For want of a better term, the ‘Cyber Security Industry’ has for many years now followed a terminology based, trending pattern attempting to achieve robust solutions to accommodate protection of digital assets – a following which, by inference drawn from the multiples of successful cyber-attacks which have occurred against, supposedly well-defended deployments do tend to leave a hanging question in the air when it comes to trust! The latest security terminology to fall into the cyber-security solution dictionary is that of Zero Trust – but just what does this amount to in a purist definition of the overarching operational objectives? According to cloudflare the definition of Zero Trust is as follows:
“Zero Trust security is an IT security model that requires strict identify verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. Zero Trust Network Access (ZTNA) is the main technology associated with Zero Trust architecture; but Zero Trust is a holistic approach to network security that incorporates several different principles and technologies.
More simply put, traditional IT network security trusts anyone and anything inside the network. A Zero Trust architecture trusts no one and nothing.
Traditional IT network security is based on the Castle-and-Moat concept. In Castle-and-Moat security, it is hard to obtain access from outside the network, but everyone inside the network is trusted by default. The problem with this approach is, once an attacker gains access to the network, they have free rein over everything inside.”
ZTNA: This is the technology which makes it possible to implement a ZTNA Security Model. “Zero Trust” is an IT Security Model (as you can see, we have a shift here back to the past terminology of IT Security) that assumes threats are present both inside and outside a network. Consequently, Zero Trust requires strict verification for every user and every device before authorizing them to access internal resources.
The Castle-and-Moat Concept: It is worthy of note to consider the recent compromise of the trustworthy TPM (Trusted Platform Module) component born out of its methodology of insecure communication protocols with the related chipset of the motherboard. The successful attack against the trusted TPM technology in this case applied an indirect route to overcome the chip-based Castle-and-Moat security schema. Here, the research team employed an approach of not attacking the well defended and technologically protected TPM Chip (say, Fort Knox within the Castle-and-Moat ), but instead focused on the way the TPM Chip communicated with the other associated components in the secure-life cycle process – going after the not to protected Armoured Car – an approach which accomplished a successful compromise of the TPM, thus far a trusted security component by multiples of global organisations which was compromised in under 30 minutes!
It may thus be suggested at this juncture that the trusting the concept of Zero Trust is fraught with potentials to allow a state of trusted compromise to occur, or to be embed with the trusted organisational infrastructure. Thus, the fact is, no matter how loud the verbal utterance of the term Zero Trust is announced, the simple case for an argument is based on the size and complexity of the multi-faceted, conjoined technological environment which presents an enormous challenge. Thus, to promote the conceptual balanced approach of the ZTNA model toward a more robust state of trustworthiness, steps should be taken to look to complimentary value-add areas which can accommodate and underpin robustness of the Zero Trust concept – enter:
Certifications
Standards
Certifications: The first element of underpinning to the concept of Zero Trust and the ZTNA, is to look toward the value of the NCSC (GCHQ) product Certifications, in which the trustworthiness of the trusted components to be employed, and relied upon in the overall security schema have been robustly, and independently evaluated, tested, and proven to do what they say of the tin – unlike, for example trusting an a hard-drive based encryption approach say, based on TPM and BitLocker which have not been evaluated as to what the real-worth of their presumed trusted security model may actually be. But what do I know? Well, in this capacity I have been fortunate enough to have seen this system perform at close quarters with engagements to assist multiples of security vendors to achieve certification, one of which was iStorage who were awarded Certified Product Status through the CPA (Commercial Product Assurance) Program – See Image 1.
Image 1 – CPA Statement of Conformity
An argument of course may be that the price tag of a trusted product may be much higher than that of an alternative, untrusted substitute which has not been through the costly process of evaluation under the wing of the NCSC; or it is much more cost prohibitive than that of the, say, BitLocker TPM approach to delivering a suggested, trusted encryption solution! But of course, the counter argument here is, if there is a desire to run toward the concept of Zero Trust, it may be worth investing in what is a known trusted product to set the scene of robust trustworthiness though the application of independent, qualified robust testing and evaluations as an additional building block which represents robust trust in the delivery of a Zero Trust environment objective.
Standards: As the last, and longest serving Chair of the DTI (Department of Trade and Industry) ISO/IEC 27001 Steering Committee, I clearly have a longer-term vested interest in this area of security underpin and have along the years assisted multiples of Government and Commercial organisations though the ISO/IEC 27001 process to be awarded Accredited Status under the ISO/IEC 27001 Standard. The value here is twofold:
Following and applying the pre-planned, defined Control Objectives enables the organisation to deliver their Mandated Security Posture to accommodate an increased level of trust, thus moving closer to the conceptual state of the Zero Trust model
To provision and inspire confidence in the trustworthiness in the organisational approach to delivering and supporting the overall Security Posture, building in confidence within their Third Party, Associates and Client engagement space – inspiring Zero Trust by demonstrating the robustness of Security Control Objectives
Thus, by following and applying the mandated underpin of the robust application of planned, predefined, documented Control Objectives to deliver the operational Security Posture as outlined within the scope of the ISMS (Information Security Management System) is yet another Building Block upon which a trusted Zero Trust posture may be better positioned
Conclusion:
To be clear, I am not for one moment suggesting that if an organisation embraces NCSC Certified Products or follows the route of Security Objectives born out of the ISO/IEC 27001, or for that, any other such standards such as TOGAF, they will achieve a complete trusted Zero Trust, or ZTNA deployment. However, what I am saying is, if the conceptual state of a trusted Zero Trust, ZTNA environment is being sought, to underpin such an operational environment with trusted Building Block products and applications which have been independently verified, along with a standardised, mandated approach to deliver the overall security posture can only lead to a higher level of confidence and trustworthiness in the approach taken toward that trusted Zero Trust operational state. I guess it’s a bit like driving a high-performance vehicle at 100 mph (where you can) for a continued period – for me I want a set of trusted, branded tyres on the car, and not a set of remoulds which look good on the outside – if you take my drift!
On the 29 September 2021I, I will be taking part in the UNLOCKS ZERO TRUST SC Media event on in which the concept of Zero Trust will be considered from all angles – I hope you will be able to join us to both listen, and to participate to take this conversation of trust to the next level.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.