ZERO TRUST NETWORK SECURITY MODEL
Presented by: Kirsten Bolinger and Ria Baldevia
JULY 2019
Booz Allen Hamilton Non-Sensitive
AGENDA
SECTION 1: WHAT IS ZERO TRUST?
SECTION 2: ZERO TRUST IMPLEMENTATION
SECTION 3: ZERO TRUST AND FEDERAL GOVERNMENT
SECTION 4: Q&A
WHAT IS ZERO TRUST
• Definition
- A security concept centered on the belief that an organization should not automatically trust anything inside or outside its perimeter, and instead must verify everything trying to connect to its systems before granting access.
• Zero Trust Fundamentals
- Fundamental #1: The network is always assumed hostile.
- Fundamental #2: External and internal threats exist on the network at all times.
- Fundamental #3: Network locality is not sufficient for deciding trust in a network.
- Fundamental #4: Every device, user, and network flow is authenticated and authorized.
- Fundamental #5: Policies must be dynamic and calculated from as many sources of data as possible.
ZERO TRUST FRAMEWORK ARCHITECTURE
• Zero Trust Segmentation Platform
- Represents multiple technologies and could be in multiple locations
- Defines the internal trust boundaries
- Enables secure network access and controls traffic flow
- Continuously monitors for threats
• Trust zones
- Each zone attached to an interface is a “microcore and perimeter” (MCAP)
- Resources within each MCAP share similar functionality and attributes
- All traffic is inspected and logged between zones and within zones
• Management Infrastructure
- Switching fabric is placed around the segmentation platform
Palo Alto Networks: Zero Trust Approach
ZERO TRUST RELATIONSHIP CIRCLE
[Diagram: Users, Devices, Applications and Traffic arranged in a circle, with the labels “Inspect and Log” and “Learn and Adapt”]
ZERO TRUST DATA POINTS
DEVICES
Device authentication
• X.509 certificates bound to a TPM
Device renewal
• Re-image/rotation of devices
• Local/remote measurement
Inventory management
• Catalogue devices and their properties to establish expected behavior
• The inventory database should be specialized to accommodate the high change rates that virtualized/containerized environments experience
Configuration management
Device trust signals
• Time Since Image
• Historical access
• Location
• Network Communication Patterns
USERS
Zero Trust networks identify and trust users separately from devices
Private PKI is preferred over public PKI
User directory maintenance is critical to the safety of Zero Trust networks, to ensure only the right users are allowed on the network
Authentication/Authorization
• The sensitivity of the application and the user’s trust score determine the level of authentication needed
• Coarse-grain authentication/authorization
• Fine-grain authentication/authorization
See something, say something
• Zero Trust networks work best with collaboration between users and the security team
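As an added illustration (not part of the deck) of Fundamental #5 together with the device trust signals and the coarse-/fine-grain authentication levels above, the following toy policy engine derives a device trust score from several signals and chooses coarse-grain, fine-grain (step-up) or deny according to application sensitivity. The signal weights, the sensitivity thresholds and every name in the code are constructed assumptions, not a real product's policy.

```python
from dataclasses import dataclass

# Constructed device trust signals, one field per signal type named on the DEVICES slide.
# Source IP / network locality is deliberately NOT an input (Fundamental #3).
@dataclass
class DeviceSignals:
    days_since_image: int      # Time Since Image
    prior_access_count: int    # Historical access (successful prior accesses to this app)
    known_location: bool       # Location (seen from an expected site/region before)
    anomalous_traffic: bool    # Network Communication Patterns deviate from inventory baseline

def device_trust_score(sig: DeviceSignals) -> int:
    """Combine several signals into a 0-100 score; the weights are assumed policy values."""
    score = 100
    if sig.days_since_image > 90:        # stale image: patches/rotation overdue
        score -= 30
    elif sig.days_since_image > 30:
        score -= 10
    if not sig.known_location:
        score -= 20
    if sig.prior_access_count == 0:      # first contact with this application
        score -= 10
    if sig.anomalous_traffic:            # strongest signal: possible compromise
        score -= 40
    return max(0, score)

# Assumed minimum trust per application sensitivity class (Fundamental #5: dynamic policy).
SENSITIVITY_THRESHOLD = {"low": 30, "medium": 50, "high": 70}

def required_auth(app_sensitivity: str, user_trust: int, device_trust: int) -> str:
    """Return the slide's auth level: 'coarse-grain', 'fine-grain' (step-up), or 'deny'."""
    needed = SENSITIVITY_THRESHOLD[app_sensitivity]
    combined = min(user_trust, device_trust)   # user and device are scored separately; weakest wins
    if combined < needed - 30:
        return "deny"
    if combined < needed:
        return "fine-grain"   # per-request re-authentication / MFA before access
    return "coarse-grain"     # session-level authentication is enough

def decide(app_sensitivity: str, user_trust: int, sig: DeviceSignals) -> dict:
    """Evaluate one access request and return the record that would be logged ('inspect and log')."""
    score = device_trust_score(sig)
    return {"app_sensitivity": app_sensitivity, "user_trust": user_trust,
            "device_trust": score, "decision": required_auth(app_sensitivity, user_trust, score)}

if __name__ == "__main__":
    fresh = DeviceSignals(days_since_image=10, prior_access_count=5, known_location=True, anomalous_traffic=False)
    stale = DeviceSignals(days_since_image=120, prior_access_count=0, known_location=False, anomalous_traffic=False)
    for s in (fresh, stale):
        print(decide("high", 90, s))
```

The same device can be admitted with coarse-grain auth to a low-sensitivity application and forced through step-up auth for a high-sensitivity one, which is the point of scoring users and devices separately and letting the application's sensitivity set the bar.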
APPLICATIONS
To build trust in applications, the following three assertions must be made:
• The source code that is built is the code we intended to build
• The build process/configuration is the one that was intended
• The build itself was performed faithfully, without manipulation
Limit human involvement in the application pipeline so the attack surface is minimized
• Building software artifacts
Application upgrade-only policy
Limit the set of resources that can access a deployed application through the use of isolation
TRAFFIC
Message authenticity is a requirement in a Zero Trust network
• Encryption is a bonus
Mutual TLS authentication is preferable for client/server interactions or heterogeneous environments
For server/server interactions, IPsec is preferable
Network filtering
• Host filtering
- On-host firewalls are preferred
• Bookend filtering
- Egress filtering is used to harden the Zero Trust network
• Intermediary filtering
- Devices other than the sender/receiver can and should participate in filtering traffic
ZERO TRUST MATURITY PHASE
[Diagram: five phases, Phase 1 through Phase 5. Labels in the diagram: Verify for trust, Gain visibility, Enable adaptive possibilities, Inspect devices for trust, Zero trust]
COMMERCIAL IMPLEMENTATION
GOOGLE’S BEYONDCORP
[Diagram: Unprivileged Network and Public Network; SSO; Access Proxy; RADIUS; Access Control Engine; User/Group database; Pipeline; Trust Inference; Device Inventory Database; Certificate Issuer; 802.1x; Google Building]
PRINCIPLES
• Connecting from a particular network must not determine which services you can access
• Access to services is granted based on what we know about you and your device
• All access to services must be authenticated, authorized, and encrypted
NETFLIX’S LISA
[Diagram: AWS or Data Center; Internet; Firewall ACLs; Switch Private VLANs; User Network Security Stack; IDP and 2FA; VPN with Health Checks; Private Resource]
PRINCIPLES
• Trust identity and health
• No trust in the office network
• Device isolation
ZERO TRUST IN THE FEDERAL GOVERNMENT
U.S. FEDERAL GOVERNMENT ZERO TRUST EFFORTS
• President’s Management Agenda
- Zero Trust is a driver in the Federal IT Modernization push
• Federal CIO Council
- ACT-IAC is evaluating Zero Trust from a technical, policy, and procurement perspective
- Sponsoring an interagency working group to define a Zero Trust effort focusing on a reference architecture and a Zero Trust pilot
• Department of Homeland Security
- Trusted Internet Connection 3.0
• Department of Defense
- Test pilots
- Policy
Q&A