Getting to Ground Zero (Trust)

Post by: Brad Hartlove
Posted: 8.21.24

Zero Trust (ZT) focuses on the idea that one should always assume the environment has been compromised. The guiding principle of Zero Trust is to handle all resources, without trust, on both granular and global levels. In doing so, one is required to embrace a total buy-in to risk-based decisions in lieu of assuming any resource is trustworthy simply because it follows best practices or historically accepted security guidance. The traditional workflow of deploy, monitor, assess, wash-rinse-repeat has morphed into the next-generation best practice of trust nothing and assume everything is potentially malicious. When digesting this ZT perspective, one could easily look at an environment and see an unending expanse of circular dependencies, none of which can be trusted. With the depth and breadth of different Zero Trust guidance, establishing a baseline for a ZT program becomes non-trivial.

Getting to Ground Zero (Trust)

ZT assumes no trust in any area of the infrastructure. If it were possible to have a basis for some level of "trust", that foundation would create an anchor for setting goals and mapping progress. Importantly, one should continuously monitor all resources, with priority given to the accepted environmental anchors. Using this method of enabling ZT in an environment, once the anchors have been set, the focus moves to integration of new or existing technologies. Unlike previous integration or security processes, anchoring your ZT program should begin with several solid foundational components. The base components all Zero Trust programs should key off are Network Time Protocol (NTP), Domain Name System (DNS), and Public Key Infrastructure (PKI).

Ideally, a complete Zero Trust environment would arrive in sealed containers awaiting network connections. However, in most cases, organizations are not performing a greenfield deployment. Many organizations will need to integrate into existing infrastructure which already provides NTP, DNS, and some form of PKI. While ZT integrations pose several challenges from a strategic perspective, deploying completely new infrastructure is likely not more secure than a well-developed integration plan for the same components. Furthermore, a true greenfield deployment may far exceed an organization's budget or implementation timeline. Ensuring the foundational components of NTP, DNS, and PKI are properly configured, secured, and monitored sets the groundwork for building an efficient and secure Zero Trust architecture.

The order in which DNS and NTP are deployed is critical, as both are necessary for a fully functional, "trustworthy" PKI: certificate validity windows and revocation checks depend on an accurate clock, and CDP and OCSP endpoints must be resolvable. Whenever possible, NTP and DNS should be deployed first, then PKI. NTP and DNS should be functional enough to support the instantiation of the PKI components. The implementation of DNS and NTP services may be iterative or may have other necessary components (e.g., Active Directory (AD)) to fully integrate within the environment. A secure process for building out PKI with these supporting services may include standing up temporary DNS and NTP services. In cases where AD may be used, these temporary DNS and NTP services could be a step in the process, as AD members typically use the AD server as their primary DNS and NTP source. With this iterative method, the DNS and NTP services could be minimally configured and may be deployed with an immutable approach, such as containers. In either case, configurations should be managed during the deployments via version control.

Once DNS and NTP are deployed, the PKI components would follow. Enabling the Certificate Revocation List Distribution Points (CDPs) and/or Online Certificate Status Protocol (OCSP) responders affords any client or resource the ability to verify issued certificates. This is critical to any level of "trust" in the environment and a crucial step in achieving the desired Zero Trust outcomes. At this milestone, the only real "trust" available in the environment is live and can be used to redeploy DNS and NTP, with additional services following. Subsequent deployments could move to automation, security scanning, then on to other infrastructure services.
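The dependency described in the last two paragraphs, shown in Go as an added example (not code from the original post): a constructed, in-memory CA carries CDP and OCSP URLs whose hostnames a relying party must resolve (the DNS anchor), and validation of the same certificate fails whenever the client's clock lies outside the validity window (the NTP anchor). The `pki.example.internal` hostnames are hypothetical placeholders.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)
// buildTestCA creates a constructed, in-memory self-signed CA whose CDP and OCSP
// URLs point at hypothetical placeholder hostnames (not real infrastructure).
func buildTestCA(notBefore time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "zt-root (constructed)"},
		NotBefore: notBefore, NotAfter: notBefore.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		CRLDistributionPoints: []string{"http://crl.pki.example.internal/root.crl"}, OCSPServer: []string{"http://ocsp.pki.example.internal"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// revocationHosts lists the DNS names a client must resolve to reach the CRL and
// OCSP endpoints: PKI's dependency on DNS.
func revocationHosts(cert *x509.Certificate) (hosts []string) {
	for _, raw := range append(cert.CRLDistributionPoints, cert.OCSPServer...) {
		if u, err := url.Parse(raw); err == nil {
			hosts = append(hosts, u.Hostname())
		}
	}
	return hosts
}

// verifyAt validates the certificate against itself as trust anchor at the given
// clock value; a clock outside the validity window (PKI's dependency on NTP) fails.
func verifyAt(cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err
}
```

The functions are meant to be driven from a test: build the CA at a known instant, then call `verifyAt` with a clock inside and outside the window.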

The outcome of this roadmap is not intended to ignore or diminish the need for other security measures, nor is it intended to imply that scanning, monitoring, or modifications will be unnecessary after PKI deployment. Additionally, these components (DNS, NTP, PKI) should be deployed in a "trusted" environment, with controls around access and changes. The idea behind this plan is to enable the primary "trusted" components in any environment so that other services can be initially configured with a proper trust relationship, even in a ZT environment. Without a properly configured PKI, it is not possible to manage or secure resources at virtually any scale.

A lower-risk ZT environment begins with proper dissection and understanding of business needs. And as with any successful integration or deployment, planning is key. Detailing the foundational components and their integration points will highlight risks, needs, and pain points. Prioritizing the groundwork for Zero Trust will reduce cost and manpower, while ensuring the highest level of "trust" throughout the Zero Trust journey.

CyberPoint's NXZT Team has years of experience in PKI and extensive experience in integrating Zero Trust technologies. We have integrated PKI into more than 100 services within a single Zero Trust environment, including physical, virtual, and containerized instances. We have the experience to guide IT teams through the difficult task of employing a robust, full-coverage PKI deployment, even in difficult environments such as Zero Trust. CyberPoint can move your environment in the right direction and build a solid foundation for whatever Zero Trust goals you desire.

About CyberPoint's NXZT Team: Your Premier Partner for Zero Trust Security

Embracing ZT within your IT infrastructure demands a seasoned and proficient partner, and CyberPoint's NXZT Team stands at the forefront of ZT expertise. With a wealth of experience in the ZT domain, we specialize in conducting comprehensive assessments, meticulously evaluating your organization's existing network and creating detailed reports outlining the necessary adaptations to achieve ZT certification.

Contact NXZT

With CyberPoint's NXZT Team by your side, rest assured we will work with you to attain your Zero Trust goals. Whatever your Zero Trust aspirations may be, trust CyberPoint's NXZT Team to turn them into reality!

Contact us about how we can support your organization today.
