Starting Zero Trust Without Spending a Dime

Originally published by CXO REvolutionaries.

Written by Brett James, Director, Field Product Management, Zscaler.

Changing infrastructure is generally the first draw for any enterprise zero trust initiative, separating resources on the network that traditionally had carte blanche access to anything it could ping. NIST, other government agencies, and industry bodies point towards the policy enforcement point (PEP) as the gateway device or service that performs this separation, gating access based on different authentication and authorization requirements, depending on the sensitivity of the resource.

But zero trust is much larger than just a change in infrastructure. For some, it means covering all angles of business and technology, removing implicit trust from processes, and forcing verification where once one assumed “things should be ok.”

Even though everyone within the IT and security industries sees the need for zero trust to combat today’s malware and ransomware threats, not everybody has the resources or the business backing to do it full-scale.

I will cover five little-to-no-cost “zero-trusty” type policy and administration changes that any IT organization can take to start down the zero trust path.

Protect admin accounts

Assume breach is one of the core tenets of zero trust. Don’t give the attackers a leg up by making privileged accounts easy to steal after they have breached your network.

1. Separate admin accounts with enforced MFA (you should have done this a decade ago!)
2. Enact a policy dictating that server and network admins need to administer their systems from administrator jump boxes or Privileged Administrator Workstations (PAWS) that are locked down and have common attack vectors mitigated (e.g., no or limited internet access plus MS Office, PDF file, and email access actively denied).
3. Enforce that policy by denying local logon rights to admin accounts on normal workstations.

Admins will have a hard time adjusting to this policy, but it is just too easy to steal the hash of an admin account from a compromised workstation, even if protected by physical MFA.

Harden workstations and reduce lateral movement threats

Though this topic is common knowledge, some policies go further and assume that the workstations will be breached. The intent is to make it much harder for an attacker to move laterally. Call it a zero-trust move, but more from a logical standpoint.

1. Removing local administrator rights from user workstations can be difficult but must be considered.
2. Configure workstation firewall policies such that only Client-to-Server communications are permitted. Windows firewall is set to the Public profile at all times, blocking inbound connections, even from other corporate workstations and servers.
3. Only allow the assigned user to log on locally to the workstation, not highly populated groups like Domain Users.

These will require adjustments to many different procedures you may have, like the helpdesk connecting to an employee's machine for support, whether it be through a remote desktop or connecting to WMI or C$ shares. Though this makes support easier, it also enables attackers and the proliferation of ransomware. For auditing and shipping logs purposes, consider pushes from the workstations instead of pulls from a central repository.

Managed workstation policy

Apart from traditional VPN access, many enterprises allow access to corporate materials from unmanaged devices, whether grandma’s PC or their own mobile device. These policies should be rethought as it opens the door for stolen credentials to be used to gain access to resources. Make this access more difficult and expensive by ensuring corporate credentials can only be used on registered, managed devices. VIPs and execs especially won’t like this, but they must consider themselves targets of attacks and abide by this policy. This is zero trust towards users and handling of their credentials.

Make social engineering more difficult

Many recent attacks started with an enterprise helpdesk employee or contractor gaining access through a social engineering effort: “I forgot my password and lost my MFA device...”

Policies enforced through workflow automation tools are integral to removing any discretion allowing a first-line support person to be tricked. Ensure that second-level approvals are required for any account resets allowing elevated access. More here on this topic. Zero trust towards human discretion and for the person on the other end of the phone.

Aggressive patching

Assume breach again. If an attacker can’t gain access or move laterally throughout the network via stolen credentials, the next step for them is to look for vulnerabilities. An aggressive patching strategy ensures published vulnerabilities cannot be used to gain access or move throughout the network once breached. Though different strategies need to be adopted depending on the types of devices, the message is the same: Early and often, balancing risk to the business of something breaking and risk of the device or service being compromised.

An example strategy for end user devices is as follows:

1. An early adopters group receives patches on day zero
2. A stage-2 pilot group receives patches on day three
3. The rest of the users receives patches on day seven

The key to success is the pilot group being large, dispersed amongst different departments, and most of all IT-friendly to cover as much application capability testing as possible. Support for the cause can be raised through offering these people a carrot, in the form of the latest and greatest devices, first upgrades to new OS’, software upgrades, etc.

Wrapping it up

Though the reason for starting a zero trust transformation journey is much bigger than just to combat ransomware, that is the sole reason why many enterprises start the journey, and the good news is that many steps down this path can be taken without spending any cold-hard cash, we just need to change our network perimeter security ideals that we’ve lived with for the past 20-30 years.