What is Zero Trust?
Zero trust is a security model built on strict, per-request access control: nothing is trusted by default because of where it sits on the network. Forrester coined the term in 2010, and it has risen in popularity since.
Traditionally, enterprise security architecture relied on a trusted internal network protected by firewalls that enforce perimeter security. With enterprises adopting mobile and cloud technologies, however, the perimeter is becoming increasingly difficult to enforce. In addition, attackers have a variety of ways to get into the internal network. One of the main methods is compromising a user’s device that is allowed to connect to the enterprise network. Another flaw in the perimeter-based security model is the insider, who already acts from within the corporate perimeter.
As a result, enterprises are starting to move away from network perimeters toward a Zero-Trust Architecture (ZTA). With ZTA, access is granted based on the credentials of the user and the device, not on the user’s presence in the corporate network. Based on those credentials, the enterprise grants access to a subset of enterprise resources, and employees can work from any network without relying on a VPN connection. The architecture is called “Zero Trust” because the enterprise does not automatically trust devices inside the corporate perimeter; instead, it verifies every device and user on every access.
The Zero Trust Model is Inherently Flawed
ZTA is definitely a great step in the right direction, but it has a fundamental design flaw that results from a wrong assumption: that the network can check the health of a user device and then trust it with access to enterprise resources. This may hold for a few extremely locked-down devices. Most enterprise user devices, however, run operating systems like Windows, with a huge vulnerable code base, a wide variety of legacy applications and middleware, and access to risky networks and internet resources. A determined attacker can compromise such a device, and once that happens the operating system can no longer be trusted: malware running in the same operating system kernel that performs the health checks can tamper with them and report a healthy device.
This means that many enterprises adopting ZTA still mistakenly trust user devices. It is a critical flaw: an attacker who breaches a privileged user’s device can ride the user’s already-authenticated session and do harm with that user’s permissions, without ever having to defeat the authentication itself.
Furthermore, because ZTA creates a false sense of security, it encourages enterprises to allow access to corporate resources from personal, unmanaged or BYOD devices, relying on basic (and easily forgeable) health checks to keep malware out. This makes things worse, since personal and unmanaged devices have a higher probability of being infected.
Achieving Zero Trust Network Security Nirvana
To close this gap in ZTA, and make it a truly secure architecture, enterprises must ensure employees use trusted devices. Once trust in the user device is re-established, users can be allowed to reach corporate resources from anywhere. This is a challenging task, as enterprises still rely heavily on Windows (or other monolithic operating systems) and on legacy applications that are vulnerable and untrusted. Any approach to making devices trustworthy again must also support migrating existing devices; a solution that requires a fresh start with a new operating system or new hardware would fail in any realistic enterprise environment.
One way to achieve trusted devices is Privileged Access Workstations (PAWs). Users are given dedicated, extremely locked-down workstations that are the only machines allowed to reach sensitive corporate resources, for example by provisioning a client certificate that identifies these devices and configuring services to accept only connections that present it. This method is expensive, as it typically requires each user to have two physical devices, one for day-to-day and personal use and another for sensitive access. It is also counter-productive for users who need to context-switch between the two.
There’s a better way. At Hysolate, we achieve this new ZTA architecture by splitting a user’s device into two segregated zones, each running in its own local virtual machine on top of a bare-metal hypervisor. One VM is the unmanaged, untrusted VM; the other is the privileged VM. The privileged VM runs a locked-down operating system and holds a client certificate, inaccessible to the user, that vouches for the integrity of the VM. The ZTA broker allows only privileged Hysolate VMs to reach sensitive enterprise applications. Because the certificate is not accessible from the untrusted VM or from any other device, the end user cannot reach these applications from anywhere else. With this architecture in place the puzzle is complete, and enterprises can really move to a secure-by-design architecture.
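The device-bound check described for PAWs and for the privileged-VM broker above, as an added example that is not Hysolate’s code and not part of the original post: a minimal ZTA broker decision in Go, standard library only. It generates an in-memory privileged-device CA (an assumption made so the example runs offline; in production the CA key lives with the enterprise PKI, never on a device), issues a device certificate carrying an assumed organizational-unit marker `privileged-vm`, and authorizes a request only if the presented certificate chains to that CA and carries the marker. The source address is passed in purely to show that the decision ignores it, which is the earlier point about access not depending on presence in the corporate network. A second CA with the same name but a different key stands in for a compromised or unmanaged device forging its health claim; its certificate is rejected because the chain does not verify. Device names, CA names and addresses are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// privilegedOU is an assumed marker the enterprise PKI puts only into certificates it issues to privileged VMs.
const privilegedOU = "privileged-vm"

// newCA creates a self-signed CA in memory so the example runs offline; a real CA key lives with the enterprise PKI, never on a device.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert signs a client-auth certificate for one device; the device key is discarded here, on a real device it stays inside the privileged VM.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID, ou string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: deviceID, OrganizationalUnit: []string{ou}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// authorize is the broker's decision for a sensitive application. sourceIP is accepted only to make the point that
// network location is not an input: a request from the corporate LAN gets no more trust than one from a cafe.
func authorize(roots *x509.CertPool, device *x509.Certificate, sourceIP string) error {
	if device == nil {
		return errors.New("no device certificate presented")
	}
	// A self-asserted "I am healthy" claim can be forged by malware on the device; a signature by a CA key the device never held cannot.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := device.Verify(opts); err != nil {
		return fmt.Errorf("device certificate not issued by the privileged-device CA: %w", err)
	}
	for _, ou := range device.Subject.OrganizationalUnit {
		if ou == privilegedOU {
			return nil
		}
	}
	return errors.New("device certificate is not marked as a privileged VM")
}

func main() {
	trustedCA, trustedKey, _ := newCA("Privileged Device CA")
	rogueCA, rogueKey, _ := newCA("Privileged Device CA") // same name, different key: a forgery
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	genuine, _ := issueDeviceCert(trustedCA, trustedKey, "laptop-0042", privilegedOU)
	forged, _ := issueDeviceCert(rogueCA, rogueKey, "laptop-0042", privilegedOU)
	// Constructed sample requests: only the certificate chain changes the outcome, never the source address.
	for _, c := range []struct {
		device *x509.Certificate
		src    string
	}{{genuine, "203.0.113.7"}, {forged, "10.0.0.12"}, {nil, "10.0.0.12"}} {
		if err := authorize(roots, c.device, c.src); err != nil {
			fmt.Printf("DENY  src=%s: %v\n", c.src, err)
		} else {
			fmt.Printf("ALLOW src=%s device=%s\n", c.src, c.device.Subject.CommonName)
		}
	}
}
```

In a real deployment the broker would take the certificate from the mutual-TLS handshake (`tls.Config` with `ClientAuth: tls.RequireAndVerifyClientCert` and `ClientCAs` set to the privileged-device CA) rather than from a parameter, and the OU check would be joined by revocation and user authentication; the shape of the decision, chain first and self-asserted attributes only after the chain holds, stays the same.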