Four preconceived ideas about zero trust
Published on 21/12/2021
Author: Nicolas Tondre, Product Marketing Manager
Zero trust is a term that Forrester popularized in 2010, and Gartner cemented its use a few years later. It builds on the concept of de-perimeterization, which dates back to the early 2000s. While the term is essentially a buzzword and has disheartened more than one IT Security Officer, zero trust nevertheless covers a set of useful principles and practices.
Overall, the concept is worthy of attention, particularly considering that the National Institute of Standards and Technology (NIST) ended up imposing it on the United States federal government. It can be considered as a set of rules and practices aimed at improving the security of a company's or organization's information systems (IS). It consists of implementing multiple and complementary security components (MFA, SSO, IAM, VPN, least privilege, network segmentation, SIEM, etc.) to reduce the risk of intrusion and data leakage.
However, it is still enshrouded in a number of persistent misconceptions and hampered by inaccuracies. This article aims to demystify four preconceived ideas about zero trust:
- Zero trust replaces the use of corporate VPNs
- Zero trust only applies to the cloud
- Zero trust frees us from recommended cyber hygiene rules
- Corporate VPNs do not offer any zero trust features
1. Zero trust replaces the use of corporate VPNs
Some vendors of security solutions pit zero trust against VPNs in their marketing presentations. However, zero trust solutions support end-to-end encryption of communications, guaranteed data integrity, and mutual authentication of the user to the server and of the server to the user—the exact same services a VPN provides.
It follows that all zero trust solutions include VPN tunnels, but they do so within an architecture in which the VPN is only one of many security components, with which it integrates natively.
There are also many situations in which zero trust is not the appropriate solution for the network architecture that has been implemented.
For example, when it comes to controlling a nuclear power plant, no solution is more comprehensive and simple than VPN access from a secure workstation that is restricted to a limited number of people.
Likewise, accessing sensitive data or restricted data from critical market operators and government bodies warrants the use of a VPN on a dedicated workstation.
2. Zero trust only applies to the cloud
The preconceived notion that zero trust only applies to the cloud is equally hard to budge.
When accessing cloud services, such as Microsoft 365, Google Workspace, or Salesforce, it is the browser that provides authentication, encryption, and data integrity through TLS tunnels. In this context, the software provider or operator of the cloud service becomes responsible for securing communications. This also means that the software provider or cloud service operator has control over your data, which raises concerns with regard to independence, trust, and sovereignty—but that is another debate. Software vendors and cloud service operators often provide mechanisms to delegate authentication (SSOs), so as to reduce the number of accounts and passwords they need to manage.
However, it is with on-premises networks that zero trust makes the most sense, as it aims to give employees access to no more information than they are entitled to in the local information system, a public cloud, or a private cloud, regardless of whether they access it from a remote location or on premises.
3. Zero trust frees us from recommended cyber hygiene rules
Zero trust is in fact a set of cyber hygiene and common sense rules that everyone should follow to ensure network and data security.
These rules can, for example, be found on the ANSSI's website (in French). Among other things, they include the following:
- Granting users no more privileges than they require, centralizing their identification as well as the management of their rights
- Regularly updating the operating system and software to avoid leaving known security vulnerabilities unpatched
- Implementing a workstation compliance check, e.g. using the mechanisms built into Microsoft Windows Group Policy Objects (GPO)
- Limiting access to the IS only to the workstations that the IT Security Department manages, and blocking any internet connection from these workstations that is established outside a VPN tunnel
- Using robust data encryption protocols, i.e. IPsec and IKEv2
- Using strong authentication based on certificates, where possible with smart cards or security tokens
- Blocking split tunneling to prevent data from leaking outside the IS
- Using software and network devices that have received recognized security certifications
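Two of the rules above (no internet connection outside the tunnel, no split tunneling) can be verified on the endpoint by reading the routing table. The following is an added example, not TheGreenBow code: it assumes a route-based tunnel that shows up as a network interface (tun0) and parses `ip route show` style output; the routing table below is constructed.

```python
"""Check whether a Linux routing table lets traffic bypass the VPN tunnel.

Added example, not TheGreenBow code. It assumes a route-based tunnel that
appears as a network interface (tun0 below) and parses `ip route show`
style output; the routing table used here is constructed.
"""
import ipaddress
import re

# Constructed sample: the default route correctly goes through tun0, but a
# stray route sends 10.50.0.0/16 over the LAN interface, i.e. split tunneling.
SAMPLE_ROUTES = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.12
192.0.2.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
10.50.0.0/16 via 192.168.1.1 dev eth0
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")

def parse_routes(text):
    """Yield one dict per route line: destination, gateway, device, raw line."""
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            yield {**m.groupdict(), "raw": line.strip()}

def split_tunnel_violations(text, tunnel_dev, vpn_gateway):
    """Return routes that do not go through tunnel_dev and are not needed to
    build the tunnel. Only the host route to the VPN gateway and the
    kernel-added directly connected LAN route are tolerated."""
    gateway = ipaddress.ip_address(vpn_gateway)
    violations = []
    for r in parse_routes(text):
        if r["dev"] == tunnel_dev:
            continue
        if r["dst"] == "default":
            violations.append(r)            # internet reachable outside the tunnel
            continue
        dst = r["dst"] if "/" in r["dst"] else r["dst"] + "/32"
        net = ipaddress.ip_network(dst, strict=False)
        if net.num_addresses == 1 and net.network_address == gateway:
            continue                        # route to the VPN gateway itself
        if r["gw"] is None and "scope link" in r["raw"]:
            continue                        # directly connected LAN prefix
        violations.append(r)
    return violations

def full_tunnel_enforced(text, tunnel_dev, vpn_gateway):
    """True when every route except the tolerated ones goes via the tunnel."""
    return not split_tunnel_violations(text, tunnel_dev, vpn_gateway)
```

On a real workstation, feed `subprocess.run(["ip", "route", "show"], capture_output=True, text=True).stdout` to `split_tunnel_violations` as part of the compliance check.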
4. Corporate VPNs do not offer any zero trust features
Vendors of enterprise VPNs did not wait for the concept to become a buzzword before they started integrating features to support the implementation of zero trust concepts.
For instance, administrator logs in TheGreenBow VPN Clients keep track of all security-related events, so that SIEM tools can process them to detect any inconsistencies that may reflect an intrusion attempt.
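As an added illustration of the kind of processing a SIEM can apply to such logs (this is not TheGreenBow's log format or tooling; the line layout and event names are constructed), the rule below flags a burst of authentication failures for one user, and a tunnel that opens from a different source address shortly after those failures.

```python
"""Detect suspicious patterns in VPN client security logs.

Added example, not TheGreenBow's log format or tooling: the event names and
line layout below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<event>[A-Z_]+) "
                    r"user=(?P<user>\S+) src=(?P<src>\S+)")

# Constructed sample log: four failures for alice, then a tunnel from another
# address; bob has one failure and a successful tunnel much later.
SAMPLE_LOG = """\
2021-12-21 08:01:02 AUTH_FAILED user=alice src=203.0.113.7
2021-12-21 08:01:09 AUTH_FAILED user=alice src=203.0.113.7
2021-12-21 08:01:15 AUTH_FAILED user=alice src=203.0.113.7
2021-12-21 08:01:21 AUTH_FAILED user=alice src=203.0.113.7
2021-12-21 08:02:40 TUNNEL_UP user=alice src=198.51.100.9
2021-12-21 08:05:00 AUTH_FAILED user=bob src=192.0.2.44
2021-12-21 08:30:00 TUNNEL_UP user=bob src=192.0.2.44
"""

def parse(text):
    """Yield parsed events with the timestamp converted to datetime."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            yield ev

def find_alerts(text, max_failures=3, window=timedelta(minutes=5)):
    """Return (user, reason) alerts; failures older than `window` are forgotten."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures in window
    last_failure_src = {}                  # user -> source of the latest failure
    for ev in parse(text):
        user, ts = ev["user"], ev["ts"]
        q = recent_failures[user]
        while q and ts - q[0] > window:
            q.popleft()
        if ev["event"] == "AUTH_FAILED":
            q.append(ts)
            last_failure_src[user] = ev["src"]
            if len(q) == max_failures + 1:     # fire once when the threshold is crossed
                alerts.append((user, f"{len(q)} auth failures within {window}"))
        elif ev["event"] == "TUNNEL_UP":
            if q and last_failure_src.get(user) != ev["src"]:
                alerts.append((user, f"tunnel from {ev['src']} after failures from {last_failure_src[user]}"))
            q.clear()                          # successful tunnel resets the counter
    return alerts
```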
Support for USB security tokens and smart cards enables our Windows and Linux VPN Clients to implement multi-factor authentication (physical object + PIN code).
Administrators can easily block split tunneling to prevent data from leaking outside the secure tunnel.
The “GINA mode” allows users to automatically open a secure connection even before they open their Windows session.
The filtering mode in version 6.8 of the Windows Enterprise VPN Client can be configured to block unauthorized ports and protocols, sealing the workstation against intrusions from outside the trusted network.
TheGreenBow VPN Clients implement the IKEv2 protocol and the most robust encryption algorithms recommended by global cybersecurity agencies, such as ANSSI. Version 6.52 for Windows and version 1.5 for Linux both have achieved EAL3+ certification and obtained security visas from the ANSSI.
At TheGreenBow, our credo is to design software that is both robust and easy to use, as the easier a system is to implement, the less vulnerable it becomes.
Download a free trial of our VPN Clients to put all the features described above to the test free of charge for 30 days. Feel free to contact us should you need help with implementing your zero trust concept.