NIST 800-207A: Implementing Zero Trust Architecture


Zero Trust

  • Zero Trust is a security model that assumes a motivated attacker is already inside the network and focuses on minimizing the damage that attacker can do.
  • Identity-based segmentation is a key component of Zero Trust: it isolates workloads at the identity layer using tamperproof, cryptographically verifiable identities for users, devices, and services rather than network location.
  • The five runtime activities that make up a minimal working definition of Zero Trust are:
    • Encryption in transit, for message authenticity and protection against eavesdropping.
    • Workload identity, so that both communicating workloads can be authenticated.
    • Authorization of access on every request, not once per connection or per session.
    • Incorporation of the end-user's credential into that per-request authorization decision, alongside the workload identity.
    • Enforcement of all of the above at every hop in the infrastructure, not only at the perimeter.

Identity-based Segmentation

  • A service mesh can implement identity-based segmentation by intercepting all traffic into and out of an application and enforcing policy on it.
  • Identity-based policies are better suited to highly dynamic environments such as the cloud than traditional network-based policies, because identities survive IP changes, rescheduling, and autoscaling.
  • Identity-based policies can reduce the complexity of managing pairwise firewall rules by introducing identity-aware gateways.
  • Identity-based policies are easier to understand and change than network-based policies, which enables faster policy updates.
  • Organizations can start implementing identity-based segmentation in a subset of their infrastructure before expanding to more advanced patterns.
  • Stacking identity-based policies on top of network-based policies bounds an attacker in space and time: it limits their ability to pivot and the blast radius of their attacks.
  • Ephemeral credentials, such as service credentials with short expiry times, further reduce the window of opportunity for an attacker who steals one.
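The following is an added example, not material from the talk or from NIST SP 800-207A, showing how the five runtime activities above and the "stack identity policy on network policy" advice map onto a service mesh. It uses Istio resources for a constructed namespace "shop" in which the service account "checkout" calls the service "orders"; the namespace, service, label, and issuer names are assumptions for illustration.

```yaml
# Added example (not the talk's or NIST's own configuration). Namespace "shop",
# caller service account "checkout", callee workload "orders", and the IdP URL
# are constructed for illustration.

# 1. Encryption in transit + 2. workload identity (+ 5. at every hop):
#    mesh-wide STRICT mTLS means every sidecar must present its SPIFFE-based
#    X.509 workload certificate; plaintext connections are rejected.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system        # root namespace = mesh-wide default
spec:
  mtls:
    mode: STRICT
---
# 3. Authorization per request: start from deny-all in the namespace so only
#    explicitly allowed identities can reach any workload in "shop".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}                         # empty spec: no rule matches, so deny
---
# 4. End-user credential: validate the caller's JWT so its issuer/subject is
#    available to the authorization decision as the request principal.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: end-user-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  - issuer: "https://idp.example.com"                         # assumed IdP
    jwksUri: "https://idp.example.com/.well-known/jwks.json"
---
# 3 + 4 together: allow checkout -> orders, but only for requests that also
#    carry a valid end-user token. The workload principal is the SPIFFE ID
#    from the peer certificate, not an IP address, so the rule survives pod
#    rescheduling and autoscaling.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-checkout
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]     # workload identity
        requestPrincipals: ["https://idp.example.com/*"]      # end-user identity (iss/sub)
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
---
# Stacking a network-based policy underneath: a Kubernetes NetworkPolicy that
#    admits ingress to "orders" only from pods labelled app=checkout. An attacker
#    who steals the checkout identity is still confined to that network path,
#    and one who gains network reach without the identity is still refused by
#    the mesh.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-ingress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: orders
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: checkout
```

Two checks worth doing after applying this: send a request from a pod that is not in the mesh (or with mTLS disabled) and confirm it is refused by the STRICT peer policy, and send one from the checkout service account without a bearer token and confirm the ALLOW rule does not match because requestPrincipals is empty. The ephemeral-credential point above is covered by the mesh itself: Istio workload certificates are short-lived and rotated automatically by the agent, so a stolen certificate stops working without any operator action.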

Implementing Zero Trust

  • The speaker discusses the challenges of implementing Zero Trust, particularly in large-scale environments.
  • They emphasize consistency in security controls and, for smaller organizations, recommend starting with a monolithic architecture, where there are few hops to secure.
  • For larger organizations, the speaker suggests implementing the controls first as in-process libraries and gradually adopting a service mesh as the organization grows.
  • They also mention techniques for limiting the blast radius of service mesh deployments and upcoming features that should make service mesh adoption more accessible.

Service Mesh Security

  • The speaker highlights the need for both agility and security in network policy and argues that a service mesh can enforce tighter boundaries and provide better security than traditional network policies.
  • They acknowledge the risk of centralized control in a service mesh (the control plane becomes a high-value target) and suggest regular security audits and centralized code bases to mitigate it.
  • Service meshes such as Linkerd and Istio maintain robust security practices, which gives a higher level of assurance for the overall system.

Identity and Authorization

  • Prior art exists in the form of SPIFFE (Secure Production Identity Framework for Everyone), which service meshes use for application identity.
  • Application-level identity, or service identity, gives more power and flexibility to authorization decisions, but it requires handling encryption in transit and may carry higher runtime costs.
  • RBAC (Role-Based Access Control) is commonly used to authorize service-to-service access in Istio, but other schemes, such as policies evaluated by Open Policy Agent (OPA), can also be used.
  • The speaker recommends Next Generation Access Control (NGAC), as described in SP 800-204B, for modern service-to-service access control.
