Zero Trust Architecture – Over a decade in the making

Graham Thompson   ·   Thursday, May 27th, 2021

Information Technology is a funny thing. You think it moves quickly, but it really doesn’t.

Let’s take a look at two examples of this.

Emergence of the Cloud

Cloud computing (in its present form) has been around since 2008.

Well, it goes back to 2006, but I’m using 2008 because that’s when AWS EC2 was changed from a beta service to a full public offering.

That’s 12 years to mass adoption in 2020.

Network Access Control (NAC)

Before we get to Zero Trust, we have to discuss a technology called Network Access Control (NAC), because this functionality is a component of Zero Trust Architecture.

Essentially, NAC was the first control to address device authentication.

This technology allowed an administrator to inspect the security status (e.g. patch level) of a device and quarantine the device if required. NAC was released around 2005. Like every technology, it has evolved through the years.

2009: ‘Zero Trust’ enters the room

Zero Trust Architecture (ZTA) was first brought up in 2009 by John Kindervag of Forrester Research.

There’s actually a kind of funny story.

When I saw this, I proposed it as a session to a friend that was running a conference.

I told him I thought it would be an interesting talk. He said that nobody is going to care about a network zoning discussion.

Thing is, we were both right.

I was right because I was correct in seeing ZTA as being a huge deal, but I was too early.

My friend, although mistaken in his belief that ZTA was just a fancy label slapped on existing network zoning, was right because it was just too early and wasn’t on anyone’s radar.

2014: Google launches Beyond Corp

Now we fast forward a few years. It is said that Google was the first to implement a Zero Trust environment. They did this with what they called Beyond Corp in 2014. Its mission was pretty simple.

Here’s what the Google website says itself: “BeyondCorp began as an internal Google initiative to enable every employee to work from untrusted networks without the use of a VPN”.

Looking at the documentation on the BeyondCorp website, the framework was pretty clear back in 2014. This is shown in their document labeled “BeyondCorp: A New Approach to Enterprise Security”.

In it, the following components were implemented in order to support the concept of enabling access to users without a VPN:

1. Securely identifying the device

Core concept to implementing ZTA. Authorization based on both device and user.

1. Device Inventory Database
2. Device Identification

2. Securely identifying the user

Single Sign-On has been instrumental in Google boosting their success against spear-phishing campaigns.

1. Users and Groups
2. Mandatory Single Sign-on

3. Remove the concept of an internal network being trusted

Restrict East-West movement without inspection and ditch the idea of the perimeter being the be all and end all of security.

1. Implement Unprivileged Network
2. 802.1x Authentication

4. Externalized applications

Ditch the VPN by putting apps on the internet.

1. Internet-Facing Access Proxy
2. Public DNS Entries

5. Implementing inventory-based access control

Least privilege based on both user and device

1. Trust Inference for Devices and Users
2. Access Control Engine

53: Pipeline into the access control engine

These bullet points just highlight key items from the referenced document.

There’s lots of other great documentation on the Beyond Corp website that I referenced earlier as well.

The key take-away: User and device authentication. (Remember that I said we had to discuss NAC as part of Zero Trust Architecture?)

Why the focus on authentication?

Check out this statistic from CrowdStrike: Over 80% of all attacks involve credentials use or misuse in the network.

What does a ZTA approach do?

It ensures people can do what they need to do and nothing more

Limiting the ability for credentials to be guessed or reused by implementing MFA and then restricting access to the device sounds like a great idea to me!

Fast forward to 2020: NIST releases SP 800-207

In 2020, NIST released a Special Publication (800-207) focused on Zero Trust Architecture. This document informs Government departments of ZTA and a reference architecture for them to follow in pursuit of implementing the various components of a Zero Trust Architecture. This forms the required foundation for departments to follow less than a year later.

Essentially, the major component missing in the Beyond Corp paper from the NIST 800-207 document is logging and data feeds. This telemetry helps make enhanced decisions surrounding access decisions.

So again, 12 years for this approach to start gaining mass adoption.

Less than one year later… the U.S. government mandates Zero Trust Architecture

April 2021 sees the United States Government has released cyber security guidance in the form of a Trusted Internet Connections (TIC) (3.0) that includes ZTA as the core of a strong security posture.

May 2021 sees President Biden announcing a new Executive Order for the Federal Government to start taking cyber security a lot more seriously.

Aside from a bunch of notification requirements (which feed into a Zero Trust environment), the Executive Order (EO) states that Federal Government agencies have 60 days to develop a plan (with scheduling of dates) for implementation of a ZTA in accordance with NIST standards (e.g. 800-207).

The EO also states that Multi-Factor Authentication (MFA) be implemented in 180 days.

Why the wait?

Why did it take so long for ZTA to start gaining mass adoption? Difficulty from both a cultural and a technological perspective.

Just imagine telling your boss that you want to move all applications into the cloud so you can ditch the VPN.

Does that seismic change happen by flipping a switch?

Not at all.

I think the only reason why it’s gaining traction now is because the pandemic forced companies to change their approach.

Without Covid-19, you wouldn’t have been able to pry that VPN away from management.

Why? Because that’s what they’ve always used, works just fine, so why change it?

From a Government perspective, ZTA implementation requirements were accelerated because of the Supply Chain attacks that lead to the Federal Government Data Breach of 2020. I think this was the Big One that forced ZTA detractors to reconsider their position.

If trusted software (e.g. Solarwinds, Microsoft, VMWare) is the source of a compromise, you gotta ask who is watching the watchers? See, ZTA is more than just a single component in restricting East-West traffic. Much more. In fact, this is why I created a whole discussion paper that covers ZTA at a high-level.

Recap: Zero Trust Architecture through time

So, to recap, here’s the rough timeline of Zero Trust Architecture:

2005 – Network Access Control introduced

2009 – Forrester promotes Zero Trust Architecture

2014 – Google publishes Beyond Corp based on Zero Trust

2020 – NIST publishes SP 800-207 – Zero Trust Architecture Document

2021 – President Biden issues Executive Order forcing Federal Departments to plan for, and schedule ZTA implementations. Many items are heavily cloud-related.

2021 – You start understanding ZTA components and how they all connect. Become a ZTA leader in your company and profit.

Learn more about cloud security and Zero Trust Architecture

Download our free discussion paper for a deeper dive into ZTA.

Also, check out our Certificate of Cloud Security Knowledge (CCSK) and Certified Cloud Security Professional (CCSP) training programs, both of which offer what you need to give your cybersecurity education the boost it needs to stay on top of ZTA best practices.

Your career will thank you for it!