Zero Trust Security – The Technical Discussion

Tuesday, November 02, 2010

PCI Guru


With the cultural issues out of the way, let us discuss some technical details. 

Given the state of security technology and where security leadership sits these days, I question if Zero Trust can be implemented.

Essentially, with a ‘Zero Trust’ approach, we are talking about DMZs.  However, instead of our usual externally facing DMZs we are also talking about DMZs that are internally facing. 

These are no ordinary DMZs, these are highly monitored and controlled DMZs with IDS/IPS, NAC, full logging and everything else required to ensure security. 

These technologies are not for the faint at heart as they require a lot of planning in order to get them right.

Where a lot of organizations get things wrong is that they believe that all of these security technologies are like a Ronco Showtime Rotisserie oven, you just “Set it and forget it.” 

If only security worked that way, but it does not.  As a result, one of the first stumbling blocks organizations interested in Zero Trust face is staffing since Zero Trust will require a significant amount of attention both from a security perspective and from their help desk. 

I do not think that we are talking about a significant increase in security and help desk personnel, but the existing staffing levels are likely to be insufficient in a Zero Trust environment.

The next issue that I see is from the technology itself.  Most security technology is designed for Internet facing use, not internal use. 

While these solutions can be used internally, they tend to create issues when used internally because of their severe responses to any perceived attacks. 

As a result, in order to use these solutions, security professionals have to turn off or turn down certain features or functions because they get in the way of getting business done.  Then there are the applications themselves. 

I cannot tell you how frustrated I get with vendor and in-house developers that cannot tell you from a networking perspective how their applications work. 

As a result, security professionals are required to do extensive research to figure out what ports/services an application requires, if they even do such research. 

That then results in what we tend to see on internal networks with internal DMZs, lots of ports/services open into the DMZ because they do not want the application to break.  In a Zero Trust approach, this is not acceptable.

Then there is logging and the management and maintenance of log data.  It still amazes me the amount of push back I still receive on logging and the management of log data.

Security professionals and managers complain and complain about the amount of data that needs to be retained and the length it needs to be retained.  Hello! 

This is the only way you will ever know what went wrong and how it went wrong so that you can fix it. 

But the security information and event management (SIEM) industry has not helped things by delivering solutions that can cost as much as a large Beverly Hills mansion and are as easy to implement as an ERP system. 

While there are open source solutions, the usability of these solutions are questionable at best.  Unfortunately, the PCI DSS is mandating that log data be reviewed at least daily. 

In order to get that done, merchants either cannot afford or do not have the time to invest to meet this requirement.  As a result, there is a lot of frustration that what merchants are being asked to do cannot be done. 

Yet, log information capture and review is possibly one of the most important aspects of an organization’s security posture.  Because if you do not stop an attack with your firewall and IPS, the only way you know that is from your log data.  Damned if you do, damned if you do not.

So a merchant implements all of the necessary technologies and procedures to make Zero Trust a reality.  Is that merchant more secure?  If a merchant makes such an investment, the reward will likely be improved security. 

But it will take continuous effort to keep Zero Trust running and that is where all organizations run into trouble with security initiatives. 

It takes consistent execution to make security work and people and organizations these days lose interest in things they think are fixed and so security gets swept to the back burner. 

As a result, it takes strong leadership to keep security off of the back burner.  Without that leadership, security will fall into a rut and an incident will occur that will make security a front burner topic again.

So while I think Zero Trust is probably the approach we should all work towards, it will take a lot of effort to make it a reality.

Cross-posted from PCI Guru

Possibly Related Articles:
Policy Vendor Management Trust Leadership
Post Rating I Like this!
Anthonie Ruighaver Zero trust is not new, and zero trust is not the same as distrust either. So, accepting that monitoring of employees does not mean that you distrust them, is essential to maintaining a trust relationship.

Treating your internal networks as insecure is also not new. Using VPN's on internal networks has become more common over the past decade.

What is new, is trying to make your inward facing DMZ so highly secure. As most security really is about cost, increasing preventive security on such a scale may not be optimal. 100% prevention is not achievable and certainly not with pure technical solutions. So, often it is OK to have incidents, if they are detected early and can be controlled cheaply before major damage occurs.

I do agree with the need to have more logging enabled, but logging is only one aspect of situational awareness. Furthermore, standard logging is rarely adequate as well, so you will have to be clever about using additional detective controls to improve situational awareness.

To reduce maintenance cost, I would also not automatically install a full blown IDS to protect the DMZ. I would prefer a more Defense in Depth approach with detective controls in the insecure parts of the internal network, to detect intrusions before they can compromise the DMZ.

And, such a DiD approach will also include feedback loops to your employees, to ensure that your monitoring of employees will actually help improve their behavior.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.