Page 35 - Informatics
Technology Update
Zero Trust Architecture
Framework to Strengthen Structural Security of Modern Enterprise
Edited by MOHAN DAS VISWAM

Ashish Agarwal
Sr. Technical Director
ashish@nic.in

Syed Hasan Mahmood
Scientist-'C'
hasan@nic.in

Zero Trust Architecture or ZTA is an infrastructure design philosophy based on the principle of 'never trust, always verify'. It debunks the typical 'castle-and-moat' style perimeter security and intends to handle newer threats of privilege misuse, internal breaches and lateral movement from within the trusted inside.

Traditional security is based on the concept of trusted and untrusted zones. These zones are defined by a physical or logical perimeter protected by security devices such as firewalls. Any device/user inside the perimeter is treated as trusted and is allowed access to internal resources by default. An example of such a design is a typical office local area network (LAN). Any device/user inside the office LAN is allowed access to internal office resources like eOffice, eFiles, eHRMS, network printers, or any other computer/server within the LAN. This design assumes that all devices/users within the office LAN are genuine and authorised. It also assumes that all programs running on these devices are safe and non-malicious. However, with high speed internet access on these devices, we have seen time and again that these trusted devices/programs can very easily be compromised by well-resourced adversaries to launch various attacks on the internal resources, like unauthorised access, data exfiltration, internal network control, etc. They take advantage of a design which implicitly trusts anyone and everyone who happens to gain entry into the trusted zone.

The Zero Trust design principle aims to overcome this weakness and create a design based on actual verification of devices/users and continuous monitoring of the resources accessed by them. The first step is to identify and enumerate internal resources and define micro-perimeters (also called Software-defined Perimeter or SDP) around them. The idea is to verify each and every request for the resources, continuously monitor, and change access control policies based on changes in access parameters. The request for resources can originate from either the internal LAN or remote workers using a Virtual Private Network (VPN). The concept of Zero Trust has been there for a long time in silos. However, the term was coined by John Kindervag in 2010, during his tenure as a vice president and principal analyst for Forrester Research, for the complete framework encompassing various IT operation silos and technologies to achieve new age structural security.

Tenets of Zero Trust
Zero Trust Architecture defines a framework for structural cyber security of modern enterprises. It combines some of the already well known and established security guidelines and highlights them as the basic tenets of the framework. The basic tenets of the ZTA are enumerated below:
• All data sources and computing services are considered resources
• All communication is secured regardless of network location
• Access to individual enterprise resources is granted on a per session basis
• Access to resources is determined by dynamic policy - including the observable state of client identity, application, and the requesting asset - and may include other behavioural attributes
• The enterprise ensures that all owned and associated devices are in the most secure state possible and monitors assets to ensure that they remain in the most secure state possible
• All resource authentication and authorisation are dynamic and strictly enforced before access is allowed
• The enterprise collects as much information as possible about the current state of network infrastructure and communications and uses it to improve its security posture

Pillars of Zero Trust Architecture
We need to understand the type of resources in an IT ecosystem in order to be able to protect them and move toward zero trust.
Typically, an environment consists of people (workforce), devices (workplace), network (work-area) and servers (workload). A zero trust model has to identify and separate these components and define dynamic/adaptive policies around them. The pillars of ZTA as defined by Forrester's Zero Trust eXtended model are as follows:

[Figure: Zero Trust Architecture - People (Workforce), Devices (Workplace), Network (Workarea), Servers (Workload)]

• Data security: encryption and secure access
Take a zero-trust approach to securing data by protecting the new, extended perimeter: classify and categorise data; authorise user and device access to data; prevent data loss and exfiltration; and encrypt emails and device data.
• Network security: prevent and contain breaches on the network
By segmenting access across your network, you can better isolate and control critical areas of your network to contain breaches and prevent lateral move-
April 2020 informatics.nic.in 35
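
The tenets listed on this page (enumerated resources, per-session access, dynamic policy over identity and device state, no trust from network location) can be sketched as a small policy decision point. This is an added example, not code from the article or from any ZTA product; the resource names are the article's, while the roles, posture levels, session lifetime and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Resource names are from the article; roles, posture levels and TTL are
# hypothetical values constructed for this example.
POLICY = {  # resource -> (allowed roles, minimum device posture)
    "eOffice": ({"staff", "admin"}, "compliant"),
    "eHRMS": ({"hr", "admin"}, "compliant"),
    "network-printer": ({"staff", "hr", "admin"}, "registered"),
}
POSTURE_RANK = {"unknown": 0, "registered": 1, "compliant": 2}
SESSION_TTL = 900  # seconds before a grant must be re-issued

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_verified: bool
    device_posture: str  # observable state of the requesting asset
    source: str          # "lan" or "vpn": logged, never used to grant trust
    resource: str

def decide(req):
    """Evaluate one request against current state; default deny."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "resource not enumerated"
    roles, min_posture = rule
    if not req.mfa_verified:
        return False, "identity not verified"
    if req.role not in roles:
        return False, "role not authorised"
    if POSTURE_RANK.get(req.device_posture, 0) < POSTURE_RANK[min_posture]:
        return False, "device posture too low"
    return True, "granted"

class SessionBroker:
    """Per-session grants, re-evaluated on every access."""
    def __init__(self):
        self._grants = {}  # (user, resource) -> expiry time
    def access(self, req, now):
        ok, reason = decide(req)
        key = (req.user, req.resource)
        if not ok:
            self._grants.pop(key, None)  # posture or identity changed: revoke
            return False, reason
        if self._grants.get(key, 0) <= now:
            self._grants[key] = now + SESSION_TTL
            return True, "new session"
        return True, "existing session"
```

A request from inside the LAN with an unverified device is denied, while the same user on VPN with a compliant device is granted; a later posture drop revokes the open session instead of waiting for it to expire.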

