Zero Trust networks with zero hype - an overview of real world deployments

Dr Bernard Parsons

Category:

  • Security Blog

As the concept of Zero Trust networks has gained broad popularity and acclaim, elements of the approach have been quietly adopted and applied across a diverse range sensitive IT environments. The ever-dissolving corporate perimeter has been a driver for the Zero Trust concept, however for parts of government and security conscious private sector organisations, it is more a case of not placing complete trust in a perimeter even where it can be identified. Such organisations instead look to build a defence in depth architecture that offers better protection and detection capabilities than conventional IT architectures. This article captures some insight gained from working with early adopters of network models that reduce implicit trust, influenced by a project called CloudClient, run by the UK National Cyber Security Centre (NCSC).

Defining Zero Trust

With phrases as popular as Zero Trust, there is often lack of agreement on the exact definition – perhaps as there are too many claimed solutions to the problem! The Zero Trust model was created in 2010 by John Kindervag, a principal analyst at Forrester Research. Kindervag emphasised that organisations should not automatically trust users or assets, irrespective of location.

As technology has evolved, it is perhaps best to think in terms of the important characteristics of the Zero Trust approach, and how these may continue to adapt. The key point remains that you should no longer implicitly trust a managed entity - be that a device or user - just by virtue of them being, for example, connected to an internal network. This leads to two responses:

  • Seeking to have greater trust in the identities managed; and,
  • Having greater control over how resources are accessed.

The desired outcomes include having confidence in both the identity and integrity (health) of a device, combined with the identity of a user that can be verified at a granular service level when a service is accessed, all underpinned by robust security mechanisms that are, as far as possible, transparent to the user and easy to manage.

The tools available to achieve these outcomes include:

  • Device Identity Management
  • Device Health Monitoring
  • User Identity & Access Management
  • Service Segmentation
  • Traffic Inspection


NCSC CloudClient – A brief history

The predecessor of the UK National Cyber Security Centre (NCSC) initiated a research project a few years back that incorporated the characteristics of Zero Trust networks. The objective of the CESG CloudClient project was to facilitate the secure sharing of IT infrastructure across government, allowing an employee of one department to securely access their online services from collaborating organisations. The project required that the health of devices could be measured and validated across organisational boundaries with a high level of assurance, to ensure that no organisation’s security posture was reduced through collaboration, and that user identity management would automate the delivery of defined service components.

The first building block of the resulting architecture was a security-focused operating system optimised for accessing online services - effectively a secure platform to launch a browser. Adopting a browser-based operating system simplifies the process of validating device identity or health, as it becomes viable to cryptographically validate all firmware, operating system and application software components – a task that is problematic for a full-blown general purpose operating system.

The CloudClient project resulted in the end-to-end implementation of a Remote Attestation protocol for a desktop environment compliant with the relevant Trusted Platform Group open standard, using a Trusted Platform Module as a hardware root of trust. At a high level, this means that an organisation can be confident in not just the identity of a device, but its integrity. A device in a known healthy state indicates that no malware or unauthorised software is present.

The CloudClient architecture utilises the SAML (Security Assertion Mark-up Language) authentication protocol that allows collaborating organisations to exchange authentication parameters as part of a federated device identity model. This allows web services to be published that can then create end-to-end encrypted sessions with 3rd party devices at the same level of confidence as internally managed devices. Two factor user authentication is implemented using physical smartcards, with associated policies defining granular authorised service access.

A real world deployment

Paradox data Sheet DowloadWhilst CloudClient was a research project, its successful outcomes were subsequently adopted across both UK government departments and private sector organisations within the Critical National Infrastructure. Well aligned with a ‘cloud first’ policy, the ‘cloud client’ model allowed a number of security benefits to be derived by optimising end user devices for cloud access. However, in addition to security, the need to optimise usability proved a key driver for user adoption. Even with some of the most sensitive government environments, security today needs to be as automated and transparent as possible, whether that is single sign-on, timely certificate management or automated patching. These are all necessary characteristics of a well-designed Zero Trust architecture.

Security operations overheads may also be reduced through the cloud client model, as a light-weight and secured OS can significantly change the security event monitoring landscape. Minimising the software stack with a browser-based model reduces security auditing ‘noise’ from endpoints, whilst cryptographically enforced health checks provides a very low-volume high-value audit profile. This can offset the potential for increased network traffic logging and inspection as advocated by the Zero Trust model.

With NCSC and wider UK government’s preference for commercial off-the-shelf products, Becrypt has been able to productise the project’s outputs in the form of an end user device platform called Paradox (no formal endorsement by NCSC implied).

Lessons learned

The CloudClient programme and subsequent real-world deployments have shown how a standards-based approach can be adopted to combine both device health and identity management with user identity management to provide granular access to services. Beyond security the model also demonstrated how the typical cloud benefits of security, cost and flexibility can be extended to the end user device infrastructure. When moving to cloud and online services, there is a temptation to focus on the benefits that the chosen cloud-based infrastructure can offer, but when the endpoint needs little more than a browser, it becomes difficult to justify a general-purpose OS, and easier to implement Zero Trust enabling controls.

To date, Paradox has been deployed to secure desktops, laptops and kiosks with a range of use cases from standard enterprise access to O365, to the more specialised examples of SOC hosting and control of 3rd party supplier access, providing varied examples of the shift towards a Zero Trust model.

Leave a comment




Comments (3)

  1. Jane:
    Jul 02, 2019 at 03:10 AM

    These are actually wonderful ideas in about blogging.
    You have touched some nice factors here.
    Any way keep up wrinting. Greetings! Very useful advice in this particular article!
    It's the little changes that produce the greatest changes.
    Thanks for sharing! Howdy just wanted to give you a
    quick heads up. The words in your content seem to be
    running off the screen in Safari. I'm not sure if this is a format issue or
    something to do with browser compatibility but I figured I'd
    post to let you know. The design and style look great though!
    Hope you get the issue fixed soon. Thanks http://tagomi.com/

  2. avocado blog:
    Aug 19, 2019 at 10:51 AM

    Thank you a bunch for sharing this with all folks you
    really know what you are speaking about! Bookmarked.
    Kindly also visit my website =). We could have a link
    trade contract between us

  3. https://www.desiretechsupport.com/activate-espn-on-roku/:
    Sep 13, 2019 at 11:49 AM

    Thanks for ones marvelous posting! I seriously enjoyed reading it, you happen to be a great
    author. I will be sure to bookmark your blog and definitely will come back very soon. I want to encourage you continue your great work, have a nice morning!

Latest News

  • Becrypt continues enthusiastic support of the National Cyber Security Centre’s CyberFirst programme

    Becrypt continues enthusiastic support of the National Cyber Security Centre’s CyberFirst programme ...Read more

    21/06/2019

  • Zero Trust networks with zero hype - an overview of real world deployments

    An overview of the NCSC CloudClient project in the context of Zero Trust network characteristics ...Read more

    21/06/2019

  • Measured Boot & Measured Execution for Device Health

    Using Measured Boot & Measured Execution with Remote Attestation to measure Device Health with Paradox OS ...Read more

    21/06/2019