Going from Zero to Zero Trust Security

Nat D. Natraj
4 min read · Sep 15, 2021

Nat Natraj, Asif Ali

Several recent events have made Zero Trust security a mandate for companies, governments, and non-profits. The US Government has taken decisive leadership in this area, as shown by the following initiatives.

The Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) [1] have produced technical guidance documents in their endeavor to move the U.S. government towards a Zero Trust architecture.

Moving the U.S. Government Towards Zero Trust Cybersecurity Principles https://zerotrust.cyber.gov/

Federal Zero Trust Strategy https://zerotrust.cyber.gov/federal-zero-trust-strategy/

Zero Trust Maturity Model https://zerotrust.cyber.gov/zero-trust-maturity-model/

Furthermore, they are soliciting feedback from industry (zerotrust@omb.eop.gov, deadline September 21, 2021).

This will serve as a very efficient blueprint for other countries to follow in our unified attempt at thwarting threat actors and associated nation states. We at AccuKnox will be providing important feedback in the areas of Zero Trust Run-time Application and Data Security.

Very rarely have we seen such “board room to boiler room” imperatives in the Cybersecurity industry. Hence, we thought it would be useful to review some of the key approaches in our quest for Zero Trust.

John Kindervag coined the term Zero Trust in 2010 while he was at Forrester Research and laid out the following tenets:

1. The network is always assumed to be hostile

2. Assume threat actors are already inside your network

3. Network locality (segmentation) is not sufficient for deciding trust in a network

4. Every device, user and network flow is authenticated and authorized

5. Policies must be dynamic and calculated from as many sources of data as possible

6. The device is no longer the border. A user's/service's identity is the net border

7. Containers, serverless and cloud are the new disruptors of traditional security architecture

With the proliferation of BYOD (Bring Your Own Device), SaaS and Remote Work, Google came up with a variant of this, BeyondCorp [2], in 2014, with the following components:

1. Securely identifying the device — Device inventory database, device identity

2. Securely identifying the user — User and group database, Single sign on

3. Removing trust from the network — deploying an unprivileged network

4. Inventory based access controls
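As an added illustration (not code from the original post or from AccuKnox), the four BeyondCorp components above expressed as a per-request access decision: trust is derived from the device inventory, the user/group database and an inventory-based resource rule, while the source network is recorded but never consulted. The inventory, users, groups, resources and patch levels are constructed sample data, and the device-certificate and SSO checks are assumed to have been performed upstream.

```python
"""Constructed illustration of BeyondCorp-style, inventory-based access control.

Trust comes from device identity (inventory database), user identity (user/group
database fed by single sign-on) and a per-resource rule. The network a request
arrives from is deliberately NOT an input to the decision.
"""
from dataclasses import dataclass
from typing import Tuple

# Constructed sample data standing in for the device inventory and user/group databases.
DEVICE_INVENTORY = {
    "dev-1001": {"owner": "alice", "managed": True, "os_patch_level": 42},
    "dev-1002": {"owner": "bob", "managed": True, "os_patch_level": 37},
    "dev-1003": {"owner": "carol", "managed": False, "os_patch_level": 45},
}
USER_GROUPS = {"alice": {"eng", "payroll"}, "bob": {"eng"}, "carol": {"eng"}}

# Inventory-based access rules: what each resource requires of user and device.
RESOURCE_POLICY = {
    "payroll-app": {"groups": {"payroll"}, "min_patch_level": 40},
    "wiki": {"groups": {"eng"}, "min_patch_level": 30},
}

@dataclass
class Request:
    device_id: str
    device_cert_valid: bool  # device identity proven by its certificate (checked upstream)
    user: str
    sso_session_valid: bool  # user identity proven via single sign-on (checked upstream)
    resource: str
    source_network: str  # logged for audit only; never consulted by decide()

def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate every check on every request; return (allowed, reason)."""
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None or not req.device_cert_valid:
        return False, "unknown or unauthenticated device"
    if not device["managed"]:
        return False, "device is not managed"
    if not req.sso_session_valid or device["owner"] != req.user:
        return False, "user not authenticated on this device"
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "no policy for resource (default deny)"
    if device["os_patch_level"] < policy["min_patch_level"]:
        return False, "device patch level below resource requirement"
    if not USER_GROUPS.get(req.user, set()) & policy["groups"]:
        return False, "user not in an authorized group"
    return True, "device, user and resource checks passed"
```

The same request evaluated from the corporate LAN and from the internet yields the same decision, which is the point of removing trust from the network.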

Now that we find ourselves in the post-SolarWinds world where Zero Trust has become an existential necessity, it is quite prophetic of John Kindervag to have come up with these concepts in 2010!

Enforcing Zero Trust Cybersecurity with Enterprise Assets involves a similar process, as outlined below:

The practical aspects of deploying Zero Trust are non-trivial and far more challenging. Security professionals have to explicitly whitelist all acceptable policies, and do so on a continuous basis, leading to the “Myth of Sisyphus” phenomenon:

AccuKnox is a comprehensive Zero Trust Security framework and, to this end, provides two important components:

1. Policy Management Framework

2. Anomaly Detection Framework

[1] Policy Management Framework

The Policy Management framework as depicted in the figure below provides the following facilities:

1. Policy discovery

2. Policy recommendation to support compliance frameworks (PCI, GDPR, HIPAA, CCPA, etc.)

3. Policy authoring/editing

4. Policy Preview, Stage, Audit to understand impact

5. Enforce and Report

6. Monitor to ensure Continuous Compliance

[2] Anomaly Detection Framework

The Variational Autoencoder (VAE) [3] is an artificial neural network architecture introduced by Diederik P. Kingma and Max Welling. It belongs to the family of probabilistic graphical models and variational Bayesian methods.

AccuKnox leverages VAE to detect runtime anomalies in Kubernetes environments.

The VAE is trained on the process events observed over time for a specific container; events that the trained model reconstructs poorly (i.e., with a high reconstruction error) are flagged as anomalous.

In summary, it is useful to borrow a page from US political history to understand Zero Trust.

AccuKnox provides a comprehensive framework for enforcing Zero Trust in Enterprises.

References:

[1] Zero Trust Government Cyber Plan

[2] Google BeyondCorp

[3] Variational Autoencoder (VAE)

Author

Nat Natraj is the co-founder/CEO of AccuKnox. AccuKnox provides a Zero Trust Run-time Kubernetes Security platform. AccuKnox is built in partnership with SRI (Stanford Research Institute) and is anchored on seminal inventions in the areas of Container Security, Anomaly Detection and Data Provenance. AccuKnox can be deployed in Public and Private Cloud environments.

Natraj can be reached at n@accuknox.com (@N_SiliconValley)

Asif Ali is the co-founder/CTO of AccuKnox. Asif is a seasoned “hands-on” Cloud Native techie with a track record of shipping cutting-edge products/solutions. Asif can be reached at a@accuknox.com

Visit www.accuknox.com or follow us on Twitter (@accuknox)
