway until users/devices are authenticated and authorized to access the assets hidden by the gateway. By requiring the pre- vetting of connections, SDP enables complete control over who can connect, from which devices to what services, infrastructure, and other conditions and parameters. As described in the SDP Architecture Guide v2, SDP consists of the following major components: The client/initiating host (IH) The service/accepting host (AH) — also referred to as the PEP per NIST’s ZTA model An SDP controller to which the AH and IH both connect — also referred to as the PDP per NIST’s ZTA model An SDP gateway that implements the drop-all firewall 18 Figure adapted from Cloud Security Allaince, “Software-Defined Perimeter (SDP) Specification v2,” 10th, March, 2022, https://cloudsecurityalliance.org/artifacts/software-defined-perimeter-zero-trust- specification-v2/ 19 Cloud Security Alliance, “Software-Defined Perimeter (SDP) and Zero Trust,” 27th, May 2020, https://cloudsecurityalliance.org/artifacts/software-defined-perimeter-and-zero-trust/ © Copyright 2022, Cloud Security Alliance. All rights reserved. 30 According to the SDP Architecture Guide v2, SDP works in the following manner: The SDP client software on the IH opens a connection to the SDP. IH devices (e.g., laptops, tablets and smartphones) are user-facing, meaning the SDP client software is run on the devices themselves. The network can be outside the control of the enterprise operating the SDP. AH devices accept connections from IH and provide a set of SDP-protecting/secured services. AH typically reside on a network under the enterprise’s control (and/or under the control of a direct representative). An SDP gateway provides authorized users and devices with access to protected processes and services. The gateway can also enact monitoring, logging, and reporting on these connections. IH and AH host devices connect to an SDP controller: a device/appliance or process that secures access to isolated services by ensuring the following: 1. Users are authenticated and authorized 2. Devices are validated 3. Secure communications are established 4. User and management traffic remain separate on the network The controller and AH are protected by SPA, making them invisible and inaccessible to unauthorized users and devices.20 Six deployment options are available for implementing SDP: Client-to-Gateway Client-to-Server Server-to-Server Client-to-Server-to-Client Client-to-Gateway-to-Client Gateway-to-Gateway 6.2.2 Compliance with ZT Principles The SDP conforms to the following ZTA principles: 1. The IH and users should first be authenticated and authorized by the controller before connecting to the AH. The AH is cloaked from the IH and its users until authentication is completed. 2. The SDP gateway applies the drop-all policy until the SPA from the IH is verified. The cryptographic mechanism behind the SPA ensures that only authorized devices can communicate with the AH’s controller. 3. Every service and AH is protected with its own SDP gateway drop-all policy; communications from the other server should also follow the same access policies. IH and users can therefore only access resources to which they were explicitly granted permissions, ensuring 20 Cloud Security Alliance, “SDP Architecture Guide v2,” 7th, May 2019,: https://cloudsecurityalliance. org/artifacts/sdp-architecture-guide-v2 © Copyright 2022, Cloud Security Alliance. All rights reserved. 31 adherence to the principle of least privilege. 4. The SDP controller and SDP gateway are the chokepoints for all access attempts and communications. Subsequently, they can provide continuous monitoring, logging and reporting of all network communications, to include both legitimate and suspicious access attempts. 6.2.3 Implementation Options Several options are available for implementing a SDP: controllers may reside on-prem or in the public cloud, the gateway can be deployed on the servers (i.e., the AH) or an external node, and the SDP can be configured to protect a single service or multiple services. The following are some critical best practices for implementing SDP: Because they are single points of failure, controllers should be designed for high availability (HA) in order to withstand DoS/DDoS attacks and other similar malicious activity. HA strategies such as the use of multiple physical server instances with load balancing (e.g., domain name system load balancing) should be considered. Gateways can block a service in the event of a case of failure or overload. Different load- balancing schemas can be used (e.g., the controller can act as a load balancer for gateways). Gateways are stateful SDP entities that can maintain mTLS sessions, so switching over to a different gateway may interrupt sessions across the tunnel. SDP controllers may use an internal user-to-service mapping or a connection to a third party service (e.g., LDAP, directory service, or other on-premises/cloud-based authorization solution). Authorization is typically based on user roles and more fine-grained information, user or device attributes, or even the specific data element/data flow the user is authorized to access. In effect, the access policies maintained by the SDP controller can be informed by other organizational constructs such as enterprise service directories and identity stores. Per NIST, the dynamic ZT policies enforced by the controller are categorized as a ZT tenet. 6.2.3.1 Service Initiated (Cloud-to-Cloud) An increasingly common use case for deploying a ZTA entails the use of multiple cloud providers. In this scenario, the enterprise manages a local network but uses two or more cloud service providers to host applications/services and data; occasionally, the application/service is hosted on a cloud service separate from the data source. As depicted below, the application hosted in Cloud Provider A should directly connect to the data source hosted in Cloud Provider B. This enables better performance and ease of management, as the application isn’t forced to tunnel back through the enterprise network. © Copyright 2022, Cloud Security Alliance. All rights reserved. 32 Figure 8: Cloud-to-Cloud ZTA Service Initiation21 This use case is the server-to-server implementation of the CSA SDP Specification v2. A more common example is Cloud Provider A cloud calling Cloud Provider B’s LDAP service for authorization/ authentication, as part of SSO. ZTA services are often set up in a mesh configuration. Meshed services lend themselves well to a multi-cloud environment since they facilitate service-to-service communication (to include micro- services communication) via a proxy. 6.2.3.2 Collaboration Across Boundaries Cross-enterprise collaboration is another prominent ZTA use case. For example, a hypothetical project may involve employees from Enterprise A and Enterprise B. Enterprise A manages the project database but must allow certain members of Enterprise B to access the data. To meet this requirement, Enterprise A can set up specialized accounts for Enterprise B employees to access the required data, denying access to all other resources; however, this approach can quickly become difficult to manage. Enrolling both organizations in a federated ID management system streamlines the configuration of these permissions, provided both organizations’ PEPs can authenticate subjects in a federated ID community. 6.2.4 Characteristics SDP’s main advantages are its maturity and widespread adoption. Early on, prominent enterprises and leading institutions such as the DOD were supporters/adopters; today, organizations across all industries are implementing different flavors of SDP for varying purposes and environments, to include hybrid and multi-cloud deployments, VPN replacement, and securing IoT. Additionally, regular hackathons that test SDP’s attack durability continue to add to its popularity. Figure adapted from NIST, “SP 800-207 Zero Trust Architecture,” August 2020, https://csrc.nist. 21 gov/publications/detail/sp/800-207/final © Copyright 2022, Cloud Security Alliance. All rights reserved. 33 SPA and mTLS are highly effective mechanisms for enforcing ZT principles without sacrificing user experience. SDP is in fact capable of providing robust security while simultaneously improving the user experience—especially when replacing legacy solutions. SDP is also relatively easy to implement and can complement existing solutions in place. Organizations are free to adopt a gradual implementation and/or migration to an SDP. Because SDP is completely distributed and scalable, it can easily protect highly complex deployments (e.g., hybrid and multi-cloud environments). High availability is also built-in to SDP’s architecture. A major disadvantage of SDP is the requirement for client agent installation on eac