NIST 800-207A: Implementing Zero Trust Architecture
Zero Trust
- Zero Trust is a security model that assumes a motivated attacker is already in the network and focuses on minimizing the damage they can do.
- Identity-based segmentation is a key component of Zero Trust that isolates workloads at the identity layer using tamperproof cryptographically verifiable identities for users, devices, and services.
- The five runtime activities required for a minimal working definition of Zero Trust are:
  - Encryption in transit for message authenticity and eavesdropping protection.
  - Workload identity to identify the communicating workloads.
  - Authorization of access per request.
  - Incorporation of end-user credential and authorization decision.
  - Implementation at every single hop in the infrastructure.
Identity-based Segmentation
- A service mesh can be used to implement identity-based segmentation by intercepting all traffic in and out of an application and enforcing policy.
- Identity-based policies are better suited for highly dynamic environments like the cloud compared to traditional network-based policies.
- Identity-based policies can help reduce the complexity of managing pairwise firewall rules by introducing identity-aware gateways.
- Identity-based policies are easier to understand and change compared to network-based policies, enabling faster policy updates.
- Organizations can start implementing identity-based segmentation in subsets of their infrastructure before expanding to more advanced patterns.
- Stacking identity-based policies with network-based policies helps bound an attacker in space and time, limiting their ability to pivot and the blast radius of their attacks.
- Ephemeral credentials, such as service credentials with short expiry times, further enhance security by reducing the window of opportunity for attackers.
Implementing Zero Trust
- The speaker discusses the challenges of implementing zero-trust security, particularly in large-scale environments.
- They emphasize the importance of consistency in security measures and recommend starting with a monolith architecture for smaller organizations.
- For larger organizations, the speaker suggests using libraries to implement the necessary controls and gradually adopting a service mesh as the organization grows.
- They also mention techniques for limiting the blast radius of service mesh deployments and upcoming features that can make service mesh adoption more accessible.
Service Mesh Security
- The speaker highlights the importance of agility and security in network policies and argues that a service mesh can provide tighter boundaries and better security than traditional network policies.
- They acknowledge the potential risks of centralized control in a service mesh and suggest regular security audits and centralized code bases to mitigate these risks.
- Service meshes such as Linkerd and Istio have robust security practices, which gives a higher level of assurance for the overall system.
Identity and Authorization
- Prior art exists in the form of SPIFFE (Secure Production Identity Framework for Everyone), which is used by service meshes for application identity.
- Application-level identity or service identity provides more power and flexibility for authorization decisions, but it requires handling encryption in transit and may have higher runtime costs.
- RBAC (Role-Based Access Control) is commonly used for authorizing service-to-service access in Istio, but other schemes like Open Policy Agent (OPA) can also be implemented.
- The speaker recommends using Next Generation Access Control (NGAC), as defined in SP 800-204B, for modern service-to-service access control.
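As an added example (not code from the talk, from NIST SP 800-207A, or from any service-mesh project), the following Python models in one per-hop check the five runtime activities listed under "Zero Trust", the stacking of identity-based with network-based policy and ephemeral credentials from "Identity-based Segmentation", and SPIFFE-ID-based RBAC from this section. The trust domain `example.org`, the SPIFFE IDs, the source CIDR, the role bindings and the end-user scope claims are all constructed for illustration; a real mesh sidecar would take the peer identity and expiry from the caller's X.509 SVID and the end-user claims from a validated token.

```python
# Added example, not the talk's or any mesh project's code: a per-hop,
# per-request authorization check that stacks a network-based policy with an
# identity-based (SPIFFE ID) RBAC policy, rejects expired ephemeral service
# credentials, and folds in the end-user's authorization claims.
# All identities, CIDRs, roles and claims below are constructed.
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Optional


def parse_spiffe_id(spiffe_id: str) -> tuple[str, str]:
    """Split 'spiffe://<trust-domain>/<path>' into (trust_domain, path).

    Raises ValueError on malformed input so that callers fail closed.
    """
    prefix = "spiffe://"
    if not spiffe_id.startswith(prefix):
        raise ValueError("not a SPIFFE ID")
    trust_domain, sep, path = spiffe_id[len(prefix):].partition("/")
    if not trust_domain or not sep or not path:
        raise ValueError("SPIFFE ID needs a trust domain and a non-empty path")
    return trust_domain, "/" + path


@dataclass
class PeerCredential:
    """What the mTLS handshake established about the caller (constructed here;
    a mesh would take both fields from the peer's X.509 SVID)."""
    spiffe_id: str
    not_after: float  # unix seconds; short-lived by design


@dataclass
class Request:
    peer: PeerCredential
    source_ip: str
    method: str
    path: str
    end_user_claims: dict = field(default_factory=dict)  # from a validated user token


@dataclass(frozen=True)
class Rule:
    role: str
    methods: frozenset
    path_prefix: str
    required_scope: Optional[str] = None  # end-user authorization to incorporate


# Policy for a hypothetical "orders" service. Layer 1: network-based.
ALLOWED_SOURCE_CIDRS = [ipaddress.ip_network("10.0.1.0/24")]
TRUST_DOMAIN = "example.org"
# Layer 2: identity-based RBAC, roles bound to workload identities.
ROLE_BINDINGS = {
    "orders-reader": {"spiffe://example.org/ns/shop/sa/web"},
    "orders-writer": {"spiffe://example.org/ns/shop/sa/checkout"},
}
RULES = [
    Rule("orders-reader", frozenset({"GET"}), "/orders"),
    Rule("orders-writer", frozenset({"POST", "DELETE"}), "/orders", "orders:write"),
]


def authorize(req: Request, now: Optional[float] = None) -> tuple[bool, str]:
    """Return (allowed, reason). Every layer must pass; the first failure denies."""
    now = time.time() if now is None else now
    # 1. Network-based policy: bounds the attacker in space even if an identity leaks.
    addr = ipaddress.ip_address(req.source_ip)
    if not any(addr in net for net in ALLOWED_SOURCE_CIDRS):
        return False, "source address outside allowed CIDRs"
    # 2. Workload identity: a well-formed SPIFFE ID from our own trust domain.
    try:
        trust_domain, _ = parse_spiffe_id(req.peer.spiffe_id)
    except ValueError as exc:
        return False, f"invalid peer identity: {exc}"
    if trust_domain != TRUST_DOMAIN:
        return False, "peer from foreign trust domain"
    # 3. Ephemeral credential: bounds the attacker in time.
    if now >= req.peer.not_after:
        return False, "peer credential expired"
    # 4. Identity-based RBAC, evaluated per request rather than per connection.
    for rule in RULES:
        if req.peer.spiffe_id not in ROLE_BINDINGS.get(rule.role, set()):
            continue
        if req.method not in rule.methods or not req.path.startswith(rule.path_prefix):
            continue
        # 5. Incorporate the end-user's authorization where the rule requires it.
        if rule.required_scope:
            scopes = set(req.end_user_claims.get("scope", "").split())
            if rule.required_scope not in scopes:
                return False, f"end user lacks scope {rule.required_scope}"
        return True, f"allowed by role {rule.role}"
    return False, "no matching rule"


if __name__ == "__main__":
    web = PeerCredential("spiffe://example.org/ns/shop/sa/web", not_after=2_000)
    print(authorize(Request(web, "10.0.1.7", "GET", "/orders/42"), now=1_000))
```

The ordering of the checks is deliberate: the cheap network-based check runs first, the identity and expiry checks establish who is calling before any rule is consulted, and the end-user scope is only examined for rules that need it, so a stolen but expired SVID or a caller outside the allowed CIDR is rejected before RBAC is even evaluated.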