Zero Trust

© 2023 Palo Alto Networks, Inc.
All rights reserved.

Zero Confusion for Zero Trust Terminology

Cybersecurity vendors across the industry have latched on to marketing buzzwords like “machine learning” and “AI” to captivate their target audience. Their latest buzzword: Zero Trust.

With the needs of today’s modern organizations, it’s no surprise that Zero Trust has become deceptively complex. Use this guide as a means to decipher Zero Trust terminology, and understand what Zero Trust is, and just as important, what Zero Trust isn’t.


Zero Trust

Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating trust from your organization. Rooted in the principle of “never trust, always verify,” Zero Trust is designed to prevent lateral movement. No matter which technology or vendor you use to deploy Zero Trust, the strategy remains the same.

Zero Trust Environment

A Zero Trust environment is the end-state of your Zero Trust architecture, consisting of a protect surface containing a single DAAS element. In most cases, given the state of cybersecurity technology, the protect surface will be protected by a microperimeter enforced at Layer 7 with Kipling Method policy by a segmentation gateway. This could be deployed across your enterprise – in your data center, public cloud, private cloud, branch office, etc.

Zero Trust Architecture

Your Zero Trust architecture is the compilation of the tools and technologies used to deploy and build your Zero Trust environment. This technology set will vary depending on the differing needs of your business and the different use cases in which you choose to extend Zero Trust, such as to the cloud or endpoints. The architecture is completely bespoke, not derived from a single universal design. Instead, the architecture is constructed around the protect surface. Ultimately, your Zero Trust architecture should leverage network segmentation, prevent lateral movement, provide Layer 7 threat prevention and simplify granular user access control.

Zero Trust Design Principles

There are four design principles of Zero Trust:

  1. Define business outcomes: Focus on what the business is trying to accomplish. By focusing on business outcomes, security can be seen as an enabler rather than an inhibitor.
  2. Design from the inside out: Understand what you need to protect, focus on that and design outward from there.
  3. Determine who/what needs access: Once you understand what needs to be protected and is most critical to the business, you can determine who or what should have access and build appropriate policy.
  4. Inspect and log all traffic: Inspect all traffic for malicious content and unauthorized activity, and log through Layer 7, both inside and outside, across the network and cloud environments.

Data, Assets, Applications & Services (DAAS)

The data, assets, applications and services, or DAAS for short, are everything that traverses your organization's network or that users access from within it. Each of these must be considered when defining a protect surface. Examples of DAAS elements include:

  1. Data: payment card information (PCI), protected health information (PHI), personally identifiable information (PII), intellectual property (IP)
  2. Assets:  SCADA controls, point-of-sale terminals, medical equipment, manufacturing assets, internet of things (IoT) devices
  3. Applications: off-the-shelf or custom software
  4. Services: DNS, DHCP, Active Directory®

Protect Surface

A protect surface contains a single DAAS element. The DAAS element in your protect surface is highly sensitive and critical to your business. You will have multiple DAAS elements that are critical to your business, resulting in multiple protect surfaces. The protect surface is orders of magnitude smaller than the attack surface and, because it is a single area of focus, is always knowable.

Segmentation Gateway

A segmentation gateway, more commonly known as a next-generation firewall, provides granular visibility into traffic and enforces additional layers of inspection and access control with granular Layer 7 policy that takes into account who the user is and whether or not they should have access to a particular resource. When used in Zero Trust, a segmentation gateway creates a microperimeter around the protect surface to monitor traffic, stop threats and enforce granular access control across north-south and east-west traffic within your on-premises data center and multi-cloud environments.

Microperimeter

A microperimeter is what is generated around a protect surface in policy. This creates a point of control that ensures only known allowed traffic and legitimate applications have access to the protect surface. A microperimeter should be placed as close to the protect surface as possible and move with it.

Microsegmentation

Microsegmentation is the act of creating a microperimeter by enabling granular access control, whereby users, applications, workloads and devices are segmented based on logical, not physical, attributes.

Asserted Identity

The asserted identity is the validated and authenticated “who” that should be accessing a resource.

Least-privilege Access

Most users are given too much access to too much data that is not essential to their job function. Least-privileged access is the principle in which users, systems, applications, processes and devices are given only enough access to perform their required jobs for their respective roles or functions.

Granular Access Control

Granular access control is the explicit definition, in policy, of who can access which part of a network or system resource and what they can do with that access.

Trust Levels

Trust is binary. In the context of Zero Trust, when determining what should and should not have access to a protect surface, you consider whether something is “trusted” or “untrusted.” There are no varying levels of trust. To say something is trusted less is essentially saying that it is untrusted.

Data Toxicity

The concept of data toxicity refers to sensitive data that is “toxic” to your organization: data whose exfiltration has a negative impact on the business, for example by triggering action from legal and regulatory entities. Every organization has both toxic and non-toxic data. Examples include intellectual property, personally identifiable information (PII), patient health information (PHI) and credit card holder data (PCI).

The 5 Steps to Implementing Zero Trust

  1. Define the protect surface: Identify your most critical data, assets, applications and services.
  2. Map the transaction flows: To properly design a network, it’s critical to understand how systems should work and how various DAAS components interact with other resources on your network. The way traffic moves across the network, specific to the data in the protect surface, determines how it should be protected.
  3. Build a Zero Trust architecture: With your protect surface defined and flows mapped, you can then begin to build your Zero Trust architecture.
  4. Create Zero Trust policy: Use the Kipling Method of writing context-based policy to determine who or what can have access to your protect surface.
  5. Monitor and maintain the network: Zero Trust is an iterative process. Inspecting and logging all traffic, all the way through Layer 7, will provide valuable insights into how to improve over time. This includes ways to make policies more secure, what should be included in a protect surface, and what the interdependencies of the DAAS are. Analyzing telemetry from the network, endpoint and cloud, while leveraging machine learning and behavioral analytics, provides greater insight into your Zero Trust environment and also allows you to very quickly adapt and respond.
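As an added illustration of Step 2 (this is example code, not code from this page or from Palo Alto Networks), the Python below maps transaction flows onto one protect surface from flow telemetry. The protect surface (a hypothetical customer-PII database at 10.9.0.7), the log format, the addresses, user names and application names are all constructed. The interesting output is not the flow map itself but the "gaps": flows to the protect surface whose user or application could not be identified, which cannot be written as Layer 7 identity-aware policy until Steps 3 and 4 close the visibility gap.

```python
"""Map transaction flows to a protect surface (Step 2) from flow telemetry.

Added example, not from the original page. The log format, IPs, user and
application names below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample of firewall/flow records (not real logs). Fields:
# timestamp, source IP, user ("-" when unidentified), destination IP,
# destination port, Layer 7 application name ("unknown" when unclassified).
SAMPLE_FLOWS = """\
2023-05-01T09:12:03 10.1.20.15 alice 10.9.0.5 443 crm-web
2023-05-01T09:12:09 10.1.20.15 alice 10.9.0.7 5432 postgresql
2023-05-01T09:15:41 10.1.20.33 - 10.9.0.7 5432 postgresql
2023-05-01T09:20:00 10.1.30.8 bob 10.9.0.5 443 crm-web
2023-05-01T09:21:12 10.1.30.8 bob 10.5.0.9 22 ssh
2023-05-01T09:30:55 10.1.20.15 alice 10.9.0.7 5432 unknown
2023-05-01T09:40:02 10.1.20.15 alice 10.9.0.7 5432 postgresql
"""

# Hypothetical protect surface holding a single DAAS element: the customer-PII database.
PROTECT_SURFACE = {"name": "customer-pii-db", "addresses": {"10.9.0.7"}}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    user: str   # asserted identity, "-" when the source was not identified
    dst: str
    dport: int
    app: str    # Layer 7 application identification, "unknown" when not classified


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated constructed flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, dst, dport, app = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, user, dst, int(dport), app))
    return flows


def map_transaction_flows(flows: List[Flow], surface: Dict) -> Dict:
    """Return the flows that touch the protect surface, keyed by the
    (user, application, source) tuple a Kipling-style policy needs,
    plus the flows that cannot yet be expressed as Layer 7 identity policy."""
    inbound = [f for f in flows if f.dst in surface["addresses"]]
    flow_map = Counter((f.user, f.app, f.src) for f in inbound)
    gaps = [f for f in inbound if f.user == "-" or f.app == "unknown"]
    return {"surface": surface["name"], "flows": flow_map, "gaps": gaps}


if __name__ == "__main__":
    result = map_transaction_flows(parse_flows(SAMPLE_FLOWS), PROTECT_SURFACE)
    print(f"Protect surface: {result['surface']}")
    for (user, app, src), n in sorted(result["flows"].items()):
        print(f"  who={user:6} app={app:10} from={src:12} x{n}")
    for f in result["gaps"]:
        print(f"  GAP: {f.ts.isoformat()} {f.src} user={f.user} app={f.app}")
```

Run against the constructed records, the map shows two identified flows (alice over postgresql, twice) and two gaps: one session with no asserted identity and one where the application was not classified. Both gaps would be silently allowed by a port-5432 rule, which is why the methodology insists on mapping flows before writing policy.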

Zero Trust Policy (Kipling Method)

Zero Trust policy determines who can transit the microperimeter at any point in time, preventing access from unauthorized users to your protect surface, and prevents the exfiltration of sensitive data. True Zero Trust can only be done at Layer 7. The Kipling Method of creating Zero Trust policy enables Layer 7 policy for granular enforcement so that only known allowed traffic or legitimate application communication is allowed. This method reduces the attack surface while also significantly reducing the number of port-based firewall rules. With the Kipling Method, you can easily write Zero Trust policy by answering:

  • Who should be accessing a resource? This defines the “asserted identity.”
  • What application is the asserted identity using to access a resource inside the protect surface?
  • When is the asserted identity trying to access the resource?
  • Where is the packet destination? A packet’s destination is often automatically pulled from other systems that manage assets in an environment, such as from a load-balanced server via a virtual IP.
  • Why is this packet trying to access this resource within the protect surface? This relates to data classification, where metadata automatically ingested from data classification tools helps make your policy more granular.
  • How is the asserted identity of a packet accessing the protect surface via a specific application?
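The following is an added example (not code from this page or from any vendor product) of how a Kipling Method rule is evaluated as allow-list policy. Each rule states who, what, when, where, why and how; a request is allowed only when every one of the six dimensions matches, and anything that matches no rule is denied, which is the "trust is binary" point in code. The identities, application names, addresses, time window and data classification are constructed.

```python
"""Evaluate an access request against Kipling-Method Zero Trust policy.

Added example, not from the original page. The rule set, identities,
applications, addresses and classifications are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    who: str          # asserted identity (authenticated user or workload)
    what: str         # Layer 7 application identified in the traffic
    when: datetime    # time of the access attempt
    where: str        # packet destination inside the protect surface
    why: str          # data classification of the resource being touched
    how: str          # access method the application is using


@dataclass(frozen=True)
class Rule:
    who: FrozenSet[str]
    what: FrozenSet[str]
    window: Tuple[time, time]   # allowed time window: inclusive start, exclusive end
    where: FrozenSet[str]
    why: FrozenSet[str]
    how: FrozenSet[str]
    action: str = "allow"       # Zero Trust rules are allow-list entries

    def matches(self, r: Request) -> bool:
        """All six Kipling dimensions must match; a miss on any one is a miss."""
        start, end = self.window
        return (r.who in self.who
                and r.what in self.what
                and start <= r.when.time() < end
                and r.where in self.where
                and r.why in self.why
                and r.how in self.how)


# Constructed policy for one hypothetical protect surface (a PII database at 10.9.0.7).
PII_DB_POLICY: List[Tuple[str, Rule]] = [
    ("billing-analysts-to-pii-db", Rule(
        who=frozenset({"alice", "bob"}),
        what=frozenset({"postgresql"}),
        window=(time(8, 0), time(18, 0)),
        where=frozenset({"10.9.0.7"}),
        why=frozenset({"PII"}),
        how=frozenset({"tls-client-cert"}),
    )),
]


def evaluate(policy: List[Tuple[str, Rule]], request: Request) -> Tuple[str, Optional[str]]:
    """Return ("allow", rule_name) for the first matching rule, else ("deny", None).

    There is no partial trust: a request that matches no rule is untrusted."""
    for name, rule in policy:
        if rule.matches(request):
            return (rule.action, name)
    return ("deny", None)


if __name__ == "__main__":
    base = dict(what="postgresql", where="10.9.0.7", why="PII", how="tls-client-cert")
    cases = [
        Request(who="alice", when=datetime(2023, 5, 1, 10, 0), **base),   # in policy
        Request(who="alice", when=datetime(2023, 5, 1, 23, 0), **base),   # outside window
        Request(who="mallory", when=datetime(2023, 5, 1, 10, 0), **base), # unknown identity
        Request(who="alice", when=datetime(2023, 5, 1, 10, 0),
                **{**base, "what": "ssh"}),                                # wrong application
    ]
    for req in cases:
        print(req.who, req.what, req.when.time(), "->", evaluate(PII_DB_POLICY, req))
```

Note that the last case (alice reaching the same host over ssh, at the same time, with the same credentials) is denied purely on the "what" dimension; a Layer 3 rule keyed on source and destination address would have allowed it, which is the reduction in port-based rules the text describes.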

Zero Trust Maturity Model

As with any strategic initiative, it’s important to benchmark where you are as you begin your Zero Trust journey and measure your maturity as time goes on and as improvements are made to your Zero Trust environment. Designed using the Capability Maturity Model, the Zero Trust Maturity Model mirrors the 5-step methodology for implementing Zero Trust and should be used to measure the maturity of a single protect surface.

1. Define the protect surface

INITIAL: Discovery is done manually; only a small percentage of DAAS elements are discovered and classified.
REPEATABLE: Application and user identification capabilities are starting to be used, including automated tools and pilot projects with those tools to discover and classify data.
DEFINED: The team is trained on how to classify data as it is used; processes are introduced to continuously mature protect surface discovery.
MANAGED: Immediate visibility into DAAS elements as they come online or are updated, with automatic classification into the correct or a new protect surface.
OPTIMIZED: Discovery and classification are fully automated.

2. Map the transaction flows

INITIAL: Flows are conceptualized based on what is already known.
REPEATABLE: Traditional scanning tools are used.
DEFINED: Flows are validated with system owners.
MANAGED: There is visibility into what goes in and out of the system.
OPTIMIZED: Transaction flows are automatically mapped across all locations.

3. Architect a Zero Trust environment

INITIAL: With little visibility and an undefined protect surface, the architecture cannot be properly designed.
REPEATABLE: The protect surface is established based on current resources and priorities.
DEFINED: The basics of protect surface enforcement are complete, including placing segmentation gateways in the appropriate places.
MANAGED: Additional controls are added to evaluate multiple variables (e.g., endpoint controls, SaaS and API controls).
OPTIMIZED: Controls are enforced using a combination of hardware and software capabilities.

4. Create Zero Trust policy

INITIAL: Policy is written at Layer 3.
REPEATABLE: Additional “who” statements are starting to be identified to address business needs; user IDs of applications and resources are known, but access rights are unknown.
DEFINED: The team works with the business to determine who or what should have access to the protect surface.
MANAGED: Custom user-specific elements are created and defined in policy, reducing the policy space and the number of users with access.
OPTIMIZED: Layer 7 policy is written for granular enforcement; only known allowed traffic and legitimate application communication is allowed.

5. Monitor and maintain

INITIAL: Visibility into what is happening on the network is low.
REPEATABLE: Traditional SIEM or log repositories are available, but the process is still mostly manual.
DEFINED: Telemetry is gathered from all controls and sent to a central data lake.
MANAGED: Machine learning tools are applied to the data lake for context into how traffic is used in the environment.
OPTIMIZED: Data is incorporated from multiple sources and used to refine Steps 1-4; alerts and analysis are automated.

Software Defined Perimeter (SDP)

A software-defined perimeter secures all connections to services running on a network infrastructure at all layers, based on the level of security you define and establish. Devices and identity are given access on a need-to-know basis and must be verified before access is granted.

SDPs are commonly associated with the BeyondCorp model. Zero Trust and BeyondCorp are not one and the same. The fundamental difference between Zero Trust and BeyondCorp is that BeyondCorp views trust as the goal, whereas Zero Trust views the absence of trust as the goal. BeyondCorp focuses on authentication of the user and device identity as well as enforcement through APIs. Once authenticated, users are given access to move anywhere within the system. Identity is consumed within Zero Trust but is not equivalent to Zero Trust. Another notable difference between the two frameworks is that controls for BeyondCorp are at Layer 3, whereas Zero Trust operates at Layer 7.

Continuous Adaptive Risk and Trust Assessment (CARTA)

CARTA is a Gartner methodology that is broken up into two areas of focus: adaptive attack protection and adaptive access protection. It leverages similar concepts of Zero Trust but with different methodology. With the CARTA methodology, once a user has been granted access, the risk and trust levels are continuously monitored throughout the entirety of an interaction or session. Should the risk or trust levels change, the controls are adapted accordingly.

© 2019 Palo Alto Networks, Inc.
All rights reserved.