
The Zero Trust model: from basic principles to deployment

Zero Trust model: Definition

The Zero Trust model involves reducing the trust granted to users to access an information system. This model responds to security needs that have grown with the practice of BYOD (Bring Your Own Device) and with heterogeneous access to services that may be hosted On-Premises or in the Cloud.

Without the Zero Trust model, trust is granted by default to all users and devices within the company. In a Zero Trust model, nothing and no one should be trusted by default, applying this motto: “Never trust, always verify.”

Access control to information system resources therefore involves a dynamic and regular assessment of users seeking to access them. It also assesses the context, taking into account the criticality of the resource in question, whether it is the start of a session, an already authenticated session, or an ongoing session.

Access control is based on the implementation of an Attribute-Based Access Control (ABAC) model that allows the user, the resource, and the context (level of compliance with the security policy, time, location, etc.) to be controlled.

Principles such as need-to-know, least privilege, and segmentation must govern these assessments in order to grant or deny access to information system resources.

As ANSSI (the French National Cybersecurity Agency) points out: “The Zero Trust model must be included in a defense-in-depth strategy and should in no way be seen as a replacement for defense tools and best practices.” In other words, a Zero Trust model must be implemented on the basis of proven security and IT hygiene best practices. This model requires rigorous monitoring and a high level of cybersecurity maturity. If these basic security best practices are not in place (encryption, segmentation, supervision, detection, updates, etc.), the impact of Zero Trust will be very limited.

Furthermore, it is important to bear in mind that while the Zero Trust model does not prevent compromise, it does limit its impact. It reduces the risks associated with modern attacks like ransomware. Concretely, if attackers gain access to an information system, the Zero Trust model makes it more difficult for them to access the data they are trying to steal.

In short, for a Zero Trust model to be effective, the security of the entire workspace must first be ensured, notably through detection tools such as an EDR.

The role of an EDR in a Zero Trust model

To effectively detect threats, an organization must ensure that its EDR provides access to telemetry data that enables more effective investigations and a thorough understanding of incidents.

The combined action of Zero Trust + EDR contributes to better defense as the Zero Trust model allows resource access to be verified, and EDR monitors what happens on the information system after access.

Monitoring activity on the information system remains essential because, even with a Zero Trust model, the legitimacy of access is never 100% guaranteed. An attacker may have stolen credentials to access the information system, or a legitimate user may have been forced to perform illegitimate actions. Observing suspicious behavior and signatures enables intrusions to be detected.

Let’s now get to the heart of the matter with access control policies management in a Zero Trust model.

Zero Trust: Access control policies

For relevant and sustainable access management, an organization must keep the data sources on which access is granted up to date, and must also define access rules based on simple compliance criteria or trust scores.

Tools, trust scores, compliance criteria: the access control mechanisms must also be checked regularly to confirm their effectiveness and maintained to validate that they are still in line with the access control policy — just like IT equipment, which must undergo regular security testing.

More specifically, this involves creating and maintaining a map of applications, data, users, devices, and the flows between all these elements, and controlling access to them.

Finally, the availability and integrity of the access control functions must be given careful attention, as their malfunction can have a critical impact on the entire information system.

Here are some examples of best practices in terms of access control policy within a Zero Trust model: 

  • Identify all access points (user, equipment, automation) in a unique and certified manner, and provide a second authentication factor via a private key associated with a certificate
  • Protect the authentication secret (certificate) in a dedicated hardware component (e.g. a physical token)
  • Avoid passive authentication mechanisms
  • By default, consider personal devices to have a low level of trust with limited access open only to non-critical services
  • Use only devices with a high level of trust for administrative access
  • Implement cryptographic mechanisms to ensure the confidentiality, integrity, and authenticity of data once a user is authenticated
  • Provide an IPSec VPN tunnel for privileged access and a Zero Trust proxy for users with access to public services exposed on the internet
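As an added illustration, not code from the article or from HarfangLab, the following constructed policy decision point expresses the ABAC criteria above (user, device trust level, resource criticality, context such as time, and periodic re-authentication of an ongoing session) as a deny-by-default decision. The trust levels, criticality labels, time window and re-authentication interval are assumed values chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed example (not HarfangLab code): a minimal ABAC policy decision
# point applying the article's rules to user, device, resource and context.
# Trust levels, the time window and the re-authentication interval are assumed.
REAUTH_INTERVAL = timedelta(minutes=30)   # session must periodically re-prove identity
ALLOWED_HOURS = range(7, 20)              # context rule: 07:00-19:59 for critical data

@dataclass
class Subject:
    user: str
    mfa: bool                # a second factor was presented in this session
    last_auth: datetime      # last time the session proved its identity
    admin: bool = False      # holds an administrative role

@dataclass
class Device:
    trust: str               # "low" (personal/BYOD), "medium", "high" (managed, hardware-backed key)
    compliant: bool          # updated, hardened, EDR agent present

@dataclass
class Resource:
    name: str
    critical: bool           # holds critical data
    admin: bool = False      # administrative interface

def decide(sub: Subject, dev: Device, res: Resource, now: datetime) -> tuple[bool, str]:
    """Deny by default; evaluated on every request, not only at session start."""
    if now - sub.last_auth > REAUTH_INTERVAL:
        return False, "session must re-authenticate"
    if not dev.compliant:
        return False, "device does not comply with the security policy"
    if res.admin:            # administrative access only from high-trust devices
        if dev.trust != "high" or not sub.mfa or not sub.admin:
            return False, "admin access requires a high-trust device, MFA and an admin role"
        return True, "admin access granted from a high-trust device"
    if res.critical:         # personal (low-trust) devices see only non-critical services
        if dev.trust == "low":
            return False, "personal devices are limited to non-critical services"
        if not sub.mfa:
            return False, "critical data requires MFA"
        if now.hour not in ALLOWED_HOURS:
            return False, "access to critical data outside the allowed time window"
    return True, "access granted"
```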

As we can see here, the Zero Trust model is demanding in terms of access control management and requires the appropriate resources and tools.

And on a technical level, what are the principles of the Zero Trust model?

The main technical principles of the Zero Trust model

The Zero Trust model is based on several pillars, namely rigorous management of information system security and of the trust level of users and equipment, as well as protection of the resources and the network.

The infrastructure required for a Zero Trust model

The implementation of a Zero Trust model relies on the deployment of infrastructure designed to manage the following three elements.

Management of identities and credentials for information system users and devices and automation processes

Unique identity repositories, security attributes, and authentication mechanisms must be updated regularly, and authentication must be repeated periodically to maintain trust.

Management of assets and vulnerabilities in automated processes and equipment

Discrepancies between security policy and compliance must be monitored and, where possible, automated. This also applies to the management of updates and patches.

Security monitoring management

The collection and analysis of security event data, along with an alerting system that produces few false positives, are essential prerequisites.

EDR is one of the key tools upstream of a Zero Trust model. It provides analysts with all the information they need to assess the threat, detect known and unknown threats, suspicious behavior, malware, and indicators of compromise.

The right architecture for a Zero Trust model

An organization must segment and compartmentalize its network to prevent lateral movement in the event of an intrusion.

The same applies to the control plane and data plane. Access to these resources must pass through a secure channel that respects confidentiality, integrity, and authenticity, with mutual authentication. Access chains must also be separated between administrative access and user access.

Finally, an organization must implement redundancy and synchronization mechanisms on control plane equipment to ensure continuous access control, and dynamic access control services must be segmented by use to limit the impact in the event of failure.

The level of trust in users and equipment

In a Zero Trust model, trust is central and is based on robust authentication mechanisms such as:  

  • Multi-factor authentication for users to combat brute force attacks or phishing
  • Cryptographic means or “challenge/response” mechanisms for authenticating automatic processes and equipment
  • Storage of credentials in a dedicated hardware environment
  • Single Sign-On (SSO)
  • The use of mechanisms such as UEFI Secure Boot or Measured Boot to verify the integrity and authenticity of the boot chain
  • Verification of the integrity and authenticity of applications
  • Etc. 

Resource protection

As mentioned earlier, to be effective, the Zero Trust model must be implemented on an information system that already complies with IT hygiene rules, including centralized updates, hardening of security configurations, adoption of EDR, etc. And this protection must be increased for equipment that allows access to any critical data.

In addition, networks must be secured using Software Defined Perimeter mechanisms (including, for example, VPNs), network partitioning, and application protection (Zero Trust proxy or reverse proxy).

Now, how do you implement a Zero Trust model?

Zero Trust model: Acquisition, development, and maintenance

To implement a Zero Trust model, an organization must:  

  • Prioritize the use of standard protocols to limit dependence on solution providers and proprietary languages where applicable
  • Verify the compatibility of resources with the ABAC model, or provide appropriate solutions in this regard
  • Validate the security level of the solutions deployed on the information system (qualifications, certifications, etc.)
  • Regularly test access control mechanisms and rules to identify and correct any issues that could compromise security or disrupt operations, and carry out configuration audits and intrusion tests
  • Deploy the technical and human resources necessary for the Zero Trust model (experts, tools, support, etc.)

Prerequisites for a Zero Trust model

Before getting started, here are a few prerequisites for an organization wishing to deploy a Zero Trust model. The organization must be able to:

  • Keep access account repositories up to date (with the ability to automatically disable any access account considered compromised)
  • Renew the secrets of different users and resources (via a key management infrastructure)
  • Keep devices up to date
  • Keep detection repositories up to date and actively monitor threats (Cyber Threat Intelligence)
  • Protect the authenticity and integrity of attributes at rest and in transit (e.g., cryptographic mechanisms on file attributes and metadata)

Now that we have explored the main principles of the Zero Trust model and how it is deployed, let’s look at some key points to keep in mind to avoid pitfalls and make Zero Trust a real asset.

Zero Trust model: Points to watch out for

The availability, integrity, and authenticity of the data used to authorize or deny access are crucial. This ensures that users or devices have access to the right resources and, conversely, that access is not blocked due to an error.

Beware of the false sense of security that comes from blindly relying on a trust score. The calculation and assignment of this score must be reviewed and tested regularly to avoid false positives that could lead to wrongful authorization of illegitimate access.

Continuous evaluation of access requests can cause latency. It is therefore essential to ensure that the components used to perform access controls are correctly sized for the context and needs of the information system.


The expert’s view  

To sum up, the prerequisites for a Zero Trust model are:  

  • Authentication: strict identity validation, with each endpoint or user proving their identity, e.g. via MFA systems
  • Access granularity: it must be possible to determine precisely who can access what, when, how, and under what conditions — from a given geographical area, during defined time slots, etc.
  • Least privilege: this is a fundamental principle; users should only have access to the resources they strictly need
  • Segmentation: a micro-segmented system minimizes the risk of lateral movement
  • Supervision: activities must be monitored to detect suspicious behavior 

“All these prerequisites mean that the deployment of a Zero Trust model remains accessible to organizations that are already mature in terms of security. However, if you are unable to apply it in its entirety, don’t hesitate to draw inspiration from Zero Trust model practices, as even when applied partially, they remain useful for strengthening security!”

Emeric Boit, Lead CTI – HarfangLab
