
What Developers Must Know about Zero Trust


Key Takeaways

  • Zero trust solves the problem of open network access by selectively allowing access only to the specific resources a user should be allowed to access
  • A key strategy for achieving continuous verification is Zero Trust Network Access (ZTNA)
  • Implementing zero trust can help with organizational skill shortages in SOC (Security Operations Center) or security analyst roles 
  • In a zero trust environment, developers must have a comprehensive understanding of how to secure every step of a requester’s interaction with the application, taking into account the current security context
  • The zero trust framework does not eliminate the need to continuously scan for vulnerabilities after each deployment, to ensure that application and backend systems remain protected and functioning

What Is the Zero Trust Model?

The zero trust security model is an approach to designing and implementing secure IT systems. The basic concept behind zero trust is "never trust, always verify". This means that users, devices, and connections are never trusted by default, even if they are connected to a corporate network or have previously been authenticated.

Modern IT environments consist of many interconnected components including on-premise servers, cloud-based services, mobile devices, edge locations, and internet of things (IoT) devices. A traditional security model that relies on protecting the so-called “network perimeter” is ineffective in this complex environment.

Attackers can compromise user credentials and gain access to on-premises systems behind the firewall.

They can also gain access to cloud-based or IoT resources that are deployed outside the organization’s control. A zero trust approach establishes micro-perimeters around protected assets, and uses security mechanisms like mutual authentication, verification of device identity and integrity, and access to applications and services based on strict user authorization.

Why Is Zero Trust Important?

Before the advent of zero trust, organizations used technologies like firewalls and virtual private networks (VPNs) to control access to networks and applications. The problem with these solutions is that once a connection has passed security checks, it is implicitly trusted, and has open access to the network. This allows both legitimate users and attackers access to sensitive data and mission critical resources.

To mitigate this threat, organizations implement multiple, complex layers of security to detect and block attacks, but attackers can still slip past these defenses. Zero trust solves the problem of open network access by selectively allowing access only to the specific resources a user should be allowed to access, according to granular access policies and the current security context.

What Are the Core Principles of the Zero Trust Model?

Implementing a zero trust security model requires incorporating the following principles into an organization’s security strategy.

Continuous Verification

Continuous verification is a key aspect of zero trust—it means there are no implicitly trusted devices, credentials, or zones. Several elements are essential to allow the continuous verification of various assets, including risk-based conditional access to maintain user experience and easily applied dynamic security policies that consider compliance requirements.

A key strategy for achieving continuous verification is Zero Trust Network Access (ZTNA) - a solution that enforces zero trust policies. ZTNA makes it possible to enforce the least privilege principle (PLP), so that users or service accounts can only access a resource if it is necessary for their role. This network strategy minimizes cybersecurity risks and protects organizations from internal and external threats. 

Microsegmentation

A zero trust network should implement microsegmentation to create multiple protected zones rather than a single security perimeter. This approach helps protect the different parts of the network separately, so one compromised zone does not threaten the rest of the network.

Least-Privilege Access

The principle of least privilege is key to zero trust. It involves granting each user or entity the minimum necessary access permissions, preventing exposure to sensitive network areas. The least privilege approach requires the careful management of user privileges.

Device Access Controls

Robust device access controls complement user access controls to ensure that devices cannot access the network without the proper authorization. A zero trust system must monitor the devices attempting to access the network to minimize its attack surface.

Lateral Movement Prevention

Lateral movement is an attacker’s ability to move between different network parts. Detecting attackers within a network is challenging even if the initial entry point is known because they could have moved to any part of the network. 

Zero trust solutions segment the network to restrict lateral movement and contain infiltrators. This approach ensures that quarantining the compromised account or device will eradicate the threat.

The actual components that carry out segmentation could be ZTNA, next-generation firewalls (NGFW) integrated with zero trust policies, or a cloud access security broker (CASB), a type of mini-firewall attached to cloud resources. These tools can segment the network across several dimensions - a few examples are application segmentation, environmental segmentation, process segmentation, and user-based segmentation.

Zero Trust Use Cases and Benefits

Zero trust has been an established standard for years, but it continues to undergo a formalization process to help organizations respond to the evolving threat landscape. The popularity of digital transformation and the growth of sophisticated network threats have pushed many organizations to adopt or refine their zero trust strategies.

Zero trust security benefits all organizations, but it is especially important for organizations using hybrid or multi-cloud deployment models, unmanaged devices, legacy systems, or software as a service (SaaS) applications. In all of these cases, the organization has resources which are outside its direct control, or may not be compatible with the organization’s security policies and practices - zero trust can help establish a secure perimeter around these systems.

Zero trust is also critical for timely detection and response to common threat use cases, such as:

  • Ransomware attacks—a double-edged threat that executes malicious code and compromises identity.
  • Insider threats—a risk that increases with remote access and external users. 
  • Supply chain attacks—a risk posed by remote privileged users and unmanaged endpoint devices.

Implementing zero trust helps organizations compensate for challenges such as SOC (Security Operations Center) or security analyst skills shortages. Zero trust enables setting security policies at scale across hybrid environments, and uses automation to detect and respond to threats. This eliminates manual work and reduces the workload on overstretched security teams. 

It helps minimize the impact of security mechanisms on user experience while enforcing compliance with regulations and industry standards. Another advantage of zero trust is strengthening an organization’s insurance strategy in the face of rapidly evolving threats and insurance policies. 

Each organization has unique challenges given the highly variable business, security, and digitalization conditions. Zero trust is an adjustable strategy that can meet the specific security requirements of diverse organizations.

Zero Trust Reference Architectures

Making the transition to zero trust can be complex. Google and Microsoft are two organizations that have implemented zero trust at mega-scale, and created reference architectures to help others in the industry follow suit.

Google BeyondCorp

BeyondCorp is the Google implementation of zero trust. It builds on Google’s long experience, combining community ideas and best practices. BeyondCorp shifts the access control security layer from a monolithic perimeter to individual network users, allowing remote workers to access the network securely from anywhere without a conventional VPN.

BeyondCorp provides a series of best practices and concepts that can help any organization implement zero trust. It is also a commercial solution you can use to implement zero trust in an organization. The commercial solution is known as BeyondCorp Enterprise (replacing the previous version, BeyondCorp Remote Access). 

A key feature of the new version of BeyondCorp is that it adds zero trust features to Google Chrome. In addition to deploying agents on managed endpoint devices, organizations can extend the BeyondCorp architecture via the browser. Chrome’s updates include threat protection and embedded data features to help prevent accidental or malicious data leaks, malware infection, and other forms of network and device compromise.

BeyondCorp Enterprise also offers a continuous authentication feature that regularly authenticates all interactions between devices, users, and applications. Organizations can create and enforce access control policies to continuously verify authentication data, including user identity, device data, and IP addresses, revoking access immediately in case of a policy violation.

Third-party security providers can leverage the BeyondCorp Alliance program to develop zero trust products for this new platform. For example, Tanium (an endpoint security vendor) offers an integrated platform with BeyondCorp Enterprise, allowing the two products to exchange security information and increase an organization’s visibility into its environment.

Microsoft Zero Trust Model

Microsoft has published details of its internal zero trust implementation. This zero trust implementation solution focuses on enterprise-wide corporate services, such as Microsoft Office and line of business (LOB) applications. 

It works for devices that run on Windows, Android, Mac, or iPhone. The cloud mobile device management service Microsoft Intune manages the devices. 

The Microsoft zero trust model includes four stages:

  1. Identity verification—Microsoft protects networks by requiring two-factor authentication for remote access requests. Historically, the authentication method was a smartcard, but today it uses Azure Authenticator to enable mobile device challenges. Microsoft’s future aims include eliminating passwords in favor of fully biometric authentication.
  2. Device health verification—Microsoft uses Intune to enroll new user devices. A device health policy specifies which devices are healthy or require management (testing and patching for vulnerabilities) before accessing the major productivity applications such as SharePoint, Exchange, and Teams. Microsoft supports unmanaged devices via virtualized Windows applications and desktops for certain use cases.
  3. Access verification—Any access attempt to Microsoft services must be verified based on identity, device health, the overall security context (for example time of day and the user’s location), and other data from Microsoft’s Intelligent Security Graph. The innovative element here is that Microsoft can apply access verification regardless of how the user connected - whether they are accessing the corporate network directly, accessing over VPN, or connecting to resources over the Internet.
  4. Service verification—Microsoft proposes a future mechanism to verify services to ensure they are healthy before enabling users to interact with them. This function is currently in the planning phase.

Zero Trust Considerations for Developers

Zero trust shifts security responsibilities from the network perimeter to the application. The application itself has the ability to validate granular policies and ensure that each user accesses exactly the functionality and data they are allowed to, and no more. 

In a zero trust environment, developers cannot rely solely on simple API tokens for authentication and authorization. They must have a comprehensive understanding of how to secure every step of a requester’s interaction with the application, taking into account the current security context.

Application requirements in a zero trust environment

When developing applications in a zero trust security model, developers need to:

  1. Evaluate the full context of a session to determine overall risk.
  2. Determine critical factors for zero trust verification—the identity of the user, the status of the device making the request, the application function being used, and the data the request is trying to access. 
  3. Ensure that every request, even if it originates from within the network perimeter, undergoes approved security policies to allow, block, or restrict it. 
  4. Apply additional security measures such as multi-factor authentication, functional restrictions and enforcement of compliance controls. 
  5. Ensure that at all stages of the application lifecycle, access is granted only on an allowlist basis—in other words, access is only granted if explicitly allowed.

Steps one through three are typically handled via APIs to dedicated ZTNA tools, such as Perimeter81 or CrowdStrike Zero Trust.

Step four is typically handled by authentication solutions like Auth0 or Okta. In a large organization, these are complemented or replaced by enterprise identity services like Azure Active Directory.

Step five is implemented at the application layer - this is the main contribution of application developers to zero trust.
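The following is an added example, not code from the article or from any of the products it names. It shows what steps one through five look like once they meet application code: a per-request context carrying identity, device health and the function and data being touched, evaluated against an explicit allowlist in which anything not listed is denied, and a "restrict" outcome that demands MFA before the request proceeds. Every name, policy entry and sample request is constructed; the device signals are assumed to arrive from an MDM or ZTNA integration, which is outside this snippet.

```python
"""Deny-by-default authorization of a single request in a zero trust application.
Added example; all names, policies and sample requests are hypothetical."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    STEP_UP = "restrict: require MFA"   # the "restrict" outcome: proceed only after step-up


@dataclass(frozen=True)
class RequestContext:
    """Everything a zero trust check needs, gathered per request rather than per session."""
    user: str
    roles: frozenset
    mfa_verified: bool
    device_managed: bool        # assumed to come from an MDM/ZTNA signal (steps one to three)
    device_compliant: bool      # patched, disk-encrypted, etc.; also an external signal
    network: str                # "corp", "vpn" or "internet"; deliberately never consulted below
    function: str               # application function being invoked
    data_class: str             # classification of the data the request touches


# Hypothetical allowlist: only (function, data_class) pairs present here can ever be granted.
# Each entry states which roles qualify and whether MFA and a managed device are required.
ALLOWLIST = {
    ("view_ticket", "internal"):         {"roles": {"support", "admin"}, "mfa": False, "managed": False},
    ("export_customers", "confidential"): {"roles": {"admin"},            "mfa": True,  "managed": True},
    ("delete_account", "confidential"):   {"roles": {"admin"},            "mfa": True,  "managed": True},
}


def evaluate(ctx: RequestContext) -> Decision:
    """Evaluate the full context of one request.

    Hard denials come first, then the step-up, then allow. The network the
    request arrived from is intentionally ignored: a request from inside the
    perimeter gets exactly the same treatment as one from the internet.
    """
    rule = ALLOWLIST.get((ctx.function, ctx.data_class))
    if rule is None:
        return Decision.BLOCK                  # not explicitly allowed, therefore denied
    if not ctx.roles & rule["roles"]:
        return Decision.BLOCK                  # identity lacks a qualifying role
    if not ctx.device_compliant:
        return Decision.BLOCK                  # unhealthy device is denied regardless of role
    if rule["managed"] and not ctx.device_managed:
        return Decision.BLOCK                  # sensitive function requires a managed device
    if rule["mfa"] and not ctx.mfa_verified:
        return Decision.STEP_UP                # restrict until the MFA challenge is satisfied
    return Decision.ALLOW


def sample_requests() -> dict:
    """Constructed requests that exercise each branch; keys describe the scenario."""
    base = dict(user="alice", roles=frozenset({"admin"}), mfa_verified=True,
                device_managed=True, device_compliant=True, network="corp")
    return {
        "admin exports from corp net with MFA":
            RequestContext(**base, function="export_customers", data_class="confidential"),
        "same admin, no MFA yet":
            RequestContext(**{**base, "mfa_verified": False},
                           function="export_customers", data_class="confidential"),
        "admin on unmanaged laptop":
            RequestContext(**{**base, "device_managed": False},
                           function="export_customers", data_class="confidential"),
        "support role views ticket from internet":
            RequestContext(**{**base, "roles": frozenset({"support"}), "network": "internet"},
                           function="view_ticket", data_class="internal"),
        "function never allowlisted":
            RequestContext(**base, function="bulk_wipe", data_class="internal"),
    }


if __name__ == "__main__":
    for label, ctx in sample_requests().items():
        print(f"{label:45s} -> {evaluate(ctx).value}")
```

The shape worth copying is the order of checks: identity, then device health, then the function-specific requirements, and only then an allow. A request that matches nothing in the allowlist never reaches the role check, which is what "access is only granted if explicitly allowed" means in code.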

Continuously testing for zero trust requirements 

Implementing the above is not enough. It is also necessary to test and verify that the application correctly implements authentication, authorization, and strong encryption of data. This requires:

  • Running static analysis on code at early stages of development to ensure that every user interaction has the appropriate calls to zero trust and authentication/authorization components. 
  • Running dynamic analysis on applications in test, UAT, and production environments and testing that user requests receive the appropriate security measures.
  • Performing fuzz testing and penetration testing to find and eliminate vulnerabilities introduced during the development lifecycle—such as missing authentication or incorrect application of security policies.
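As an added example of the first bullet (it is not from the article), here is a minimal static check that walks a module's AST and reports every HTTP handler that carries a routing decorator but no authorization decorator. The decorator names `app.route`/`app.get`, `require_role` and `public` are hypothetical conventions of an imaginary code base; the point is that an endpoint must make an explicit decision, either an authorization requirement or an explicit public opt-out, and silence is a finding.

```python
"""Static check: every routed handler must carry an explicit authorization decision.
Added example; decorator names and the sample module are constructed."""
import ast

# Hypothetical conventions of the imaginary code base under review.
ROUTE_DECORATORS = {"route", "get", "post", "put", "delete"}
AUTHZ_DECORATORS = {"require_auth", "require_role", "public"}   # "public" is an explicit opt-out


def _decorator_name(node: ast.expr) -> str:
    """Reduce a decorator expression to its bare name: app.route("/x") -> "route"."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def find_unprotected_handlers(source: str) -> list:
    """Return (line, function name) for each routed handler with no authz decorator."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = {_decorator_name(d) for d in node.decorator_list}
        if names & ROUTE_DECORATORS and not names & AUTHZ_DECORATORS:
            findings.append((node.lineno, node.name))    # lineno is the "def" line
    return findings


# Constructed module: one handler is correctly protected, one is explicitly public,
# and one has simply been forgotten.
SAMPLE_SOURCE = '''\
@app.route("/tickets/<id>")
@require_role("support")
def view_ticket(id):
    return db.get(id)

@app.route("/export")
def export_customers():          # no authorization decision: must be flagged
    return csv_dump()

@app.get("/health")
@public                          # explicit opt-out counts as an allowlisted decision
def health():
    return "ok"
'''


if __name__ == "__main__":
    for line, name in find_unprotected_handlers(SAMPLE_SOURCE):
        print(f"line {line}: handler {name} has no authorization decorator")
```

A check like this belongs in the pre-merge pipeline so that the finding appears in review rather than in a penetration test; the same idea extends to verifying that data-access helpers are only called from decorated handlers.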

Managing third party risk

The zero trust framework also requires verifying the security of open source and proprietary components created by third parties. It is important for developers to understand what components are used in their project, what risks and vulnerabilities they present, and how to apply updates and fixes. 

Software composition analysis (SCA) solutions can help provide visibility into the open source components used in a software project, including transitive dependencies which can number in the thousands. For each open source library, these tools can identify security weaknesses, point out code quality issues, and also alert organizations to restrictive open source licenses that can create legal exposure. Learn more in this detailed guide to software composition analysis.

Third-party components are not the only source of risk. Development teams must monitor the entire software supply chain, including the development environment, continuous integration (CI) systems, deployment systems and staging environments, container repositories, and any other element involved in taking code from development stages to the production environment.
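The following added example (not from the article) illustrates the transitive-dependency point from the SCA paragraph: a vulnerable library that no one added on purpose is reachable through more than one direct dependency, and fixing it means knowing every path. The lockfile graph, package names, versions and the advisory are all constructed; a real SCA tool would read the real lockfile and a real advisory database.

```python
"""Walk a dependency graph and report every path to a package with an open advisory.
Added example; the graph, versions and advisory identifier are constructed."""

# Constructed lockfile: package -> (installed version, direct dependencies)
LOCK = {
    "webapp":     ("1.0.0", ["httpclient", "templating"]),
    "httpclient": ("2.3.1", ["urlparse"]),
    "templating": ("4.0.2", ["markup"]),
    "urlparse":   ("1.1.0", []),
    "markup":     ("0.9.5", ["urlparse"]),
}

# Constructed advisory feed: package -> (first fixed version, advisory id placeholder)
ADVISORIES = {
    "urlparse": ("1.2.0", "EXAMPLE-ADVISORY-0001"),
}


def parse_version(text: str) -> tuple:
    """Turn "1.2.0" into (1, 2, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def vulnerable_paths(root: str) -> list:
    """Return (package, version, advisory, path) for every path from root
    to a package whose installed version is below the advisory's fixed version."""
    findings = []

    def walk(pkg: str, path: list) -> None:
        version, deps = LOCK[pkg]
        advisory = ADVISORIES.get(pkg)
        if advisory and parse_version(version) < parse_version(advisory[0]):
            findings.append((pkg, version, advisory[1], path))
        for dep in deps:
            if dep not in path:            # guard against cycles in a malformed lockfile
                walk(dep, path + [dep])

    walk(root, [root])
    return findings


def direct_dependencies_to_update(root: str) -> set:
    """The direct dependencies that pull in a vulnerable package; these are what
    the team can actually change in its own manifest."""
    return {path[1] for _, _, _, path in vulnerable_paths(root) if len(path) > 1}


if __name__ == "__main__":
    for pkg, version, advisory, path in vulnerable_paths("webapp"):
        print(f"{advisory}: {pkg} {version} via {' -> '.join(path)}")
    print("direct dependencies to update:", sorted(direct_dependencies_to_update("webapp")))
```

Note that a single "upgrade urlparse" finding would be misleading here: the package is pinned twice, once two levels down and once three levels down, and the fix has to be carried through both `httpclient` and `templating`.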

Shifting security left

Developers must incorporate security into their designs and codebases from the start. This is the best way to move from implicit trust to explicit authentication, strong identity and access control. This is why the move to DevSecOps (close collaboration between developers, security teams, and operations) strongly supports zero trust adoption.

DevSecOps teams can be instrumental in the implementation of zero trust requirements at all stages of the software delivery lifecycle. Applications built in a zero-trust framework can protect sensitive data and functionality even when perimeter controls fail. For example, even if the firewall, intrusion prevention system (IPS), and data loss prevention (DLP) tools are misconfigured, malfunctioning, or were compromised by attackers, the application will make a best effort to protect its assets.

Remember that the zero trust framework does not eliminate the need to continuously scan for vulnerabilities after each deployment, to ensure the application and backend systems are properly protected and functioning.

Conclusion

Developers today are much more than developers—they are expected to be security experts too. Organizations realize that the person best able to prevent the next security breach is a developer with security smarts, implementing secure coding practices from day one of a software project. This is a big responsibility, but also a big opportunity for developers, who can take a more central role in delivering value to customers.

I’m hopeful this article will help developers develop their security smarts and put on their “zero trust glasses”, seeing code and software architecture through the lens of the zero trust model. This will help them not only develop more secure applications, but also improve their ability to “talk the talk”: communicate effectively and understand goals and strategy in a modern security environment.
