Every endpoint and resource connected to your organization's network is a potential target for malicious actors. Traditional security measures have rapidly become insufficient against evolving threats. Perimeter controls alone are not enough given remote workers and the advancement of malware. Network security now covers both the network itself and its periphery, because you cannot implicitly trust the users, processes, and systems on the network, nor the locations from which users connect remotely. This includes identity, applications, and data.
Organizations are increasingly moving towards zero trust networks. Zero trust means nothing is trusted by default and everything is continuously verified. The principles of zero trust security require a design in which policy evaluates every access request from every network-connected device before a secure, encrypted connection is established, regardless of where the device resides. Implementing a zero trust network requires a careful redesign of the network, reconfiguration of policy, rewriting of operational procedures, and retraining of users. Fortunately, a zero trust architecture can be implemented incrementally, and the journey starts by assessing the current state.
Effective implementation of zero trust requires a thorough network security assessment. This article guides readers through the steps of assessing an enterprise network through the lens of the zero trust maturity model.
What is the Zero Trust Maturity Model?
The US General Services Administration (GSA) defines the original zero trust model as consisting of five critical pillars:
- Identity
- Devices
- Network environment
- Application workloads
- Data
The Cybersecurity and Infrastructure Security Agency (CISA) builds on the five-pillar model and adds analytics and automation as capabilities that cut across all five pillars; this article treats them as a sixth and seventh pillar, for a total of seven. CISA also grades each pillar on a maturity scale with four stages, traditional, initial, advanced, and optimal, in what is known as the zero trust maturity model. CISA recommends that organizations work towards the optimal level in every pillar.
An organization can use the CISA zero trust maturity model as a starting point to assess where they fall in each pillar and to understand what is required to reach the optimal level of zero trust. This is where network security assessment comes in. You assess the maturity of your current environment against the zero trust maturity model to prepare a roadmap or action plan that gets your organization to zero trust faster.
Network Security Assessment Checklist
The checklist below, organized by pillar, focuses the security assessment and helps identify weaknesses.
Identity
Without proper identity controls in place, zero trust cannot exist. Users must be identified and governed through authentication, authorization, and accounting (AAA) processes so that the appropriate level of access can be granted and their activity on the network can be tracked. Key network security assessment criteria for identity are outlined below.
At the traditional level of the zero trust maturity model, identity is established with username/password authentication alone. Passwords by themselves no longer adequately protect accounts: several common attacks are the Achilles' heel of single-factor, password-based authentication. Most of them amount to straightforward credential theft, such as:
- Phishing, where the user enters credentials into a site impersonating the real one
- Weak passwords that can be guessed with dictionary or password-spraying attacks
- Passwords obtained through social engineering
- Credential stuffing: stealing the credentials to one system and replaying them against other systems where unique passwords should have been used but were not
Attacks such as pass-the-hash, in which a stolen password hash is replayed without ever being cracked, show that the attacker does not even need to learn the password; possession of a single secret is enough to impersonate the user.
Some organizations adopt Multi-Factor Authentication (MFA), requiring users to present two or more different types of authentication factors to access a system or service. Users provide something they know, like a password, and something they have, like a hardware security key or a one-time password (OTP) from a mobile authenticator app. Note that not all factors are equal: OTP codes can still be phished and relayed in real time, whereas phishing-resistant methods such as FIDO2 security keys bind the authentication to the legitimate origin. Even so, MFA alone is not sufficient to reach the optimal identity level of the zero trust maturity model. Organizations also need continuous validation driven by rules-based policies and automated analysis of access logs.
Continuous Validation
"Continuous validation" refers to periodically and automatically re-evaluating, re-authenticating, and re-challenging a user rather than trusting a session indefinitely once it has been established. You can use intrusion detection and prevention systems (IDS/IPS) and security information and event management systems (SIEMs) to:
- Aggregate log and session identity data
- Identify unusual patterns, for example through machine learning analysis
- Alert an administrator when something is out of the ordinary
- Respond automatically to abnormal identity patterns, for example by forcing re-authentication or terminating the session
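As an added example (not code from the original article), the following Python script shows the simplest form of the continuous validation described above: each login event for a user is compared against the devices and countries previously seen for that user, the deviation is scored, and the session is either allowed, stepped up to a fresh MFA challenge, or terminated. The event lines, risk weights, and thresholds are constructed for illustration; a production implementation would consume identity-provider or SIEM data and add signals such as impossible-travel velocity.

```python
"""Baseline-driven continuous validation of login sessions (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events: timestamp, user, device_id, country, source IP.
SAMPLE_EVENTS = [
    "2024-03-04T08:01:10Z alice dev-A1 US 198.51.100.7",
    "2024-03-04T08:55:42Z alice dev-A1 US 198.51.100.7",
    "2024-03-04T09:10:03Z alice dev-A1 US 198.51.100.9",
    "2024-03-04T09:15:00Z alice dev-Z9 RO 203.0.113.4",   # unseen device AND country
    "2024-03-04T09:58:00Z alice dev-A1 RO 203.0.113.8",   # known device, unseen country
    "2024-03-04T10:02:11Z bob dev-B2 DE 192.0.2.15",
    "2024-03-04T10:20:47Z bob dev-B2 DE 192.0.2.15",
]

# Risk weights are assumptions chosen for the example, not values from the article.
NEW_DEVICE_RISK = 2
NEW_COUNTRY_RISK = 3


@dataclass
class Baseline:
    """What we have previously observed for one user."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)


def parse_event(line):
    ts, user, device, country, ip = line.split()
    return {"ts": ts, "user": user, "device": device, "country": country, "ip": ip}


def score_event(ev, baseline):
    """Sum the risk of every attribute that deviates from the user's baseline."""
    risk = 0
    if ev["device"] not in baseline.devices:
        risk += NEW_DEVICE_RISK
    if ev["country"] not in baseline.countries:
        risk += NEW_COUNTRY_RISK
    return risk


def evaluate(lines, step_up=2, terminate=4):
    """Return (timestamp, user, action, risk) for each event.

    action is one of: enrol (first sighting, baseline learned), allow,
    step_up (force a fresh MFA challenge) or terminate (kill session, alert).
    """
    baselines = defaultdict(Baseline)
    decisions = []
    for line in lines:
        ev = parse_event(line)
        b = baselines[ev["user"]]
        if not b.devices:
            # First ever login: nothing to compare against, so enrol the baseline.
            risk, action = 0, "enrol"
        else:
            risk = score_event(ev, b)
            if risk >= terminate:
                action = "terminate"
            elif risk >= step_up:
                action = "step_up"
            else:
                action = "allow"
        # Learn from allowed events and from step-ups (assumed to pass the MFA
        # challenge); a terminated session must never poison the baseline.
        if action != "terminate":
            b.devices.add(ev["device"])
            b.countries.add(ev["country"])
        decisions.append((ev["ts"], ev["user"], action, risk))
    return decisions


if __name__ == "__main__":
    for ts, user, action, risk in evaluate(SAMPLE_EVENTS):
        print(f"{ts} {user:<6} risk={risk} -> {action}")
```

Running it, alice's fourth login (a never-seen device from a never-seen country) is terminated, while her fifth (a known laptop from a new country, i.e. plausible travel) is only stepped up to an MFA challenge. The key design point is the last `if`: a decision to terminate must not update the baseline, otherwise an attacker can "train" the system by simply trying again.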
Centrally Managed SSO
Users struggle to keep track of and manage separate passwords for numerous systems, which encourages reuse and weak choices. For a robust zero trust design, integrate a centrally managed single sign-on (SSO) or federation solution that works with all of the organization's applications. Users get a single login, and the organization gets a single place to enforce MFA, session policy, and deprovisioning.
Devices
Devices are the next focus in your network security assessment. The main criteria for device security in the zero trust maturity model are visibility and compliance.
You should aim for a complete inventory of every device on the network, with continuous monitoring and validation of its security state. Organize devices into categories such as company-owned and personal bring-your-own (BYOD) devices. Corporate-owned devices should be fully managed by a Mobile Device Management (MDM) platform that enforces security policy at all times, and should run robust endpoint protection software.
Access to data from a device should be based on real-time risk analytics. For example, a fully managed, compliant corporate device should be granted broader access than a BYOD device. BYOD devices should be authenticated via third-party apps or Wi-Fi onboarding processes and granted limited network access with compliance enforcement. Similarly, there are "gray area" devices such as a heating or air-conditioning controller managed by an outside company. It is imperative to identify and segment these so they can reach only what they need to do their job.
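The following Python policy decision point is an added example, not code from the original article, illustrating how the device criteria above can be turned into a per-request decision: ownership, MDM enrolment, disk encryption, endpoint protection, and patch age are combined with the sensitivity of the requested resource to yield a graded outcome rather than a flat yes/no. The device records, the resource classification catalogue, the third-party allowlist, and the 30-day patch window are all constructed assumptions.

```python
"""Posture-based access decisions for managed, BYOD and third-party devices (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str            # "corporate", "byod" or "third-party"
    mdm_enrolled: bool
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int   # days since the last OS security update
    known: bool = True    # present in the asset inventory at all?


# Constructed classification catalogue; anything not listed is treated as high.
RESOURCE_SENSITIVITY = {
    "wiki": "low",
    "email": "medium",
    "hr-payroll": "high",
    "source-repo": "high",
}
# Vendor-managed gear is segmented to an explicit allowlist of resources.
THIRD_PARTY_ALLOWLIST = {"hvac-ctl-1": {"bms-gateway"}}
MAX_PATCH_AGE_DAYS = 30   # assumption for the example


def compliance_failures(dev):
    """List every posture check the device fails (empty list means compliant)."""
    failures = []
    if not dev.known:
        failures.append("unknown device")
    if not dev.disk_encrypted:
        failures.append("disk not encrypted")
    if not dev.edr_running:
        failures.append("EDR not running")
    if dev.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches {dev.patch_age_days}d old")
    return failures


def decide(dev, resource):
    """Return (decision, reasons).

    decision: allow | allow-restricted (browser-only, no download) |
              quarantine (remediation network only) | deny
    """
    failures = compliance_failures(dev)
    if not dev.known:
        return "deny", failures
    if dev.owner == "third-party":
        # An HVAC controller cannot run our EDR, so it is judged purely by segmentation.
        allowed = THIRD_PARTY_ALLOWLIST.get(dev.device_id, set())
        if resource in allowed:
            return "allow", []
        return "deny", [f"{dev.device_id} may only reach {sorted(allowed)}"]
    if failures:
        return "quarantine", failures
    if dev.owner == "corporate" and dev.mdm_enrolled:
        return "allow", []
    # Compliant but unmanaged (BYOD or un-enrolled corporate): limited access,
    # and never to high-sensitivity data.
    sensitivity = RESOURCE_SENSITIVITY.get(resource, "high")
    if sensitivity == "high":
        return "deny", [f"{resource} is high sensitivity; a managed device is required"]
    return "allow-restricted", ["unmanaged device: browser-only, downloads blocked"]


if __name__ == "__main__":
    laptop = Device("C1", "corporate", True, True, True, 5)
    phone = Device("B1", "byod", False, True, True, 10)
    hvac = Device("hvac-ctl-1", "third-party", False, False, False, 400)
    for dev, res in [(laptop, "hr-payroll"), (phone, "email"), (phone, "hr-payroll"), (hvac, "email")]:
        print(dev.device_id, res, decide(dev, res))
```

Two choices matter here: an unknown device is denied before anything else is evaluated, because you cannot assess the posture of something you cannot identify, and an unclassified resource defaults to high sensitivity so that a missing catalogue entry fails closed rather than open.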
Network Environment
The next stage of the network security assessment is a deep dive into the network environment to compare the security measures that are in place with those that should be.
Traditionally, coarse macro-segmentation was used to separate broad categories of network traffic. That segmentation was often motivated by performance rather than security, and there was usually very little encryption of internal or even external traffic. Ideally, the objective is to design the network with:
- Fully distributed ingress/egress micro-perimeters
- Machine learning-based threat protection
- Encryption of all traffic end to end
To move towards zero trust, define ingress/egress traffic policies around micro-perimeters and add at least basic analytics. This is no easy task, but it can be done with the right combination of network security policy, segmentation, TLS certificates and PKI, and authenticated end-to-end encryption (mutual TLS, for example, so that both ends of a connection prove their identity). Useful tools include:
- VPN tunnels
- Next-gen layer seven firewall policies
- NetFlow, and other traffic analysis
Zero Trust Perimeter Extensions
There are third-party tools that can seamlessly create an optimal zero trust environment by bringing the concept of fully distributed ingress/egress micro perimeters to the individual device, resource or application they are installed within. They effectively extend the zero trust perimeter wherever the device, application, or resource is located. It would be worthwhile for administrators to investigate the tools available in the market if they don’t have significant resources and time to implement custom solutions independently.
Applications
The network security assessment must also evaluate the security posture of your organization's applications, regardless of whether they are hosted on-premises, in the cloud, or in a hybrid model.
Regular Security Testing and Analysis
If everything is secure except the application, it is like locking all the windows of a house but leaving the front door wide open. Many poorly coded applications are vulnerable to SQL injection or cross-site scripting (XSS). Even well-coded applications with proper input handling remain exposed to vulnerabilities in third-party dependencies and to logic bugs in their own code, so applications should be tested regularly with static and dynamic analysis, dependency scanning, and periodic penetration tests. As a compensating control, deploy a web application firewall (WAF) on the access path of critical applications; a WAF reduces exposure to known attack patterns but does not substitute for fixing the underlying code.
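As an added example (not code from the original article), the Python below places the vulnerable and hardened versions of the two flaws named above side by side: a SQL query built by string formatting versus a parameterized query, and an HTML template that interpolates user input raw versus one that escapes it. It uses an in-memory SQLite database with constructed rows so it runs offline; the table layout and payloads are assumptions for the demonstration.

```python
"""SQL injection and XSS: vulnerable code beside the hardened form (added example)."""
import html
import sqlite3


def make_db():
    """Constructed sample database: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "h1", 0), ("bob", "h2", 0), ("root", "h3", 1)],
    )
    return conn


def find_user_vulnerable(conn, username):
    # VULNERABLE: attacker-controlled text is spliced into the statement, so a
    # quote in the input ends the string literal and the rest becomes SQL.
    sql = f"SELECT username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # HARDENED: the driver binds the value as data; it can never be parsed as SQL.
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_greeting_vulnerable(name):
    # VULNERABLE: user input lands in the page as markup.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # HARDENED: <, >, &, and quotes are entity-encoded, so the browser shows text.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def demo():
    """Run both payloads through both code paths and return the outcomes."""
    conn = make_db()
    sqli = "x' OR '1'='1"                 # classic tautology payload
    xss = "<script>alert(1)</script>"
    return {
        "sqli_vulnerable_rows": find_user_vulnerable(conn, sqli),
        "sqli_safe_rows": find_user_safe(conn, sqli),
        "xss_vulnerable": render_greeting_vulnerable(xss),
        "xss_safe": render_greeting_safe(xss),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The tautology payload makes the vulnerable query return every row, including the admin, while the parameterized version correctly finds no user literally named `x' OR '1'='1`. Note that a WAF would only ever see these payloads if they match a known signature; the parameterization and escaping fix the class of bug regardless of payload.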
Application Access Control
Traditionally, you may have restricted access to your applications by source IP address or required a VPN connection as a prerequisite. This approach is difficult and unsustainable to manage with a hybrid or remote workforce, so organizations should implement modern application access methods that do not depend on a VPN. For example, an agent on the remote device can continuously validate identity and device posture and authenticate to the application over a TLS-encrypted channel. Application access policies must be centrally managed. Otherwise, an inconsistency in the level of access control can leave a particular application exposed through an oversight by a systems engineer administering the policy or a poor implementation by an application developer.
Data
This pillar of the network security assessment gauges how the organization handles data and where it falls on the CISA zero trust maturity model. At a minimum, you should implement:
- The principle of least privilege access controls for data
- Encryption at rest for all data stored on-premise or in the cloud
Classification and Encryption
To reach the optimal level of the zero trust maturity model in the data pillar, you must categorize, classify, and encrypt your data both at rest and in transit, end to end. You can also configure your IDS/IPS, SIEM, or a firewall with IDS capability to use rules and machine learning to identify and thwart attempted data exfiltration. Keys and certificates play a crucial role in data encryption, and your administrators should review them regularly: expiring certificates, weak or legacy algorithms, and keys that have never been rotated are common findings.
Data Backup Policies
An administrator should review the backup policies for data, because backups are the last line of defense when all else fails. At a minimum, follow a 3-2-1 strategy: three copies of the data, on two different forms of media, with one copy off-site. The zero trust model goes one step further, to 3-2-1-1, where the final 1 is an immutable copy (for example in geo-redundant cloud storage) that cannot be altered or deleted within its retention period. This matters because production data access and backup access too often share the same credentials, so a single compromised account, or ransomware running as that account, can encrypt or destroy every copy at once; an immutable copy survives that scenario.
Analytics
Every device and piece of software on your network generates health and security data in various formats. Examples include:
- Syslog messages from servers, switches, and other network infrastructure devices
- Wireless authentication and deauthentication events reported by access points and controllers
- Event logs from network tools and software
Analytics aims to give the network administrator a well-tuned picture of the network that facilitates proactive responses to potential problems. But, it is a delicate balancing act as too much data and alerts can overwhelm and drown out important information. Analytics tools cut through the noise and provide administrators with an actionable, real-time picture of the network environment. We provide some tool recommendations below.
Security Information and Event Management
Security information and event management (SIEM) tools aggregate and normalize logs and alerts from many sources and search them for abnormal patterns. A SIEM also renders statistics gathered from logs graphically, which is useful to an administrator diagnosing or troubleshooting a problem.
NetFlow and Traffic Analysis
NetFlow is a protocol for monitoring network flows and collecting IP traffic metadata (source, destination, ports, protocol, and byte and packet counts). You can configure NetFlow export on core network devices to get a picture of the volume and type of traffic traversing your network. NetFlow itself does not block anything, but the flow data helps you identify the source of attacker traffic, spot exfiltration and scanning, and feed the firewall rules or DDoS mitigations that do.
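As an added example (not code from the original article), this Python script runs two simple detections over NetFlow-style records: an egress volume check that flags an internal host sending far more data to the internet than its peers, and a port-scan check that flags a source touching many distinct ports on one destination. The flow tuples, internal address ranges, and thresholds are constructed for the example; a real pipeline would read exported flows from a collector.

```python
"""Egress-volume and port-scan detection over NetFlow-style records (added example)."""
import ipaddress
from collections import defaultdict
from statistics import median

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed flows: (src_ip, dst_ip, dst_port, bytes). Ordinary workstations push
# tens of KB to the internet; 10.0.1.50 pushes ~4.8 GB to a single external host,
# and an external address probes 40 ports on one internal server.
SAMPLE_FLOWS = [
    ("10.0.1.10", "203.0.113.5", 443, 52_000),
    ("10.0.1.11", "203.0.113.5", 443, 48_000),
    ("10.0.1.12", "198.51.100.20", 443, 61_000),
    ("10.0.1.13", "198.51.100.21", 443, 55_000),
    ("10.0.1.50", "203.0.113.99", 443, 4_800_000_000),
    ("10.0.1.10", "10.0.2.5", 445, 9_000),            # internal to internal: not egress
] + [("198.51.100.77", "10.0.1.20", port, 60) for port in range(1, 41)]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_bytes(flows):
    """Total bytes each internal host sent to non-internal destinations."""
    per_host = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            per_host[src] += nbytes
    return dict(per_host)


def exfil_suspects(flows, factor=20):
    """Internal hosts whose egress exceeds `factor` times the fleet median.

    The median is robust to the outlier we are looking for; a mean would be
    dragged upward by it. With fewer than three hosts there is no baseline.
    """
    per_host = egress_bytes(flows)
    if len(per_host) < 3:
        return []
    baseline = median(per_host.values())
    return sorted(host for host, total in per_host.items() if total > factor * baseline)


def scan_suspects(flows, min_ports=20):
    """(src, dst, distinct_port_count) pairs where one source hit many ports on one host."""
    ports = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        ports[(src, dst)].add(port)
    return sorted((s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    print("egress per host:", egress_bytes(SAMPLE_FLOWS))
    print("possible exfiltration:", exfil_suspects(SAMPLE_FLOWS))
    print("possible port scans:", scan_suspects(SAMPLE_FLOWS))
```

Both detections are deliberately relative (median-based) or count-based rather than fixed byte thresholds, so they keep working as normal traffic levels change. Internal-to-internal flows are excluded from the egress figure, which is why the SMB flow to 10.0.2.5 does not count against 10.0.1.10.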
Vulnerability management and threat intelligence are also part of analytics. Organizations use tools like vulnerability scanners to identify and correct their systems' vulnerabilities. You can also use them to collect and analyze data and mitigate potential security threats to the organization.
Automation
Automation is an underlying and complementary component of the other zero trust maturity model pillars. The administrator conducting the network security assessment should determine where automation can augment security in the organization. Some suggestions follow.
You can automate the deployment of security policies through Active Directory Group Policy, configuration baselines, and mobile device management. Another example is automating group membership and access grants according to the principle of least privilege, so that entitlements follow a user's role rather than accumulating over time.
Threat Detection and Response
Automated threat detection and response is a two-step process:
- Collect data and find patterns that warrant a response, typically in the SIEM
- Configure your IDS/IPS and firewalls to automatically mitigate detected threats before they escalate
For example, if a known malicious IP address tries to brute force your application, the IPS adds a rule to the firewall to block access.
You can configure anti-virus and endpoint protection solutions with heuristic and behavioral detection to automatically block suspicious payloads before they run potentially malicious software such as ransomware. Automating the download of signature and engine updates at frequent intervals is also a good idea.
Additionally, anti-virus solutions and host-based firewalls help prevent malicious applications from launching attacks by blocking outbound connections from unknown applications or from applications attempting unauthorized network operations.
Where possible, automate patch management tasks such as checking for the latest updates, deployment, and installation. The faster patches are applied, the smaller the attack surface available to an adversary.
Conclusion
The zero trust maturity model breaks zero trust down into pillars and provides a scale for progressing from traditional to optimal security controls. To achieve zero trust, you must conduct a thorough network security assessment and create a roadmap to strengthen your security posture. If you have not already assessed your network security capabilities, assess every area of your network: identity, devices, data, applications, and the network environment, plus the analytics and automation that span them. Once you have fully evaluated your network security, you will better understand how tools such as ZTMesh offer centralized, granular control and allow the incremental implementation of a zero trust architecture. Consider leveraging a tool with this capability to build the bridge to a zero trust network in a seamless and manageable way.