How the Secret Service Handles Zero Trust
There's a popular phrase among devotees of the Perl programming language: "There's More Than One Way To Do It" (TMTOWTDI). This phrase neatly captures the ethos of Perl, which is to free programmers from the confines of syntaxes and algorithms, allowing them to think about a problem from any angle they like and still achieve good results.
Like programming problems, there are many ways to implement a Zero Trust architecture -- NIST SP 800-207 describes several high-level deployment approaches but stays away from specifying the details. And, as in programming, the performance and maintainability of a Zero Trust Architecture is highly sensitive to your implementation choices.
Cybersecurity is full of jargon and technical details that can obscure what's really going on. I find that mapping cybersecurity concepts to their analogues in the physical world can help me think more clearly about solutions and architectures. Often, I find that the limitations in the physical world have corresponding limitations in cyberspace, so examining how they're overcome in the real world can shed light on how they should be tackled in cyberspace.
So when it comes to Zero Trust, it's helpful to look for examples of how this is done in the real world. One great example is the security for one of the highest value assets - the President of the United States. The Secret Service is very good at protecting the President - even if they don't obsess about building a secure infrastructure for the President.
Traditional network security appliances are for creating borders
Today's network security is built into the network infrastructure, using boxes. Firewall, VLAN, and VPN functions are all implemented in some appliance, usually at the perimeter of the network. The physical equivalent to this is a checkpoint, like what you'd find at a border crossing.
In fact, some of the networking terms are identical to their physical border-crossing counterparts: perimeters, de-militarized zones, etc. That's actually on purpose, for the same reasons I mentioned above.
Network security is used here to define a border between inside and outside. Everything inside is trusted, while anything from the outside needs to be inspected before it can be let in. Make sense?
For Zero Trust, traditional network security has an infrastructure problem
The question Zero Trust poses is: if you assume that malicious actors are already inside ("assume breach"), how can you protect assets and data?
If we think about the physical world, it's obvious that traditional border-focused security isn't enough. Strong border security can keep bad actors out of the country, but it doesn't protect us from bad actors who roam our streets and neighborhoods.
Well, when something physical is important, we take extra precautions to protect and lock it down. If you want to protect your house, you can't just drop a full border checkpoint in the front yard.
And this brings us to the first realization: it is very hard to implement Zero Trust security controls with traditional network security appliances. Even where it can be done, the cost and difficulty of the required infrastructure changes make it prohibitive. Those network security appliances were built to solve a different problem: enforcing a border, not enforcing policy around each asset.
So how does the Secret Service handle Zero Trust for the President?
Let's look to how things are done in the real world. When our most critical assets and resources need bulletproof security, how do we implement it?
The images below illustrate the concept.
What you don't see in the picture is "traditional" infrastructure security. There's no monorail in a secure underground tunnel. There are no customs checkpoints along the sidewalk.
You see, it isn't feasible to just rip up the road and install fixed security, even for the President. It would cost too much, take too long, and would inconvenience the citizens of Washington, DC.
In the same way, it's costly and inconvenient to apply traditional network security methods to deploy Zero Trust security.
Real-world Zero Trust uses overlay security
What you do see is overlay security. "Overlay" means that the security controls leave the asset and infrastructure unmodified. Pennsylvania Avenue is untouched - it continues to serve its main function - supporting the flow of traffic. The Presidential limousine "segments" the asset from the surrounding environment for isolation, while Secret Service personnel enforce access policies to the asset based on identity and authorization.
This is bulletproof security, yet doesn't change the existing infrastructure. Notice that the security controls are attached to the asset. Not only are they enforcing the tightest possible security perimeter around the asset, but they also move with the asset.
The takeaway for Zero Trust implementation
Applying these observations to networking, you could build a Zero Trust perimeter around an application out of infrastructure: a VLAN or firewall for isolation, and a VPN into the corporate network for access. But that takes significant effort to plan and execute, and once built, it ties the asset to that network: moving the asset to another datacenter or cloud later means re-planning the VLANs, firewall rules, and VPN routes. To streamline the effort, teams often make tradeoffs such as a coarser segmentation boundary, which puts more than the one asset inside the trusted zone and negates some of the security benefit.
In contrast, taking an overlay approach makes Zero Trust security easy to set up, easy to maintain, and easy to optimize, because the policy is expressed in terms of identities and the asset rather than addresses and network segments. The overlay is only as strong as the identity and authorization it enforces, so the same care that goes into firewall rules today goes into the identity source and policy instead.
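To make the contrast between the two approaches concrete, here is an added example that is not part of the original post and not Zentera's code. It models a perimeter-style rule, which grants trust by network location (source and destination subnet), beside an overlay-style policy bound to the asset, which decides on the authenticated identity and device posture. The subject names, IP addresses, resource name and the "payroll-db" policy are all constructed for the illustration; the point is that an insider on the trusted LAN passes the perimeter check but not the policy, and that moving the asset to a new address breaks the perimeter rule while the asset-bound policy is unchanged.

```python
import ipaddress
from dataclasses import dataclass

# Constructed request model. In a real deployment the subject would come from
# an authenticated session (e.g. mTLS client cert or SSO token) and device_ok
# from a posture or attestation check; both are assumed here.
@dataclass(frozen=True)
class Request:
    subject: str      # authenticated identity of the caller
    device_ok: bool   # caller's device passed posture/attestation
    src_ip: str
    dst_ip: str
    resource: str     # logical name of the asset being accessed

# Perimeter-style rule: "anything inside the corporate range may reach the
# database segment". Trust is a property of where the packet comes from.
PERIMETER_RULES = [
    (ipaddress.ip_network("10.0.0.0/8"),      # corporate LAN (constructed)
     ipaddress.ip_network("10.1.2.0/24")),    # database VLAN (constructed)
]

def perimeter_allows(req: Request) -> bool:
    src = ipaddress.ip_address(req.src_ip)
    dst = ipaddress.ip_address(req.dst_ip)
    return any(src in s_net and dst in d_net for s_net, d_net in PERIMETER_RULES)

# Overlay-style policy attached to the asset itself. It names who may talk to
# the asset and what they must prove, and says nothing about addresses, so it
# travels with the asset when the asset moves.
OVERLAY_POLICY = {
    "payroll-db": {                                   # hypothetical asset
        "allowed_subjects": {"svc-payroll-app", "dba-alice"},
        "require_device_ok": True,
    },
}

def overlay_allows(req: Request) -> bool:
    policy = OVERLAY_POLICY.get(req.resource)
    if policy is None:
        return False                                  # default deny
    if policy["require_device_ok"] and not req.device_ok:
        return False
    return req.subject in policy["allowed_subjects"]

def evaluate(req: Request) -> dict:
    """Return both decisions so the two models can be compared side by side."""
    return {"perimeter": perimeter_allows(req), "overlay": overlay_allows(req)}

# Constructed scenarios.
LEGIT_ON_PREM = Request("svc-payroll-app", True, "10.0.5.6", "10.1.2.10", "payroll-db")
INSIDER_ON_LAN = Request("contractor-bob", True, "10.0.5.5", "10.1.2.10", "payroll-db")
COMPROMISED_HOST = Request("svc-payroll-app", False, "10.0.5.6", "10.1.2.10", "payroll-db")
ASSET_MOVED_TO_CLOUD = Request("svc-payroll-app", True, "10.0.5.6", "172.31.0.10", "payroll-db")

if __name__ == "__main__":
    for name, req in [("legit on-prem", LEGIT_ON_PREM), ("insider on LAN", INSIDER_ON_LAN),
                      ("compromised host", COMPROMISED_HOST), ("asset moved", ASSET_MOVED_TO_CLOUD)]:
        print(f"{name:18s} {evaluate(req)}")
```

Run it and the perimeter column allows the insider and the compromised host because they sit in the right subnet, then denies the legitimate service the moment the database gets a cloud address; the overlay column is the inverse in every case, and nothing in it had to change for the move.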
Zentera's overlay approach is:
- Transparent to the application, avoiding having to recompile or change any application settings
- Transparent to compute infrastructure (hypervisor), so that security controls work the same on bare metal, in the datacenter, or in the public cloud
- Transparent to network infrastructure, so that security controls can be added to applications in existing brownfield networks
- Software-defined, so security controls can rapidly adapt to meet changing operational security needs
By following our recommendation to start with a small Zero Trust footprint, deployed as a software-defined network security overlay, Zentera customers have successfully implemented Zero Trust for selected high value assets, such as product source code and development environments, databases containing sensitive information, and expensive OT devices in manufacturing environments. With that base in place, they have been able to expand the scope and coverage to put the organization on a path to achieving Zero Trust everywhere.
Zentera's CoIP Platform follows these same overlay principles to make Zero Trust fast to deploy and cost-effective. If you'd like to learn how, schedule a session with one of our solution architects.