Defining Zero Trust
With phrases as popular as Zero Trust, there is often lack of agreement on the exact definition – perhaps as there are too many claimed solutions to the problem! The Zero Trust model was created in 2010 by John Kindervag, a principal analyst at Forrester Research. Kindervag emphasised that organizations should not automatically trust users or assets, irrespective of location.
As technology has evolved, it is perhaps best to think in terms of the important characteristics of the Zero Trust approach, and how these may continue to adapt. The key point remains that you should no longer implicitly trust a managed entity - be that a device or user - just by virtue of them being, for example, connected to an internal network. This leads to two responses:
Seeking to have greater trust in the identities managed; and,
Having greater control over how resources are accessed.
The desired outcomes include having confidence in both the identity and integrity (health) of a device, combined with the identity of a user that can be verified at a granular service level when a service is accessed, all underpinned by robust security mechanisms that are, as far as possible, transparent to the user and easy to manage.
The tools available to achieve these outcomes include:
Device Identity Management
Device Health Monitoring
User Identity & Access Management
Service Segmentation
Traffic Inspection
NCSC CloudClient – A brief history
The predecessor of the UK National Cyber Security Centre (NCSC) initiated a research project a few years back that incorporated the characteristics of Zero Trust networks. The objective of the CESG CloudClient project was to facilitate the secure sharing of IT infrastructure across government, allowing an employee of one department to securely access their online services from collaborating organizations. The project required that the health of devices could be measured and validated across organizational boundaries with a high level of assurance, to ensure that no organization’s security posture was reduced through collaboration, and that user identity management would automate the delivery of defined service components.
The first building block of the resulting architecture was a security-focused operating system optimized for accessing online services - effectively a secure platform to launch a browser.
Adopting a browser-based operating system simplifies the process of validating device identity or health, as it becomes viable to cryptographically validate all firmware, operating system and application software components – a task that is problematic for a full-blown general purpose operating system.
The CloudClient project resulted in the end-to-end implementation of a Remote Attestation protocol for a desktop environment compliant with the relevant Trusted Platform Group open standard, using a Trusted Platform Module as a hardware root of trust. At a high level, this means that an organization can be confident in not just the identity of a device, but its integrity. A device in a known healthy state indicates that no malware or unauthorized software is present.
The CloudClient architecture utilizes the SAML (Security Assertion Mark-up Language) authentication protocol that allows collaborating organizations to exchange authentication parameters as part of a federated device identity model. This allows web services to be published that can then create end-to-end encrypted sessions with 3rd party devices at the same level of confidence as internally managed devices. Two factor user authentication is implemented using physical smartcards, with associated policies defining granular authorized service access.
A real world deployment
Whilst CloudClient was a research project, its successful outcomes were subsequently adopted across both UK government departments and private sector organizations within the Critical National Infrastructure. Well aligned with a ‘cloud first’ policy, the ‘cloud client’ model allowed a number of security benefits to be derived by optimizing end user devices for cloud access. However, in addition to security, the need to optimize usability proved a key driver for user adoption. Even with some of the most sensitive government environments, security today needs to be as automated and transparent as possible, whether that is single sign-on, timely certificate management or automated patching. These are all necessary characteristics of a well-designed Zero Trust architecture.
Security operations overheads may also be reduced through the cloud client model, as a light-weight and secured OS can significantly change the security event monitoring landscape. Minimizing the software stack with a browser-based model reduces security auditing ‘noise’ from endpoints, while cryptographically enforced health checks provide a very low-volume high-value audit profile. This can offset the potential for increased network traffic logging and inspection as advocated by the Zero Trust model.
With NCSC and wider UK government’s preference for commercial off-the-shelf products, Becrypt has been able to productize the project’s outputs in the form of an end user device platform called Paradox (no formal endorsement by NCSC implied).
Lessons learned
The CloudClient program and subsequent real-world deployments have shown how a standards-based approach can be adopted to combine both device health and identity management with user identity management to provide granular access to services. Beyond security the model also demonstrated how the typical cloud benefits of security, cost and flexibility can be extended to the end user device infrastructure. When moving to cloud and online services, there is a temptation to focus on the benefits that the chosen cloud-based infrastructure can offer, but when the endpoint needs little more than a browser, it becomes difficult to justify a general-purpose OS, and easier to implement Zero Trust enabling controls.
To date, Paradox has been deployed to secure desktops, laptops and kiosks with a range of use cases from standard enterprise access to O365, to the more specialized examples of SOC hosting and control of 3rd party supplier access, providing varied examples of the shift towards a Zero Trust model.
US
UK