One of the earliest and most persistent false paradigms that information security wrestles with is the perceived security of the corporate network. The corporate network has been thought of as trusted because it is private, with private IP addressing. We generally trust everyone on the trusted side of the fence or firewall because adversaries can't easily gain access from the Internet or a public network. If the network is trusted, then so is everything and everyone on it. This mindset has allowed compromised computers, devices and accounts free rein over far too many trusted networks. This is akin to letting wolves and foxes loose in the hen house.
As network security evolved over the years, there was hope and promise that Network Access Control (NAC) would provide a zero trust framework and restrict unknowns on the network. The general principle was that any device accessing the private network had to authenticate immediately or be placed on an isolated Virtual Local Area Network (VLAN), a holding pen. In theory this would help separate the foxes from the hens, but not necessarily the sneaky wolves in sheep's clothing. So who are these wolves exactly? They represent compromised computers and insider threats. In a trusted network, compromised systems (wolves) can roam free without restraint, looking for easy prey (typically unpatched servers). Like all predators, they leave a digital blood trail as they fill their bellies with sensitive data, leaving behind a wake of breached computer carcasses. Unfortunately NAC has never lived up to expectations, as there has been an explosion of mobile and IoT devices on networks.
So what is zero trust? In its most basic form it does not assume any trust relationship based on network affiliation or proximity; rather, it treats everyone on the network as an unknown. Essentially your IP address is meaningless, and access to corporate assets requires authentication and authorization, typically through segmentation gateways (next-generation firewalls). In a zero trust environment the network is treated much like a zoo. The segmentation acts much like cages that restrict access to the animals (servers). All of the animals are properly separated and protected, and visitors (PCs) generally have minimal, mostly view-only, permissions. The zookeepers, or administrators, keep the animals (assets) secure under lock and key and access them through private gateways to provide proper care and feeding. This is how a zero trust framework functions: keeping the assets isolated and protected from one another, with access based on the least privilege needed. No petting the alligators or feeding the lions, and no leaving the zoo with your favorite penguin.
Most of the networks we work on today assume some level of trust, which leaves the cage doors open or at least ajar. Computers and servers on trusted networks present far too much attack surface. So what happens when a fox suddenly appears at the hen house door (an unpatched PC) or a wolf leaps over the fence (malware infects a PC) on a trusted network? The consequences are all too common, and again a lot of dead chickens. Zero trust limits these unintended consequences. Without the cages, trusted networks act much like the jungle: survival of the fittest, where whoever is patched and free of defects has the best chance to survive.
Let's face it, zero trust is mostly common sense, so why is it not more popular or mandated? That is a long story for another installment, but the short story is that it's far cheaper and easier to put everyone into the same pen (a flat network) and monitor for bad behavior. Network, or zoo, monitoring is still necessary even with cages in place, as there is always a chance the zookeeper leaves a door open or someone breaks into the zoo. Those penguins are really cute! So where do we begin? Segment the servers, separate the PCs on the network, and place a firewall in between. If you want to see the primates exhibit, your ticket grants you limited access to the gorillas, monkeys and orangutans. The technical adoption of zero trust limits network access to corporate assets and services through proper segmentation, providing access through firewalls or segmentation gateways. They restrict access based on who you are (authentication) and what you can access (authorization). As zero trust continues to become more popular conceptually, think about transforming your network from a jungle to a zoo.
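To make the "who you are, what you can access" rule concrete, here is an added example (not code from the original post or from any product it mentions) of a toy segmentation-gateway policy evaluator. It puts the two models side by side: the legacy decision lets anything with a private source IP through, while the zero trust decision ignores the source address, demands an authenticated identity, and then checks a default-deny, least-privilege policy table. The IP ranges, identities, service names and sample requests are all constructed for illustration.

```python
"""Added example: trusted-network decision vs. zero trust decision at a
segmentation gateway. Hosts, users, services and traffic are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed "trusted" address space: the flat corporate network.
PRIVATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Request:
    src_ip: str                # where the packet came from
    identity: Optional[str]    # authenticated principal, None if unauthenticated
    service: str               # the "animal" being asked for, e.g. "hr-db"
    action: str                # "read" (view only) or "write"


def legacy_decision(req: Request) -> bool:
    """Trusted-network model: a private source IP is treated as proof of trust."""
    return any(ip_address(req.src_ip) in net for net in PRIVATE_RANGES)


# Zero trust policy (constructed): explicit (identity, service) -> allowed actions.
# Anything not listed is denied, so the table itself is the set of cages.
POLICY = {
    ("alice@corp", "hr-db"): {"read"},              # visitor: view-only ticket
    ("dba-bob@corp", "hr-db"): {"read", "write"},   # zookeeper via the private gateway
    ("alice@corp", "wiki"): {"read"},
}


def zero_trust_decision(req: Request) -> bool:
    """Segmentation gateway: authenticate first, then authorize by least privilege."""
    if req.identity is None:            # no identity, no entry; the source IP is meaningless
        return False
    allowed = POLICY.get((req.identity, req.service), set())   # default deny
    return req.action in allowed        # only what the ticket grants


def evaluate(requests: List[Request]) -> List[Tuple[bool, bool]]:
    """Return (legacy, zero_trust) decisions for each request, for comparison."""
    return [(legacy_decision(r), zero_trust_decision(r)) for r in requests]


# Constructed sample traffic, including the "wolf": malware on a PC inside the private VLAN.
SAMPLE = [
    Request("10.20.30.40", "alice@corp", "hr-db", "read"),      # legitimate view
    Request("10.20.30.40", "alice@corp", "hr-db", "write"),     # visitor over-reaching
    Request("10.20.30.99", None, "hr-db", "write"),             # infected PC, no identity
    Request("192.168.5.7", "dba-bob@corp", "hr-db", "write"),   # admin through the gateway
    Request("203.0.113.5", "alice@corp", "wiki", "read"),       # from the Internet, but authenticated
]

if __name__ == "__main__":
    for req, (legacy, zt) in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{req.src_ip:14} {str(req.identity):14} {req.service:6} "
              f"{req.action:5} legacy={legacy!s:5} zero_trust={zt}")
```

Running it shows the point of the post in five lines: the legacy model admits the infected PC and the over-reaching visitor simply because they sit on a private address, and refuses the authenticated user on the public Internet, while the zero trust gateway decides the same five requests purely on identity and the policy table.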