NIST 800-207A: Implementing Zero Trust Architecture

25 Apr 2024 (7 months ago)

Zero Trust

Zero Trust is a security model that assumes a motivated attacker is already in the network and focuses on minimizing the damage they can do.
Identity-based segmentation is a key component of Zero Trust that isolates workloads at the identity layer using tamperproof cryptographically verifiable identities for users, devices, and services.
The five runtime activities required for a minimal working definition of Zero Trust are:
- Encryption in transit for message authenticity and eavesdropping protection.
- Workload identity to identify the communicating workloads.
- Authorization of access per request.
- Incorporation of end-user credential and authorization decision.
- Implementation at every single hop in the infrastructure.

A service mesh can be used to implement identity-based segmentation by intercepting all traffic in and out of an application and enforcing policy.
Identity-based policies are better suited for highly dynamic environments like the cloud compared to traditional network-based policies.
Identity-based policies can help reduce the complexity of managing pairwise firewall rules by introducing identity-aware gateways.
Identity-based policies are easier to understand and change compared to network-based policies, enabling faster policy updates.
Organizations can start implementing identity-based segmentation in subsets of their infrastructure before expanding to more advanced patterns.
Stacking identity-based policies with network-based policies helps bound an attacker in space and time, limiting their ability to pivot and the blast radius of their attacks.
Ephemeral credentials, such as service credentials with short expiry times, further enhance security by reducing the window of opportunity for attackers.

The speaker discusses the challenges of implementing zero-trust security, particularly in large-scale environments.
They emphasize the importance of consistency in security measures and recommend starting with a monolith architecture for smaller organizations.
For larger organizations, the speaker suggests using libraries to implement the necessary controls and gradually adopting a service mesh as the organization grows.
They also mention techniques for limiting the blast radius of service mesh deployments and upcoming features that can make service mesh adoption more accessible.

The speaker highlights the importance of agility and security in network policies and argues that a service mesh can provide tighter boundaries and better security than traditional network policies.
They acknowledge the potential risks of centralized control in a service mesh and suggest regular security audits and centralized code bases to mitigate these risks.
Service meshes have robust security practices, such as Linkerd and Istio, ensuring a higher level of assurance for the overall system.

Prior art exists in the form of SPIFFE (Secure Production Identity Framework for Everyone), which is used by service meshes for application identity.
Application-level identity or service identity provides more power and flexibility for authorization decisions, but it requires handling encryption in transit and may have higher runtime costs.
RBAC (Role-Based Access Control) is commonly used for authorizing service-to-service access in Istio, but other schemes like Open Policy Agent (OPA) can also be implemented.
The speaker recommends using Next Generation Access Control (NGAC), as defined in SP 800-204B, for modern service-to-service access control.