Whilst the concept of Zero Trust (ZT) networks is gaining broad popularity and acclaim, elements of the approach have been quietly adopted and applied within some sensitive government IT environments. The ever-dissolving corporate perimeter has been a driver for the ZT concept. However, for certain areas of government, it is more a case of not completely trusting a perimeter, even where it can be identified. Instead, building a defence-in-depth architecture offers better protection and detection capabilities than conventional IT architectures.
Here, I have captured some insights gained from working with government sector adopters of network models that reduce implicit trust, influenced by the ‘CloudClient’ project, run by the UK National Cyber Security Centre (NCSC).
Defining Zero Trust
The first rule of dealing with a recently popularised phrase is that no one will agree on an exact definition, perhaps because there are too many different solutions to the problem. The Zero Trust Network, or Zero Trust Architecture, model was created in 2010 by John Kindervag, then a principal analyst at Forrester Research. Kindervag emphasised that organisations should not automatically trust users or assets, irrespective of location.
As technology and real-world ZT deployments have evolved, it is worth considering the main characteristics of the ZT approach and how these may continue to adapt. Managed entities, whether devices or users, should no longer be implicitly trusted just because they are, for example, connected to an internal network. This leads to two responses: seeking greater confidence in the identities being managed, and exercising greater control over how resources are accessed. The relevant tools and techniques include device identity management, device health monitoring, user identity and access management, service segmentation, and traffic inspection.
The desired objectives include having confidence in the identity and integrity (health) of a device, combined with the verification of a user’s identity at a granular service level, when a service is accessed. This is underpinned by robust security mechanisms that are, as far as possible, transparent to the user and easy to manage.
NCSC CloudClient – A brief history
The NCSC’s predecessor initiated a research project a few years ago, which incorporated many characteristics of ZT networks. The objective of the CESG CloudClient project was to facilitate the secure sharing of IT infrastructure across government. This would enable an employee of one department to securely access their online services from collaborating organisations. The project required that the health of devices could be measured and validated across organisational boundaries, with a high level of assurance.
This was to ensure that no organisation’s security posture was reduced through collaboration, and that user identity management would automate the delivery of defined service components.
Building the resulting architecture started with a security-focused operating system, optimised for accessing online services – effectively a secure platform to launch a browser. Adopting a browser-based operating system simplifies the process of validating device identity and health, as it becomes viable to cryptographically validate all firmware, operating system and application software components. This is typically problematic for full-blown general-purpose operating systems, whose large and frequently changing software set makes a complete set of known-good measurements hard to maintain.
The project resulted in an end-to-end implementation of a remote attestation protocol for a desktop environment, compliant with the relevant Trusted Computing Group (TCG) open standards and using a Trusted Platform Module (TPM) as the hardware root of trust. At a high level, this means an organisation can be confident not only in a device's identity but in its integrity: the measurements of firmware, operating system and application components reported by the TPM match a known-good set. Such a device is in a known state, so no unauthorised change has been made to the measured software stack. The guarantee extends only to what was measured, which is why measuring the whole boot chain matters, and why a minimal browser-based OS makes this practical.
The CloudClient architecture uses the Security Assertion Markup Language (SAML) for federated authentication. Collaborating organisations exchange signed assertions about authenticated devices and users as part of a federated device identity model, which allows web services to be published that establish end-to-end encrypted sessions with third-party devices at the same level of confidence as internally managed ones. Two-factor user authentication is implemented with physical smartcards, and associated policies define granular authorised access to each service.
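The device-health and access-control flow described above, as an added worked example written for this article rather than CloudClient or Paradox code. It simulates TCG-style PCR extension, a nonce-bound quote, and a verifier that refuses access unless device measurements, two-factor user authentication and a per-service policy all check out. Assumptions, all hypothetical: the boot chain is a short list of byte strings, an HMAC under a shared key stands in for the TPM attestation-key signature (a real quote is an asymmetric signature over the PCR digest and nonce), and the policy table and user records are constructed inline.

```python
"""Simulated remote attestation plus per-service access decision (illustrative, not CloudClient code)."""
import hashlib
import hmac
import secrets

PCR_INIT = b"\x00" * 32               # a PCR reads all zeros after reset
AK_KEY = b"attestation-key-stand-in"  # hypothetical: HMAC key standing in for the TPM attestation key


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TCG-style extend: new PCR = H(old PCR || H(component)). Order of extension matters."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Device side: fold the ordered boot chain (firmware, bootloader, OS, browser) into one PCR."""
    pcr = PCR_INIT
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def make_quote(pcr: bytes, nonce: bytes, key: bytes = AK_KEY) -> dict:
    """Device side: a quote binds the current PCR value to the verifier's nonce under the AK."""
    sig = hmac.new(key, pcr + nonce, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig}


class Verifier:
    """Verifier side: check freshness, signature and measurements, then apply service policy."""

    def __init__(self, golden_pcr: bytes, policy: dict, key: bytes = AK_KEY):
        self.golden_pcr = golden_pcr   # known-good measurement for the approved image
        self.policy = policy           # service -> group required to use it (constructed table)
        self.key = key
        self.outstanding = set()       # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def check_health(self, quote: dict) -> str:
        nonce = quote["nonce"]
        if nonce not in self.outstanding:
            return "replayed-or-unknown-nonce"
        self.outstanding.discard(nonce)  # each nonce is single use, so a captured quote cannot be replayed
        expected = hmac.new(self.key, quote["pcr"] + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, quote["sig"]):
            return "bad-signature"
        if not hmac.compare_digest(quote["pcr"], self.golden_pcr):
            return "unexpected-measurements"
        return "healthy"

    def decide(self, quote: dict, user: dict, service: str) -> tuple:
        """Allow only when device health, smartcard two-factor auth and the service policy all pass."""
        health = self.check_health(quote)
        if health != "healthy":
            return ("deny", health)
        if not user.get("smartcard_mfa"):
            return ("deny", "smartcard-mfa-required")
        required = self.policy.get(service)
        if required is None:
            return ("deny", "no-policy-for-service")
        if required not in user.get("groups", ()):
            return ("deny", "not-authorised-for-service")
        return ("allow", service)


# Constructed sample data
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"browser-os-v1", b"browser-v1"]
GOLDEN_PCR = measure_boot(GOOD_CHAIN)
POLICY = {"mail": "staff", "soc-console": "soc-analysts"}
ALICE = {"name": "alice", "smartcard_mfa": True, "groups": ["staff"]}


def run_scenarios() -> dict:
    """Decisions for a healthy device, a replayed quote, a tampered bootloader and an unauthorised service."""
    v = Verifier(GOLDEN_PCR, POLICY)
    results = {}
    good = make_quote(GOLDEN_PCR, v.challenge())
    results["healthy"] = v.decide(good, ALICE, "mail")
    results["replay"] = v.decide(good, ALICE, "mail")  # same quote again: nonce already consumed
    tampered = measure_boot([b"firmware-v1", b"bootloader-evil", b"browser-os-v1", b"browser-v1"])
    results["tampered"] = v.decide(make_quote(tampered, v.challenge()), ALICE, "mail")
    results["wrong-service"] = v.decide(make_quote(GOLDEN_PCR, v.challenge()), ALICE, "soc-console")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The two details worth noting are that the tampered device produces a correctly signed quote, so the signature check alone proves nothing about health; only the comparison against the known-good PCR value catches it. And because each nonce is consumed on first use, a quote captured from a healthy device cannot be presented again later, which is what makes the health check a property of the device now rather than of the device at some earlier point.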
A real-world deployment
Although CloudClient was a research project, its successful outcomes were subsequently adopted across a number of UK government departments. Fully aligned with government’s ‘cloud first’ policy, the ‘cloud client’ model allowed a number of security benefits to be derived by optimising end user devices for cloud access.
However, in addition to security, the need to optimise usability proved a key driver for user adoption. Even in some of the most sensitive government environments, security today needs to be as automated and transparent as possible, whether that is single sign-on, timely certificate management or automated patching. These are all necessary characteristics of a well-designed ZT architecture.
Security operation overheads can also be reduced through the ‘cloud client’ model, as a lightweight, secured OS significantly changes the security event monitoring landscape. Minimising the software stack with a browser-based model reduces security auditing ‘noise’ from endpoints, whilst cryptographically enforced health checks provide a low-volume, high-value audit profile. This can offset the increase in network traffic logging and inspection that the ZT model advocates.
With the NCSC and wider UK government’s preference for commercial off-the-shelf products, Becrypt has productised the project’s outputs. This was in the form of an end-user device platform called Paradox (no formal endorsement by NCSC implied).
When moving to cloud and online services, there is a temptation to focus only on the benefits that the chosen cloud-based infrastructure can offer. CloudClient demonstrated how security, cost and flexibility benefits could be extended to the end user device infrastructure. It becomes difficult to justify a general-purpose OS when the endpoint needs little more than a browser, and a minimal OS makes ZT-enabling controls such as measured boot and attestation easier to implement.
However, few organisations would be standardised on all architectural components of CloudClient, or similar architectures, across the entire enterprise. This has been demonstrated by assessing where Paradox has subsequently been deployed. The prerequisites for adopting a browser-based OS such as Paradox typically include deploying to ‘greenfield’ environments, although this can include new software roll-outs to existing hardware. Furthermore, projects typically need to target ‘cloud native’ communities, or those accessing online applications.
To date, Paradox has been deployed to secure desktops, laptops and kiosks, with a range of use cases. These range from standard enterprise access to Office 365, to the more specialised examples of SOC hosting and the control of third-party supplier access. These examples demonstrate the shift towards a Zero Trust model.
With a heritage of creating UK National Cyber Security Centre (NCSC) certified products, Becrypt is a trusted provider of endpoint cybersecurity software solutions. Becrypt helps the most security conscious organisations to protect their customer, employee and intellectual property data. It has an established global client base which includes governments (central and defence), wider public sector, critical national infrastructure organisations and SMEs.
From being one of the early pioneers in disk encryption software to being first to market today with a unique desktop operating system, Becrypt continues to bring innovation to endpoint cyber security technology. A recognised cyber security supplier to governments around the world, Becrypt’s software also meets other internationally accredited security standards. Through its extensive domain and technical expertise, Becrypt helps organisations optimise the use of new cyber security technologies, and its flagship security solution Paradox delivers a highly secure platform for the modern age.