It’s a cloud-first world. Your users now regularly connect directly to cloud-based applications and web destinations from any device anywhere. Sophisticated cyber threats use those connections to penetrate your traditional network perimeter.
Digital transformation and cloud migration have made the notion of a traditional network security perimeter obsolete. Some of today’s most potentially damaging cyberthreats are those that enter your network under the radar, hidden in emails and malicious URLs. The bottom line: data traffic can no longer be trusted, whether it originates inside or outside your network.
Why Zero Trust is now the Top Cybersecurity Priority Strategy for Defending the Enterprise
Against this backdrop, forward-thinking enterprise and government organizations are fortifying their defenses by embracing Zero Trust architectures to protect their sensitive data. In this article, you’ll get the basics of Zero Trust architectures and what they require:
- Why Zero Trust architectures have become critical to enterprise security
- Their essential components, core capabilities, and relevant use cases
- The critical roles that DNS and foundational security play in successful Zero Trust implementations
- The technology trends that have made Zero Trust architectures an urgent priority
- What a Zero Trust architecture entails and its key elements
Table of Contents
- Executive Summary
- The History and Evolution of Zero Trust
- Zero Trust: A Response to Digital Transformation
- Zero Trust: Basic Capabilities
- Implementing Zero Trust
- Important Zero Trust Technologies
- Foundational Security Using DNS Is a Core Component of Zero Trust
- Introduction to BloxOne Threat Defense
- Summary
Executive Summary
Zero Trust architectures have become a compelling means for modern enterprise and government institutions to secure sensitive data in the face of digital transformation and the loss of the traditional network perimeter. The paper describes a Zero Trust architecture’s essential components, its core capabilities, and some important use cases that support it. Also, it explains the critical roles that Domain Name System (DNS) and foundational security can play in your deployment of Zero Trust architectures.
The History and Evolution of Zero Trust
Nearly a decade ago, Forrester Research introduced the concept of Zero Trust. One of its leading analysts, John Kindervag, is credited with designing the original Zero Trust framework.1 Zero Trust posits that the concept of a trusted internal network zone and an untrusted external network zone should be eliminated. In essence, no data traffic can be trusted. As data flows through your network, all parties involved must undergo restriction, reauthentication, and validation at every point.
Zero Trust declares that all network traffic inside and outside the perimeter and the users and processes that create it should not be trusted at any time. “Security professionals must stop trusting packets as if they were people.” – John Kindervag, Forrester Research
At its very core, Zero Trust is both platform and technology agnostic. It enables you to build additional layers of security for your networks by using a wide variety of vendor tools and technologies.
Kindervag defined five basic tenets of Zero Trust that are still applicable today:
- Data is the central element that must be protected. Access to this data, at any time, must be continually and carefully revalidated.
- To best protect your data, you must understand the flows of your data, both to be able to validate it later and to build out what he called micro-networks.
- With an understanding of the critical data that must be protected, you can then create the micro-networks that map best to the flow of the data.
- Visibility and monitoring are key. You must have visibility into all activity within your network, log it and be able to analyze it comprehensively to determine if any malicious behavior is present.
- You should wrap Zero Trust best practices into your security automation strategies and use orchestration tools to support your efforts.
Forrester recently expanded and clarified its original notion of Zero Trust.2 Its goal was to draw a road map to implementing a Zero Trust architecture: the Zero Trust eXtended (ZTX) Ecosystem. Forrester identifies key vendors that support its view of the Zero Trust ecosystem and turns Zero Trust from the basic concepts of 10 years ago into a concrete framework and architecture for building out cybersecurity resilience across all of your networks.
Zero Trust: A Response to Digital Transformation
The rise of digital transformation has made Zero Trust compelling. The prevalence of Internet- and cloud-connected transactions has led to growing numbers of security breaches and exposed the failure of legacy, perimeter-based cybersecurity architectures.
Initially, the key to this legacy defense was the firewall, which protected trusted network systems within the perimeter. Systems outside of the perimeter were, correspondingly, untrusted, and communications with them were often automatically blocked. This architecture and the accompanying cybersecurity strategy remain dependent on defending a perimeter, primarily by identifying known threats that attempt to move through the perimeter.
To achieve this defense, data centers were typically divided into large network zones with perhaps a few firewalls between these zones. This approach can indeed restrict traffic between these zones. However, the setup of rules for the various firewalls is often complex. In many cases, unmanageably so, with the effect that the use of these zones cannot adequately protect the enterprise. Moreover, increased granularity often adds considerable expense both for hardware and for setup and administration.
To augment firewalls, organizations turned to signature-based security, which identified threats by looking for their telltale patterns. This strategy initially proved to be highly effective. That’s because, at the time, virus and malware threats had distinctive patterns in their code and files that made identification relatively simple. One of the shortfalls of signature-based security is that it is reactive. You can respond to threats only after they’ve been detected. However, once the first infection point in the cyber kill chain has been documented, it can be used to identify the presence of additional attacks. Signature recognition is a key part of that process.
In the wake of digital transformation and the rapid transition to the cloud, legacy cybersecurity strategies are increasingly dated and ineffective. Areas where security requirements have changed include:
Mixed infrastructures. Today you likely have multiple cloud deployments, perhaps a mix of private and public cloud, along with custom applications and several legacy on-premises data centers. You may have more than one cloud vendor—so your administration of basic capabilities likely varies from cloud to cloud. You may also have third-party clouds managed and administered for you for major applications, such as CRM, finance and marketing operations. All of these may be patched together with varying security controls that move between on-premises and the cloud as well as between the platforms of different cloud providers.
SD-WAN deployments. In the past, you might have had one or more enterprise data centers, likely connected by dedicated or leased lines to your branch offices. In this architecture, it was reasonable to expect that your perimeter defenses were more viable than not. The Internet has continued to deliver more cost-effective capabilities to scale connectivity and communications. Today, your branch offices and distant facilities are likely connected by SD-WAN to leverage the cost benefits of the Internet.
Internet of things. The explosion in the Internet of things (IoT) devices has created many endpoints that cannot be easily protected using standard endpoint detection and response (EDR) software. In the health-care industry, for instance, many medical devices are network connected as IoT devices. The U.S. Food and Drug Administration requires certification of medical devices, and this requirement, in effect, makes them closed devices. For reasons of both potential liability and maintenance of valid FDA certification, you cannot install any third-party cybersecurity software on these medical devices.
Industry-specific factors. In the manufacturing industry, old embedded operating systems in IoT manufacturing control points are also highly vulnerable and often out of date, presenting attackers with a multitude of known vulnerabilities to exploit. In the banking industry, ATM networks with embedded board operating systems have continually, and often spectacularly, been breached over the past few years. In retail, point-of-sale systems provide additional points of compromise within the card reader electronics and inadvertently provide attackers with immediate connectivity into sensitive networks.
In many industries, heating, ventilation and air-conditioning systems are centrally controlled through the Internet. The same is true for large-scale enterprise access control (EAC) systems that lock and unlock doors using keycard technology, as well as the security systems that may manage hundreds of security cameras within your facilities. All of these IoT devices have presented a multitude of opportunities for sophisticated malware tools to find safe harbor and establish command and control (C&C) communications. Once undetected attackers infiltrate, they can reach out to load additional tools and exfiltrate sensitive data.
Mobility. Ten years ago, connectivity through mobile devices was new, and the threats leveraging them were just starting to develop. Today, the situation has changed. Mobile devices have greatly increased the porosity of corporate networks. Accommodating the soaring demand for BYOD access has become an essential and increasingly unmanageable part of business operations. The explosion in the number of mobile devices has greatly expanded the attack surface and provided cybercriminals with a multitude of ways to bypass traditional defenses to spread malware and gain access to internal network data and resources.
To most security operations and information technology teams, the conclusion is obvious: The enterprise network has become a patchwork quilt of siloed security controls that unfortunately present abundant opportunities for cybersecurity breaches.
“Attackers will successfully and regularly penetrate your networks. A Zero Trust architecture enables you to minimize their successful reconnaissance of your network, minimize their access to your protected data and intellectual property, slow their progress and detect them early in the execution of their cyber kill chain. When you can identify and stop them before they can exfiltrate targeted data and/or funds, your cyber defense strategy will have prevailed.” – Anthony James, Vice President, Product Marketing, Infoblox, Inc.
Attackers remanufacture and repackage existing malware on a real-time basis. This continuous threat evolution significantly reduces your ability to stop attacks relying solely on the hardened perimeter and signature-oriented malware security tools. Cybercriminals are adept at using evasive techniques, such as malware-laced memory sticks, compromised websites, malware-hijacked advertising networks and socially engineered emails to achieve their mission.
The bottom line is that given the limitations of traditional security measures, attackers will repeatedly penetrate your network. Once inside, if your strategy is to allow any permission and activity to those already within your networks as trusted, it is a near certainty that they will access and compromise key assets, and even potentially devastate your network and computing resources.
Zero Trust: Basic Capabilities
Historically, access to the network implied trust and access to all of the data it contained. Zero Trust turns the paradigm upside down with a critical focus on the data. Essential Zero Trust strategy is to deny access to all data by default and without exception wherever it resides.
Encryption is an essential component of Zero Trust. And yet many recent breaches have involved the theft and misuse of data encryption keys. Encrypted data is only as well protected as its keys: never store keys on or alongside the data they protect, keep them in a dedicated key-management system or hardware security module, and do not hand raw keys to a third party. Beyond the basic data protection principles of Zero Trust, sharing encryption keys with third parties exposes your organization to risks it can neither see nor control.
Figure 1: Key capabilities of a Zero Trust architecture
Zero Trust promotes the idea that enhanced visibility is key to success. Visibility includes authenticated traffic, access and attempted access to data and user behavior, information that can reveal the presence of malicious and threatening behavior. Zero Trust also entails the use of verbose logging (which captures more data than standard logging). In turn, data from those logs is well-integrated with other systems, enabling it to be analyzed by machine learning and analytics tools. With this data, your security teams can flag cyberattacks early in their life cycles, shut them down sooner and prevent their spread.
Zero Trust architectures generally offer many of the same basic capabilities (Figure 1). They should:
- Enable access to data resources and key applications based upon the continuously authenticated user, the permissioned and properly protected computing device and the physical location when it must be limited by policy.
- Grant access only to the smallest “microsegments” of the network that a task requires, and only for as long as the task requires it.
- Allow access only to specifically designated applications.
- Monitor user behavior with analytics and machine learning to identify potentially dangerous behavior, bearing in mind that not all anomalous behavior is malicious and not all malicious behavior shows up as anomalous.
- Support complete end-to-end encryption of data at rest and in motion through APIs and the network.
- Enable high visibility of data traffic to identify unusual movements of sensitive data.
- Supply high visibility of the movement of known attackers, malware tools and other malicious activity.
- Enable a consistent user experience for application access and utilization, regardless of the additional security mandated by Zero Trust security controls and policies.
- Provide high visibility to outside destinations by address and use threat intelligence to reject new untrusted domains and those that have been identified as malicious and high risk.
Implementing Zero Trust
Start by identifying the critical sensitive data you must protect and where it resides. Next, determine the roles for every employee within your organization and consider carefully the absolute minimum of privileges and access these roles require. A role must be thought through carefully; it defines an employee’s identity and purpose at work based on a close look at the key components of the job. Roles include accountability, areas of ownership and decision rights, among others. Roles should empower the employee to the bare minimum necessary for success but no further. Then map the workflow of each role against the sensitive data, networks, systems and applications required to perform its tasks.
It is essential to this implementation that you integrate security controls and techniques that maximize visibility. Best practices include extensive logging of data at all times and continual analysis by inspection and through the use of machine learning.
Once you have completed the basic identification and analysis of critical sensitive data and roles, you can begin to layout the architecture for your Zero Trust network.
Important Zero Trust Technologies
At its core, the primary tenets of Zero Trust assume that all networks are hostile and dangerous environments at all times, your internal corporate network included. On the basis of an established and maintained trusted identity, you get access to the data, networks, systems and applications you need to do your job and nothing more. This trust must be continuously revalidated to provide certainty about the security and privileges granted.
The Zero Trust approach segments the allocation of trust into slices that provide broader protection against the breach of sensitive data. If user authentication is compromised, Zero Trust will not automatically grant access to the cyber attacker to additional systems and network resources necessary to obtain and exfiltrate sensitive data.
Currently available security controls that can be an essential part of your Zero Trust strategy include SIEM, SOAR, UEBA, CASB, deception technology, foundational security using DNS, microsegmentation and identity and access management. Let’s take a closer look at some of these key technology sets.
Microsegmentation
Microsegmentation is a critical architectural component of a Zero Trust deployment and is available through software and/or specialized hardware appliances. Some vendors’ microsegmentation controls interoperate with other vendors’ products; others require that the entire Zero Trust deployment use security controls from that one vendor, which is worth confirming before you commit.
Microsegmentation implements the concept of a software-defined perimeter (SDP) to divide the network into more granular pieces, organized around the critical data that must be protected. An SDP prevents and limits access, both into and out of each segment. Microsegmentation focuses on security and provides the automation and agility security teams need to rapidly implement configuration changes.
Microsegmentation can lockdown and highly restrict lateral movement (“east-west”) within a network with almost any level of granularity required. Also, micro-segmentation enables administrators to express security implementation in terms of application-oriented constructs such as the web and databases instead of IP addresses, subnets, and virtual local area networks. Applications are workloads that address very specific business needs, and workloads are operating system instances that are running various software services, containers and the like.
In a legacy architecture that does not use Zero Trust micro-segmentation, the procedure to provide basic network segmentation can be slow and cumbersome. The business analyst defines application requirements, which are, in turn, reviewed by the security analyst and described as connectivity or access policies. These policies are then reviewed and translated by the network administrator into specific firewall rules and IP addresses. All of these steps are limited by analyst time, firewall costs, compatibility and other factors. It rapidly becomes untenable to meet the challenges of digital transformation at scale using this approach.
In sharp contrast, microsegmentation can be set up fast. It offers the ability to rapidly and automatically push a revised security policy to the key logging and enforcement points, and those enforcement points do not have to be firewalls. That flexibility enables microsegmentation to achieve economies of scale. Once policies are set up, their implementation and subsequent changes can be highly automated. The entire setup is a simpler and more collaborative effort by business, security and network analysts.
Depending on the vendors you use, micro-segmentation can bring a variety of strong defensive benefits. For example, micro-segmentation might be configured to automatically quarantine certain network segments with automated policy change. Because microsegments are often smaller and defined around very specific business operations, they can be implemented using a “white list” approach, where connections are explicitly enabled by administrators, as opposed to a much larger—and almost immediately out-of-date— “blacklist,” of the sort traditional firewall configurations typically use.
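The allowlist approach described above, expressed in application terms rather than addresses, is easiest to see in code. The following is an added illustration written for this page, not any vendor’s product: a label-based policy engine with default deny, a compiler that expands label rules into the address tuples an enforcement point (host firewall, hypervisor filter, cloud security group) needs, and an audit run over a constructed flow log. The workload names, addresses, roles and the policy itself are hypothetical.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    role: str   # application-oriented label: "web", "app", "db", ...
    env: str    # "prod" or "dev"


@dataclass(frozen=True)
class AllowRule:
    src_role: str
    dst_role: str
    port: int
    proto: str = "tcp"
    same_env_only: bool = True   # prod workloads must not reach dev copies


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    port: int
    proto: str = "tcp"


# Constructed inventory; names, addresses and labels are hypothetical.
INVENTORY = (
    Workload("web-1", "10.0.1.10", "web", "prod"),
    Workload("app-1", "10.0.2.10", "app", "prod"),
    Workload("db-1", "10.0.3.10", "db", "prod"),
    Workload("db-dev", "10.0.9.10", "db", "dev"),
    Workload("hvac-ctl", "10.0.7.5", "iot-hvac", "prod"),
)

# The allowlist: only the two flows this application actually needs.
# There is no deny list; anything not listed here is denied.
POLICY = (
    AllowRule("web", "app", 8443),
    AllowRule("app", "db", 5432),
)

# Constructed flow records, as an enforcement point might log them.
FLOW_LOG = (
    Flow("10.0.1.10", "10.0.2.10", 8443),   # web -> app: expected
    Flow("10.0.2.10", "10.0.3.10", 5432),   # app -> db: expected
    Flow("10.0.1.10", "10.0.3.10", 5432),   # web straight to db: lateral movement
    Flow("10.0.2.10", "10.0.9.10", 5432),   # prod app -> dev db: crosses environments
    Flow("10.0.7.5", "10.0.3.10", 5432),    # HVAC controller -> db: compromised IoT device
    Flow("192.0.2.77", "10.0.3.10", 5432),  # source not in the inventory at all
)


def resolve(ip: str, inventory=INVENTORY) -> Optional[Workload]:
    return next((w for w in inventory if w.ip == ip), None)


def evaluate(flow: Flow, policy=POLICY, inventory=INVENTORY) -> tuple:
    """Default deny: a flow passes only if a label rule matches it."""
    src, dst = resolve(flow.src_ip, inventory), resolve(flow.dst_ip, inventory)
    if src is None or dst is None:
        return "deny", "unknown workload"
    for r in policy:
        if (r.src_role, r.dst_role, r.port, r.proto) != (src.role, dst.role, flow.port, flow.proto):
            continue
        if r.same_env_only and src.env != dst.env:
            return "deny", f"cross-environment {src.env}->{dst.env}"
        return "allow", f"{src.role}->{dst.role}:{flow.port}/{flow.proto}"
    return "deny", f"no rule for {src.role}->{dst.role}:{flow.port}/{flow.proto}"


def compile_rules(policy=POLICY, inventory=INVENTORY) -> list:
    """Expand label rules into concrete address tuples for an enforcement point.
    Re-run whenever the inventory changes: the labels are the policy, the
    addresses are derived from them."""
    rules = []
    for r in policy:
        for s in inventory:
            for d in inventory:
                if s.role == r.src_role and d.role == r.dst_role and (
                    not r.same_env_only or s.env == d.env
                ):
                    rules.append((s.ip, d.ip, r.port, r.proto))
    return rules


def audit(flows: Iterable[Flow]) -> list:
    """Flows a default-deny policy would block: each is a missing rule or lateral movement."""
    denied = []
    for f in flows:
        verdict, why = evaluate(f)
        if verdict == "deny":
            denied.append((f, why))
    return denied


if __name__ == "__main__":
    for f, why in audit(FLOW_LOG):
        print(f"DENY {f.src_ip} -> {f.dst_ip}:{f.port}/{f.proto}: {why}")
```

Running the audit over an existing flow log before enforcement is the usual way to find the rules a policy is missing without breaking the application; here it reports four denials, and only one of them (web to db) is arguably a gap rather than a genuine lateral-movement attempt.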
Identity and Access Management (IAM)
Identity and access management (IAM) defines and manages the roles and, correspondingly, grants access privileges for authorized users. The source of truth used in IAM can be an integration of data contained in human resources and other systems.
Two-Factor Authentication (2FA)
Two-factor authentication has rapidly become an essential best-practice security control for building out any Zero Trust architecture. Combined with federated single sign-on, it makes stolen authentication data far less useful to an attacker, because a password alone no longer opens a session. Federated to support all applications across an enterprise, it presents a highly effective front end to any entrusted application, system or data repository.
Typically, the second factor is one of the following: a hardware token or authenticator app that generates a constantly changing, algorithmically derived one-time code that the user enters alongside the password; a hardware security key such as a YubiKey; or, at a bare minimum, a one-time code delivered to a mobile device by SMS. SMS is the weakest of these options; dedicated authenticator applications and hardware keys are considerably more secure.
Security Information and Event Management (SIEM)
A SIEM will integrate with and aggregate all of your data sources and alerts from across your IT infrastructure, analyze this activity and escalate priority events and notifications. It will include special analytics algorithms and often will have machine learning capability.
Security Orchestration, Automation, and Response (SOAR)
SOAR collects alert data and is in some ways similar to a SIEM, but it further aggregates and automates this data for continued investigation. SOAR integration allows automated incident response and execution of related workflows based on identified, dangerous indicators of compromise. This automated response can happen much faster than a process gated by human intervention. SOAR integration is often structured into “playbooks” that define the response to various threats, the steps to be taken and the key integrations with critical security controls. One vendor can provide SIEM and SOAR technology in a single integrated platform.
Cloud Access Security Brokers (CASB) with Encryption, DLP and DRM
CASB is a security control that is placed between the consumers of cloud services and cloud service providers. CASB is a “single wrapper” around cloud applications that provides extended visibility into cloud access and use, encryption or tokenization of cloud-based data, policy creation and implementation, data loss prevention, digital rights management and more. CASB can extend protection to a wide variety of cloud-based third-party software as a service (SaaS) applications and applications developed in-house that are deployed to cloud platforms.
Deception Technology
Deception technology is a security control category that deploys lures (for example, fake credential files) and “honeypots” (fake endpoints and network devices with a few deliberately open vulnerabilities) within a network. No legitimate process has any reason to contact them, so unauthorized east-west traffic and attacker reconnaissance that touch these devices, if only with a ping, generate a high-integrity alert and indicator of compromise.
Network Detection and Response (NDR)
Network detection and response provide enhanced visibility, threat detection and detailed forensic analysis of anomalous activity within the network. This security control uses machine learning to identify potentially dangerous actors within secured internal networks.
User and Entity Behavior Analytics (UEBA)
UEBA is a software control category that analyzes user activity from log files, network traffic, and other sources to identify malicious or highly unusual user behavior. Malicious user behavior is typically associated with excessive file downloads, access to sensitive data in unusual activity patterns, activity during unusual periods for that user and other suspicious actions.
Adaptive Access Control (AAC)
Adaptive access control analyzes each access attempt by platform, location and time and maps these factors to established policy. AAC is context-aware and balances the level of trust against the access requested. Seemingly valid user authentication data may be rejected based on the platform (a specific endpoint such as a personal device not authorized by policy) or the geographic location (such as a seemingly valid login from Shanghai, China, when policy does not permit access from that region). A user with valid authentication data might also be rejected based on, for example, a login from a city in the United States followed by an attempted and seemingly valid login from a city in Australia perhaps only two hours later.
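The impossible-travel, location and platform checks just described amount to a small policy function run after the credentials themselves have verified. The following is an added example written for this page, not a product’s logic, with hypothetical policy inputs (allowed countries, enrolled device IDs, a maximum plausible travel speed) and constructed login events whose coordinates are those of the named cities. Great-circle distance is computed with the haversine formula, and only accepted logins anchor the user’s next travel check, so a denied login cannot make a later legitimate one look impossible.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Login:
    user: str
    ts: int          # unix seconds
    lat: float
    lon: float
    country: str     # ISO 3166 code from the IP-geolocation lookup
    device_id: str   # from the device certificate or MDM agent


# Hypothetical policy inputs.
ALLOWED_COUNTRIES = {"US", "AU"}            # where this organization operates
MANAGED_DEVICES = {"lap-0042", "lap-0043"}  # enrolled, policy-compliant endpoints
MAX_SPEED_KMH = 1000.0                      # nothing a user can legitimately exceed between logins


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def decide(prev: Optional[Login], cur: Login) -> tuple:
    """Policy checks that run after the credentials themselves have verified."""
    if cur.device_id not in MANAGED_DEVICES:
        return "deny", "unmanaged device"
    if cur.country not in ALLOWED_COUNTRIES:
        return "deny", f"location {cur.country} not permitted by policy"
    if prev is not None:
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = max(cur.ts - prev.ts, 1) / 3600   # at least one second: no division by zero
        if km / hours > MAX_SPEED_KMH:
            return "deny", f"impossible travel: {km:.0f} km in {hours:.1f} h"
    return "allow", "policy satisfied"


def evaluate_sequence(logins) -> list:
    """Replay logins in time order; only accepted logins anchor the next travel check."""
    last = {}
    results = []
    for login in sorted(logins, key=lambda l: l.ts):
        verdict, why = decide(last.get(login.user), login)
        results.append((login, verdict, why))
        if verdict == "allow":
            last[login.user] = login
    return results


# Constructed login events; coordinates are city centres, users and devices are made up.
NEW_YORK, BOSTON = (40.7128, -74.0060), (42.3601, -71.0589)
SYDNEY, SHANGHAI = (-33.8688, 151.2093), (31.2304, 121.4737)
EVENTS = (
    Login("alice", 0, *NEW_YORK, "US", "lap-0042"),
    Login("bob", 100, *SHANGHAI, "CN", "lap-0043"),          # valid credentials, disallowed region
    Login("carol", 200, *NEW_YORK, "US", "phone-personal"),  # valid credentials, unenrolled device
    Login("alice", 3600, *BOSTON, "US", "lap-0042"),         # ~300 km in an hour: plausible
    Login("alice", 10800, *SYDNEY, "AU", "lap-0042"),        # ~16,000 km two hours later: not
)


if __name__ == "__main__":
    for login, verdict, why in evaluate_sequence(EVENTS):
        print(f"{login.ts:>6} {login.user:<6} {verdict:<5} {why}")
```

A deployment that prefers not to lock users out on a geolocation false positive can return a third verdict, such as requiring re-authentication with a hardware key, for the impossible-travel case while keeping a hard deny for unenrolled devices; the structure of the check is the same.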
Foundational Security Using DNS Is a Core Component of Zero Trust
DNS is a central component of your current information technology and network architecture. DNS handles the translation of domain names from their user-friendly form, such as www.example.com, to an Internet Protocol (IP) address in numeric form, such as 203.0.113.10, so that traffic can reach the desired server.
During the rapid deployment of the changes necessary to support digital transformation, many enterprises have failed to include DNS controls, administration and management within their cybersecurity strategy. Often these capabilities have defaulted to a mix of ISPs, on- and off-premises local hardware and multiple, disparate cloud-based services. These diverse and separate DNS capabilities generally have no integration with modern cybersecurity threat intelligence, web filtering or other important defensive capabilities. Most have no integrated protection against the most common cyber threats or distributed denial of service (DDoS) attacks; they also lack the centralized visibility essential to making DNS and foundational security a cornerstone of Zero Trust for the enterprise.
Network management teams in most enterprises are now partnering more closely with their cybersecurity counterparts. One of the key areas for collaboration has been to position DNS and foundational security as a core component of Zero Trust. In this scenario, the basic foundational core network services you rely on to run your business (e.g., DNS and related services) become your most valuable security controls and threat intelligence assets.
These foundational security services, including DNS, DHCP and IP address management (DDI), are essential to all IP-based communications. Foundational security using DNS further offers an ideal opportunity to gain centralized visibility and control over all of your computing resources, per the tenets of Zero Trust. DNS can be a source of telemetry, helping to detect anomalous behavior (e.g., a device going to a server it usually doesn’t go to) and to analyze east-west traffic. DNS can also continuously check for, detect and block C&C connections. For every cloud and on-premises data center that your enterprise uses, DNS can be a centralized point of visibility and risk reduction.
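The telemetry role described above can be demonstrated on a handful of query-log lines. The following is an added example written for this page, not Infoblox code, that runs three checks over a constructed DNS query log: a threat-intelligence denylist match (the known C&C domain case), a per-device baseline check that flags a device resolving a domain it has never used before (the “server it usually doesn’t go to” case), and a tunnelling heuristic that flags many distinct, long, high-entropy subdomains under one registered domain, the usual signature of data exfiltration over DNS. The denylist, baseline, client addresses and domain names are all hypothetical, and the two-label “registered domain” shortcut stands in for a public-suffix-list lookup.

```python
import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    ts: str
    client: str
    qname: str
    qtype: str


@dataclass(frozen=True)
class Alert:
    kind: str      # "denylist" | "new-destination" | "tunnel"
    client: str
    subject: str
    detail: str


# Hypothetical threat-intelligence denylist, using the reserved .example TLD.
DENYLIST = {"bad-cnc.example", "malvertising.example"}

# Hypothetical per-device baseline: registered domains the device resolved over the
# last 30 days. Only the HVAC controller has one here; IoT traffic is the most stable.
BASELINE = {"10.0.7.5": {"ntp.example", "vendor.example"}}

# Constructed query log: timestamp, client address, query name, query type.
LOG = """\
2024-05-01T10:00:01Z 10.0.1.10 www.example.com A
2024-05-01T10:00:02Z 10.0.1.10 api.example.com A
2024-05-01T10:00:05Z 10.0.7.5 ntp.example A
2024-05-01T10:00:06Z 10.0.7.5 sync.vendor.example A
2024-05-01T10:00:09Z 10.0.7.5 update.bad-cnc.example A
2024-05-01T10:00:15Z 10.0.7.5 telemetry.newvendor.example A
2024-05-01T10:01:00Z 10.0.2.10 a9f3k2lq0zx8v1bn.t.exfil.example TXT
2024-05-01T10:01:01Z 10.0.2.10 q7w2e4r8t1y6u3i0.t.exfil.example TXT
2024-05-01T10:01:02Z 10.0.2.10 z1x3c5v7b9n2m4k6.t.exfil.example TXT
2024-05-01T10:01:03Z 10.0.2.10 p0o9i8u7y6t5r4e3.t.exfil.example TXT
2024-05-01T10:01:04Z 10.0.2.10 l2k4j6h8g0f1d3s5.t.exfil.example TXT
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse(log: str) -> list:
    out = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            out.append(Query(ts, client, qname.lower().rstrip("."), qtype.upper()))
    return out


def shannon_entropy(s: str) -> float:
    """Bits per character: encoded tunnel payloads score near 4, real hostnames lower."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels. Production code consults the public suffix list.
    return ".".join(qname.split(".")[-2:])


def in_denylist(qname: str, denylist=DENYLIST):
    return next((d for d in denylist if qname == d or qname.endswith("." + d)), None)


def analyze(queries, denylist=DENYLIST, baseline=BASELINE,
            min_labels=5, min_entropy=3.5, min_len=12) -> list:
    alerts = []
    leftmost = defaultdict(set)   # (client, registered domain) -> distinct leftmost labels
    reported = set()
    for q in queries:
        hit = in_denylist(q.qname, denylist)
        if hit:
            alerts.append(Alert("denylist", q.client, q.qname, f"matches threat-intel entry {hit}"))
            continue   # the resolver blocks this outright; nothing further to analyze
        reg = registered_domain(q.qname)
        if q.client in baseline and reg not in baseline[q.client] and (q.client, reg) not in reported:
            reported.add((q.client, reg))
            alerts.append(Alert("new-destination", q.client, reg, "not in this device's baseline"))
        labels = q.qname.split(".")
        if len(labels) > 2:
            leftmost[(q.client, reg)].add(labels[0])
    # Tunnelling/exfiltration: many distinct, long, high-entropy labels under one domain.
    for (client, reg), labels in leftmost.items():
        if len(labels) < min_labels:
            continue
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if mean_len >= min_len and mean_ent >= min_entropy:
            alerts.append(Alert("tunnel", client, reg,
                                f"{len(labels)} distinct labels, mean entropy {mean_ent:.2f}, mean length {mean_len:.0f}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(parse(LOG)):
        print(f"{a.kind:<16} {a.client:<10} {a.subject:<32} {a.detail}")
```

The thresholds are starting points, not tuned values: content-delivery and cloud-storage hostnames also carry long, random-looking labels, so in practice the tunnel heuristic is combined with a domain age or popularity lookup before it pages anyone, while the denylist and baseline checks are precise enough to act on directly.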
Introduction to BloxOne Threat Defense
“Infoblox BloxOne Threat Defense brings all of your DNS controls, administration, and management into one hybrid architecture that gives all of the control back to you. This provides one single point of control for DNS management for all of your on-premises and cloud-based resources. Once you assert this control, you have very effectively enabled the defensive weaponization and build-out of DNS as part of what is called foundational security.” – Anthony James, Vice President, Product Marketing, Infoblox, Inc.
DNS can become a powerful control point where every Internet address can be scanned for potentially malicious behavior as identified by integrated threat intelligence. DNS can also supplement your internal resources for web and content filtering to reduce your costs and enhance performance. Finally, the capabilities of DNS also integrate with your DDI strategy to provide comprehensive data that can be used to identify and resolve cyber threats that are already present within your network. Using DNS in this fashion provides critical visibility into security events by location, physical device, session, and user—a key aspect of a Zero Trust deployment.
BloxOne™ Threat Defense from Infoblox provides the foundational security that gives you one architecturally efficient, centralized point of control and visibility to any traffic requiring resolution of a domain name with DNS services (see Figure 2). BloxOne Threat Defense also enables you to detect and block data exfiltration and malware C&C communications via DNS. It maximizes brand protection by securing traditional networks, as well as digital imperatives like SD-WAN, IoT, the cloud and mobility. It powers SOAR solutions, substantially reduces the time to investigate and remediate cyberthreats, optimizes the performance of the entire security ecosystem and reduces the total cost of enterprise threat defense.
Figure 2: BloxOne Threat Defense provides foundational security and supports key aspects of Zero Trust deployments
Summary
Digital transformation has all but eliminated the traditional perimeter-based security model and has made it imperative to move to a more comprehensive security strategy such as Zero Trust. Zero Trust brings with it the philosophy that you cannot trust any user or any activity, whether inside or outside of your network. The perimeter has moved from enterprise networks, where it has been compromised, to instead surround the key data elements you want to protect. Zero Trust shines a spotlight on those who would access that data and makes certain that their identity is authenticated before allowing access. Foundational security, leveraging the visibility and protection offered by DNS services, should be a core part of your Zero Trust strategy. Foundational security enables you to reduce cyber incidents, further minimize risk and substantially strengthen your compliance and governance initiatives.