The Zero Trust Approach to Important Control Planes
Although zero trust as a concept has been around for over 10 years, it is only recently that it has been recognized and accepted as a leading strategy for securing the modern enterprise. In this blog, we set out how we approach zero trust from a practical perspective, with particular emphasis on how it will affect our end-user colleagues.
Zero Trust Key Concepts
Zero trust, as a set of design ideas and principles for a security architecture, allows for numerous interpretations of how to approach an efficient and safe implementation.
There are a number of control points at which assessments should be made. It is important to realize that humans, devices, and applications all have specific checks to which they must be subjected to confirm trustworthiness.
The key concept is that the network perimeter, by itself, is not a factor in determining trustworthiness. The basic assumption is that there is no difference between an access request being made to a resource that is either on our network or in another environment such as a public cloud provider. Controls have to be employed on the assumption that every network is untrusted.
So, in a completely untrusted world, where are the control points that determine access?
Cisco’s Zero Trust Security 3Ws: Workforce, Workload, Workplace
Cisco has developed a model for translating zero trust ideas into practice. We refer to this as the 3Ws approach: The Workforce, the Workload and the Workplace.
These are outlined as follows:
Workforce: Any interaction between end users and information systems. Validation must include both the identity of the user, preferably using biometrics and a secure enclave/TPM (trusted platform module) where available, and the access device.
Common challenges involve restricted availability of authentication methods and difficulty in gaining visibility of non-managed devices.
Workload: Interactions between applications and services. Attackers can hijack the pathways used by legitimate applications to send malicious traffic across a network. It is important to assess this traffic and assure it is legitimate. It’s also important to inspect processes to ensure they are legitimate.
Common challenges are usually related to the scale of an environment, a lack of knowledge of what legitimate traffic looks like, and difficulty gaining visibility into which services are legitimate and essential.
Workplace: Interactions between devices in the environment. In the IoT world, device counts are skyrocketing, and so are their capabilities. Security is often a secondary concern for manufacturers, so it falls to the customer to ensure these devices’ communications are appropriate and secure.
Common challenges are often, again, related to the scale of the problem and difficulty in defining what is legitimate.
The diagram below shows some of the most important control points, and outlines Cisco’s 3Ws model for discussing zero trust.
These control points enable a policy-based decision when access is requested. These policies take into account the risk level of the resource that is being accessed as well as the conditions of the access. So, a high-risk resource will require a higher level of examination and approval before access is granted.
Let’s look at this area in a bit more detail.
The Workforce Control Points
The Workforce is represented by the two control points at the top left of the diagram. It is critical that organizations verify user identities using strong authentication, and that they verify devices with equal rigor. A failure in either area can lead to equally serious breaches.
We need to be able to build a complete picture of the access based on a set of parameters. This must include non-managed devices as well as managed ones, as they are inevitably a part of any environment, whether officially permitted or not.
The annals of cybersecurity are particularly filled with attacks that were facilitated by devices that didn’t have their data stores encrypted, devices that didn’t have their firewalls enabled, and devices that didn’t even have a viable password.
These are all easy things to validate during an authentication, and most are even easy enough for end users to remediate themselves, given a little bit of guidance. Yet, many organizations don’t check these things, or if they do, they only do it on devices that they own.
If any of these parameters is not in an acceptable state, then even if we are certain of the end user’s identity, access should be blocked. This is where “2FA” truly becomes “MFA.”
When we set these parameters in a granular fashion and match them to individual applications and services (and not based on network location), then MFA begins the transformation into zero trust.
The Importance of the User
Often overlooked, or seen as a “nice to have,” is user experience. Security professionals often see the ability to block/deny actions as paramount. They are prone to seeing security solutions as zero-sum: either the user complies with the rules or their access is denied.
The reality is more complex. In the age of cloud, users are not always constrained by the tools they are provided by their organization. If the barrier to accomplishing a given task with the provided tools is too high, they simply find their own tools. So, the problem of Shadow IT is born.
As we drive security to the endpoint and ask the user to validate themselves and the devices they are using, we are also including them in the security process.
When designing the solution, user experience is NOT secondary for end users or for administrators.
Centralized administration is also key. Agility is an important capability to have when adapting to changing circumstances, and centralized administration delivers it. Distributed policies and fragmented management create gaps and oversights. Fragmentation also adds hidden costs to the management and maintenance of any such solution.
A proper solution is designed to interfere in the user’s life as little as possible, and to allow the user as much control over their experience as possible.
Cisco relies on Duo to deliver these key administration and user experience capabilities.
The solution is designed to integrate flexibly so that “rip and replace” is never a requirement, and that customers can begin their journey to zero trust wherever they want.
In order to ensure compatibility from legacy systems all the way to the modern day, we need support for RADIUS, LDAP, and SAML 2.0. When combined with Cisco ISE, we can also reach even low-level switches and routers communicating via TACACS (Terminal Access Controller Access-Control System). This is in addition to our native plugins for SSH (secure shell) and numerous popular IAM (identity and access management) applications like Sailpoint.
Beyond making the Duo deployment itself more hassle-free, this flexibility also reduces the risk of larger IAM transformation projects. Customers aren’t forced to align their IAM choices to their security choices. Instead, their choice of a best-of-breed security solution in Duo also frees them to make a best-of-breed choice in the Identity Management space.
“When speaking to CISOs about zero trust one of the most common responses is to ask where they should start. Having a clear architecture is the best way to define your starting point.” — Richard Archdeacon, Advisory CISO, Duo
The Five-Step Journey to Zero Trust
Every company is different, and so there is no single “right” way to get started with zero trust. Even within the workforce, we can divide the journey into five distinct steps.
Step 1 - User Verification
The journey begins with establishing user trust: using multi-factor authentication to confirm user identities. If we cannot be sure of user identity, we should block access to a protected application. Duo supports at least eight different methods of authentication, from traditional hardware tokens to modern WebAuthn biometric authentication.
Key Outcomes: Increased compliance through the discovery and control of users, whilst ensuring consistency & ease of use remain a priority.
Step 2 - Device Visibility
One automatic side effect of protecting applications with Duo is device visibility. Security value is gained at each step along the way, which allows for gentler rollouts.
Duo’s experience in the market has repeatedly shown that, even in proofs of concept, there are often orders of magnitude more devices present in customer environments than customers realize. This often comes from contractor and personal devices, and is usually a surprise to customers who either don’t do device management or who only do it via MDM.
This generally leads to a desire to gain further visibility into the trustworthiness of these devices.
Key Outcomes: Discovery and visibility of what and how many devices are accessing corporate applications, providing an accurate view of device security posture.
Step 3 - Adaptive, Contextual Policies
Once we can verify both users and devices, we want to ensure that our policies are appropriate for the applications they’re meant to protect, and granular enough to meet security requirements.
This can be done at the group, application, or global levels and often includes a combination of all three.
Key Outcomes: Rules to control access to assets aligned to risk and sensitivity, closing security gaps without disrupting workflow.
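As an added example (not Duo’s or Cisco’s code), the access decision described in the posture discussion above and in Step 3: global, group and application policies are merged, the MFA method and device posture are checked against the result, and the network the request came from plays no part. All policy values, check names and sample devices are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    disk_encrypted: bool
    firewall_enabled: bool
    password_set: bool
    managed: bool

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_method: str     # constructed values: "webauthn", "hw_token", "push", "sms", "none"
    device: Device
    app: str
    network: str        # carried only to show it plays no part in the decision

# Three policy layers (constructed sample values). Global applies everywhere;
# group and application layers can only tighten it, never loosen it.
GLOBAL_POLICY = {"mfa": {"webauthn", "hw_token", "push", "sms"}, "posture": {"password_set"}}
GROUP_POLICY = {"finance": {"posture": {"disk_encrypted"}}}
APP_POLICY = {
    "hr-portal": {"risk": "high", "mfa": {"webauthn", "hw_token"},
                  "posture": {"disk_encrypted", "firewall_enabled"}, "managed_only": True},
    "wiki": {"risk": "low"},
}

def effective_policy(groups, app):
    """Merge the layers: MFA sets intersect, posture checks union, managed flag ORs."""
    layers = [GLOBAL_POLICY] + [GROUP_POLICY[g] for g in sorted(groups) if g in GROUP_POLICY]
    layers.append(APP_POLICY.get(app, {}))
    mfa, posture, managed_only = None, set(), False
    for layer in layers:
        if "mfa" in layer:
            mfa = set(layer["mfa"]) if mfa is None else mfa & layer["mfa"]
        posture |= layer.get("posture", set())
        managed_only = managed_only or layer.get("managed_only", False)
    return mfa or set(), posture, managed_only

def decide(req):
    """Return ("allow", []) or ("deny", [reasons]); network location is never consulted."""
    mfa, posture, managed_only = effective_policy(req.groups, req.app)
    reasons = []
    if req.mfa_method not in mfa:
        reasons.append(f"mfa:{req.mfa_method}")
    # A verified identity on a device in a bad state is still denied.
    reasons += [f"posture:{c}" for c in sorted(posture) if not getattr(req.device, c)]
    if managed_only and not req.device.managed:
        reasons.append("device:unmanaged")
    return ("allow", []) if not reasons else ("deny", reasons)
```

The same user on the office LAN and in a coffee shop gets the same answer; only the MFA method, the device’s state and the merged policy change it.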
Step 4 - Ensure Device Trustworthiness
Once we see these devices, we need to empower administrators to control, if not the devices themselves, what they can do within the environment. In doing so, we need to deal with personal devices, and we need to do it in a way that doesn’t push users towards using shadow IT solutions.
Duo does this with both agentless checks and a non-privileged Device Health Application that assures users that it cannot and will not make changes to their devices without their permission.
Key Outcomes: Control over device access, securing BYOD strategies, reducing risk from unknown and unmanaged devices.
Step 5 - Zero Trust
Each step along the journey has brought us to a point where we can safely do access control based on users, their devices, and their behavior. When we have confidence in these control points, we no longer need to consider a user’s network location as part of their trustworthiness.
This allows us to provide access to both internal and external applications from anywhere. To make this easier, we can use a reverse proxy to allow users to reach internal applications without having to be part of the network.
Key Outcomes: Providing and securing access to all applications regardless of location, increasing business agility as well as overall security posture.
NCSC Zero Trust Architecture Principles
Aligning to the Zero Trust Architecture Principles as proposed by the National Cyber Security Centre (NCSC)
The NCSC has published 10 principles to help guide organizations when planning their transition to a zero trust architecture.
Duo developed the five-step journey above over two years ago, and it aligns particularly well with these principles.
(Table not reproduced: the five-step journey, including Step 5, Duo Beyond, mapped to the NCSC Zero Trust Architecture Principles.)
“Implementing a zero trust approach for your business colleagues will be a transformation over time. Creating a step-by-step approach reduces any program risk and provides a way of reflecting business outcomes” — Richard Archdeacon, Advisory CISO, Duo
The Next Step
It can be difficult to determine where one is on this journey and what the next steps are, both technically and strategically.
We’ve put a lot of work into helping customers make this determination of where they are and where they’d like to go.
Cisco is in a great position to help guide you on your own zero trust journey and is able to run workshops tailored to your own requirements.
Learn more by visiting Duo Zero Trust Security.
Try Duo For Free
With our free 30-day trial, you can see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.