Zero Trust and Dynamic Perimeters Based on Identity

NIST has recently published the final version of SP 800-207 “Zero Trust Architecture”, which is recommended reading.

This is a good opportunity to consider how much IT architecture has changed in the last 20 years. From the concept of a single physical IT perimeter, we now have multiple physical or virtual perimeters, which can be dynamic due, for example, to Software Defined Networking or Cloud services.

More importantly, who and what is inside a perimeter, which may be as small as a single application, depends not only on the physical and/or virtual location of the device (server or client) but on the identification, authentication and authorisation of the user and/or the device. Given proper identification, authentication and authorisation, a user and their device can be admitted to a high-security perimeter even when connecting from any network in the world.

Moreover, authentication and authorisation are not “once and for all”: each perimeter, however small, should perform them again. This requires strong authentication processes that authenticate both the user and her/his device, including the device's security state. Often this can be done in two steps: the user authenticates to the local (portable) device, typically with MFA, biometrics, etc., and the device then handles authentication to the remote services, typically with a credential bound to that device, which gives a simpler user experience.
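As an added example (not from the original post, nor from NIST's document), the following Go program models the two-step flow just described: the user unlocks the device locally, the device then answers a per-resource challenge with a signature from a key that never leaves it, plus a claim about its own posture, and the service re-checks all of this on every access rather than once per session. The device ID, resource names, the DiskEncrypted posture claim and the 2-minute challenge lifetime are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Challenge is issued per resource; its nonce makes each authorisation single-use.
type Challenge struct {
	Nonce, Resource string
	Issued          time.Time
}

// Assertion is the device's signed reply; DiskEncrypted is an assumed posture claim (MDM/attestation in practice).
type Assertion struct {
	DeviceID, Nonce, Resource string
	DiskEncrypted             bool
	Sig                       []byte
}

type Service struct {
	devices    map[string]ed25519.PublicKey // enrolled device-bound public keys
	challenges map[string]Challenge         // outstanding, not yet answered challenges
	ttl        time.Duration                // how long an answer to a challenge is accepted
}

func NewService(ttl time.Duration) *Service { return &Service{map[string]ed25519.PublicKey{}, map[string]Challenge{}, ttl} }

// Enroll stores the public key only; the private key never leaves the device.
func (s *Service) Enroll(id string, pub ed25519.PublicKey) { s.devices[id] = pub }

// IssueChallenge creates a fresh, resource-bound challenge.
func (s *Service) IssueChallenge(resource string, now time.Time) (Challenge, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return Challenge{}, err
	}
	c := Challenge{fmt.Sprintf("%x", b), resource, now}
	s.challenges[c.Nonce] = c
	return c, nil
}

// signingInput is what both sides sign/verify; length prefixes stop field shifting.
func signingInput(id, nonce, resource string, enc bool) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%d:%s|enc=%t",
		len(id), id, len(nonce), nonce, len(resource), resource, enc))
}

// Authorize runs at every perimeter for every access; nothing carries over.
func (s *Service) Authorize(a Assertion, now time.Time) error {
	ch, found := s.challenges[a.Nonce]
	delete(s.challenges, a.Nonce) // single use, even if a later check fails
	pub, enrolled := s.devices[a.DeviceID]
	switch {
	case !found:
		return errors.New("unknown or already used nonce (replay?)")
	case !enrolled:
		return errors.New("unknown device")
	case ch.Resource != a.Resource:
		return errors.New("assertion presented for a different resource")
	case now.Sub(ch.Issued) > s.ttl:
		return errors.New("challenge expired")
	case !ed25519.Verify(pub, signingInput(a.DeviceID, a.Nonce, a.Resource, a.DiskEncrypted), a.Sig):
		return errors.New("bad signature")
	case !a.DiskEncrypted:
		return errors.New("device posture does not meet policy")
	}
	return nil
}

// ClientDevice holds the key; Unlocked stands in for the user's local MFA/biometric step that releases it.
type ClientDevice struct {
	ID       string
	Priv     ed25519.PrivateKey
	Unlocked bool
}

// Respond signs the challenge together with the device's current posture.
func (d *ClientDevice) Respond(c Challenge, diskEncrypted bool) (Assertion, error) {
	if !d.Unlocked {
		return Assertion{}, errors.New("device locked: no local user authentication")
	}
	sig := ed25519.Sign(d.Priv, signingInput(d.ID, c.Nonce, c.Resource, diskEncrypted))
	return Assertion{d.ID, c.Nonce, c.Resource, diskEncrypted, sig}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // once, at enrolment
	svc := NewService(2 * time.Minute)
	svc.Enroll("laptop-1", pub)
	dev := &ClientDevice{ID: "laptop-1", Priv: priv, Unlocked: true}
	ch, _ := svc.IssueChallenge("payroll-db", time.Now())
	a, _ := dev.Respond(ch, true)
	fmt.Println(svc.Authorize(a, time.Now()), "/", svc.Authorize(a, time.Now())) // <nil> / replay error
}
```

Note what the service refuses: a reply from a device the user has not unlocked, a nonce presented twice, a challenge answered for a different resource or after it expired, a posture claim altered after signing, and a signature from a key that was never enrolled. In a real deployment the device key would live in a TPM or secure enclave and the posture claim would come from an MDM agent or hardware attestation rather than a boolean supplied by the caller.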

This is the direction we see every day in most major IT / Cloud services, and sooner or later it will also reduce our dependency on passwords.

Cloud, Network Security and SASE

We know very well that years ago we lost the (security) network perimeter. Still, too often we approach network security with the underlying idea of perimeter defence: inside the perimeter all is fine, and the “firewall” protects us from the outside world.

But in the current world of growing Cloud / Software as a Service (SaaS) adoption and Software Defined Networking (SDN), it becomes increasingly impossible to manage IT security from the centre of the traditional network and to deploy the protections at its edges. We need to manage the security of traditional and legacy applications, cloud applications, and internal and mobile users, all at the same time and with a single approach.

From the network security point of view, this requires looking at our network as a (software defined) mesh of connections, composed underneath of different backbones, trunks, local networks and VPNs. Security, access and privileges should be identity-driven and distributed globally across the network. This implies that the preferred architecture to implement and govern such a security network should be cloud-based, if not cloud-native.

If I understand correctly, this is, at least in part, the idea behind the most recent approach to network security proposed by Gartner, called “Secure Access Service Edge (SASE)” (see here and here for more information).