Zero Trust - CompTIA Security+ SY0-701 - 1.2

00:01

In many networks, you'll find that once you're

00:04

through the firewall, the inside of the network

00:06

is relatively open.

00:08

People are able to move from system to system

00:11

without any type of checks or balances.

00:13

There are relatively few security controls in place

00:16

and this not only allows authorized individuals

00:19

to move anywhere they'd like, but also

00:21

allows unauthorized individuals and malicious software

00:24

to do the same.

00:25

But many security administrators are changing their network

00:28

to be zero trust.

00:30

This means that you have to authenticate or prove yourself

00:34

each time you want to gain access

00:36

to a particular resource.

00:37

This applies to every device on the network,

00:39

every process that's running, and every user on the network.

00:43

As the name implies, with zero trust nothing is trusted

00:48

and everything is subject to some type of security checks.

00:52

This means you might be using multi-factor authentication

00:55

during your login process, you may

00:57

be encrypting data that's stored and encrypting data

01:00

as it's traversing the network, there

01:02

may be additional system permissions

01:04

or additional firewalls that you're installing,

01:07

and there are a number of different security policies

01:10

and different controls that may need

01:12

to be added to create this zero trust environment.

01:15

One of the ways that we can start

01:17

examining and implementing zero trust on our networks

01:20

is taking our security devices and breaking them

01:23

into smaller individual components.

01:25

We commonly refer to this as separate functional planes

01:28

of operation.

01:29

So whether it is a physical device, a virtual device,

01:32

or a security process that's running in the cloud,

01:35

we can apply these different control planes

01:38

to every single one of these security controls.

01:41

Broadly speaking, we can look at these

01:43

as having two different planes of operation.

01:46

One of them is the data plane.

01:48

The data plane is the part of the device that is performing

01:51

the actual security process.

01:54

So this might be a switch, router, or firewall

01:57

that's processing frames, packets,

01:59

and network data in real time.

02:01

The data plane on these devices is processing any forwarding,

02:05

network address translation, routing processes,

02:08

or anything else that helps move data from one

02:10

part of the network to another.

02:12

But of course, all of this movement of data

02:15

needs to have some type of management and control,

02:18

and we perform that control in the control plane.

02:21

This is where we manage all of the actions that are occurring

02:24

in the data plane.

02:25

This means we may be configuring policies or rules for a device

02:29

to determine whether data may be traversing the network,

02:32

or maybe we're setting up a forwarding policy,

02:35

or understanding how routing may be configured.

02:37

So any time you're referencing a routing table,

02:40

you're looking at a firewall rule

02:42

or understanding how Network Address Translation should

02:44

be handled are configuring in the control plane.

02:48

One way to get a better understanding of the data

02:50

plane versus the control plane is

02:53

to see how this might be implemented

02:54

on a physical device.

02:56

Here we have a physical switch and we

02:59

want to be able to break out the different planes of operation.

03:02

Down at the bottom of the switch are

03:04

all of the different interfaces that

03:06

are used to move data from one part of the network to another.

03:09

And as we've already seen, all of the traffic

03:11

that we're forwarding all happens on the data plane

03:14

of the device.

03:15

But of course, this device needs to have configurations,

03:18

there needs to be network address settings or changes

03:21

to how data might be trunked, and all of those changes

03:24

would take place in the configuration of the device

03:27

under the control plane.

03:29

Of course, this separation of data plane and control plane

03:32

is not just specific to physical devices.

03:35

You might have a virtual switch or a virtual firewall

03:38

that can also be separated into these two different planes.

03:42

This same separation also applies to cloud-based security

03:45

controls.

03:46

For zero trust, we not only need to implement

03:49

additional security controls, but we

03:51

need to be a lot smarter on how we evaluate those security

03:55

controls.

03:55

For example, we can implement a technology

03:58

called adaptive identity.

04:00

This is where we are examining the identity of an individual

04:04

and applying security controls based

04:06

on not just what the user is telling us,

04:08

but other information that we're gathering

04:10

about this authentication process.

04:12

For example, we might want to look

04:14

at the source of the requested resources.

04:17

Perhaps someone who is requesting

04:19

data that's located in the United States

04:21

is using an IP address that's in China.

04:24

And if that occurs, we may want to perform additional security

04:28

to really confirm that this user is who they say they are.

04:31

This might also include an examination

04:33

of the relationship of this person to the organization.

04:36

So are they an employee?

04:38

Are they a contractor?

04:39

Do they work full-time or part-time?

04:41

And of course, all of this goes into the evaluation

04:44

of this authentication process.

04:46

We also want to look at things like physical location,

04:49

the type of connection that's in place,

04:51

IP addresses, and anything else that can help us identify

04:54

information about this user.

04:56

Once we examine all of these different variables,

04:59

we can have our systems automatically

05:01

create a stronger authentication,

05:03

if it's needed in this particular case.

05:06

Another way to control this trust

05:08

is to limit how many places can be

05:10

used to get into the network.

05:12

So you may want to limit entry points

05:15

to only being people that are inside of the building

05:17

or connecting through a VPN.

05:19

There may be no other methods to gain access

05:22

to this particular network.

05:24

And once you have all of this information in place,

05:26

we can now start creating what's called a policy-driven access

05:30

control that examines all of these individual data points,

05:33

puts them all together, and then decides

05:36

what type of authentication process

05:38

should be used to truly understand

05:41

if the person trying to identify themselves

05:43

is really that person.

05:46

Another good way to qualify the identity of a person

05:49

is to understand where they're connecting from,

05:52

and very broadly, we categorize these as security zones.

05:56

This allows us to expand from something that is simply

05:59

a one-to-one relationship where a user is logging into a server

06:03

and instead looks at the overall path of the conversation.

06:07

These security zones look at where we're connecting from

06:10

and examine where we're trying to connect to.

06:13

So this may be on an untrusted network

06:15

and we're trying to connect to a trusted network,

06:18

or maybe it's an internal network or external network.

06:21

And if you wanted to have even more granularity,

06:24

you could create separate VPN connections

06:26

or separate groups of different departments

06:29

within your organization.

06:30

This allows you to now start setting rules

06:33

on what zone has access to all of the other zones.

06:37

For example, you might want to have a rule that automatically

06:40

denies access if someone is coming from an untrusted zone

06:44

and trying to communicate to a device that's

06:46

in a trusted zone.

06:48

We can also use these zones to create an implicit trust.

06:51

For example, if someone is in our corporate offices,

06:55

they might be in a trusted zone.

06:57

This user in the trusted zone may be accessing data

07:00

on a database server that's in our data center

07:03

and the data center exists in the internal zone.

07:06

This might allow us to create some policies that

07:09

says if anyone's communicating from the trusted zone

07:11

to the internal zone, that portion of the communication

07:15

is implicitly trusted.

07:17

To be able to set these policies and procedures

07:20

along this pathway, we need to have something in place

07:23

that allows us to create an enforcement of these policies.

07:27

This is our Policy Enforcement Point

07:29

and any subjects and systems that

07:31

are communicating through this network

07:33

will be subject to evaluation by the Policy Enforcement Point.

07:38

These subjects and systems commonly are in users,

07:42

they are individual processes running on a system,

07:44

or they may be applications that are in use.

07:47

You can think of this Policy Enforcement Point

07:49

as a gatekeeper.

07:51

All of the traffic traversing the network

07:53

must pass through the Policy Enforcement Point

07:55

so that we can make decisions on whether we would like to allow

07:59

or disallow this traffic.

08:01

And although this Policy Enforcement Point

08:03

is shown as a very broad abstraction in this diagram,

08:07

you can think of this as multiple devices working

08:09

together to be able to provide identification

08:12

of the users and the traffic.

08:14

The Policy Enforcement Point doesn't provide the decision

08:18

on whether traffic should be allowed or disallowed.

08:21

Instead it gathers all of the information about the traffic

08:24

and provides that to a Policy Decision Point.

08:27

This Policy Decision Point is responsible for examining

08:31

the authentication and making a decision on whether that should

08:34

be allowed on the network.

08:36

Your Policy Engine is looking at all of the requests that

08:39

are coming through, it examines the request

08:41

and compares it to a set of predefined security policies,

08:45

and then makes a decision on whether that

08:47

is granted, denied, or revoked.

08:50

The Policy Administrator's job is to take that decision

08:53

and provide that information to the Policy Enforcement Point.

08:56

There may be access tokens or credentials that

08:59

are created as a result of these policy decisions

09:02

and all of those credentials are then

09:04

sent to the Policy Enforcement Point

09:07

using this Policy Administrator.

09:10

Now we can put all of this together

09:12

to create a single zero trust model, which

09:15

starts with our subjects and systems

09:18

communicating from an untrusted zone over the data plane

09:21

and communicating through the Policy Enforcement Point.

09:25

If there is a policy enforcement that needs to take place,

09:28

this enforcement point will provide that

09:30

to the Policy Administrator, which then communicates

09:33

to the Policy Engine to make the decision

09:35

about whether this traffic is allowed.

09:37

That result is then passed down to the Policy Administrator,

09:40

which provides that to the Policy Enforcement Point.

09:43

And if this traffic is allowed, the Policy Enforcement Point

09:46

then provides access to this trusted zone,

09:49

and ultimately, the Enterprise Resource

09:51

requested by the subjects or the systems.