Zero Trust – Lion bars and LANs
I’d be lying if I said, “they don’t make networks like they used to”. Sadly, we’re still making networks exactly like we used to, and that has to change.
Crunchy on the outside, chewy on the inside
Traditional networks are built with a hardened, internet-facing exterior firewall and a trusted LAN interior for your users and systems. Crunchy on the outside and chewy in the centre, just like Lion bars [1]. The ‘moat-and-castle’ design was solid for its time, but it rested on assumptions that haven’t aged well:
- The internet is full of bad people. (Still true!)
- Most of your staff work from an office.
- Your office LAN and WiFi are safe spaces.
- You can trust your people and their devices on your network.
- All the apps your staff use are hosted in your own datacentre.
Well, times change. Remote access is now commonplace. Users are generally well intentioned, but their devices are often compromised, and those devices attack the network from the inside without their owners’ knowledge.
Similarly, the widespread use of cloud services and cloud-hosted apps means the network perimeter now extends into multiple cloud providers. It has been stretched so far that, in practice, there is no perimeter any more.
Zero-Trust

The concept of zero-trust has been around for quite some time, but adoption has been slow. When I first heard of zero-trust, it sounded extreme and unachievable. It seemed like just another trendy, Gartner-defined buzzword.
I’ve changed my mind since then, although the name still irks me. Like Neo, I’ve taken the red pill. The good news is that zero-trust is a journey: no company matures overnight from ‘lots of trust’ to ‘zero-trust’. All zero-trust approaches start from one simple but powerful core principle, stated this way in NIST SP 800-207:
Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.
Implicit trust based on network location is baked in to our systems, so deeply that we no longer even see it. Removing it requires a big shift in our mindset, our processes and our network designs. How often have you heard “No need for a firewall rule, they’re coming from the LAN” or “Just use the default credentials, it’s only reachable from the LAN”? Ouch.
Microsoft defines zero-trust with three principles:
1. Verify explicitly: traditionally we grant access because a user is on the LAN or on the VPN. Zero trust says no. Authenticate and authorise explicitly, and re-evaluate frequently, using all available signals: user identity, location, device health, the service or workload, data classification and observed anomalies.
2. Use least-privilege access: limit user access, and especially privileged access, with just-in-time (JIT) and just-enough-access (JEA) controls and risk-based adaptive policies.
3. Assume breach: by assuming the network has already been breached, you design to limit the blast radius, segmenting the network and the access paths into it, and you invest in the visibility needed to detect the attacker who is already inside.
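To make the first two principles concrete, here is an added example (a hypothetical policy engine written for this post, not Microsoft’s code or any vendor’s product). It puts the legacy “on the LAN, therefore allowed” check next to an explicit-verification check that never looks at the source address at all. The corporate range, the resource classifications, the signal names (MFA state, device management, patch age, risk score) and the two sample requests are all constructed assumptions.

```python
"""Implicit network trust next to explicit verification.

Added example: a hypothetical policy engine, not from the post, Microsoft or NIST.
It shows why a decision keyed on source IP cannot express the zero-trust
principles, and what inputs an explicit-verification decision needs instead.
"""
from dataclasses import dataclass, replace
from datetime import timedelta
import ipaddress

TRUSTED_LAN = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    resource: str
    mfa_verified: bool          # assumed: taken from the IdP's last authentication
    device_managed: bool        # assumed: device is enrolled in MDM/EDR
    device_patch_age_days: int  # assumed: days since the device last passed a compliance check
    auth_age: timedelta         # time since the session last (re)authenticated
    risk_score: int             # 0-100, assumed output of an upstream anomaly detector


# Least privilege: sensitive resources demand fresher authentication and lower risk.
# Assumed classifications for illustration, not a real catalogue.
RESOURCE_POLICY = {
    "wiki":          {"max_auth_age": timedelta(hours=8),    "max_risk": 70},
    "payroll-admin": {"max_auth_age": timedelta(minutes=10), "max_risk": 20},
}


def legacy_decision(req: AccessRequest) -> bool:
    """'No need for a firewall rule, they're coming from the LAN.'"""
    return ipaddress.ip_address(req.source_ip) in TRUSTED_LAN


def zero_trust_decision(req: AccessRequest, max_patch_age_days: int = 30):
    """Deny by default; every signal has to pass. Returns (allowed, reasons)."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, ["unclassified_resource"]   # unknown resource => no access
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_missing")
    if req.auth_age > policy["max_auth_age"]:
        reasons.append("stale_session")           # frequent re-authentication
    if not req.device_managed:
        reasons.append("unmanaged_device")
    if req.device_patch_age_days > max_patch_age_days:
        reasons.append("device_unhealthy")
    if req.risk_score > policy["max_risk"]:
        reasons.append("risk_too_high")
    return (not reasons), reasons


# Constructed requests. Note that source_ip is not consulted by zero_trust_decision.
COMPROMISED_LAPTOP_ON_LAN = AccessRequest(
    user="alice", source_ip="10.20.30.40", resource="payroll-admin",
    mfa_verified=False, device_managed=True, device_patch_age_days=95,
    auth_age=timedelta(hours=30), risk_score=80)

HEALTHY_REMOTE_WORKER = AccessRequest(
    user="bob", source_ip="198.51.100.23", resource="wiki",
    mfa_verified=True, device_managed=True, device_patch_age_days=3,
    auth_age=timedelta(hours=1), risk_score=10)

if __name__ == "__main__":
    for req in (COMPROMISED_LAPTOP_ON_LAN, HEALTHY_REMOTE_WORKER):
        print(req.user, "legacy:", legacy_decision(req),
              "zero-trust:", zero_trust_decision(req))
    # Same healthy user, but asking for a privileged resource: an hour-old session is too stale.
    print("bob -> payroll-admin:",
          zero_trust_decision(replace(HEALTHY_REMOTE_WORKER, resource="payroll-admin")))
```

The compromised laptop sails through the legacy check because of where it is plugged in, and fails the explicit one on four separate signals; the remote worker is the mirror image. The third call shows least privilege in action: the same healthy session that is good enough for the wiki is not fresh enough for payroll administration.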
DORA assumes breach
European financial entities and their ICT third-party providers are now required to comply with DORA, the EU’s Digital Operational Resilience Act. DORA zooms in on lateral movement: it assumes at least one of your systems will be breached, and shifts the focus to containing the potential contagion. The regulatory technical standard on ICT risk management that accompanies DORA puts it like this:
“…financial entities shall design the network connection infrastructure in a way that allows it to be instantaneously severed or segmented in order to minimise and prevent contagion…”
Commonly cited estimates put more than 75% of the traffic in a modern data centre as staying within the data centre itself. This ‘East-West’ traffic is rarely, if ever, inspected; it flows freely between workloads. You cannot manage what you cannot measure, although endpoint and network detection and response (EDR/NDR) tooling is starting to shed some light on internal traffic flows.
DORA in effect requires you to map your critical flows and protect them from this ‘internal threat’. DORA never mentions micro-segmentation by name, but meeting its requirements without a micro-segmentation capability will be hard.
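Mapping East-West flows is the step most organisations skip, so here is an added example (written for this post, not taken from DORA, any RTS or any vendor tool) of the measuring half of “you cannot manage what you cannot measure”. It reads constructed flow-log lines, tags each internal endpoint with a workload tier from a hand-made inventory, aggregates the tier-to-tier flows, and diffs them against the dependencies the architecture is supposed to have. Everything that is left over is either an undocumented dependency or an attacker moving laterally; either way it is the list you need before you can write a segmentation policy. The log format, the inventory, the allow-list and the sample lines are all assumptions.

```python
"""Map East-West flows and diff them against the intended dependencies.

Added example, not from the post or any product. The flow-log format
("<ts> <src_ip> <dst_ip> <dst_port> <proto> <bytes>"), the workload
inventory, the allow-list and the sample lines are all constructed.
"""
from collections import Counter

# Constructed inventory: IP -> workload tier (assumption: maintained in a CMDB/tagging system).
WORKLOADS = {
    "10.1.0.10": "web", "10.1.0.11": "web",
    "10.2.0.20": "app", "10.2.0.21": "app",
    "10.3.0.30": "db",
    "10.9.0.5":  "jump",
}

# The dependencies the architecture is supposed to need: (src tier, dst tier, dst port).
# "*" as destination tier means any tier (here: the jump host may SSH anywhere).
ALLOWED = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("jump", "*", 22),
}

# Constructed flow-log lines. Two of them should not exist in this design.
SAMPLE_LOG = """\
1700000001 10.1.0.10 10.2.0.20 8443 tcp 5120
1700000002 10.1.0.11 10.2.0.21 8443 tcp 7300
1700000003 10.2.0.20 10.3.0.30 5432 tcp 980
1700000004 10.9.0.5 10.3.0.30 22 tcp 2200
1700000005 10.1.0.10 10.3.0.30 5432 tcp 1400
1700000006 10.2.0.21 10.1.0.10 22 tcp 600
1700000007 10.1.0.11 10.2.0.20 8443 tcp 4100
1700000008 198.51.100.7 10.1.0.10 443 tcp 9000
"""


def parse_flows(text):
    """Parse log lines into (src_ip, dst_ip, dst_port, proto, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, proto, nbytes = line.split()
        flows.append((src, dst, int(dport), proto, int(nbytes)))
    return flows


def tier(ip):
    """Tier of a known workload, or 'external' for anything not in the inventory."""
    return WORKLOADS.get(ip, "external")


def is_allowed(src_tier, dst_tier, dport):
    return (src_tier, dst_tier, dport) in ALLOWED or (src_tier, "*", dport) in ALLOWED


def east_west_map(flows):
    """Count flows between known workloads, keyed by (src tier, dst tier, dst port).

    Flows with an external endpoint are North-South and are left out: the
    perimeter firewall already sees those. This map is the traffic it does not see.
    """
    counts = Counter()
    for src, dst, dport, _proto, _nbytes in flows:
        s, d = tier(src), tier(dst)
        if "external" in (s, d):
            continue
        counts[(s, d, dport)] += 1
    return counts


def unexpected_flows(flows):
    """East-West flows that no documented dependency explains, sorted for stable output."""
    return sorted(key for key in east_west_map(flows) if not is_allowed(*key))


if __name__ == "__main__":
    observed = parse_flows(SAMPLE_LOG)
    for key, n in sorted(east_west_map(observed).items()):
        status = "ok        " if is_allowed(*key) else "UNEXPECTED"
        print(f"{status} {key[0]:>4} -> {key[1]:<4} :{key[2]:<5} flows={n}")
    print("to investigate:", unexpected_flows(observed))
```

On the sample data the web tier talking straight to the database on 5432 and an app server opening SSH back to a web server are the two flows to investigate. Once the leftover list is empty, the `ALLOWED` set is your deny-by-default segmentation policy, expressed in tiers rather than addresses; run the same diff continuously so that a new unexpected flow becomes an alert rather than a surprise during an incident.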
Takeaways and actions
Trusting ‘the LAN’ or ‘the VPN’ was once all you needed, but those days are gone. I hope I’ve convinced you that it isn’t enough for the modern world.
Take a moment to consider how removing implicit trust would change the way you design and run your network. This isn’t just a DORA thing, and it isn’t just for the ‘big players’. Each small step you take toward zero-trust improves your security posture.
I’ll dive deeper into the ‘how’ of zero-trust, identity-based access and micro-segmentation in later posts. In the meantime you can arrange a chat with me to discuss DORA, NIS2, zero-trust or micro-segmentation.
[1] I’m off to buy a Lion bar.. it’s been too long. Mmmm .. crunchy.