The now infamous SolarWinds hack highlights the danger of a “supply chain attack” and how ZTA can help reduce the risk of such an incident. The Committee on National Security Systems defines supply chain attacks as “attacks that allow the adversary to use implants or other vulnerabilities inserted before installation in order to infiltrate data or manipulate computer hardware, software, operating systems, peripherals (computer products), or services at any time during the life cycle.” SolarWinds’ widely used Orion software, deployed by many government agencies and large corporations, was compromised by a third party. Once inside SolarWinds’ systems, the attackers inserted malicious code into Orion, which customers then unknowingly installed through legitimate updates distributed by SolarWinds.
The attackers compromised SolarWinds’ own systems rather than its customers’ networks, hitchhiking on a trusted software update that carried malware deep into thousands of those customers. In a generalized, non-technical sense, what I mean by system is a business’s software and hardware, while a network is the connections between its computers and every connection facing the public Internet. A common analogy, as Ted Claypoole explains, is a castle. The castle is protected by a moat that isolates it from the wider world (i.e. the Internet), but once someone is inside the castle, if there are no additional security measures, the intruder has the keys to the kingdom. Of course, there are guards walking around inside, but unless something looks particularly suspicious, out of place, or odd, nothing is questioned.
ZTA does not rely on a single moat protecting against the outside, but on a series of checkpoints, each of which authenticates the access request. Think of an airport: you first check in with the airline, which makes sure your ID matches the name on your boarding pass; then the TSA checks your ID again; then the gate agent scans your boarding pass. You are already inside the airport, but the airport has trust issues, which is why you rarely, if ever, hear of someone boarding the wrong flight.
NIST (in SP 800-207) distills ZTA into seven tenets:
- First, all data sources and IT services are considered resources, and each one is protected as such.
- Second, network location alone is not a sufficient basis for trusting an access request. A device does not deserve trust just because it is inside the moat.
- Third, access to individual resources is granted on a per-session basis, so each new request is evaluated afresh. Basically, don’t let users leave the pantry door open because they will be back later; the dog still manages to find the treats in the meantime.
- Fourth, access is governed by a dynamic policy that takes into account the user’s identity, the application or service, and the requesting asset (the device making the request), and may include other behavioral and environmental attributes: installed software versions, network location, time and date of the request, previously observed behavior, and installed credentials, among others. The analogy here is the insurance company making you repeat your name, date of birth, and the last four digits of your Social Security number even though you already typed them in and told the last two reps.
- Fifth, monitor and measure the integrity and security posture of all devices and applications. Some devices have inherent weaknesses or simply do not need the same access as others. For example, the phone you connect to your employer’s network should not be able to reach the same company information as your laptop; the phone is a less secure device and may not be managed by the company at all.
- Sixth, authentication and authorization are dynamic, strictly enforced before access is allowed, and trust is continually reassessed. This tenet can sacrifice some efficiency and speed in the name of security, for example by asking users to re-authenticate after two hours or when opening a new set of documents. Companies can tailor these requirements by division or team to balance efficiency against risk.
- Seventh, collect, evaluate, improve and repeat. An enterprise needs to collect as much data as possible on access requests, network traffic, and the security posture of its assets, and use that data to evaluate and improve its policies.
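To make the tenets concrete, here is a small policy decision point written for this article as an added illustration. It is not NIST’s code or any vendor’s product, and the attribute names, resource names and thresholds (a two-hour session limit, a 30-day patch window, the “sensitive” resource list) are assumptions chosen for the example. Each request is judged on its own (tenet 3); network location is logged but never earns trust (tenet 2); identity and device posture drive the decision (tenets 4 and 5); a stale session is sent back to authenticate rather than waved through (tenet 6); and every decision is recorded with the attributes behind it (tenet 7).

```python
"""Toy Zero Trust policy decision point (PDP), added here as an illustration.

Requests are judged per-session from identity, device posture and session age.
Names and thresholds are hypothetical; not NIST's code or any vendor's product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "reauthenticate"  # session is stale: the user must prove identity again


@dataclass(frozen=True)
class Device:
    managed: bool        # enrolled in enterprise device management
    disk_encrypted: bool
    patch_age_days: int  # days since the OS was last patched


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool
    last_auth: datetime  # when the user last proved their identity
    device: Device
    network: str         # "corp-lan", "vpn" or "public": logged, never trusted by itself
    resource: str
    requested_at: datetime


@dataclass
class PolicyEngine:
    sensitive: frozenset = frozenset({"hr-database", "source-repo"})
    max_session_age: timedelta = timedelta(hours=2)
    max_patch_age_days: int = 30
    audit_log: list = field(default_factory=list)

    def decide(self, req: AccessRequest) -> tuple[Decision, list[str]]:
        reasons: list[str] = []

        # Tenet 4: identity is a policy input. No verified identity, no access at all.
        if not req.mfa_verified:
            reasons.append("identity not verified with MFA")

        # Tenet 5: device posture limits what a device may reach. An unmanaged phone
        # can still read low-sensitivity resources but not HR data or source code.
        if req.resource in self.sensitive:
            if not req.device.managed:
                reasons.append("unmanaged device may not reach a sensitive resource")
            if not req.device.disk_encrypted:
                reasons.append("device disk is not encrypted")
            if req.device.patch_age_days > self.max_patch_age_days:
                reasons.append(f"device unpatched for {req.device.patch_age_days} days")

        if reasons:
            decision = Decision.DENY
        # Tenet 6: trust is reassessed continually. A stale session must step up
        # before it reaches a new resource, even though the user is already "inside".
        elif req.requested_at - req.last_auth > self.max_session_age:
            decision = Decision.STEP_UP
            reasons.append("session older than policy maximum")
        else:
            decision = Decision.ALLOW

        # Tenet 2 is enforced by omission: req.network never changes the decision.
        # Tenet 7: record every decision together with the attributes behind it.
        self.audit_log.append({
            "user": req.user, "resource": req.resource, "network": req.network,
            "device_managed": req.device.managed, "time": req.requested_at.isoformat(),
            "decision": decision.value, "reasons": list(reasons),
        })
        return decision, reasons


def demo() -> dict[str, Decision]:
    """Constructed sample requests: one user, different devices, networks and session ages."""
    engine = PolicyEngine()
    now = datetime(2021, 1, 15, 9, 0, tzinfo=timezone.utc)
    fresh, stale = now - timedelta(minutes=10), now - timedelta(hours=3)
    laptop = Device(managed=True, disk_encrypted=True, patch_age_days=5)
    phone = Device(managed=False, disk_encrypted=True, patch_age_days=5)
    cases = {
        "laptop_public_fresh": AccessRequest("alice", True, fresh, laptop, "public", "hr-database", now),
        "phone_lan_sensitive": AccessRequest("alice", True, fresh, phone, "corp-lan", "hr-database", now),
        "phone_lan_cafeteria": AccessRequest("alice", True, fresh, phone, "corp-lan", "cafeteria-menu", now),
        "laptop_stale_session": AccessRequest("alice", True, stale, laptop, "vpn", "source-repo", now),
        "no_mfa_on_lan": AccessRequest("mallory", False, now, laptop, "corp-lan", "cafeteria-menu", now),
    }
    return {name: engine.decide(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} -> {decision.value}")
```

The point of the constructed cases is the contrast the castle analogy misses: the managed laptop on public Wi-Fi is allowed into the HR database, while the same user on an unmanaged phone sitting on the corporate LAN is denied it (but can still read the cafeteria menu), and a three-hour-old session on a healthy laptop is sent back to re-authenticate instead of being trusted because it is “already inside”. In a real deployment the posture attributes would come from an MDM or endpoint agent and the decision would be enforced by a gateway in front of the resource; the audit log is what tenet seven’s evaluate-and-improve loop is built on.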