Cybersecurity in the business world has continued to grow more complex with the advent of telework. One of the factors that has facilitated remote work is the move to the cloud, i.e. the migration (partial or total) of the information system from physical servers administered within the company to cloud-hosted servers that are managed remotely, most often through web interfaces. The democratization of online productivity suites such as Google Workspace has freed employees from geographical constraints, allowing them to work regardless of location and often even of hardware. It is no longer uncommon to see consultants using the same PC for both personal and professional purposes.
In my article on DevSecOps, I mentioned the need to move from perimeter security to security integrated into the application in order to better understand threats. The principle of zero trust, also called zero trust network access (ZTNA), is not new. It was formulated nearly 20 years ago, in 2003, by the Jericho Forum. Several factors explain its current rise:
- the digital transformation of companies is driven by the arrival on the labor market of “digital natives”, a generation that has always known the Internet and, for its youngest members, smartphones.
- the ransomware threat is now recognized by the general public, and studies by large groups such as IBM only confirm the rising costs produced by these attacks.
- the generalization of clouds (Google Cloud Platform, Amazon AWS, Microsoft Azure, etc.) has transformed technical architectures, reduced the number of servers hosted on-premises within the company and reduced the relevance of VPNs.
Principles of application
The National Institute of Standards and Technology (NIST), a division of the United States Department of Commerce, published the “800-207 Zero Trust Architecture” specification in August 2020, which defines 7 principles on which a Zero Trust architecture (ZTA) is based:
- All data, network services and equipment are considered resources, which must be secured by design.
- All communications are secured regardless of network location.
- Each attempt to access a resource is checked and evaluated according to the security policy defined by the organization. Systematic authentication and access control must be based on previously defined authorizations.
- Access to a resource is subject to a dynamic access policy that takes into account several factors: the identity of the client, the state of the service requesting access (installed versions, certificates, etc.), behavioral attributes (analysis of the equipment, discrepancies observed relative to the recorded usage pattern, etc.) and finally environmental attributes (network location, attacks recorded, etc.).
- The organization must set up a real-time monitoring system aimed at controlling the proper functioning of the information system and reporting any anomaly or interruption that would expose it to a high security risk (for example, a security operations center (SOC)).
- Authentication and authorization mechanisms are dynamic and can be strengthened before access is granted through the implementation of MFA (multi-factor authentication).
- The company provides constant security supervision by collecting as much information as possible on the current state of resources, the network infrastructure and the communications in progress on it (for example, through the implementation of a SIEM, Security Information & Event Management).
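As an added illustration of the dynamic access policy and step-up authentication described in the fourth and sixth principles above (this is not code from the original article or from NIST), the following Python policy decision point combines the identity, device-state, behavioral and environmental attributes listed there into a per-request decision. The user/resource authorization table, the minimum OS version, the anomaly score and its thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"  # strengthen authentication before granting access
    DENY = "deny"


@dataclass
class AccessRequest:
    user: str
    authenticated: bool
    mfa_verified: bool
    device_os_version: str   # device state, e.g. "14.2"
    device_cert_valid: bool  # device state: client certificate still valid
    anomaly_score: float     # behavioral attribute, 0.0 (usual) .. 1.0 (very unusual); constructed metric
    network_location: str    # environmental: "corporate", "home" or "unknown"
    active_incident: bool    # environmental: attacks currently recorded on the network


# Constructed policy inputs: authorizations defined in advance and a hypothetical minimum OS version.
AUTHORIZED = {"alice": {"crm", "wiki"}, "bob": {"wiki"}}
MIN_OS_VERSION = (14, 0)


def _version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def evaluate(req: AccessRequest, resource: str) -> Decision:
    """Decide one access attempt; every request is re-evaluated, nothing is trusted by location alone."""
    # Identity: the client must be authenticated and the resource previously authorized for it.
    if not req.authenticated or resource not in AUTHORIZED.get(req.user, set()):
        return Decision.DENY
    # Device state: an invalid certificate or an outdated OS disqualifies the device.
    if not req.device_cert_valid or _version(req.device_os_version) < MIN_OS_VERSION:
        return Decision.DENY
    # Behavioral attribute: a large deviation from recorded usage is refused outright.
    if req.anomaly_score >= 0.8:
        return Decision.DENY
    # Environmental attributes and milder anomalies raise the required assurance level.
    risky = (req.network_location != "corporate" or req.active_incident
             or req.anomaly_score >= 0.4)
    if risky and not req.mfa_verified:
        return Decision.STEP_UP_MFA
    return Decision.ALLOW
```

Note that even a request from the corporate network still goes through the identity and device checks; location only decides whether MFA is required.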
A Zero Trust strategy is therefore composed of a multitude of building blocks that stack layers of security and complicate the task of attackers. Whether these blocks are methodological (risk analysis is an essential prerequisite), procedural (identity and access management (IAM) makes it possible to manage users' authorizations on the information system and to implement the principle of least privilege for applications) or technical (such as a cloud proxy replacing traditional VPNs), zero trust encompasses a multitude of tools to secure new digital uses.
This is not a passing fad in cybersecurity but the modernization of existing tools to adapt to user practices (GDPR compliance by design) and to external threats (better responses to ransomware). One can nevertheless wonder whether the multiplication of acronyms around this strategy does not end up harming it.