The now infamous SolarWinds hack highlights the vulnerabilities of a "supply chain attack" and how ZTA can help to lower the chances of such an incident. The Committee on National Security Systems defines supply chain attacks as "attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle." SolarWinds' widely used software called Orion, which was used by many government agencies and large corporations, was infiltrated by third-party actors. Once inside SolarWinds' system, hackers to insert malicious code into the Orion software, which was then installed, unknowingly, via updates sent out by SolarWinds.
The hackers exploited SolarWinds' systems rather than the networks of SolarWinds customers, hitching a ride on the back of a software service that could introduce malware deeply to thousands of these customers. In a generalized, non-technical description, what I mean by system is a company's software and hardware, whereas a network concerns the connections of the computers to each other and any connections facing the public internet. A common example, as explained by Ted Claypoole, is a castle. The castle is protected by a moat that isolates it from the broader world (i.e. the internet), but once someone is in the castle, if there are not additional security measures, then the intruder has the keys to the kingdom. Sure there are guards walking around inside the castle, but unless something looks particularly suspicious, out of place, or bizarre nothing is questioned.
ZTA is not focused on a single moat protecting against the outside, but instead on a series of checkpoints to ensure the access request is authenticated. Think of an airport where you first check-in with the airline and they make sure your ID matches the name on the printed ticket, then TSA checks your ID again and the gate agent scans your printed ticket. You are already in the airport, but the airport has trust issues which is why you rarely if ever hear about people getting on the wrong flights.
Dialing down, NIST boils down ZTA into seven tenets:
- First, any data sources and computing services are considered resources.
- Second, network location alone is not a sufficient basis to determine whether an access request meets the security requirements. Just because the device is inside the moat does not mean that it deserves to be trusted.
- Third, access to individual resources is limited to a per-session basis. Basically, don’t let users leave the pantry door open because they are going to come back later; the dog always manages to find the treats in the meantime.
- Fourth, a dynamic access policy should consider the user's identity, application or service, and the requested asset. This means helps to create a type of log to note the software version, network location, time and date of the request, and installed credentials among a host of other attributes. An analogy here is how the insurance company makes you repeat your name, date of birth, and last four of your social security number even though you already typed it in and told the last two representatives.
- Fifth, monitor and measure the integrity and security of all devices and applications. Some devices have inherent vulnerabilities or do not need the same access as others. For example, your phone that connects to your employer's network should not be able to access the same company information as your laptop. The phone is a less secure device and may not be managed by the company.
- Sixth, authentication and authorization to resources is dynamic, strictly enforced, and continually reevaluating trust. This tenant may sacrifice efficiency and speed in the name of security. For example, requiring users to authenticate their identity after two hours or when trying to open new documents. Companies may tailor these requirements to divisions or teams to help balance efficiency.
- Seventh, collect, evaluate, improve, and repeat. A company should be collecting as much data about the access requests, network traffic, and security posture in order to evaluate and improve the policies.