Most corporate networks are structured the same way: highly reinforced perimeter, and highly vulnerable interior. [1]
“In the zero-trust model, every network and every user are considered hostile,” said Bryley engineer Myk Dinis. Windows 11 offers new ways of achieving zero trust, but Myk said, “baked into Windows is an easy-to-see instance of zero-trust. You have three default network security levels: private, work and public. Depending on which of those network types that you declare you’re in, right down the line it strengthens the firewall. So in a private network your firewall is going to be the least restrictive; it will allow the most access both ways. Work allows a little less access. And with public nothing’s allowed; everything has to be proven with certificates; public is built according to a zero-trust networking model.”
Zero trust is a radical shift in how we think about our networks. We began with computers unconnected – back then it was easy to be safe. But networks of computing devices have grown and grown as we’ve added PCs, laptops, phones, Wi-Fi routers, printers, CNC machines, IoT devices (like heating systems), etc. And because we could, we made all this stuff communicate easily – our expectations for ease of use have grown by leaps, too. How quickly we get frustrated when the machine doesn’t work!
Convenience Is Easy on Criminals, Too
The crying shame of all the convenience we built into our networks, as we piled on more and more endpoints, is that we protected it all with passwords that were not too hard for bad guys to steal, buy or guess. So what can an engineer do?
Myk Dinis said, “instead of trying to be as free and open with access as possible – making communication easy – with zero-trust you’re coming at the problem from the other end. You’re saying we’re trying to make sure that no one has access at all. And then we will dole out access one authorized, encrypted token at a time. Every time you access a resource, you have to authenticate. Every time you do anything, there has to be an audit trail and encrypted authentication. And conversely from users’ perspective, there’s no trust of the network they’re on [the network has a similar encrypted authentication protocol]. This is a much more complicated version of networking to achieve. It has the most restrictions on its users, but – one hundred percent – it has the highest security success rate.”
Attitude Shift from Shielding the Network to Checking and Rechecking Identities
At the information security industry’s 2019 RSA Conference, Paul Simmonds said zero-trust is “not about product, it’s about an attitude … it’s an architectural state of mind, [so] there’s more than one way to implement it.” [2]
With a traditional network model, “an attacker can compromise a single endpoint within the trusted boundary and then quickly expand foothold across the entire network … zero trust architectures leverage device and user trust claims to gate access to organizational data,” according to Microsoft. [3]
A compliance agent evaluates those trust claims, and policies apply the configured access restrictions based on the trust levels the agent reports. Policies can be complex and based on “even hundreds of different trust signals. Examples of trust signals might be: an EDR agent that detected a suspicious or malicious behavior; a user logged in from an IP address with a poor reputation or sanctioned geo-location; a user account breached; a device lacking a company-generated digital certificate; suspicious user behavior and many more.” [4]
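As an added illustration (not Bryley’s, Microsoft’s or any vendor’s code) of how a policy can gate access on the trust signals listed above and keep the per-request audit trail Myk Dinis describes, here is a small evaluator in Python; the signal field names, the sanctioned-geo list and the three decision levels (deny, step-up, allow) are assumptions chosen for the example:

```python
from dataclasses import dataclass
from typing import List, Tuple

# Placeholder set of sanctioned locations; a real deployment feeds this from policy.
SANCTIONED_GEOS = {"SANCTIONED-1", "SANCTIONED-2"}


@dataclass
class TrustSignals:
    """Trust claims a compliance agent could report for one access request (constructed fields)."""
    edr_alert: bool = False          # EDR agent detected suspicious or malicious behavior
    ip_reputation: str = "good"      # "good" or "poor"
    geo: str = "HOME"                # region the request came from
    account_breached: bool = False   # credentials known to be compromised
    has_company_cert: bool = False   # device holds a company-issued certificate
    behavior_anomaly: bool = False   # user behavior analytics flagged the session


AUDIT_LOG: List[str] = []   # every decision is recorded; nothing is granted silently


def evaluate_access(user: str, resource: str, s: TrustSignals) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'deny', 'step_up' (re-authenticate with MFA) or 'allow'.
    Hard-fail signals are checked first so a single bad claim cannot be outweighed by good ones."""
    reasons: List[str] = []
    if s.account_breached:
        reasons.append("account reported breached")
    if s.edr_alert:
        reasons.append("EDR alert on device")
    if not s.has_company_cert:
        reasons.append("device lacks company certificate")
    if reasons:
        decision = "deny"
    else:
        if s.ip_reputation == "poor":
            reasons.append("poor IP reputation")
        if s.geo in SANCTIONED_GEOS:
            reasons.append(f"request from sanctioned geo {s.geo}")
        if s.behavior_anomaly:
            reasons.append("anomalous user behavior")
        decision = "step_up" if reasons else "allow"
    AUDIT_LOG.append(f"{user} -> {resource}: {decision} ({'; '.join(reasons) or 'all signals clean'})")
    return decision, reasons


if __name__ == "__main__":
    print(evaluate_access("alice", "payroll-db", TrustSignals(has_company_cert=True)))
    print(evaluate_access("bob", "payroll-db", TrustSignals(has_company_cert=True, ip_reputation="poor")))
    print(evaluate_access("carol", "payroll-db", TrustSignals(edr_alert=True, has_company_cert=True)))
    print(*AUDIT_LOG, sep="\n")
```

The same request from the same user gets a different answer as the signals change, which is the point: the decision is re-made on every access rather than once at the perimeter.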
Windows 11 New Implementations
“The latest version of the operating system and software platform adds a variety of features, from support for the Pluton security processor and trusted platform modules (TPMs) to comprehensive features around Trusted Boot, cryptography, and code-signing certificates,” said David Weston of Microsoft. “Building in instead of bolting on makes deployment and management of zero-trust capabilities much simpler and efficient [and] having these [features] directly integrated in the OS enables Windows to provide key measurements in hardware increasing the trust and validity of measurements.” [5]
Zero trust is not easy to execute correctly, but this broad adoption by Microsoft is a good sign that we’re moving from a convenience-first to a more secure computing model, because when done right zero trust provides the best protection for your network and resources.
If you would like help integrating the zero-trust state-of-mind in your organization, Bryley has counselled on data protection planning and implementations since 1987. Please call 978.562.6077 or email ITExperts@Bryley.com.
[1] https://medium.com/google-cloud/what-is-beyondcorp-what-is-identity-aware-proxy-de525d9b3f90
[2] https://www.youtube.com/watch?v=tFrbt9s4Fns
[3] https://www.microsoft.com/security/blog/2018/06/14/building-zero-trust-networks-with-microsoft-365/
[4] https://www.techradar.com/features/zero-trust-what-it-is-and-what-it-is-not
[5] https://www.darkreading.com/operations/microsoft-practical-zero-trust-security-windows-11