Zero Trust Networking - Death to the VPN
Cloudreach head of EMEA, Chris Bunch, tells us about his introduction to the term "zero trust networking" and considers the hurdles that face its implementation in a typical business.
Whilst chatting to some of our GCP partnership team recently (thanks Robbie Clews), I stumbled across a term I’d not really dug into before: zero trust networking. A short investigation yielded information on a fascinating story with a major global enterprise allowing remote work, from any location, on untrusted networks. Sounds great, right? Read on.
What is a zero trust network?
If you only have time to read four words, the really short version is: "never trust, always verify".
Going further, it’s the polar opposite of the model that most of us probably use today in our organisations. Most of us have grown used to some form of firewall construct blocking access into our network from the outside world - with remote access only allowed via a VPN.
The issue with this, as I’ve highlighted previously in other security blogs, is that once the perimeter is breached, we’re generally bad at spotting this and a malicious actor can often reside for months within a corporate network, compromising system after system.
In the world of zero trust networking, access from within the network is treated just the same as access from outside the network - i.e. no one is trusted. As a result, every attempt to use any corporate resource has to be validated 'live', based on who the user is, what privileges they hold and the state of the device they’re using.
Where does zero trust networking come from?
Way back in 2009, Google was compromised by a shadowy Chinese entity in an attack known as Aurora. They lost valuable IP, as well as some targeted data relating to Chinese citizens. Many other household names were hit in this attack (it’s worth a read into the background if you have time).
The following year, Google created a concept called BeyondCorp, as they looked to prevent such attacks from hurting them again in the future. I suspect the other organisations involved were somewhat less proactive...
Around the same time, a Forrester analyst called John Kindervag coined the term "zero trust security" in a paper and started to bring the idea to the world more publicly.
Both perspectives include similar concepts:
- A user’s network connection doesn’t determine the services a user can access
- Instead, access to services is determined by information about the user and their device
- Access to any service is always encrypted and least-privilege security is enforced
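To make those three principles (and the 'live' validation described earlier) concrete, here is an added example that is not from the original post or from Google's BeyondCorp code: a minimal access-decision function of the kind an access proxy would run for every request. The services, roles, device tiers and sample requests are all constructed for illustration. The point to notice is that the request's source network is carried along purely for the audit log and never consulted in the decision; the user's roles, the device's posture and the transport are what matter.

```python
"""Added example (not from the original post): a minimal zero-trust access
decision.  Source network plays no part in the verdict; user roles, device
posture and an encrypted transport do.  Every name below is constructed."""
from dataclasses import dataclass

# Per-service policy (constructed): which roles may use a service and the
# minimum device trust tier it needs.  Tiers: 0 = unmanaged, 1 = managed but
# not currently compliant, 2 = managed and compliant.  Least privilege: a
# role only reaches the services that list it.
SERVICE_POLICY = {
    "wiki":    {"roles": {"staff", "engineering", "finance"}, "min_tier": 1},
    "source":  {"roles": {"engineering"},                     "min_tier": 2},
    "payroll": {"roles": {"finance"},                         "min_tier": 2},
}


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool         # enrolled in device management
    disk_encrypted: bool
    os_patched: bool


def device_tier(d: Device) -> int:
    """Collapse device posture into a trust tier used by the policy."""
    if not d.managed:
        return 0
    if d.disk_encrypted and d.os_patched:
        return 2
    return 1  # known device, but not compliant right now


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    device: Device
    service: str
    tls: bool             # arrived over an authenticated, encrypted session
    source_network: str   # "corp-lan", "home", "cafe-wifi": logged, never trusted


AUDIT_LOG = []  # every decision is recorded, allowed or not


def decide(req: AccessRequest) -> tuple:
    """Return (allowed, reason).  req.source_network is never consulted."""
    policy = SERVICE_POLICY.get(req.service)
    if policy is None:
        verdict = (False, "unknown service")
    elif not req.tls:
        verdict = (False, "transport not encrypted")
    elif not (req.roles & policy["roles"]):
        verdict = (False, "role not entitled to service")
    elif device_tier(req.device) < policy["min_tier"]:
        verdict = (False, "device posture below required tier")
    else:
        verdict = (True, "ok")
    AUDIT_LOG.append({"user": req.user, "device": req.device.device_id,
                      "service": req.service, "network": req.source_network,
                      "allowed": verdict[0], "reason": verdict[1]})
    return verdict


# Constructed sample devices and requests.
COMPLIANT = Device("lap-01", managed=True, disk_encrypted=True, os_patched=True)
STALE = Device("lap-02", managed=True, disk_encrypted=True, os_patched=False)
PERSONAL = Device("byod-9", managed=False, disk_encrypted=False, os_patched=True)
ENG = frozenset({"engineering", "staff"})
FIN = frozenset({"finance", "staff"})

SAMPLES = {
    # engineer on cafe wifi with a compliant laptop: allowed, location irrelevant
    "remote_engineer": AccessRequest("alice", ENG, COMPLIANT, "source", True, "cafe-wifi"),
    # same user, plugged into the office LAN from a personal device: denied
    "lan_byod": AccessRequest("alice", ENG, PERSONAL, "source", True, "corp-lan"),
    # finance user trying source control: least privilege says no
    "wrong_role": AccessRequest("bob", FIN, COMPLIANT, "source", True, "corp-lan"),
    # unpatched managed laptop can still read the wiki (tier 1) ...
    "stale_wiki": AccessRequest("bob", FIN, STALE, "wiki", True, "home"),
    # ... but not payroll (tier 2)
    "stale_payroll": AccessRequest("bob", FIN, STALE, "payroll", True, "home"),
    # plaintext transport is refused regardless of everything else
    "no_tls": AccessRequest("alice", ENG, COMPLIANT, "wiki", False, "corp-lan"),
}


def run_samples() -> dict:
    """Evaluate every constructed request and return name -> (allowed, reason)."""
    return {name: decide(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Swapping "cafe-wifi" for "corp-lan" on any of these requests changes nothing but the log line, which is the whole idea: being on the office network earns no trust on its own, while a personal device on that same network is turned away from sensitive services.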
Is this really possible for my organisation?
Clearly, Google is a pretty sophisticated company (to put it mildly), but don’t forget they’re also one of the largest listed businesses on the planet - not some zany tech startup. Implementations are perhaps predictably slow elsewhere. 'Enterprise' and 'security', not leading to swift decisions? I know, I’m as surprised as you…
I would expect a lot more interest though, as the next few years progress. Indeed, there have been companies emerging in this space to help with implementations, including Luminate and ScaleFT - the latter snapped up by Okta. The usual suspects in enterprise security, including Palo Alto, are also expanding their offerings.
Google is making this as easy as possible for applications deployed in GCP, via their Identity-Aware Proxy service. As an aside, this remains one of the main reasons I love public cloud computing - the continuing drive from the major players to innovate and abstract complexity into a simple service.
The biggest hurdle?
This is a big change. You need clear role hierarchies across your organisation - which is typically tough in smaller companies, let alone large enterprises. You also need to carefully track user devices, and the services available in your network. From experience, most people do not know what infrastructure and apps they own (which is one reason Cloudamize was appealing to us). Once you know all of this, you need to define who can access what, and make sure everything is monitored and logged at all times.
This isn’t a small task.
Is that really the biggest hurdle?
Probably not, actually. The implementation itself is possible to do, with the aid of some smart people and the right software. Your biggest issue is most likely that you’ll spend the next five years debating with your security team if this is a good idea.
Expect to hear a lot more on this topic in the coming years, especially from Google. I recommend researching and considering it for your company. There’s a variety of resources from the GCP team here - https://cloud.google.com/beyondcorp/ - including many that go into a reasonable level of detail.
You could make your business more secure, and have your end users love you. What’s not to like? Let’s kill that hideously outdated assumption that everything inside your network is secure. Death to the VPN.