- Asserted identity
- Identity on a network is always an assertion about an abstraction of a user. The identity system “asserts” that a device is generating packets under the control of the asserted user; that assertion must be validated before it is used in policy.
- Attack surface
- An organization's attack surface is made up of all the points at which a threat actor can attempt to exploit a weakness to gain unauthorized access to an environment. One security strategy is to reduce the attack surface; in practice this is difficult, because many services must be reachable from the Internet, so the whole world becomes a potential attack surface.
- Bring your own device (BYOD)
- Many organizations allow employees to bring their own consumer devices into the organization to access company resources or services. For many security teams BYOD comes with the challenge of applying security controls to all the various types of personally owned devices.
- Cloud access security broker (CASB)
- Many organizations cannot get the same visibility into, or control over, cloud-based services that they have over on-premises systems. CASB services use proxies or API integrations with the cloud provider to help security teams apply security controls to cloud-based services.
- Data, applications, assets, and services (DAAS)
- DAAS is an acronym that stands for data, applications, assets, and services, which define the sensitive resources that should go into individual protect surfaces. DAAS elements include:
- Data—This is sensitive data that can get an organization in trouble if it is exfiltrated or misused. Examples of sensitive data include payment card information (PCI), protected health information (PHI), personally identifiable information (PII), and intellectual property (IP).
- Applications—Typically these are applications that use sensitive data or control critical assets.
- Assets—Assets could include IT (information technology), OT (operational technology), or IoT (Internet of Things) devices such as point-of-sale terminals, SCADA controls, manufacturing systems, and networked medical devices.
- Services—These are sensitive, often fragile services that your business depends upon. The most common services that should be protected in a Zero Trust manner include DNS, DHCP, Active Directory, and NTP.
- Data toxicity
- Data toxicity is the doctrine that sensitive data becomes “toxic” to your organization once it has been stolen or exfiltrated from your networks or systems into the control of malicious actors. The data has become toxic because its theft leads to lawsuits, regulatory action, or other negative impact on the business. Every organization has both nontoxic and toxic data. An easy way to recognize toxic data types is to remember the 4Ps of toxic data: PCI (payment card information), PII (personally identifiable information), PHI (protected health information), and IP (intellectual property). Most toxic data falls into this simple framework.
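As an added example (not from this book), the following scanner flags the two of the 4Ps that can be recognized by pattern alone: PCI, via card-number-shaped digit runs that pass the Luhn checksum, and PII, via US Social Security numbers. PHI and IP have no syntactic fingerprint and need labels or context, so they are deliberately not detected. The sample text, the patterns and the masking format are constructed for illustration; 4111 1111 1111 1111 is a well-known test card number.

```python
import re

# Added example: detect the pattern-recognizable "4Ps" (PCI and PII) in text.
# Runs of 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US SSN: area 001-899 excluding 666, group 01-99, serial 0001-9999.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six (BIN) and last four digits, hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_toxic_data(text: str):
    """Return (category, masked_value) pairs found in text; PCI first, then PII."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("PCI", mask_pan(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("PII", "***-**-" + m.group()[-4:]))
    return findings


# Constructed sample: one real-looking card number, one order number that is
# the right length but fails Luhn, and one SSN.
SAMPLE = (
    "Customer paid with 4111 1111 1111 1111 for order 1234567890123; "
    "SSN on file is 123-45-6789."
)

if __name__ == "__main__":
    for category, value in find_toxic_data(SAMPLE):
        print(category, value)
```

The Luhn check is what keeps the order number from being reported: a digit-run regex alone would flag it, so the checksum is the difference between a usable DLP rule and one that drowns analysts in false positives.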
- DevOps
- DevOps is a software development philosophy that shortens the software development life cycle by deploying small software updates continuously and rapidly, with the aim of producing higher-quality, more innovative software.
- Endpoint detection and response (EDR)
- The previous generation of antivirus used file hashes as signatures to identify malware. That required huge amounts of human effort to catalog malicious code, and attackers could evade it simply by modifying the code so that its hash changed. EDR takes a different approach: it records how code behaves on the endpoint (process creation, file and registry changes, network connections) and applies behavioral analytics, often including machine learning, to spot malicious activity. The recorded telemetry lets investigators identify and correlate security events across endpoints and take action on those alerts.
- Granular access control
- Granular access control is the outcome of an explicitly defined Zero Trust Kipling Method Policy statement. Multiple access control criteria provide fine-grained policy for access to a protect surface, making it substantially more difficult to perform a successful attack against that protect surface.
- Identity
- Identity is the validated and authenticated “who” statement that is part of the Kipling Method Policy assertion: “Who” should have access to a resource?
- Identity and Access Management (IAM)
- Identity and Access Management is the set of organization-specific policies and controls that manage the life cycle of an identity from creation to removal. Typically there are four areas where organizations manage identities: authentication, authorization, user management, and directory services. In addition, individual identities may inherit permissions from groups, so managing groups of users is also important to an IAM program. The most critical part of an IAM program is the governance of how identities are managed and how policies are created and changed.
- Internet of Things (IoT)
- Many of the devices on a network today aren't desktops or laptops where a human is the primary source of activity. Cameras, card readers, printers, building control systems, personal mobile devices, personal assistants, TVs, gaming devices, and wearables all may attempt to connect to the company network.
- Kipling Method Policy (KMP)
- Zero Trust policy is created using the Kipling Method, named after the writer Rudyard Kipling, who gave the world the idea of Who, What, When, Where, Why and How in a poem in 1902. Since the idea of WWWWWH is well known worldwide, it crosses languages and cultures and allows easily created, easily understood, and easily auditable Zero Trust policy statements for various technologies. A KMP determines what traffic can transit the microperimeter at any point in time, preventing unauthorized access to your protect surface while preventing the exfiltration of sensitive data into the hands of malicious actors. True Zero Trust requires Layer 7 technology to be fully effective. The Kipling Method describes a Layer 7 Zero Trust granular policy.
Using the Kipling Method, you create Zero Trust policy systematically by answering the following questions:
- Who should be allowed to access a resource? The validated “asserted identity” will be defined in the Who statement. This replaces the source IP address in a traditional firewall rule.
- What application is the asserted identity allowed to use to access the resource? In almost all cases, protect surfaces are accessed via an application. The application traffic should be validated at Layer 7 to keep attackers from impersonating the application at the port and protocol level and using the rule maliciously. The What statement replaces port and protocol designations in traditional firewall rules.
- When defines a time frame: when is the asserted identity allowed to access the resource? It is common for rules to be instantiated 24/7, but many rules should be time limited and turned off when authorized users do not typically use them. Attackers take advantage of always-on rules and attack when approved users are away from the system, making the attacks harder to discover.
- Where are the locations from which a resource will be accessed? Where are the resources located? Where defines the position of a specific location, object, or device. The Where statement replaces the destination IP address in traditional firewall rules. The geolocation of a resource should always be known, and impossible travel rules will alert administrators to spoofing attempts.
- Why are we protecting this resource? The classification of a resource as public, private, secret, or top secret should be aligned with the controls. Many applications mix multiple types of data within the same protect surface, so it is critical to have an inventory that includes compliance requirements, privacy impact, intellectual property, and business considerations.
- How will the resource be protected? This can include all of the controls that should be applied to the protect surface, including encryption and decryption, URL filtering, sandboxing, signatures, anomaly detection, etc.
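To make the six questions concrete, here is an added example (not from this book, and not any vendor's policy language) of one Kipling Method Policy statement for a hypothetical "payroll-db" protect surface, together with a default-deny evaluator that checks an access request against every criterion. All identities, application IDs, locations, control names and the time window are constructed; what matters is that the evaluator denies when the Layer 7 application does not match even though the port is the expected one, and when the request falls outside the When window.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time

# Added example: a Kipling Method Policy statement and a default-deny evaluator.
# All names and values are constructed for illustration.


@dataclass(frozen=True)
class KiplingPolicy:
    resource: str        # the protect surface this statement guards
    who: frozenset       # validated asserted identities or groups
    what: frozenset      # Layer 7 application IDs allowed to reach it
    when: tuple          # (start, end) local time window; start inclusive, end exclusive
    where: frozenset     # locations from which access is permitted
    why: str             # classification that justifies the controls
    how: frozenset       # controls that must be active on the session


@dataclass(frozen=True)
class AccessRequest:
    resource: str
    identity: str
    groups: frozenset
    app_id: str          # what the segmentation gateway identified at Layer 7
    port: int            # the port alone is never sufficient
    at: datetime
    location: str
    controls_applied: frozenset


PAYROLL_DB = KiplingPolicy(
    resource="payroll-db",
    who=frozenset({"payroll-analysts"}),
    what=frozenset({"postgresql"}),
    when=(time(7, 0), time(19, 0)),
    where=frozenset({"hq-datacenter", "hq-office"}),
    why="PII and PCI: payroll records and bank details",
    how=frozenset({"tls-decrypt-inspect", "threat-prevention", "log-session"}),
)


def in_window(at: datetime, window) -> bool:
    start, end = window
    t = at.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end       # window that crosses midnight


def match(policy: KiplingPolicy, req: AccessRequest):
    """Return the unmet Kipling criteria; an empty list means the statement permits the request."""
    if req.resource != policy.resource:
        return ["resource: statement is for a different protect surface"]
    unmet = []
    if not ({req.identity} | req.groups) & policy.who:
        unmet.append("who: asserted identity not permitted")
    if req.app_id not in policy.what:
        unmet.append(f"what: application {req.app_id!r} not permitted (port {req.port} alone is not enough)")
    if not in_window(req.at, policy.when):
        unmet.append("when: outside the allowed time window")
    if req.location not in policy.where:
        unmet.append("where: location not permitted")
    missing = policy.how - req.controls_applied
    if missing:
        unmet.append(f"how: required controls not applied: {sorted(missing)}")
    return unmet


def decide(policies, req: AccessRequest):
    """Default deny: allow only if some statement is satisfied on every criterion."""
    reasons = []
    for policy in policies:
        unmet = match(policy, req)
        if not unmet:
            return "allow", []
        reasons.extend(unmet)
    return "deny", reasons or ["no policy statement covers this protect surface"]


def sample_request(**overrides) -> AccessRequest:
    """A request the PAYROLL_DB statement permits; override fields to exercise denials."""
    base = AccessRequest(
        resource="payroll-db", identity="jsmith", groups=frozenset({"payroll-analysts"}),
        app_id="postgresql", port=5432, at=datetime(2024, 5, 1, 10, 30), location="hq-office",
        controls_applied=frozenset({"tls-decrypt-inspect", "threat-prevention", "log-session"}),
    )
    return replace(base, **overrides)


def demo():
    """Decisions for: a legitimate request, an unknown protocol tunnelled over 5432, and a 03:00 request."""
    return [
        decide([PAYROLL_DB], sample_request())[0],
        decide([PAYROLL_DB], sample_request(app_id="unknown-tcp"))[0],
        decide([PAYROLL_DB], sample_request(at=datetime(2024, 5, 1, 3, 0)))[0],
    ]


if __name__ == "__main__":
    print(demo())
```

The Why field carries no enforcement logic; it is there so that an auditor reading the statement can see which classification justifies the How controls, which is the point of keeping the six questions together in one statement.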
- Least-privilege access
- Least-privilege access asks the question “Does a user need to have access to a specific resource to get their job done?” We give too much access to most users based upon the broken trust model. By mandating a least-privilege, or need-to-know, policy, the ability of a user to perform malicious actions against a resource is severely limited. This mitigates against both stolen credential and insider attacks.
- Managed Security Service Provider (MSSP)
- Because of the challenges of hiring or retaining security staff, many organizations have turned to MSSPs to provide security consulting, SOC, forensics, and incident response, among other key service needs. One of the main benefits of an MSSP is that it has the ability to correlate data from attacks against hundreds or thousands of customers across various industries. It is important to note, however, that an organization can't outsource the responsibility or accountability of security, so there should be an owner of security inside the organization.
- Microperimeter
- When a segmentation gateway (SG) connects to a protect surface and a Layer 7 Kipling Method Policy is deployed, then a microperimeter is placed around the protect surface. The microperimeter ensures that only known approved and validated traffic has access to the protect surface, based upon policy. One architectural principle of Zero Trust is to move your SG as close as possible to the protect surface for the most effective preventative controls enforced by the microperimeter.
- Microsegmentation
- Microsegmentation is the act of creating a small segment in a network so that attackers have difficulty moving around and accessing internal resources. Many networks are “flat,” meaning that there are no internal segments, so if an attacker gets a foothold in the network, they can move around unnoticed to attack resources and steal data. A microperimeter is a type of microsegment. The microperimeter defines a Layer 7 boundary for protections of a DAAS element. Some organizations may choose to use Layer 3 microsegmentation technology inside a microperimeter.
- National Institute of Standards and Technology (NIST)
- NIST is a U.S. government entity that creates and publishes standards across many different industries. The philosophy of NIST is that through creating standards, organizations can better innovate and compete in a global economy. NIST has created a number of indispensable standards when it comes to cybersecurity, including the ones mentioned in this book:
- 800-53—Security and Privacy Controls for Information Systems and Organizations
- 800-61—Computer Security Incident Handling Guide
- 800-84—Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities
- 800-171—Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- 800-207—Zero Trust Architecture
- Operational technology (OT)
- Increasingly, sophisticated threat actors have moved from targeting user desktops or laptops to targeting the control systems that help manage factories, buildings, oil pumps, or smart cities. OT systems interact with the physical environment of an organization and are often a blind spot for security teams.
- Policy engine
- NIST SP 800-207 describes the policy engine as the logical component that makes the final decision to grant or deny access to a resource, which a policy administrator and a policy enforcement point then carry out. It exists to keep Zero Trust implementations focused on least privilege and identity; in principle, a policy engine lets an organization grant just-in-time access to resources, with authentication and authorization evaluated continuously rather than once at login.
- Privileged access management (PAM)
- Among the biggest targets inside an organization are its privileged accounts, such as Active Directory Domain Admin accounts. If compromised, these accounts allow an attacker to take any action they choose inside the organization, and it becomes increasingly difficult to remove an attacker once they have obtained one. PAM tools help protect these accounts and assist organizations in auditing and tracking admin activities to help detect a compromise.
- Protect surface
- The protect surface is the opposite of an attack surface. An attack surface is massive and includes the entire Internet while a protect surface is limited to systems under your control. A Zero Trust strategy focuses on applying tailored controls to protect surfaces rather than attempting to manage a huge attack surface. Each protect surface contains a single DAAS element. Each Zero Trust environment will have multiple protect surfaces.
- Secure Access Service Edge (SASE)
- With the rise in remote access required after the onset of the 2020 pandemic, many organizations wanted to ensure that workers could work from anywhere while the same levels of security were enforced on their devices. SASE tools take many forms but often come as an agent that limits a device's network access based on policy, provides remote browser isolation for Internet access, and proxies access to cloud services.
- Secure web gateway (SWG)
- One of the most common ways of infecting a computer with malware is to have a user click a malicious web address that downloads malware to the user's computer. SWGs help protect users from visiting these malicious websites by acting as a proxy for outbound user traffic from an organization to enforce company policies.
- Security Information Event Management (SIEM)
- Threat actors commonly attempt to hide or destroy evidence that a system has been compromised, and for logs that exist only on the compromised system this is easy to do. In response, security teams forward logs to a centralized logging server that keeps a tamper-resistant copy for use if the organization experiences a breach. SIEM tools parse and normalize log data from many sources into a common schema, which lets them correlate suspicious activity across those sources and alert administrators when malicious activity is detected.
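The parse-normalize-correlate pipeline in that definition, as an added example that is not from this book or any SIEM product: two unrelated log formats (an sshd syslog line and a JSON line from a web application) are mapped to one schema, and a rule then looks for several failed logons followed by a success from the same source address within five minutes. That pattern is invisible in either log alone here, because the failures are in one and the success in the other. Every log line, hostname, username and address is constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: normalize two log formats into one schema, then correlate.
# All log lines and addresses below are constructed.

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def normalize(line: str):
    """Map a raw line to {ts, src, user, outcome, source}, or None if it is not a logon event."""
    line = line.strip()
    if line.startswith("{"):                      # JSON line from the web app
        rec = json.loads(line)
        return {
            "ts": datetime.fromisoformat(rec["time"]),
            "src": rec["client_ip"],
            "user": rec["user"],
            "outcome": "success" if rec["result"] == "ok" else "failure",
            "source": "webapp",
        }
    m = SSHD_RE.match(line)                       # syslog line from sshd
    if m:
        return {
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "user": m["user"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "source": "sshd",
        }
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when a source has >= threshold failures inside `window` and then succeeds."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        recent_failures = []
        for e in evs:
            recent_failures = [f for f in recent_failures if e["ts"] - f["ts"] <= window]
            if e["outcome"] == "failure":
                recent_failures.append(e)
            elif len(recent_failures) >= threshold:
                alerts.append({
                    "src": src,
                    "user": e["user"],
                    "failures": len(recent_failures),
                    "sources": sorted({f["source"] for f in recent_failures} | {e["source"]}),
                    "first_failure": recent_failures[0]["ts"].isoformat(),
                    "success_at": e["ts"].isoformat(),
                })
                recent_failures = []
    return alerts


# Constructed sample: three sshd failures from 203.0.113.7, then a successful
# web-app logon from the same address; a normal user from another address; and
# one unrelated kernel line that the normalizer must ignore.
RAW_LOGS = [
    "2024-05-01T09:00:01+00:00 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2",
    "2024-05-01T09:00:09+00:00 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51020 ssh2",
    "2024-05-01T09:00:40+00:00 bastion sshd[2210]: Failed password for jsmith from 203.0.113.7 port 51031 ssh2",
    '{"time": "2024-05-01T09:03:30+00:00", "client_ip": "203.0.113.7", "user": "jsmith", "result": "ok"}',
    "2024-05-01T09:01:15+00:00 bastion sshd[2215]: Failed password for alice from 198.51.100.20 port 40122 ssh2",
    "2024-05-01T09:01:30+00:00 bastion sshd[2216]: Accepted password for alice from 198.51.100.20 port 40122 ssh2",
    "2024-05-01T09:02:00+00:00 bastion kernel: eth0: link up",
]


def run_demo():
    events = [e for e in map(normalize, RAW_LOGS) if e]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The single-failure-then-success from 198.51.100.20 is a user mistyping a password once and is not alerted on; the threshold and window are the knobs a SOC tunes to keep that distinction.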
- Security Operations Center (SOC)
- Many organizations choose to employ a SOC to provide 24x7 monitoring of security telemetry from SIEM systems, network detection and response tools, or API integrations with the organization's EDR, SOAR, SWG, CASB, PAM, or SASE tools.
- Security orchestration, automation, and response (SOAR)
- SOCs typically gather inputs from many different sources and require analysts to review information from multiple systems for investigations and then take action in many different additional systems to respond to threats. SOAR systems rely on playbooks designed by organizations to correlate specific types of activity and then create automated responses based on those detections, reducing the time it takes to respond to a threat from hours to seconds.
- Segmentation gateway (SG)
- A segmentation gateway is a Layer 7 gateway designed to segment networks based upon users, applications, and data. Segmentation gateways are the primary technology used to enforce Layer 7 policy in Zero Trust environments. Segmentation gateways can be physical (PSG) when used in traditional on-premises networks, or virtual (VSG) when used in public or private clouds. Next-generation firewalls traditionally function as segmentation gateways when they are deployed in Zero Trust environments.
- Software as a Service (SaaS)
- SaaS is the model of selling software that is delivered to a user through a cloud-based platform rather than the typical licensing model of installing the software on a user's computer. The SaaS model has the advantage to customers in terms of speed of delivery, while software companies benefit from only supporting the current version of the software rather than many legacy versions. The challenge of SaaS for security teams is the lack of visibility and control over user activity in this model, and many organizations choose to implement a CASB in order to get this control back.
- Trust levels
- The existing cybersecurity paradigm is based upon a broken trust model where all systems external to the corporate networks are considered “untrusted” and those inside the corporate networks are known as “trusted.” It is this flaw that undergirds Zero Trust. Trust is a human emotion injected into digital systems for no technical reason. It is not measurable. Trust is binary. All successful cyberattacks exploit trust in some manner, making trust a dangerous vulnerability that must be mitigated. In Zero Trust, all packets are untrusted and are treated exactly the same as every other packet flowing across the system. The trust level is defined as zero, hence the term Zero Trust.
- Web application firewall (WAF)
- A traditional firewall enforces policy at the IP address and TCP/UDP port level. It has no awareness of what happens at the application layer of a session, so it cannot protect against web-based attacks such as SQL injection or cross-site scripting. A WAF, in contrast, operates at the application layer: it applies signature-based rules to stop common attacks such as those in the OWASP Top 10, enforces input validation for the sites it fronts, and detects credential stuffing, in which threat actors replay compromised username and password pairs against a login page to reach sensitive resources.
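The three WAF functions named above, reduced to their essentials in an added example (not from this book or any WAF product): signature rules for SQL injection and cross-site scripting, positive input validation for parameters whose shape is known, and a credential-stuffing detector that counts distinct usernames tried from one client address. The rule names, patterns, parameter schemas, thresholds and sample requests are all constructed; a production WAF has far larger rule sets, but the structure is the same.

```python
import re
from collections import defaultdict, deque
from urllib.parse import unquote_plus

# Added example: minimal WAF request inspection and credential-stuffing detection.
# Rule names, schemas and thresholds are constructed for illustration.

SIGNATURES = [
    ("sqli-union-select", re.compile(r"(?i)\bunion\b\s+(?:all\s+)?select\b")),
    ("sqli-tautology",    re.compile(r"(?i)'\s*or\s*'[^']*'\s*=\s*'")),
    ("sqli-stacked",      re.compile(r"(?i);\s*(?:drop|delete|insert|update)\b")),
    ("xss-script-tag",    re.compile(r"(?i)<\s*script\b")),
    ("xss-event-handler", re.compile(r"(?i)\bon(?:error|load|mouseover)\s*=")),
]

# Positive validation: parameters with a known shape are allow-listed, so
# anything that does not fit is rejected before any signature is consulted.
PARAM_SCHEMAS = {
    "account_id": re.compile(r"^\d{1,10}$"),
    "page": re.compile(r"^\d{1,3}$"),
}


def inspect_request(params: dict):
    """Return the rule names that fire for one request's query/form parameters."""
    hits = []
    for name, raw in params.items():
        value = unquote_plus(raw)          # inspect what the application will actually see
        schema = PARAM_SCHEMAS.get(name)
        if schema and not schema.match(value):
            hits.append(f"schema:{name}")
            continue
        for rule, pattern in SIGNATURES:
            if pattern.search(value):
                hits.append(rule)
    return hits


class CredentialStuffingDetector:
    """Flag a client that tries more than `max_users` distinct usernames within `window_s` seconds."""

    def __init__(self, max_users=5, window_s=60):
        self.max_users = max_users
        self.window_s = window_s
        self.attempts = defaultdict(deque)     # client_ip -> deque of (timestamp, username)

    def record(self, client_ip: str, username: str, ts: float) -> bool:
        """Record one login attempt; return True if the client now looks like credential stuffing."""
        q = self.attempts[client_ip]
        q.append((ts, username))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()                        # drop attempts older than the window
        return len({u for _, u in q}) > self.max_users


if __name__ == "__main__":
    print(inspect_request({"q": "blue+shoes", "page": "2"}))
    print(inspect_request({"q": "1%27+OR+%271%27%3D%271", "account_id": "12abc"}))
    det = CredentialStuffingDetector()
    for i in range(7):                         # seven different usernames in 30 seconds
        print(det.record("203.0.113.9", f"user{i}@example.com", 1700000000 + i * 5))
```

Credential stuffing is distinguished from a plain brute-force attack by the many-users-few-passwords shape, which is why the detector counts distinct usernames per source rather than failed attempts; a port-level firewall sees only one TCP connection after another and cannot make either distinction.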
- Zero Trust
- Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating digital trust from your organization. Rooted in the principle of “never trust, always verify,” Zero Trust is designed as a strategy that will resonate with the highest levels of any organization yet can be tactically deployed using off-the-shelf technology. Zero Trust strategy is decoupled from technology, so while technologies will improve and change over time, the strategy remains the same.
- Zero Trust architecture
- Your Zero Trust architecture is the compilation of the tools and technologies used to deploy and build your Zero Trust environment. This technology is fully dependent upon the protect surface you are protecting, as Zero Trust is designed from the inside out, starting at the protect surface and moving outward from there. Typically, the protect surface will be protected by a Layer 7 segmentation gateway that creates a microperimeter that enforces Layer 7 controls with Kipling Method Policy. Every Zero Trust architecture is tailor made for an individual protect surface.
- Zero Trust environment
- A Zero Trust environment designates the location of your Zero Trust architecture, consisting of a single protect surface containing a single DAAS element. Zero Trust environments are places where Zero Trust controls and policies are deployed. These environments include traditional on-premises networks such as data centers, public clouds, private clouds, endpoints, or across an SD-WAN.
- Zero Trust Network Access (ZTNA)
- Coined by Gartner in 2019, the term ZTNA refers to a category of tools that provide authenticated, policy-based access to private applications and networks. The term broadens remote access beyond older technologies such as virtual private networks (VPNs) to include secure web gateways (SWGs) and Secure Access Service Edge (SASE) agents.