Zero Trust Architectures

My first job out of college, longer ago than I like to imagine, was at an office in Pittsburgh. The main door had a keypad and if you knew the code you could get into the office. Like everyone else, my desk had a workstation plugged into the network. If I wanted to print a document, I could find a printer on the network. Anyone's printer. Even the one in the CEO's office. If I wanted to collaborate on a document, I could make my drive available on the network and my teammates could access it and edit my file from their computers, or I could edit files on theirs.

For a later job a laptop was shipped to my house. It came with a small device with an LCD screen that displayed numbers that changed periodically. Even though I used my home internet connection, the laptop had a built-in VPN and was part of a network of computers that stretched from one side of the country to the other. Once I logged in to the laptop, the situation was largely unchanged from my earlier job.

These environments were built around a rather simple principle: Control access to the network. Like a medieval castle, they built a strong wall to keep out intruders, and carefully controlled the gates in and out.

This model has the advantage of being simple but is becoming increasingly impractical. There are ever more gates in and out of a network. As team members use their own devices from home, the level of control decreases. This applies equally to offices with wi-fi networks where employees, vendors, contractors, and even visitors connect their phones or other devices to the network.

On top of this, attacks are becoming more sophisticated. Not everyone is a cybersecurity expert and trusting that every person with access to your network will remain perfectly vigilant is a losing battle. Eventually someone's device or credentials will be compromised. What can you do to defend your data and assets when there are already intruders inside the castle?

That's where Zero Trust Architectures come in. Zero trust is a security paradigm. Instead of viewing your resources as secure inside a perimeter, it realizes that perimeters are illusory and imperfect. Instead, zero trust focuses on individual actions. If you ensure every transaction is secure then, by extension, all of your data and resources will remain safe.

To illustrate how this works in practice, I'll use examples from websites that I've worked on while with JBS. These practices not only increase security, but can also help avoid simple human errors, an important consideration for any business.

The first insight of zero trust is that not all accounts need equal access. It is common for websites to have "customer" logins and "admin" logins. For a very small business with a handful of employees this may be adequate but, in most companies, there will be employees with different roles who need to access different sets of resources. For example, an employee who handles logistics would need access to the available shipping methods and routes, but a customer service employee does not need this information. By setting up permissions so that only employees in logistics can access this section, we not only lessen the impact if a non-logistics account is compromised but prevent other employees from accidentally modifying something they do not understand.

Of course, there are some resources that customer service and logistics employees should both access, but even then, we can enforce different levels of access. The more fine-grained our controls, the better. It is useful for a customer service employee to see how much of a certain product is left at the warehouse, but he should not be able to change those amounts. On the other hand, someone in logistics should not only be able to see that information, but also to update it when necessary.

Providing fine-grained role-based access to resources can lessen the severity of security breaches and user errors. However, while you want to prevent access to functionality that a role does not need, you also need to ensure that each role has everything they do need for their job. Otherwise, you'll quickly end up with a system where employees work around your security measures, either by asking other employees to do something for them or even sharing accounts. Security that makes it impossible for an employee to do her job is not secure.

Of course, all of this depends on knowing who is accessing your system. For many website-based businesses, this is as simple as a username and password. Additional security can be provided with two-factor authentication, such as sending an email or text message with a one-time-code or using a device or program that does the same. In terms of zero trust, however, that authentication only tells us who is accessing our system at the time of login. Allowing long sessions can mean that the person accessing your system now is not the one who logged in a week ago. Think carefully about how to balance security with convenience when choosing an appropriate session length. It's possible to tailor this to the level of access, so that accounts with more access have shorter sessions, and thus smaller windows where they can be hijacked.

Behavioral analysis can make zero trust even more effective. Most of us are creatures of habit, so if an employee suddenly accesses your site at three in the morning from an IP address he's never used before, it might be worth putting more effort into verifying his identity.

And finally, be aware that even when using best practices, security breaches still happen. For that case, zero trust has one final recommendation: Log everything. Keep track of who logged in, what data they changed, and what actions they performed. This information can be helpful in many ways, but, especially when there is a suspicion of unauthorized access, being able to see the extent of a breach can help you make good decisions and reverse some of the damage.

While this overview has focused on using zero trust with a website, the same principles apply to any resource. By knowing who is accessing your data and carefully controlling each account's capabilities, you can avoid the worst dangers of a security breach. You may not be able to keep the invaders out of your castle, but at least you can make sure that doesn't also give them access to your vault.