The ideas behind zero trust security architectures are not new but instead have continuously evolved since their inception in the early 2000s. When the ‘cyber kill chain’ is considered in terms of what the ‘bad guys’ get up to, the traditional idea of a corporate network perimeter is no longer effective. Once this is breached, reconnaissance (which can be over a long period) can lead to lateral movement, subsequent intrusion, and potential data breach or sabotage. Moreover, with the prevalence of cloud services usage and shifting work practices due to hybrid working, the notion of a perimeter is somewhat blurred. Implicit trust (‘once you are in, you are in’) must be replaced with the need to challenge and build trust from zero at every relevant juncture with the security architecture.
The guiding principles behind zero trust security
- Always verify explicitly – authenticate and authorise often.
- Assume breach – design your security architecture to be resilient in that any intrusion is limited in its reach (limit ‘blast radius’).
- Start from zero trust and build upwards – so as not to assume trust (or retain implicit trust’) but instead dynamically build trust from the ground up.
These guiding principles extend towards every part of the security architecture, across people (identity), devices, app services, server infrastructure, networks, and data. The security controls applied may be familiar (e.g. role-based access control, least privilege, defence in depth, attack surface reduction and hardening, vulnerability management, threat monitoring and response) but over the years have evolved with increasing sophistication in their application. Recognition of the workload and its context has been a significant advance – where security controls only grant access requests that are justified in terms of the authorised workload and requestor, with a just-in-time approach (granted only when needed and then revoked afterwards).
The optimal zero trust security architecture is not static but one where trust is continually evaluated, taking into account known workload patterns so that security controls can ‘open up’ or ‘close in’ as and when required. Another key aspect of this adaptive capability is the ability to facilitate orchestration via web APIs or other means to perform response actions – for example, if suspicious activity is found at an endpoint, action may be taken to isolate the end-point or access to a sensitive database could be temporarily suspended.
Identity is a fundamental building block within a zero trust security architecture. Strong authentication and appropriate access authorisation are required not only for end-users signing in but also for app services and device endpoints. Data storage resources should only be permitted to be accessed by authorised App services. Device end-points should be hardened and have malware protection installed. Proof of identity of the end-user signing in can be proven at varying strength levels. An example of high proof level might have the end-user engaging in multi-factor authentication with biometric binding to claims belonging to a verified identity. This would typically involve ownership of a mobile device that has cryptographically verified claims on a valid identity (from an authorised issuer), and the face of the person present is verified biometrically matched with that from validated credentials (e.g. passport photo).
The extent of challenges within the user journey should be related to the level of security risk mitigation. While we may not mind the level of user friction in being challenged when making a mortgage application for a house purchase, we expect to see more relaxed security controls for more mundane, everyday transactions. To this end, one might model the concept of user personas – where we might have social media, banking, family and work personas, all requiring varying levels of user identity proof and application of security controls that strikes an appropriate balance between user experience and security risk.
How does decentralised identity fit in zero trust security?
The main theme of decentralised identity is the placement of the user at the centre of being in control of their own credential data. This fits in well with the zero trust security narrative in that there is strong user authentication within mobile devices, with just-in-time presentation of claims to verifier parties on a need-to-know basis. This ‘economy’ of presentation of personal data is in stark contrast to the unnecessary exposure of personal data when presenting whole identity document scans (e.g. passports or driver’s licenses) when only partial information is required to assert a claim (e.g. over 18). The potential for decentralised digital identity solutions to provide zero-knowledge proofs will further enhance the privacy of citizens – typical use cases may prove to a verifier that a person associated with a verified identity is a UK citizen, eligible for voting or within an age range without disclosing any personal information.
The emergence of digital identity as a ubiquitous solution will require convergence of applied technology, user acceptance and establishment of legislation and identity trust framework governance. Such governance will provide the legal framework for the acceptance of digital identity proofs. Further momentum in successful adoption will be catalysed by increased consumer confidence and adoption of open standards that will permit digital identity solutions to interoperate within countries and also cross-border. Within the UK, we have the UK Government Digital Identity Trust Framework programme that will be shaped by the forthcoming digital identity legislation as part of the Data Protection and Digital Information Bill 2022. Within the EU, there is the emerging eIDAS2.0 regulation which aims to introduce an interoperating European Digital Identity Wallet (EDIW) solution by 2023. Both trust frameworks intend to embrace both public and private sectors. User acceptance is a key area that a successful trust framework will have to address. Within user experience, this will require addressing inclusivity issues and balancing user friction with perceived benefits.
In summary, the journey for zero trust security architectures over the years has taken it from the basic premise of dispensing with implied trust, applying security controls to people (identity), devices, app services, server infrastructure, networks and data, evolving to a contextually aware, dynamic approach where trust is continually evaluated, and orchestration of responses allow for adaptive security controls. Identity management is present throughout and centre stage to this approach, where there is strong authentication of users, app services and devices. With decentralised digital identity, we have the exciting prospect of bringing identity management into the 21st century, with the potential of providing seamless user experience and convenience whilst maintaining the level of security and privacy that is in harmonisation with the zero trust security architecture approach and GDPR.
Get more content like this straight to your inbox!
Subscribe to stay up to date.