Last week a Congressional Subcommittee released a report detailing its investigation into the OPM breach, arguably the worst computer security incident in American history. Among the Committee's recommendations is that Federal information security efforts should be reprioritized toward a Zero Trust Model. Read this:

The OPM data breaches... illustrate the challenge of securing large, and therefore high-value, data repositories when defenses are geared toward perimeter defenses. In both cases the attackers compromised user credentials to gain initial network access, utilized tactics to elevate their privileges, and once inside the perimeter, were able to move throughout OPM's network, and ultimately accessed the "crown jewel" data held by OPM. The agency was unable to visualize and log network traffic which led to gaps in knowledge regarding how much data was actually exfiltrated by attackers... Agencies should move toward a "zero trust" model of information security and IT architecture. The zero trust model centers on the concept that users inside a network are no more trustworthy than users outside a network... In order to effectively implement a zero trust model, organizations must implement measures to visualize and log all network traffic, and implement and enforce strong access controls for federal employees and contractors who access government networks and applications.

Frankly, we're somewhat surprised to see such a cogent statement about information security coming from a Congressional report. When Washington policy makers aren't busy threatening to prevent the global coordination of information about security threats, they're proposing overly broad backdoor requirements for all kinds of encryption software that law enforcement will never need to access. Despite all those missteps, we happen to strongly agree with this particular piece of advice, and not just for Federal agencies, but for any organization that faces the threat of sophisticated attacks.
Perhaps it helps that one of the authors of the report, Representative Will Hurd, has a background in Computer Science. But more importantly, the Zero Trust Model is an idea that really came out of Forrester Research, who have been promoting it for several years. Forrester outlined their ideas in a public comment to NIST in 2013, which was referenced by the Congressional Report about OPM.

Forrester provides a perfect metaphor for the typical enterprise network: it's "like an M&M, with a hard crunchy outside and a soft, chewy center." They point out that once an attacker gets past the perimeter defenses in most computer networks, they have access to all of the resources in the network. If organizations are going to be resilient against sophisticated attackers, they have to anticipate that compromises are going to happen, and take steps to architect their networks to limit the impact of those compromises.

However, operating an internal network on a true zero trust footing is easier said than done. We build firewalls for a reason: to limit the complexity of the attack surface that our organizations present to the Internet, so that we can focus our efforts on protecting the remaining surface. Treating every enterprise application as if it were directly connected to the Internet might be a great goal in theory, but in practice security teams are stretched too thin already. The challenge is to find a reasonable middle ground. Where that middle ground is drawn depends greatly on the kinds of tools that we have at our disposal and the reach they give our teams.

I won't repeat all the points made in Forrester's comment (it's only 18 pages), but two themes in particular stand out for us: the need to log and inspect all internal network traffic, and the need for internal network segmentation based on a least privilege strategy.
Better internal segmentation reduces the exposure that key applications have to the rest of the internal network, doubling down on the value of firewalling rather than pretending it doesn't exist. The logs make incidents possible to investigate: if you can't see lateral movement within your network, there is little that you can do in the midst of an incident to stop it.

At Drawbridge Networks, our mission is to build new technology that makes the hardening of internal networks easier, more cost effective, and more secure. There are three key capabilities that we bring to the table that we think make it significantly easier for organizations to achieve better internal segmentation and logging.

Microsegmentation for the Whole Enterprise: Most microsegmentation technology is designed specifically around protecting cloud workloads. Although protecting the cloud is important, workstations are important too. Many incidents begin by compromising an end user workstation, whether through spear phishing, an infected USB drive, or another vector. Attackers are adept at pivoting from an initial workstation compromise to gaining credentials that provide broader access to the network. Therefore, if you want to protect a whole network, workstations need to be a part of the picture.

Total Internal Network Visibility: While Forrester argues that many organizations log internal network traffic, we're not sure we agree. Some internal traffic might be logged at key points, but few organizations today have total endpoint-to-endpoint visibility. In addition, our product provides process and user context for network traffic that you can only get from an endpoint agent.

True Least Privilege Segmentation: Building effective network segments is hard work, and doing it with physical switches is expensive. The consequence is that even relatively well segmented networks are not truly locked down to a least privilege level.
Our software enables segments to be configured on the fly, and we can build network segments based on user groups rather than IP addresses or physical switch configuration. Two employees with different job functions can be sitting on the same physical network segment and have network level access to different servers based on their job function. That capability affords truly granular, least privilege segments that enable employees to access the systems they need to do their jobs, and nothing more.

These three capabilities ultimately have to do with amplifying your security team's reach. If segmentation becomes easier and visibility becomes easier, you can afford to do more to lock down your internal network than what you are doing today. You might not reach an ideal state of operating as if the perimeter doesn't exist, but you can find a middle ground that is closer to the ideal. In practice this may be the difference between an incident and a data breach. That is the difference that we want to make.

- Tom Cross, CTO