Zero-trust and network security: friend or foe?

Zero-trust networking is all the rage. But does it address all security issues?
Ulrich Kohn

Mobile working and cloud-hosted applications have made a tremendous impact on the security architecture of enterprise networks. Mobility means that users connect from anywhere over untrusted public networks. IT teams address this exposure with secure VPN technologies. But an increasing number of mobile users connect into public clouds because their data and applications have been moved there from the enterprise network. Accessing the cloud by sending traffic through the enterprise network becomes an unnecessary detour. Giving the mobile user direct access to the cloud seems to be the better approach but bypassing the user’s enterprise network creates some security issues. Zero-trust network architectures can mitigate security concerns with any untrusted network through robust authentication of end-points and least privilege principles for authorization of access to any resource.  But do they solve every security issue? Let’s take a closer look.

From perimeter protection to secure access services

Today’s standard network architecture is built using perimeter protection. This approach combines physical access control with digital security controls to prevent unauthorized access to physical and virtual assets within a protected site. Within the perimeter, users are known to be trustworthy and are allowed to access data and IT applications. The digital perimeter uses sophisticated firewalls and intrusion detection systems to block any unwanted traffic and keep out unauthorized external access.


Mobile workers can connect to the enterprise network using public networks for access. However, as public networks are generally considered untrusted, any access requires secure authentication and an encrypted connection. What’s more, as data and applications move into public clouds, they need to securely and directly access the cloud rather than going through their perimeter-protected enterprise network. They need to establish a trusted relation with the cloud and the application hosted in the cloud. As there isn’t just one cloud and just one application, the problem becomes complex, creating a business opportunity for a secure access service edge (SASE) offering.

A SASE architecture combines zero-trust principles with network security functions such as firewalls, intrusion detection and end-point protection preferably hosted as a virtual network function. Strong authentication and encrypted connections mitigate any concern with transport of data over untrusted networks.


Security experts view these zero-trust SASE network architectures as a future-proof way to solve the security needs of an increasingly mobile workforce but also as a way to protect enterprise cloud access. That means direct access to cloud-hosted data and services as well as secure integration of IIoT with an enterprise’s digitized processes. Such a simple and pragmatic security architecture is frequently promoted to remove the need for complex multi-layer protective controls. The solution is preferably implemented with technology from a single vendor to ensure easy integration. It might be operated by a professional services provider with extensive security competence, or as a ring-fenced operation of the enterprise. 

The reasons for zero-trust architecture and the value of SASE architectures are obvious. However, there are other considerations that deserve a closer look:

Don’t trust the others, trust me!

The zero-trust model assumes that any network can be subject to fraud, even perimeter-protected IT networks. Zero-trust architecture with a common security broker such as a secure access provider replaces the need for multi-lateral trust relations with a more transparent trust relation with the operator of the secure access network. 

A zero-trust network architecture gains trust from strong authentication of devices and applications. Building on this, robust encryption protects data transported over connectivity networks. From a user perspective, the complexity of this security architecture is much lower, as a trusted relation must be established with only a single entity, the operator of the secure access service edge.
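The two mechanisms named in the introduction and in the paragraph above, strong authentication of the endpoint followed by least-privilege authorization of every request, can be made concrete in a small policy decision point. The following Python is an added example, not code from the original article or from any SASE product; it assumes a constructed device registry in which a per-device HMAC key stands in for the certificate an enterprise PKI would issue, a hypothetical `device|issued_at|mac` token format, and a deny-by-default policy table.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample data. In a real deployment the device identity would be
# proven with a certificate from the enterprise PKI; a per-device HMAC key is
# used here only so the example runs offline.
DEVICE_KEYS = {
    "laptop-0042": b"constructed-secret-for-laptop-0042",
    "sensor-0007": b"constructed-secret-for-sensor-0007",
}

# Least privilege, deny by default: a device may reach only the resources
# listed for it, and only with the listed actions.
POLICY = {
    "laptop-0042": {"crm-app": {"read", "write"}, "wiki": {"read"}},
    "sensor-0007": {"telemetry-ingest": {"write"}},
}

TOKEN_TTL_SECONDS = 300  # freshness window for a presented token


def mint_token(device_id: str, issued_at: int, key: bytes) -> str:
    """Device side: bind identity and issue time together with an HMAC.

    The 'device|issued_at|mac' layout is a hypothetical format for this example."""
    msg = f"{device_id}|{issued_at}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{device_id}|{issued_at}|{mac}"


def authenticate(token: str, now: int) -> Optional[str]:
    """Broker side: return the device id only if the token is genuine and fresh."""
    try:
        device_id, issued_str, mac = token.split("|")
        issued_at = int(issued_str)
    except ValueError:
        return None  # malformed token
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return None  # unknown device
    expected = hmac.new(key, f"{device_id}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not reveal how many MAC bytes matched.
    if not hmac.compare_digest(expected, mac):
        return None
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return None  # future-dated or stale token: an old capture is not accepted
    return device_id


def authorize(device_id: str, resource: str, action: str) -> bool:
    """Every request is checked; anything not explicitly listed is denied."""
    return action in POLICY.get(device_id, {}).get(resource, set())


@dataclass
class Decision:
    allowed: bool
    reason: str


def decide(token: str, resource: str, action: str, now: Optional[int] = None) -> Decision:
    """Per-request policy decision: authentication first, then authorization."""
    now = int(time.time()) if now is None else now
    device_id = authenticate(token, now)
    if device_id is None:
        return Decision(False, "authentication failed")
    if not authorize(device_id, resource, action):
        return Decision(False, f"{device_id} not permitted {action} on {resource}")
    return Decision(True, f"{device_id} permitted {action} on {resource}")


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed reference time
    good = mint_token("laptop-0042", t0, DEVICE_KEYS["laptop-0042"])
    print(decide(good, "crm-app", "write", now=t0 + 10))          # allowed
    print(decide(good, "telemetry-ingest", "write", now=t0 + 10)) # denied: not in policy
    print(decide(good, "crm-app", "write", now=t0 + 1000))        # denied: stale token
    forged = good[:-1] + ("0" if good[-1] != "0" else "1")
    print(decide(forged, "crm-app", "read", now=t0 + 10))         # denied: bad MAC
```

The point the article makes is visible in the structure: the broker is the single entity the user trusts, it never relies on which network the request arrived from, and a valid identity on its own grants nothing until the policy table says otherwise.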

On the other hand, the operator of the secure access service needs to assure trust with the cloud and the applications hosted there, creating a need for careful analysis and consequent security assurance. From a trust relation perspective, this security architecture replaces multiple trust relations with a smaller number of them, at the expense of additional complexity.

Unprotected lower network layers threaten application security

Zero-trust network architectures provide security through strong authentication of users and devices among each other but also with applications hosted in both private and increasingly public clouds. Those applications also include virtualized security functions such as virtual firewalls and virtual intrusion detection among others. While the connection from the user to those security controls is well protected, the underlying software stacks, including operating systems and hypervisors, are not and might be subject to malicious action. We must also protect the lower layer virtualization stacks. A secure connectivity network and perimeter protection are a sensible approach. Virtualized security won’t protect servers and therefore won’t make protection at lower network layers obsolete.

Network availability is also an essential piece of information security

Information security addresses the three key objectives: privacy, integrity and availability of data. While zero-trust architectures address the initial two, the third receives insufficient attention. A malicious service provider or an attack against a service provider might compromise the ability of a user or device to connect with urgently required data and applications. There are cases, such as real-time control in critical infrastructure, in which the availability of information is far more relevant than its privacy. Unavailability can have tremendous – even catastrophic – negative impact. 

Information security and openness

Zero-trust architectures and related secure access service architectures have gained significant interest in the market. Frequently, it’s suggested that this type of security solution should be implemented with technology from a single vendor, or at most two suppliers, to keep integration effort at bay. This seems to negate the present trend towards open, transparent and standardized network architectures, and it conflicts with Kerckhoffs’s principle of openness of security controls.

Don’t accept untrusted networks - a wakeup call

The above considerations challenge some of the messaging surrounding zero-trust architectures and SASE solutions. However, I assume that we need to question the key underlying assumption. We should question whether we want to accept untrusted networks.

Please note that today mobile networks operate the only globally well-established means for secure authentication of customers across any network. It is therefore reasonable to assume that network operators are in a key position to take responsibility in creating secure global architectures. It is on the other hand not reasonable to accept a status of “untrusted” with public networks.


We should look at methods to work with untrusted networks but, ultimately, steps should be taken to force all networks to become trustworthy. Networks need to be secure, able to protect privacy and integrity as well as being capable of assuring highest availability. While no zero-trust security control at end-points can guarantee all of this, communication service providers shouldn’t be released from their obligation to deliver trusted connections.

Open, standardized and well-established technologies can be applied to make any network trustworthy through a combination of quantum-safe encryption with secure key exchange, a trust anchor from globally accepted certificate authorities, and methods for secure identification of any endpoint in a network.

Extending zero-trust through bottom-up defense

We need well-protected networks – resilient, trustworthy network architectures that provide security at each network layer and resilience in a resource-efficient way. Automated key exchange using PKI is well established and highly efficient, and quantum-safe AES encryption can be provided at reasonable cost. Those technologies are standardized, open and proven.


What’s more, communication networks have efficient ways to isolate traffic through virtualization technologies such as VLANs in Ethernet, MPLS or tunneling technologies in IP. This adds an additional, very efficient method of protecting sensitive information.

This is a very powerful solution to efficiently mitigate a lack of trust at any network layer. We refer to this architecture as “extended zero-trust network architecture” or “bottom-up defense.”

Operators of communication networks can become trusted connectivity service providers. This is true for mobile and fixed network connectivity. The secure access services and zero-trust networking discussion should include this option rather than simply branding public networks as untrusted.

Summary

As the digital transformation accelerates across enterprise networks, governments and critical infrastructure, the attack surface that needs to be mitigated increases, mainly caused by cloudification and mobility. Zero-trust network architectures and SASE solutions are a sensible approach. However, there is room for more efficient security architectures that involve the operators of connectivity networks rather than marking them as untrusted domains. The proposed extended zero-trust network architecture is a very efficient way to protect sensitive traffic in a more comprehensive way. By establishing trust in the connectivity network, we can protect the complete infrastructure with all its users, devices, servers, control and management systems.
