acm-header
Sign In

Communications of the ACM

ACM News

Dialing the Trust Level Down to Zero


View as: Print Mobile App Share:
Part of Forrester Research's assessment of the Zero Trust Security Architecture sector.

Forrester Research recently concluded the Zero Trust Security Architecture can reduce an organizations risk exposure by 37%, and security costs by 31%.

Credit: Forrester Research

Twenty-first century cybersecurity has been steadily moving away from the "perimeter" mentality—authenticating users with passwords, then giving them free access to a computer system's resources at their security level. Stolen passwords, especially those with high levels of access, have resulted in catastrophic releases of vast swaths of personal information (like credit card numbers), government secrets (witness WikiLeaks' releases of classified information), and related crimes (including ransomware).

Now the trust bestowed on authenticated users is being rescinded. The perimeter defense architecture is being superseded by the Zero Trust Architecture (ZTA), which authenticates each user action before it is executed. The U.S. government mandated ZTA and other measures in the May 12, 2021 Executive Order on Improving the Nation's Cybersecurity, which reads, in part: "The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS)…and invest in both technology and personnel to match these modernization goals."

The Executive Order also charged the National Institute of Standards and Technology (NIST) with detailing these best practices in a Zero Trust Architecture report.

Said Steve Turner, an analyst at Forrester Research, "Public policy has finally acknowledged that the current model of cybersecurity is broken and outdated, mandating that the model of Zero Trust Architecture become the default method for implementing cybersecurity. With the relentless destructive attacks on computer systems, such as ransomware, there's been a collective realization that Zero Trust should be the de facto standard to secure organizations."

At the same time, the computer hardware itself must be adapted to the ZTA, starting with end-to-end encryption of all data before, after, and ideally even while it is inside the processor. Ubiquitous encryption is just the start. Today, any component—from wireless routers to individual server chips—can offer unauthorized access to intruders. Firmware—from unauthorized swapping of solid state disks (SSDs) in the datacenter, to thumb-drives plugged into user-access devices—are especially vulnerable. Even hardware components without firmware can become dispensers of malware via, for instance, hidden hardware Trojan horses that are impossible to detect by visually inspecting chips. As a result, hardware Roots-of-Trust with certifiable validation followed by chain of custody verification also are being incorporated into the ZTA—starting from the hardware for an initial computer installation, and continuing unabated through firmware and hardware updates, until its eventual retirement.

According to Forrester, online computers have their best chance at true cybersecurity through ZTAs that address the entire range of intrusion methodologies, from multi-level authentication, to out-of-date firmware exploits, to unpatched known software vulnerabilities, to side-channel attacks, to hardware tampering, to outright counterfeiting of chips with added undocumented back-doors.

Azure's ZTA

The Microsoft Azure cloud platform has fully embraced ZTA, starting with Intel's Software Guard Extensions (SGX) built into its newest Xeon processors. According to Microsoft Azure CTO Mark Russinovich, Azure's Intel-based hardware "includes full memory encryption and accelerated cryptographic performance for confidential computing…the most tested, researched, and deployed hardware trusted execution environment in the market."

Azure's ZTA will capitalize on Xeon's on-chip security hardware by extending beyond reliance on network perimeter firewalls and virtual private networks (VPN) toward complete end-to-end encrypted security coverage for every transaction. Each computer access request will follow a "never trust, always verify" model, according to Russinovich, regardless of where and from whom it originates. Each user's identity is continuously authenticated, their location logged, and their access device verified as trustworthy, plus analytics are run constantly to evaluate the workload being requested and the class of data used in order to detect anomalies and automatically notify security personnel before granting access—a process called Just-In-Time authorization.

User credentials will default to the user's lowest level of clearance required for an access request (unlike today's practice of defaulting to its highest clearance level). Called Just-Enough access privileges, the practice minimizes the risk of confidential data exposure.

Just-Enough access privileges, together with database segmentation, mitigate data exposure by hackers moving laterally on the same security level. Data access logging also will reveal what hackers access, with after-the-fact analytics suggesting how to patch each detected vulnerability so it cannot be exploited again.

Root of Trust Hardware

Besides Microsoft, Oracle, Cisco, and many other cloud providers are choosing Intel not just for the security hardware on its newest Xeon processors, but also because it already has in place programs for extending root of trust hardware beyond zero-trust multi-factor authentication to the security of the entire computer system, all its internal hardware components, and in every phase of its lifecycle.

Intel's Transparent Supply Chain includes tools, policies, procedures, and a hardware root of trust implemented on the factory floor of the server manufacturers. Verification of secure authenticity of firmware versions and hardware components is backed up by validity certificates that are securely stored on each device. These certificates are provided to customers with their system's full bill of materials. A traceability report accompanies the system, its components, and firmware versions from the factory to the installation site using verifiable chain-of-custody certificates—ensuring what was shipped from the factory was not tampered with before the customer installs an operating system on the bare metal.

Likewise, during the life of the system, provisioning, daily usage, software updates, and new hardware components also require prior verification—from their manufacturer, through the entire chain of custody, all the way to the datacenter where they are installed. Self-authentication also allows tracing back to a fixed hardware root of trust every time the network is accessed, ensuring the system is in a known secure state, has tamper-free up-to-date firmware installed, and has not had solid-state drives swapped out with unverified replacements.

Finally, Intel's Computer Lifecycle Assurance securely erases memory systems that are being repurposed before being re-provisioned with software for a new function. At the end of the system's life, its memories are again erased before being retired.

Oracle/Cisco

In addition to using Intel's Zero-Trust hardware and least privilege access, Oracle has added built-in tenant isolation, automatic capturing of user credentials, and secure orchestration of access privileges. Offered as an Executive Ordered software as a service (SaaS), Oracle's Zero Trust Access uses policy-based access controls and fine-grained segmentation in cooperation with NetFoundry. Its Edge Routers embed proactive secure management of user connections. The resulting zero-trust environment is based on multi-factor identity authentication, automated detection of malicious behaviors, and automatic alerting of security personnel before access is granted.

Oracle also offers a Zero Data Loss Recovery Appliance (hardware) that continually validates the integrity and recoverability of user data across the full lifecycle of disk backup and cloud and tape archiving. Instead of nightly backups, it sends database changes constantly to local and remote off-sight Zero Data Loss Recovery Appliances, which independently manage backup and archiving.

Cisco also supports its version of ZTA, called Secure Workload, running on its own Intel Xeon-based servers along with Oracle software.

"We have a very large Oracle environment using the entire Oracle E-Business Suite, Database, and Real Application Clusters. It is one of the biggest installations in the world, running on over 1,200 Cisco Unified Computing System blade servers. The combination of Cisco Secure Workload, Cisco Workload Optimization Manager, and Cisco AppDynamics running on Cisco Unified Computing System makes our Oracle environment the best it can possibly be. These tools work better together," said Sidney Morgan, a Distinguished Engineer in Cisco IT.

Cisco cites its dynamic policy enforcement as allowing it to manage zero-trust procedures using segmentation, constant monitors on user behavior, automatic security personnel notification of vulnerabilities, policy recommendations to better secure transactions, anomaly identification, and ongoing remediation.

R. Colin Johnson is a Kyoto Prize Fellow who ​​has worked as a technology journalist ​for two decades.


 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account