Three Network Weaknesses that Zero Trust Addresses
Zero Trust is a network security concept that aims to protect enterprise assets. Under Zero Trust, organizations should not automatically trust anything inside or outside traditional perimeters. Before granting access to assets, organizations should require the verification of anything and everything that tries to connect. Zero Trust also includes the continued evaluation of sessions throughout the entire duration of the connection.
Software Defined Perimeter (SDP) is the most advanced implementation of a Zero Trust strategy. Before allowing any connection to hidden assets, SDP implementations use a single packet to establish trust via a separate control and data plane. This enables organizations to defend new variations of old attack methods that are constantly surfacing. Implementing SDP improves the security posture of businesses that face the challenge of adapting to increasingly complex attack surfaces.
The following common weaknesses are inherent in how networks are architected today, giving rise to the need for a new way of thinking about security. Learn how Zero Trust and SDP address these issues below.
1. Connect First, Then Authenticate
In network installations that utilize the Transport Control Protocol (TCP), access is allowed prior to authentication. Since there are no foolproof gatekeepers to challenge identity claims, access control mechanisms can be bypassed. Despite any encryption efforts that may be in place, authentication, authorization, and token-based access control systems may have multiple flaws. This ‘connect first, then authenticate’ method can be prone to malicious activity.
SDP Perspective: None of these techniques are effective at preventing attacks. A Zero Trust implementation requires immunity from all layers of attack on network, hosting, and application platform infrastructure. An SDP requires authentication prior to access to resources.
2. Monitoring Endpoints is Compute, Network, and Human Resource Intensive
AI endpoint monitoring cannot yet correctly detect or prevent unauthorized access, as current AI typically relies on non-evolving simple behavioral models. Isolation of protected resources can be compromised over time by capturing identity details, understanding authorization mechanisms, and spoofing authentication credentials. Detecting new avenues of ingress with fraudulent intent requires a combination of performance monitoring, pattern analysis of transaction data, and analysis provided by security specialists. Relying on endpoint monitoring alone still leaves enterprises vulnerable to undetectable attacks.
SDP Perspective: For highly confidential data, the best method of security is to prevent attacks before they occur. An SDP Zero Trust deployment can deny risky transactions based on a single packet analysis revealing a lack of positive identification. The connection is immediately dropped if the requestor is not authenticated.
3. Packet Inspection Has No User Context
Packet analysis happens at the application layer. Therefore, incursions can happen prior to detection. Network single packet inspection to identify connections are successful within bounds. However, these methods are only as secure as TCP/IP and TLS protocols and application code. The fundamental challenge with inspecting packets is the problem of identifying the user from the source IP. While some attacks such as DDoS and malware may be detected using existing techniques, the vast majority of attacks such as code injections and credential theft require a context to detect, as they are performed at the application layer.
SDP Perspective: On the other hand, SDP does have packet inspection end user context. With an SDP Zero Trust deployment, dropped packets gathered at SDP gateways can be forwarded for out-of-band inspection and analysis. Combined with network data, a risk profile can be detected before ingress.
CSA’s SDP and Zero Trust Working Group is dedicated to validating and protecting the devices and connections on a network. Their research publication SDP and Zero Trust shows how SDP can be used to implement Zero Trust Networks and why SDP is applied to network connectivity. Access the publication here.
Nya Alison Murray
Oscar Monge Espana
Gerardo Di Giacomo