What frameworks do you find helpful for Zero Trust?

  • 1 September 2023
  • 1 reply

Userlevel 1

Since zero trust is not a concrete thing it’s a conceptual framework, what have you found useful for operationalizing the concept?


Best answer by Ben Sherman 5 September 2023, 22:01

View original

1 reply

Userlevel 1

ZeroTrust as a concept per NIST SP 800-207 publication  lays out some hard to operationalize asks, so pile-on your opinions/approaches/frameworks here. From my understanding, ZT starts with assuming the network is hostile (think about Lacework Attack Paths to the Internet), that organizations need to catalog people and devices (think about Lacework’s resource view pages) and build solid application-level boundaries (Lacework IaC and application/behavioral polygraphs) by managing fine-grained access and entitlements that can withstand an audit (Lacework CIEM). Although you might encounter this post from 2022, in 2023 Lacework has since added CIEM and from my perspective Lacework now offers an even better tool that can be added to any ZT framework. Per the Identity Security Alliance , they talk about 9 specific best practices required of any ZT organization (below). This assumes that identity is the new security perimeter because micro-segmentation and, DMZs, VPNs in the public cloud have broken all rules-based approaches used with end-point and firewall controls due to the volume of exceptions and changes made daily. Also, rules only ZT approaches can’t possibly account for all the unauthorized/insecure lateral movement security teams see *(and describe in breaches) every day. Lacework opted for a hybrid rules optional approach. Supported are the “never trust always verify authentication approaches,” where security software vendors have to provide a continuum of risks to also accommodate “just enough” (least privilege), “just-in-time” (zero standing privileges) asks using a a variety of checks where cumulative risks are considered. The key is continuously monitoring and flagging anomalies as they emerge; a Lacework differentiator. If identity were the new ZT boundary to achieve, then Lacework exceeds these 9 best practices:

  1. List and track all identity relationships in your cloud infrastructure. Lacework helps by enumerating admin privileges, listing out human and service identities, flagging 3rd party. Behind the scenes a security graph of permissions mappings is created so all can be continuously monitored.
  2. List and track activities to monitor access events and perform analysis of those events to determine the validity of permissions granted to identities. Lacework identifies which permissions are actually being used and which aren’t from logs. This is the quickest way to move toward a least privilege model by retiring unused identities and detecting over-entitlements (risks).
  3. Process logs to profile the activity of identities and detect anomalous behavior patters. Lacework profiles and baselines the behavior of each identity and objects associated with that access to understand net effective permissions and which part of the MITRE ATT&CK framework  in the cyber “kill chain” might be anomalous to trigger alerts. 
  4. Generate least-privilege permission configurations to replace over-permissive ones. Lacework suggests IaC to improve upon existing code (change it) and provides recommendations on what else needs to be changed to remain in compliance.
  5. Integrate the remediation of excessive permission to existing workflows. Lacework has now integrated with JIRA and has API hooks for most other ticketing systems such as ServiceNow so that the appropriate stakeholders can be identified if an account or code-snippet is flagged, a ticket can be assigned and remediations can be tracked as complete or in process. 
  6. Generate least-privilege policies on-demand as part of the CI/CD pipeline. Lacework fully supports Cloud Workload Protection in the shift left movement and can validate and block code and material found within repos from reaching deployment earlier in the IaC process. Forthcoming code analysis goes even further “left” to examine popular language and code IDEs.
  7. Manage Just-in-Time access to reduce standing privileges. Lacework exposes who has access to what cloud resources, the potential blast radius of that access if breached and association with exploitable vulnerabilities and risky activities and therefore can work with 3rd party access products to flag risk. E.g. Microsoft conditional access scores, PAM and IaC products to prevent/block/revoke access when appropriate.
  8. Secure the posture of identities to reduce their chance of being breached. Lacework detects and ranks risk of exposure be-it configuration or vulnerable identities that could be breached via the Internet or from weakly secured hosts internally. Behaviorally analysis against identity changes, anomalous or suspicious sys-calls are a lacework differentiator. Obviously static credentials residing on a host and exposed keys are flagged in Lacework scans, but the frameworks for ZT also require various levels of key rotation that are also monitored for compliance.
  9. Manage permissions versioning. Keeping track of security and DevOps change control can be complex, so Lacework iteratively adjusts scoring and thresholds for its anomaly reporting to accommodate changing policies and improved compliance. Without these controls, an organization won’t have the confidence to go least-privilege or zero trust.