The Attack Vector: What Are The Basic Tenets of Zero Trust? How do they apply to AV systems?
You may have heard the terms “Zero Trust” or “Zerotrust” tossed around in marketing materials, but what does Zero Trust really mean? Is it just a trendy word, or two?
The traditional castle-and-moat security model, which trusts anything that is already inside the network perimeter, no longer fits a world where so many of us are telecommuting and working in the cloud. A more recent paradigm, Zero Trust, has emerged to replace it.
The Zero Trust movement is being led in part by the U.S. Government. In 2020 the director of DISA (the Defense Information Systems Agency) laid out three main tenets of Zero Trust: “Never trust, always verify; assume breach; and verify explicitly.”
THE LEAST PRIVILEGE PRINCIPLE
These tenets have evolved somewhat over the last couple of years, but most agree that the Principle of Least Privilege is the best foundation for Zero Trust. The Principle of Least Privilege states that:
“Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur.”
-Excerpt from Saltzer and Schroeder’s 1975 IEEE paper, “The Protection of Information in Computer Systems,” Section I, Basic Principles of Information Protection.
THE LEAST ROUTE PRINCIPLE
The Principle of Least Route is similar to Least Privilege, except that it concerns the physical wiring and fiber optic data paths of a network. Under Least Route a device possesses only the minimum level of network access required for its individual function: a display or DSP that only needs to talk to the room’s control processor should have no path to the rest of the enterprise network. All networks should be segmented.
WHY ZERO TRUST?
What sets Zero Trust apart from Least Privilege and Least Route is that authentication is continuous rather than a one-time event at login. Constantly re-proving identity is a sticking point for many people, so graduated levels of trust and login confidence have emerged instead.
The most popular technique for implementing Zero Trust at login is multi-factor authentication (MFA). If a user or resource can “prove” they are who they say they are, they should be allowed access to what they need, and only that. The proof does not last forever: if a user has been offline for a few hours, the session should expire and they should be asked to log back in using MFA.
So, circling back to our Zero Trust tenets, another way to list the main principles of Zero Trust could be:
- Apply Least Privilege (and Least Route when applicable)
- Verify Explicitly, using MFA wherever possible
- Assume Breach
The last bullet is not meant to frighten anyone, but I admit it can seem a bit dramatic. Assume breach? Isn’t that like assuming a burglar is behind you every time you walk into your house? The answer is, YES.
Zero Trust assumes, every day, that credentials have already been stolen and that the network has already been breached. It does NOT mean you can’t trust your employees or coworkers! It means you can’t trust a login on its own, because a valid password may no longer be in the hands of the person it belongs to.
In AV systems, this means that every network device gets a unique password (no default or shared credentials), that credentials are not stored in files readable by anyone other than the people who need them, that AV systems require logins, with MFA wherever possible, and that logging is enabled so every action can be attributed to a specific person.
The Zero Trust for AV discussion doesn’t stop there; this is only the beginning. Is “zerotrust” one word, or two, “zero trust”? Well, is “cybersecurity” one word, or two, “cyber security”? I think the jury is still out on both.
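As an added illustration (this is example code, not something from the original post or any vendor), here is a small Python policy check that applies the three tenets above to requests against AV devices. It enforces explicit verification (a session that never completed MFA is refused, and one idle longer than a configurable window must re-authenticate), least privilege and least route (a role-to-action table and a network-segment-to-device table), and assume breach (a valid credential by itself is never enough, and every decision, allowed or denied, is logged for attribution). The device classes, roles, segments, the two-hour idle window and the sample sessions are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Least privilege: the actions each role may perform on each class of AV device.
# Roles, device classes and actions are constructed for this example.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "av_tech": {
        "control_processor": {"view", "configure"},
        "dsp": {"view", "configure"},
        "display": {"view", "power"},
    },
    "presenter": {"display": {"view", "power"}},
    "auditor": {"control_processor": {"view"}, "dsp": {"view"}, "display": {"view"}},
}

# Least route: the device classes reachable from each network segment.
SEGMENT_ACCESS: Dict[str, Set[str]] = {
    "av-mgmt": {"control_processor", "dsp", "display"},
    "user-wifi": {"display"},
}

# Assumption: a session idle longer than this must re-authenticate with MFA.
REAUTH_AFTER = timedelta(hours=2)


@dataclass
class Session:
    user: str
    role: str
    src_segment: str
    last_seen: datetime
    mfa_verified_at: Optional[datetime]  # None: password only, MFA never completed


@dataclass
class Device:
    name: str
    kind: str


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(session: Session, device: Device, action: str,
             now: datetime, log: List[dict]) -> Decision:
    """Decide one request. Every decision, allowed or not, is appended to `log`
    so it can later be attributed to a specific user, segment and device."""
    if session.mfa_verified_at is None:
        decision = Decision(False, "mfa_required")          # verify explicitly
    elif now - session.last_seen > REAUTH_AFTER:
        decision = Decision(False, "reauth_required")       # stale session
    elif device.kind not in SEGMENT_ACCESS.get(session.src_segment, set()):
        decision = Decision(False, "segment_not_permitted")  # least route
    elif action not in ROLE_PERMISSIONS.get(session.role, {}).get(device.kind, set()):
        decision = Decision(False, "action_not_permitted")   # least privilege
    else:
        decision = Decision(True, "ok")

    log.append({
        "ts": now.isoformat(),
        "user": session.user,
        "role": session.role,
        "segment": session.src_segment,
        "device": device.name,
        "action": action,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


def demo():
    """Run a handful of constructed requests through the policy."""
    now = datetime(2024, 3, 1, 9, 0)  # constructed timestamp
    proc = Device("room101-cp", "control_processor")
    disp = Device("room101-display", "display")

    tech = Session("alice", "av_tech", "av-mgmt",
                   last_seen=now - timedelta(minutes=5),
                   mfa_verified_at=now - timedelta(minutes=30))
    stale = Session("bob", "av_tech", "av-mgmt",
                    last_seen=now - timedelta(hours=3),
                    mfa_verified_at=now - timedelta(hours=5))
    presenter = Session("carol", "presenter", "user-wifi",
                        last_seen=now, mfa_verified_at=now - timedelta(minutes=1))
    password_only = Session("dave", "av_tech", "av-mgmt",
                            last_seen=now, mfa_verified_at=None)

    log: List[dict] = []
    results = {
        "tech_configures_processor": evaluate(tech, proc, "configure", now, log),
        "idle_session_reconfigures": evaluate(stale, proc, "configure", now, log),
        "presenter_powers_display": evaluate(presenter, disp, "power", now, log),
        "presenter_reaches_processor": evaluate(presenter, proc, "view", now, log),
        "password_only_session": evaluate(password_only, disp, "view", now, log),
    }
    return results, log


if __name__ == "__main__":
    results, log = demo()
    for name, d in results.items():
        print(f"{name:30s} allowed={d.allowed!s:5s} reason={d.reason}")
    print(f"{len(log)} decisions logged for attribution")
```

Two design choices are worth noting. The identity checks run before the route and privilege checks, so a stolen password that never completed MFA is refused before the policy even looks at what it was trying to reach; and the log records denials as well as grants, because under assume breach a burst of "segment_not_permitted" entries from one user is exactly the signal an incident responder wants.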