CyberTrend Analysis: Zero Trust
Originally Posted on Medium on Apr 14, 2021
💣 The Problem
Remotely accessing IT resources is hard
Access to organizational IT resources has traditionally ranged from no external access at all, which requires employees to be in the office on a corporate machine, to access over a VPN (Virtual Private Network). With the growing adoption of cloud technologies and the availability of direct access services, CIOs and CISOs find it increasingly hard to keep mandating corporate network access as the precondition for reaching corporate resources.
Traditional access is not contextual
Traditional network access was mainly focused on the source (i.e., user, machine, and geographic locations) due to the complexity of managing an application by application policy.
Being in the office is no longer the standard
COVID-19 was a significant catalyst for remote work. While many organizations enabled remote working successfully, many more were caught off-guard. Some organizations do not have the technological foundations necessary to allow remote services, while many more have the foundations but lack plans for their entire workforce to work remotely.
Segmentation is effective, but hard to achieve for most
Network firewall management can be cumbersome. Without good pre-planning, even tight firewall rules will let a user reach more resources than they should.
💡 The Opportunity
Faster access, better user experiences, same security
The Zero Trust notion of enabling access to services, rather than network connectivity, is consistent with the way employees consume personal services in the form of “apps.” The delivery of apps promotes better security by reducing vulnerabilities and the attack surface.
Define access based on the user identity and context
One of the holy grails of security is within reach. The ability to distinctly define which users can reach which services, as driven by the business needs, significantly reduces organizational cybersecurity risks by promoting the Principle of Least Privilege, which states a subject should only be given those privileges needed to complete a task.
Reduce third party vendor risk
As organizations increase their reliance on third-party vendors to supply services, the security risk from a trusted or managed ecosystem is pushed into a realm beyond the CISO’s reach. Enabling secure third-party access to specific resources for a limited amount of time is essential.
Reduce segmentation bypasses
Due to the way networks have been built, the need to provide network connectivity has driven more and more rules. This has created a “Swiss cheese” effect with various ingress and egress points for attackers to exploit. Zero Trust helps fill the gaps by allowing user-driven network connectivity to be centralized and accounted for.
Zero Trust promises to be the next generation secure service delivery system that focuses on the user’s identity and access context rather than network boundaries.
🔮 The Predictions
VPN will be replaced, but not critical infrastructure access
User experience matters in 2020, but it is not the only consideration for a CISO / CIO. The transition from traditional VPN to various Zero Trust technologies will increase, primarily on corporate services rather than within production environments that require tighter controls and monitoring.
Massive network behemoths will dominate the market
Zero Trust is a native play for the networking giants. Organizations investing millions into network security with a single or a select number of vendors will mostly opt in for a continued partnership and avoid implementing a point solution from a start-up company.
Organizations will forget it is not only a technology
With thousands of users and hundreds of services, the value of contextuality will become negligible as technology fails to account for the organization’s inability to define roles and access policies consistently. In the end, organizations will get the same mess they had with VPNs and firewalls, including over-permissive access patterns for large user groups.
Startups will address privileged access management
With the domination of Cisco, Palo Alto, and Check Point in the network space and their lack of a footprint in the privileged identity management space, start-ups will attempt to differentiate themselves through use cases that focus on identity over network boundaries.
🕵️ The CISO View
Look for applications/services that require console access (e.g. RDP, SSH)
While some of the Zero Trust companies do offer the ability to expose servers, exposure of RDP and SSH may be leveraged for various lateral movement attacks and for abuse of idle sessions by an attacker.
Remember to inspect the following:
How does connectivity take place? (i.e., Is it through the Cloud? Is it direct from the user device to the proxy within the organization?)
How does authentication pass to the remote machine? Does the vendor get exposed to the user’s password?
Is there a need to install an agent on the remote machine to support provisioning?
How can the vendor prevent “hopping” between servers after being connected via console to the initial server?
What level of granularity does the vendor provide to protect console access? (i.e., data transfer, reverse tunnels, clipboard control, or session recording)
What network/host level controls apply to the server, and are they reduced through the use of Zero Trust?
What does the vendor do in an encrypted traffic situation where mutual authentication and client certificates are required?
Look for homegrown business application use cases
Homegrown applications, especially Java applications and heavy clients, may prove problematic to provision due to a need for de-serializing traffic and passing it through a proxy without breaking the application or the use of configuration changes in the application (e.g., the target “connecting server”).
Remember to inspect the following:
Are there any business applications that require de-serialization?
Does the Zero Trust vendor support the enablement of such provisioning?
How does the vendor pass authentication to the application, or will it require another authentication?
What does the vendor do in an encrypted traffic situation where mutual authentication and client certificates are required?
Look for answers on account takeover or device infection
Zero Trust vendors enable organizations to provision access to applications and services with ease. On the flip side, however, there is always the question of what cost in security the organization is willing to pay for the increased user experience. In the case of Zero Trust.
Remember to inspect the following:
What will happen if a machine is infected and the attacker has control? (i.e., screen recording, attacker leveraging active sessions to access the system).
What are the vendor’s means of protecting against account takeover?
Look to understand the maintenance of a large number of endpoints
There is a reason segmentation is hard. With the increase in service endpoints such as applications, services, and remote hosts, it becomes harder to manage granular permissions. While the vendor can provide a single-user to single-application granularity, managing hundreds of applications may prevent that from becoming a reality. Furthermore, a medium or larger organization considering exposure of servers may end up with tens of thousands of endpoints to manage on a single server basis. This was not feasible in the segmentation era, and it is not feasible in the Zero Trust era.
Look at the delivery method
To date, most, if not all, Zero Trust vendors leverage a SaaS delivery model for their console, policy manager, and IDP (Identity Provider). In some instances, the Zero Trust vendor may also route traffic through the SaaS solution.
Remember to evaluate the following:
Compliance of the vendor’s environments with security standards. Security vendors are not free from security flaws and make an excellent target for supply chain attacks. Be sure to confirm that the vendor has a good security posture and can support regulatory requirements (e.g., in cases where data flows through the Zero Trust vendor, they may require PCI-DSS, HIPAA, or other compliance alignments).
Confirm that scaling is available and automatic. In cases of delivery in a SaaS model, confirm the vendor can support any number of users without performance degradation. Similar logic applies to on-premises proxies responsible for routing traffic.
Look at the policies and product capabilities
Depending on the delivery model, such as reverse proxy versus tunneling, and the service endpoint (e.g., web service, console access), different vendors will enable different feature sets to ensure the organization’s security.
Evaluate what policy components the vendor is offering beyond authentication, authorization, and connectivity. For example, some vendors provide a DLP mechanism for web interfaces as traffic is routed through a reverse proxy. In contrast, others offer extended logging capabilities even for applications that do not natively support logging.
Look at the enforcement logic of the security controls
Confirm that the Zero Trust vendors provide continuous policy enforcement across the user session, not strictly at the point of authentication and authorization.
Look at the anomaly detection capabilities
When a user identity becomes the prominent (and perhaps only) basis for authentication and authorization, special attention must be paid to user activity behavioral patterns to detect a potential account takeover. It is recommended to look for the ability to feed the user’s core risk score with data from external systems. For example, an employee leaving the organization is more prone to engaging in cyber offenses, such as data dumping, than other employees.
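The two points above, continuous enforcement across the session and a user risk score that external systems can raise, are easiest to see together in code. The following Python sketch is an added example, not code from the original post or from any Zero Trust vendor: a policy engine re-evaluates every request against an explicit, time-bounded grant (the third-party access case), device posture, and a risk score that constructed external signals (an HR offboarding flag, an endpoint alert) raise mid-session. All subjects, services, thresholds and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """An explicit, time-bounded right for one subject to reach one service."""
    subject: str
    service: str
    expires_at: datetime


@dataclass(frozen=True)
class RequestContext:
    """Signals available at the moment of one request inside a session."""
    subject: str
    service: str
    device_managed: bool
    device_healthy: bool   # posture signal, e.g. from an endpoint agent
    now: datetime


@dataclass
class Session:
    subject: str
    service: str
    active: bool = True
    ended_reason: str = ""


class PolicyEngine:
    """Decides per request, not once at login (continuous enforcement)."""

    def __init__(self, grants, risk_threshold=70):
        self._grants = {(g.subject, g.service): g for g in grants}
        self._risk_threshold = risk_threshold
        self._risk_signals = {}   # subject -> {source: points}

    def add_risk_signal(self, subject, source, points):
        """Feed external context (HR, EDR, SIEM, ...) into the subject's risk score."""
        self._risk_signals.setdefault(subject, {})[source] = points

    def risk_score(self, subject):
        return min(100, sum(self._risk_signals.get(subject, {}).values()))

    def evaluate(self, ctx):
        """Return (allow, reason). Default is deny: no grant means no access."""
        grant = self._grants.get((ctx.subject, ctx.service))
        if grant is None:
            return False, "no grant for subject/service"
        if ctx.now >= grant.expires_at:
            return False, "grant expired"
        if not ctx.device_managed:
            return False, "unmanaged device"
        if not ctx.device_healthy:
            return False, "device posture failed"
        score = self.risk_score(ctx.subject)
        if score >= self._risk_threshold:
            return False, f"risk score {score} >= threshold {self._risk_threshold}"
        return True, "ok"

    def authorize_request(self, session, ctx):
        """Re-evaluate on every request; end the session when the verdict flips."""
        if not session.active:
            return False
        allow, reason = self.evaluate(ctx)
        if not allow:
            session.active = False
            session.ended_reason = reason
        return allow


def run_scenario():
    """Constructed walkthrough; returns the verdict log and the session end reasons."""
    t0 = datetime(2021, 4, 14, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    engine = PolicyEngine(grants=[
        Grant("vendor-bob", "ticketing-web", expires_at=t0 + timedelta(hours=8)),
        Grant("alice", "hr-portal", expires_at=t0 + timedelta(days=365)),
    ])
    log = []

    # Third party: allowed inside the 8-hour window, denied once it lapses.
    bob = Session("vendor-bob", "ticketing-web")
    for hours in (1, 9):
        ctx = RequestContext("vendor-bob", "ticketing-web", True, True, t0 + timedelta(hours=hours))
        log.append(("vendor-bob", hours, engine.authorize_request(bob, ctx)))

    # Employee: first request passes; risk signals arrive mid-session and end it.
    alice = Session("alice", "hr-portal")
    ctx = RequestContext("alice", "hr-portal", True, True, t0 + timedelta(minutes=5))
    log.append(("alice", 0, engine.authorize_request(alice, ctx)))
    engine.add_risk_signal("alice", "hr-offboarding", 50)   # constructed leaver flag
    engine.add_risk_signal("alice", "edr-alert", 30)        # constructed endpoint alert
    ctx = RequestContext("alice", "hr-portal", True, True, t0 + timedelta(minutes=6))
    log.append(("alice", 0, engine.authorize_request(alice, ctx)))
    return log, bob.ended_reason, alice.ended_reason


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that `authorize_request` is the only path a proxy would call, so a grant expiring or a risk signal landing after login takes effect on the very next request rather than at the next login; the engine also denies by default, so a request for a service with no grant is refused regardless of posture or risk.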
Look at the vendor’s solution for generic accounts
All organizations leverage generic accounts or accounts that are not associated with a specific identity. Some may exist for application to application purposes, while others may exist for user groups that are unable or unwilling to use named accounts. Since Zero Trust relies heavily on having strong scrutiny over the user, generic accounts can be an Achilles heel in the path to real segmentation of services and full adoption of Zero Trust.
🏁 The Bottom Line
Zero Trust is here to stay… in spirit
Zero Trust is here to stay in spirit, or more practically as a methodology. The movement for network freedom and user experience drives security to seek new ventures and explore practices that will ultimately serve security needs while increasing productivity and partnership with an organization’s internal customers.
There are good reasons to adopt the trend
There are good reasons to adopt the trend, namely third-party access to organizational resources and mergers and acquisitions. In use cases where users need access to highly specific resources for a set timeframe with limited to no trust present (e.g., no managed devices), Zero Trust can prove a very viable solution.
The magic is fading away
The promise of Zero Trust to replace VPNs and software delivery solutions is not living up to security experts’ expectations. From challenges with infected machines to inadequate resource isolation for non-web interfaces, adopting Google’s BeyondCorp lifestyle is not feasible for every company.
Don’t buy into a dream, solve a problem
In a hyped industry there are buzzwords that sound like a silver bullet, such as CASB (Cloud Access Security Broker) in 2015. Don’t fall for the buzz; evaluate the business cases for Zero Trust and identify the right usage patterns for the organization.