On January 12, 2010, Google published a blog post revealing to the world that it had been breached by attackers sponsored by a nation state. The attack is now known as ‘Operation Aurora’.[i] Subsequent investigations showed that many other enterprises and government organizations had been breached by the same attackers. Among other things, these hackers were targeting source code repositories via software configuration management systems. Any attacker who had already breached perimeter network security and established a presence on an internal system could reach these systems.
As a result of these attacks, the network operations community came to recognize that traditional, perimeter-based security was no longer enough. Google defined a new security paradigm, which it called ‘BeyondCorp’. The principles of BeyondCorp are: (1) access to services must not be determined by the network from which you connect; (2) access to services is granted based on contextual factors from the user and their device; (3) access to services must be authenticated, authorized and encrypted.[ii]
Subsequently, IT and security teams began to adopt micro-segmentation of the network, with security controls between segments to limit the impact of breaches. Role-Based Access Control (RBAC) mechanisms were also put in place, granting access on a need-to-know basis. The level of access was modified in real time based on dynamic risk information about users and their devices, obtained through continuous monitoring of user activity and device posture. Collectively, these practices gave rise to the notion of Zero Trust, with the mantra ‘never trust, always verify’.
Gartner coined the term Zero Trust Network Access (ZTNA) to describe the idea that traditional network-based implicit trust should be replaced with explicit identity-based trust. ZTNA calls for granular access to specific applications based on the identity of users and devices, along with other contextual attributes such as time and date, geolocation, and device posture.
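To make the BeyondCorp principles and the ZTNA attributes above concrete, here is a small per-application access policy evaluator. It is an added example written for this article, not code from Google, Gartner or any ZTNA product; the application names, group names, country list and hour windows in `APP_POLICY` are constructed for illustration. The decision depends only on user group membership, MFA, device posture, geolocation and time; the request's source network is carried along for logging but deliberately never consulted, so a request from the corporate LAN and the same request from the internet get the same answer.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DevicePosture:
    """Attributes a device-management or EDR agent would report (constructed)."""
    managed: bool          # enrolled in device management
    disk_encrypted: bool
    os_patched: bool
    edr_running: bool

    def healthy(self) -> bool:
        return self.managed and self.disk_encrypted and self.os_patched and self.edr_running


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    posture: DevicePosture
    mfa_satisfied: bool
    country: str           # geolocation of the request
    when: datetime         # timezone-aware timestamp of the request
    source_network: str    # e.g. "corp-lan" or "internet"; logged, never used for the decision


# Hypothetical per-application policy (constructed for this example).
APP_POLICY = {
    "source-control": {
        "groups": {"engineering"},
        "require_mfa": True,
        "allowed_countries": {"US", "DE"},
        "hours_utc": (6, 22),   # [start, end) hour window in UTC
    },
    "wiki": {
        "groups": {"engineering", "staff"},
        "require_mfa": False,
        "allowed_countries": {"US", "DE", "IN"},
        "hours_utc": (0, 24),
    },
}


def evaluate(app: str, req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons).

    Every failed check is recorded rather than short-circuiting, so a denial
    explains itself in the access log. Network origin is not a factor.
    """
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, [f"unknown application {app!r}"]

    reasons = []
    if not req.groups & policy["groups"]:
        reasons.append("user not in an authorized group")
    if policy["require_mfa"] and not req.mfa_satisfied:
        reasons.append("MFA required")
    if not req.posture.healthy():
        reasons.append("device posture unhealthy")
    if req.country not in policy["allowed_countries"]:
        reasons.append(f"geolocation {req.country} not allowed")
    start, end = policy["hours_utc"]
    hour = req.when.astimezone(timezone.utc).hour
    if not (start <= hour < end):
        reasons.append(f"outside allowed hours ({start:02d}-{end:02d} UTC)")
    return (not reasons), reasons


if __name__ == "__main__":
    healthy = DevicePosture(managed=True, disk_encrypted=True, os_patched=True, edr_running=True)
    now = datetime(2024, 5, 6, 14, 0, tzinfo=timezone.utc)
    for net in ("corp-lan", "internet"):
        req = AccessRequest("alice", frozenset({"engineering"}), healthy, True, "US", now, net)
        print(net, evaluate("source-control", req))
```

The same engineer with a healthy, MFA-verified device is allowed from either network; change one contextual attribute (drop MFA, let the OS fall out of patch compliance) and the decision flips regardless of where the packet came from.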
With the advent of cloud computing in the mid-to-late 2000s, and the emergence of the associated ‘as a service’ offerings (Software as a Service, Infrastructure as a Service, Platform as a Service), the traditional security operations model focused on enterprise datacenters was no longer sufficient. Rather than backhauling all traffic to a single choke point for internet connectivity, points of presence had to be dispersed closer to the users, cloud workloads, and SaaS applications. Gartner described this security delivery model as Secure Access Service Edge (SASE), which it defined as including ZTNA capabilities along with other security functions delivered as a service in the cloud, such as Cloud Access Security Brokers (CASB), Secure Web Gateways (SWG), malware inspection, VPN, firewall, and data loss prevention.
Additionally, researchers at the National Institute of Standards and Technology (NIST) introduced the notion of Zero Trust Architecture (ZTA) in NIST Special Publication 800-207.[iii] In their own words, “Zero Trust Architecture uses zero trust principles to plan industrial and enterprise infrastructure workflows.” The publication brings together lessons learned from various U.S. Government agencies and synthesizes them into an abstract model that organizations can adopt.
On December 13, 2020, almost a decade after Operation Aurora, FireEye blogged about a highly evasive attacker who had leveraged the SolarWinds supply chain to compromise multiple global victims.[iv] Highly trained security teams with state-of-the-art tools and well-practiced security operations could not stop the hackers from establishing persistent backdoors. This demonstrated the need to evolve the notion of Zero Trust so that the advanced activities of sophisticated hackers can be detected before data breaches or other harmful impacts occur.
Current ideas of Zero Trust focus on users and their activities, devices and their posture, and continuous monitoring of both to grant or revoke access to a resource. These are essential, but we must recognize that they are not enough. We need to extend the notion of ‘identity’ to include workloads alongside users and devices. New capabilities must be created so that the process-level and system-call-level characteristics and communication patterns of workloads are observed both in development and at run time, and anomalies are detected and reported to humans or to automated mitigation systems. Both database workloads and business logic workloads must be identified and observed. These new capabilities will help organizations extend the principles of ‘never trust, always verify’ and ‘verify explicitly’ to workloads and the east-west traffic among them.

The National Security Agency (NSA) advises organizations to ‘assume breach’ in its paper ‘Embracing a Zero Trust Security Model’.[v] New techniques that monitor the communication, process and system call characteristics of workloads will help organizations follow Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) model. In its draft Zero Trust Maturity Model[vi], written to help government agencies comply with the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity[vii], the Cybersecurity and Infrastructure Security Agency (CISA) includes Application Workload and Data as pillars in its foundation of zero trust.
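The workload observation described above can be reduced to a simple mechanism: record what each workload executes, which system calls it makes and which peers it talks to during a trusted development or staging run, then treat anything outside that baseline at run time as an anomaly to report. The following is an added example of that baseline-and-deviation logic written for this article; it is not code from any of the vendors or agencies named here. The telemetry format (`key=value` lines with a `phase`, `workload` and `event`) and every line in `TELEMETRY` are constructed for the example, standing in for what a kernel-level sensor would emit.

```python
from collections import defaultdict, namedtuple

# Constructed telemetry (not from any real system). Each line is one observed
# action by a named workload. "phase=learn" lines come from a trusted staging
# run and form the baseline; "phase=run" lines are production observations.
TELEMETRY = """\
phase=learn workload=orders-api event=exec path=/app/orders
phase=learn workload=orders-api event=connect peer=orders-db:5432
phase=learn workload=orders-api event=connect peer=payments-api:8443
phase=learn workload=orders-api event=syscall name=read
phase=learn workload=orders-api event=syscall name=write
phase=learn workload=orders-api event=syscall name=connect
phase=learn workload=orders-db event=exec path=/usr/bin/postgres
phase=learn workload=orders-db event=syscall name=read
phase=learn workload=orders-db event=syscall name=write
phase=run workload=orders-api event=connect peer=orders-db:5432
phase=run workload=orders-api event=exec path=/bin/sh
phase=run workload=orders-api event=connect peer=hr-db:5432
phase=run workload=orders-db event=syscall name=ptrace
phase=run workload=orders-db event=connect peer=203.0.113.7:443
"""

# Which field carries the interesting value for each event type.
VALUE_KEY = {"exec": "path", "connect": "peer", "syscall": "name"}

Finding = namedtuple("Finding", "workload event value detail")


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; values may not contain spaces in this format."""
    return dict(field.split("=", 1) for field in line.split())


def build_baseline(records: list[dict]) -> dict:
    """Baseline: workload -> event type -> set of values seen during the learn phase."""
    baseline: dict = defaultdict(lambda: defaultdict(set))
    for rec in records:
        if rec["phase"] != "learn":
            continue
        baseline[rec["workload"]][rec["event"]].add(rec[VALUE_KEY[rec["event"]]])
    return baseline


def detect(records: list[dict], baseline: dict) -> list[Finding]:
    """Report every run-phase action not covered by the baseline, in input order."""
    findings = []
    for rec in records:
        if rec["phase"] != "run":
            continue
        wl, ev = rec["workload"], rec["event"]
        value = rec[VALUE_KEY[ev]]
        if wl not in baseline:
            findings.append(Finding(wl, ev, value, "workload has no baseline"))
        elif ev not in baseline[wl]:
            # e.g. a database that never initiated a connection in staging now does
            findings.append(Finding(wl, ev, value, f"workload never performed {ev} in baseline"))
        elif value not in baseline[wl][ev]:
            findings.append(Finding(wl, ev, value, f"{ev} value outside baseline"))
    return findings


def analyze(text: str) -> list[Finding]:
    records = [parse_line(line) for line in text.splitlines() if line.strip()]
    return detect(records, build_baseline(records))


if __name__ == "__main__":
    for f in analyze(TELEMETRY):
        print(f"ANOMALY workload={f.workload} {f.event}={f.value} ({f.detail})")
```

On the constructed data the routine repeats the legitimate `orders-api` to `orders-db` connection, and flags the four deviations: a shell spawned by the API workload, an east-west connection to a database it has no business reaching, a debugging system call from the database workload, and the database opening an outbound connection at all. In a real deployment the baseline would be versioned alongside the application so that an intended change in behaviour is reviewed in development rather than discovered as an alert in production.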
The essence of Zero Trust is a mindset that assumes breach, and therefore continuously assesses every communication, explicitly verifies every user, device or service that engages in a communication, and grants least-privilege access to any service or device. In the articles that follow in this series on Zero Trust, we will consider specific security incidents and explore how adoption of zero trust principles would have contained the impact of each breach.