
Incremental Zero Trust

Author: Kabir Sikand, Product Manager, Networking and Services
Bio: Kabir is based in NYC and is the Product Manager for Networking and Services at Tailscale. He’s been in the network security, serverless, and internet intelligence spaces for 8+ years. In his free time, Kabir enjoys music, skiing, and travel.


Organizations of all sizes have made zero trust adoption a top priority. As they have integrated cloud computing, ephemeral environments, and more into their workflows they’ve had to move beyond their legacy tooling to ensure developers retain agility without compromising security. There’s a perception that zero trust requires a big-bang approach, but implementing that magnitude of change across your organization invites risk. Instead, opt to incrementally adopt zero trust across your private networks.

What is zero trust, anyways? 

Zero Trust Network Access, or ZTNA, is a network security framework and practice that requires organizations to eliminate the automatic trust traditionally inherent in their internal networks; it is often summarized as “never trust, always verify”. Instead, trust is assessed on every single resource request, taking into account both the identity and roles of the requesting user and the attributes and security posture of their device. This approach focuses on securing resources regardless of a user’s location or access pattern, shifting away from “traditional” perimeter-based network models.

The pillars of zero trust 

The essence of ZTNA lies in its identity- and context-based secure access, where trust is never assumed and must be established every time an access request is made. It centers around a few pillars:

  1. Least-Privileged Access 
  2. Connectivity 
  3. Continuous Verification 
  4. Active Assurance 
  5. Discovery 
  6. Adaptive Policy Engine 

Least-Privileged Access 

The concept of least-privileged access is simple: users and services should have access only to the resources they need, when they need them, with only the permissions and access patterns required to do so. What does this mean in practice? Generally, it means the policy engine must be able to enforce role- or attribute-based access controls across every resource an organization owns.

By implementing micro-segmentation alongside this, organizations can create separate security zones for different kinds of granular network resources (not just IP addresses), such as servers, databases, serverless clusters, and user workstations. Each zone is protected by its own set of security controls and policies, which prevents unauthorized access by users or devices and limits the blast radius of a potential breach. Attribute-based access controls combined with a strong micro-segmentation practice give organizations granular, down-to-the-resource control over access patterns, which is what enforces least-privileged access.

Connectivity 

In any zero trust environment, connectivity to every resource an organization uses is paramount. Traditional solutions use a combination of application gateways, man-in-the-middle reverse proxies, software-defined wide area networks, VPN concentrators, and similar “edge network” solutions. Most of these solutions share a common paradigm: the control plane enforces policy on the same devices that provide network connectivity, and those devices are often placed regionally to maximize performance and reliability. Regardless of the connection mechanism, the key tenets of connectivity in a zero trust practice are that:

  • All connected machines must be accessible by the control plane’s policy enforcement points.
  • Reliability and uptime are important to maintain for critical infrastructure.
  • Performance should be non-disruptive to business tasks.
  • Connection mechanisms should provide a consistent end-user experience, no matter where users are.

Continuous Verification 

Continuous verification constantly evaluates user identities, device security, and other risk factors throughout a session to ensure ongoing trustworthiness. By adopting this approach, organizations can proactively detect and mitigate potential security breaches and enforce organizational policy, minimizing the risk of unauthorized access and data breaches. Here are some key strategies to consider:

  • Phishing-Resistant Multi-Factor Authentication (MFA): In a zero trust network, it is essential to adopt phishing-resistant MFA solutions that eliminate easily compromised factors. Cryptographic solutions that bind user identities with devices can provide a higher level of security and reduce the risk of unauthorized access.
  • Device Security Controls: Organizations should enforce security policies that require devices to meet specific health criteria, such as having up-to-date security tools, active firewalls, disk encryption, and biometric authentication capabilities.
  • Integration with Security Ecosystem: Integration allows for effective communication between different security components, amplifying the impact of existing cybersecurity investments.

Active Assurance 

When making and enforcing policy decisions, it’s also important that the policy engine emits data for logging, monitoring, and analysis. This data can fuel alerting mechanisms that inform an organization about active incidents, emerging threats, indicators of compromise, and even behavioral changes in access patterns. Generally, the goals of this step are:

  • Identify and mitigate active security incidents
  • Record an audit trail of past events for future investigations
  • Generate new policy to prevent future incidents of this pattern
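The three goals above map naturally onto a small pipeline over the policy engine’s decision log. The following is an added example, not code from the original post or from Tailscale: it reads a constructed decision log, raises an alert on a burst of denials from one user (a likely misconfiguration or misuse of credentials), flags a user’s first allowed access to a segment they had never touched during a baseline period (a behavioral change), and turns each burst into a candidate policy action for review. The record fields (`ts`, `user`, `zone`, `decision`) and the thresholds are assumptions.

```python
"""Added example: turning policy-engine decision logs into alerts and
candidate policy actions. Hypothetical code; the log format is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample decision log, one record per access decision.
DECISION_LOG = [
    {"ts": "2024-03-01T09:00:00", "user": "alice", "zone": "staging", "decision": "allow"},
    {"ts": "2024-03-01T09:05:00", "user": "alice", "zone": "wiki", "decision": "allow"},
    {"ts": "2024-03-02T10:00:00", "user": "bob", "zone": "prod-db", "decision": "allow"},
    {"ts": "2024-03-02T10:30:00", "user": "alice", "zone": "staging", "decision": "allow"},
    {"ts": "2024-03-03T02:00:00", "user": "alice", "zone": "prod-db", "decision": "deny"},
    {"ts": "2024-03-03T02:00:30", "user": "alice", "zone": "prod-db", "decision": "deny"},
    {"ts": "2024-03-03T02:01:10", "user": "alice", "zone": "prod-db", "decision": "deny"},
    {"ts": "2024-03-03T02:02:00", "user": "alice", "zone": "prod-db", "decision": "deny"},
    {"ts": "2024-03-03T08:15:00", "user": "bob", "zone": "staging", "decision": "allow"},
]


def _parse(records):
    """Parse timestamps and return the records in time order."""
    parsed = [{**r, "ts": datetime.fromisoformat(r["ts"])} for r in records]
    return sorted(parsed, key=lambda r: r["ts"])


def denial_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Flag any user with at least `threshold` denials inside a sliding window.
    Repeated denials against a segment the user has no rule for usually mean a
    misconfigured client or credentials being used where they do not belong."""
    denied = defaultdict(list)
    for r in _parse(records):
        if r["decision"] == "deny":
            denied[r["user"]].append(r)
    alerts = []
    for user, rs in denied.items():
        start = 0
        for end in range(len(rs)):
            # Slide the window start forward until it covers at most `window`.
            while rs[end]["ts"] - rs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "user": user,
                    "zones": sorted({x["zone"] for x in rs[start:end + 1]}),
                    "count": end - start + 1,
                    "first": rs[start]["ts"].isoformat(),
                })
                break  # one alert per user is enough for an analyst
    return alerts


def new_zone_access(records, baseline_cutoff):
    """Flag an allowed access to a segment the user never used before the cutoff.
    Policy permitted it, but it is a change in behavior worth an analyst's look."""
    cutoff = datetime.fromisoformat(baseline_cutoff)
    seen = defaultdict(set)
    alerts = []
    for r in _parse(records):
        if r["decision"] != "allow":
            continue
        if r["ts"] < cutoff:
            seen[r["user"]].add(r["zone"])          # build the baseline
        elif r["zone"] not in seen[r["user"]]:
            alerts.append({"user": r["user"], "zone": r["zone"], "ts": r["ts"].isoformat()})
            seen[r["user"]].add(r["zone"])          # report each new zone once
    return alerts


def suggest_policy_actions(burst_alerts):
    """Feed alerts back into the policy engine as candidate actions for review:
    here, force a fresh strong authentication before the user touches those zones."""
    return [{"action": "require-reauth", "user": a["user"], "zones": a["zones"],
             "note": f"{a['count']} denials starting {a['first']}"} for a in burst_alerts]


if __name__ == "__main__":
    bursts = denial_bursts(DECISION_LOG)
    print("denial bursts:", bursts)
    print("new zone access:", new_zone_access(DECISION_LOG, "2024-03-03T00:00:00"))
    print("suggested actions:", suggest_policy_actions(bursts))
```

The sliding window in `denial_bursts` is intentionally simple; in production the same logic would run over a streaming log and the thresholds would be tuned per segment, since a denial against a production database deserves a lower threshold than one against an internal wiki.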

Discovery 

A zero trust network is only as strong as the network it is protecting, and that network is constantly changing. A holistic zero trust implementation includes monitoring and discovery of assets on the network, and uses this feedback loop to bring those resources under the policy engine. This detects instances of shadow IT, which has proliferated over the past few years at organizations of all sizes.

Adaptive Policies 

The main component of a ZTNA architecture is a policy engine that sits between “the things you need to access” and “the people who need to access those things”. This policy engine continuously verifies that those people and devices may access those resources, based on a range of inputs: who the user is, what their role is, which device they’re connecting from, the state of that device, the state of that user, and external inputs from intelligence-sharing communities.
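The pillars above (least-privileged, attribute-based access per micro-segment; phishing-resistant MFA and device posture checks under continuous verification; and a policy engine that re-decides on every request) can be shown together in a few dozen lines. The following is an added example and is not Tailscale’s implementation or any code from the original post: it is a hypothetical policy engine whose rules, role names, zone names and posture criteria (disk encryption, firewall state, minimum agent version, which MFA methods count as phishing-resistant) are all assumptions chosen for illustration. The default is deny, and the same `decide` function is called again mid-session with fresh device state, which is what makes the verification continuous.

```python
"""Added example: a minimal zero trust policy engine combining attribute-based
rules, micro-segmented zones, phishing-resistant MFA and device posture, cheap
enough to re-run on every request. Hypothetical code, not Tailscale's."""
from dataclasses import dataclass

# Assumption: these are the cryptographic, device-bound factors we accept.
PHISHING_RESISTANT_MFA = {"fido2", "passkey"}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    mfa_method: str            # "fido2", "passkey", "totp", "sms", ...


@dataclass(frozen=True)
class Device:
    disk_encrypted: bool
    firewall_on: bool
    agent_version: tuple       # e.g. (1, 42, 1)


@dataclass(frozen=True)
class Resource:
    name: str
    zone: str                  # the micro-segment the resource lives in
    port: int


@dataclass(frozen=True)
class Rule:
    zone: str
    ports: frozenset
    roles: frozenset           # holding any one of these roles qualifies
    min_agent_version: tuple = (1, 40, 0)
    need_phishing_resistant_mfa: bool = True


def device_posture_ok(device: Device, rule: Rule) -> bool:
    """Health criteria a device must meet for this rule (constructed)."""
    return (device.disk_encrypted and device.firewall_on
            and device.agent_version >= rule.min_agent_version)


def decide(user: User, device: Device, resource: Resource, rules) -> tuple:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    for rule in rules:
        if rule.zone != resource.zone or resource.port not in rule.ports:
            continue                              # wrong segment or port
        if not (user.roles & rule.roles):
            continue                              # no qualifying role
        if rule.need_phishing_resistant_mfa and user.mfa_method not in PHISHING_RESISTANT_MFA:
            return False, "mfa-not-phishing-resistant"
        if not device_posture_ok(device, rule):
            return False, "device-posture"
        return True, f"rule:{rule.zone}:{resource.port}"
    return False, "no-matching-rule"


# Constructed sample policy: one rule per segment, scoped to the roles and
# ports that segment's consumers actually need.
RULES = [
    Rule(zone="prod-db", ports=frozenset({5432}), roles=frozenset({"dba"})),
    Rule(zone="staging", ports=frozenset({22, 443}), roles=frozenset({"dev", "dba"})),
    Rule(zone="wiki", ports=frozenset({443}), roles=frozenset({"dev", "dba", "sales"}),
         need_phishing_resistant_mfa=False, min_agent_version=(1, 0, 0)),
]


def demo() -> dict:
    """Run a handful of constructed requests through the engine."""
    alice = User("alice", frozenset({"dev"}), "fido2")
    bob = User("bob", frozenset({"dba"}), "totp")
    healthy = Device(disk_encrypted=True, firewall_on=True, agent_version=(1, 42, 1))
    stale = Device(disk_encrypted=True, firewall_on=False, agent_version=(1, 42, 1))
    prod_db = Resource("orders-db", "prod-db", 5432)
    staging_ssh = Resource("staging-1", "staging", 22)
    wiki = Resource("wiki", "wiki", 443)
    return {
        "alice->staging": decide(alice, healthy, staging_ssh, RULES),
        "alice->prod_db": decide(alice, healthy, prod_db, RULES),   # not a dba
        "bob->prod_db": decide(bob, healthy, prod_db, RULES),       # TOTP is not phishing-resistant
        "bob->wiki": decide(bob, healthy, wiki, RULES),
        # Continuous verification: same user and resource, but the firewall was
        # switched off mid-session, so the re-evaluation now denies.
        "alice->staging_later": decide(alice, stale, staging_ssh, RULES),
    }


if __name__ == "__main__":
    for request, (allowed, reason) in demo().items():
        print(f"{request:22} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Two design points matter more than the specific checks. First, the reason string is returned with every decision so that the engine can log it, which is the raw material for the active assurance pillar. Second, because `decide` is a pure function of the current user, device and resource attributes, re-running it on a timer or on every new connection costs nothing, and a posture change (the `stale` device above) revokes access without any special-case code.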

Getting started can feel like an insurmountable task

It doesn’t have to be! Assess the risk across your company, or start with your team.

Tailscale recommends implementing your zero trust solution for a small internal use case, validating it, and using it for remote access within a small environment. Gradually, you can bring this pattern to your whole business unit or organization, without the need for a lift-and-shift project. Beginning with access to applications, data, and workloads within a business unit or team is often the easiest way to start. Because your team controls ingress to your resources and knows the users or services trying to connect to them, a zero trust solution can start with these internal resources.

A zero trust practice does not mean you need a secure access edge or a VPN concentrator. Remember, zero trust is a paradigm, not a set of technologies.

Join me at KubeCon + CloudNativeCon Europe this March 19 – 22 in Paris and visit booth G17 to chat about addressing Kubernetes security in multi-cloud environments.