For decades, firewalls have protected networks from attack by restricting and inspecting traffic at the network perimeter. With cloud computing and increased demand for remote access to corporate networks, the network boundary has widened. Not only is email hosted in the cloud, but virtual desktops are too. Apps that previously required a few exceptions on a firewall now need to validate licence subscriptions and allow updates. Users must be able to transfer data as needed to online portals and reporting services that require an ever-increasing number of custom ports to be configured on firewalls. Updating firewall configurations used to be a rare event; this is no longer the case. As well as external threats such as malware and malicious links, bad actors such as malicious and careless insiders act on the inside of the network, so that the corporate network can no longer be assumed to be safe.
In March 2019 at the RSA conference, Matt Soseman, a security architect at Microsoft, declared the future to be a Zero Trust environment in which physical firewalls would be obsolete (). The concept was not new, but the announcement was significant because Microsoft have been the champions of the on-premises, in-house, trusted domain-based network for decades.
Network security has evolved over many years to enforce greater security within internal networks. This is seen in PCI-DSS, ISO 27001:2013 and NIST guidance and is widely referred to as defence in depth. As communications are increasingly protected by end-to-end encryption, firewalls have growing difficulty inspecting network traffic. The network boundary is becoming blurred, and a new approach is needed. This is the basis of the Zero Trust concept.
Keywords
Zero-Trust; BeyondCorp; Carta; CASB; Firewall; Reauthentication
1: Introduction
When Matt Soseman, security architect at Microsoft, made the announcement that firewalls were no longer needed (), it might have appeared at first sight that Microsoft were throwing caution to the wind and giving the impression that network security is no longer important.
Following this announcement, in April 2019 Microsoft announced that they were dropping the baseline password expiration policy from Windows 10. The direction of travel might appear rash and imply that Microsoft are pandering to users who resent IT staff for disrupting and hindering business by blocking websites and emails with firewalls, web proxies and email filters, and for frustrating them by enforcing password changes. The user is king, and any slight inconvenience caused by security is maligned as a nuisance and a hindrance to business. Users want security, but they want it to be unobtrusive. The words false positive, quarantined, undeliverable, unavailable and not found are no longer acceptable, yet at the same time, if a spam email gets through, an explanation is demanded as to why it was allowed.
Microsoft's view of why firewalls are no longer useful as a first line of defence, though, is based on the following argument:
What has made the trusted technology obsolete is the variety of devices employees use to access corporate data from far-flung places outside the corporate offices.
Although Microsoft's statements appear rather frivolous, it goes without saying that Microsoft has put considerable thought into how security is evolving. Microsoft see the future in technologies like Windows Hello, authentication using biometrics and facial recognition, and leveraging Azure AD Conditional Access policies with artificial intelligence checking for user and physical abnormalities and restricting access as needed. AI has long been used in card payment systems, where a suspicious transaction triggers a teleworker to investigate. Tomorrow's network authentication systems like Azure AD Conditional Access are already pursuing this approach. Taking this a stage further, have proposed methods whereby firewalls learn rules based on assets and zones.
The world is digital: banking systems are online, and tax and national insurance submissions are now only accepted in digital format. Validating who is connected to a service, from what device and from what location, is essential to reduce fraud.
This chapter attempts to reconcile the concepts from the latest research by Forrester Research and others and discusses the elements of a Zero Trust framework.
2: What is Zero Trust?
The Zero Trust model was initially proposed by John Kindervag of Forrester Research in 2010 (). The proposal is very much an academic work, considering the network, network zones, the need for central network visibility, and the logging necessary to create a data acquisition network (DAN) for reporting.
The concept of Zero Trust starts with the proposition that everything is untrusted () and that all traffic should be monitored, so that a threat triggers an alert and is isolated.
Cloud providers, who are not responsible for clients' internal networks, may advocate that perimeter firewalls and proxy servers are no longer needed. This is based on the premise that all data is secured in the cloud and that firewalls interfere with access. This, though, is naive: a rogue keylogger installed on a remote workstation could capture passwords and other information which could then be used to compromise a cloud service.
The key element of the Zero Trust approach is to treat the internal network as untrusted to the same degree as the internet.
Where some data are held on the internal network, the model proposes that the network be divided into zones based on the assets to be protected by each zone, which implies that traffic between zones should be controlled by firewalls!
Some of the concepts are not new; the age-old practice of least-privilege access, as extolled in ISO 27001, is an example of the microsegmentation that is a principle of Zero Trust.
3: What are the key principles of a Zero Trust network?
The five core concepts of Zero Trust networks are as follows (, p. 1):
- The Network is always assumed to be hostile.
- External and internal threats exist on the network at all times.
- Network locality is not sufficient for deciding trust in a network.
- Every device, user, and network flow is authenticated and authorised.
- Policies must be dynamic and calculated from as many sources of data as possible.
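The principles above, and the Conditional Access style of checking identity, device and context described in the introduction, can be made concrete as a single policy decision routine. The following Python is an added illustration, not code from the chapter or from any vendor product; the `Request`, `Device` and `evaluate` names, the `GEO` lookup table and the sample users and addresses are all hypothetical and constructed. The routine defaults to deny, never consults network locality, and combines identity (MFA), device posture and a simple impossible-travel anomaly check, asking for re-authentication where a hard deny is not warranted:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed table standing in for a GeoIP lookup (hypothetical data).
GEO = {"203.0.113.": "GB", "198.51.100.": "US", "10.0.": "GB"}


def country_for(ip: str) -> str:
    """Country code for an address, or 'XX' when the origin is unknown."""
    for prefix, country in GEO.items():
        if ip.startswith(prefix):
            return country
    return "XX"


@dataclass
class Device:
    device_id: str
    managed: bool    # enrolled in the organisation's device management
    compliant: bool  # encryption, patch level and endpoint agent checks passed

@dataclass
class Request:
    user: str
    mfa_verified: bool
    device: Device
    source_ip: str
    on_corporate_lan: bool  # network locality; deliberately never consulted below
    resource: str
    sensitivity: str        # "low" or "high"
    timestamp: datetime

@dataclass
class LastSeen:
    country: str
    timestamp: datetime

@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)
    step_up: bool = False  # ask for re-authentication rather than a hard deny


def evaluate(req: Request, last_seen: Optional[LastSeen] = None) -> Decision:
    """Default-deny decision built from identity, device and session context."""
    reasons: List[str] = []
    step_up = False

    # Identity: a session without MFA is never trusted, on the LAN or off it.
    if not req.mfa_verified:
        return Decision(False, ["mfa-required"], step_up=True)

    # Device posture: sensitive resources require a managed, compliant device.
    if req.sensitivity == "high" and not (req.device.managed and req.device.compliant):
        reasons.append("device-not-compliant")

    # Session context: a change of country faster than travel allows (under an
    # hour here) is an anomaly that forces re-authentication.
    country = country_for(req.source_ip)
    if last_seen and last_seen.country != country:
        if req.timestamp - last_seen.timestamp < timedelta(hours=1):
            reasons.append("impossible-travel")
            step_up = True

    if reasons:
        return Decision(False, reasons, step_up=step_up)
    return Decision(True, ["policy-satisfied"])


def sample_requests() -> Dict[str, Tuple[Request, Optional[LastSeen]]]:
    """Constructed scenarios for the demonstration; not real users or addresses."""
    now = datetime(2019, 4, 1, 9, 0, tzinfo=timezone.utc)
    laptop = Device("LAPTOP-01", managed=True, compliant=True)
    phone = Device("PHONE-77", managed=False, compliant=False)
    return {
        # On the corporate LAN but without MFA: locality buys nothing.
        "lan-no-mfa": (Request("alice", False, laptop, "10.0.5.9", True,
                               "hr-db", "high", now), None),
        # Remote, MFA, compliant device, consistent location: allowed.
        "remote-ok": (Request("alice", True, laptop, "203.0.113.4", False,
                              "hr-db", "high", now),
                      LastSeen("GB", now - timedelta(days=1))),
        # Unmanaged personal phone asking for sensitive data: denied.
        "byod-high": (Request("bob", True, phone, "203.0.113.9", False,
                              "hr-db", "high", now), None),
        # Same user seen in the US twenty minutes earlier: step-up authentication.
        "travel": (Request("alice", True, laptop, "203.0.113.4", False,
                           "wiki", "low", now),
                   LastSeen("US", now - timedelta(minutes=20))),
    }


if __name__ == "__main__":
    for name, (req, seen) in sample_requests().items():
        d = evaluate(req, seen)
        print(f"{name:12} allow={d.allow} step_up={d.step_up} {d.reasons}")
```

The point of the `on_corporate_lan` field is that it exists and is ignored: the LAN request without MFA is refused exactly as a remote one would be, while the remote request from a compliant device with a consistent location is admitted.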
The other two important elements that John Kindervag includes are:
- MCAP (microcore and perimeter). This is about microsegmentation of networks. Each switching zone attached to an interface is referred to as a microcore switch. A physical interface may support multiple MCAPs. Although Kindervag promotes the concept of network segmentation, it must be remembered that there is no trusted network segment. The rationale is that segmentation allows a network segment to be isolated by software if necessary.
- DAN (data acquisition network). This relates to network visibility of traffic flows. Monitoring network traffic means having access to the traffic on all MCAPs, which needs to be planned as part of the implementation strategy.
These two aims, MCAPs and DANs, are clearly slightly at odds, because providing greater visibility becomes problematic as the network is segregated.
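To show how MCAPs and a DAN fit together, here is an added Python example; it is not from the chapter or from Kindervag's paper, and the zone addresses, the allow list and the `Segmenter` class are hypothetical and constructed. Every flow is checked against an explicit allow list with a default deny (there is no trusted segment, so even workstation-to-workstation traffic inside one MCAP needs a rule), every verdict, permitted or not, is written to one shared collector standing in for the DAN, and a whole MCAP can be isolated by software. That shared collector is where the two aims meet: each MCAP's enforcement point has to feed the same collector for the DAN to keep its visibility after segmentation.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Hypothetical MCAP layout with constructed private ranges.
MCAPS = {
    "user-lan": ipaddress.ip_network("10.10.0.0/16"),
    "app-tier": ipaddress.ip_network("10.20.0.0/24"),
    "db-tier": ipaddress.ip_network("10.30.0.0/24"),
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),
}

# Explicit allow list as (source MCAP, destination MCAP, destination port).
# Anything not listed is denied, including flows inside a single MCAP:
# no segment is trusted merely by virtue of being a segment.
ALLOWED: Set[Tuple[str, str, int]] = {
    ("user-lan", "app-tier", 443),
    ("app-tier", "db-tier", 5432),
    ("mgmt", "app-tier", 22),
    ("mgmt", "db-tier", 22),
}


def zone_of(ip: str) -> str:
    """Map an address to its MCAP, or 'unknown' if it belongs to none."""
    addr = ipaddress.ip_address(ip)
    for name, net in MCAPS.items():
        if addr in net:
            return name
    return "unknown"


class Segmenter:
    """Enforcement point for every flow; each verdict is forwarded to the DAN."""

    def __init__(self, dan: List[dict]):
        self.dan = dan                   # DAN collector: a list standing in for a SIEM feed
        self.isolated: Set[str] = set()  # MCAPs cut off by software

    def isolate(self, zone: str) -> None:
        """Quarantine a whole MCAP without touching cabling or VLAN configuration."""
        self.isolated.add(zone)

    def check(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        if src in self.isolated or dst in self.isolated:
            verdict, why = False, "zone-isolated"
        elif (src, dst, dst_port) in ALLOWED:
            verdict, why = True, "allowed"
        else:
            verdict, why = False, "no-matching-rule"
        # Permitted and denied flows alike are recorded: that is the DAN's
        # visibility, and it only holds if every MCAP feeds the same collector.
        self.dan.append({"src": src_ip, "dst": dst_ip, "port": dst_port,
                         "src_zone": src, "dst_zone": dst,
                         "allow": verdict, "reason": why})
        return verdict


def denied_by_source_zone(dan: List[dict]) -> Dict[str, int]:
    """Simple DAN report: how many flows from each MCAP were blocked."""
    counts: Dict[str, int] = {}
    for rec in dan:
        if not rec["allow"]:
            counts[rec["src_zone"]] = counts.get(rec["src_zone"], 0) + 1
    return counts


def demo() -> Tuple[List[bool], List[dict]]:
    """Constructed sequence of flows, returned so the outcome can be checked."""
    dan: List[dict] = []
    seg = Segmenter(dan)
    results = [
        seg.check("10.10.4.7", "10.20.0.5", 443),   # user -> app over HTTPS: allowed
        seg.check("10.10.4.7", "10.30.0.9", 5432),  # user straight to the database: denied
        seg.check("10.20.0.5", "10.30.0.9", 5432),  # app -> database: allowed
        seg.check("10.10.4.7", "10.10.4.8", 445),   # workstation to workstation: no rule, denied
    ]
    # An alert on the user LAN: isolate the whole MCAP by software.
    seg.isolate("user-lan")
    results.append(seg.check("10.10.4.7", "10.20.0.5", 443))  # previously allowed, now denied
    return results, dan


if __name__ == "__main__":
    verdicts, log = demo()
    print(verdicts)
    print(denied_by_source_zone(log))
```

Running `demo()` shows the trade-off the chapter describes: the denied direct user-to-database flow and the blocked lateral workstation flow are only visible in the report because every enforcement point, not just the perimeter, writes to the same DAN list.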
4: Are there variations on the Zero Trust concept?
The Zero Trust model is also known by other names. This is because Zero Trust is a very general concept; when it comes to implementing Zero Trust, choices must be made and implemented in a consistent way. The strategies of Google's BeyondCorp and Cisco Trusted Access (CTA) are different approaches, based on the strategies chosen by Google and Cisco, respectively.