Zero trust design principles
Trust has always been an important factor in human life, and the same holds for IT. A few months back I heard an interesting buzzword from my boss (no, he is really not a buzzword architect): Zero Trust security design. Here are some of my thoughts. My upcoming blog will contain a detailed implementation of these principles for those who believe in "Show me the code" or "Trust in code".
Zero trust is a security concept that requires all users, even those inside the organization's enterprise network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. In short: never trust anyone by default, where "anyone" in the context of a system means identities, devices, applications, data, infrastructure, and the network. During the COVID-19 pandemic crisis, various governments and regulatory authorities mandated that both public and private organizations embrace new practices for working remotely and maintaining social distancing. With the widespread use of BYOD devices, the WFH trend, and internet penetration across every corner of the globe, individuals are progressively inclined towards digital technologies such as cloud solutions. This seems to be the driving factor behind Zero Trust design. The market size seems set to grow by USD 51.6 billion by 2026, spread across the following solution types:
- Network Security
- Data Security
- Endpoint Security
- Security Orchestration Automation and Response
- API Security
- Security Analytics
- Security Policy Management
Is Zero Trust a tool? No, it is more of an enterprise initiative, an approach to making the enterprise more secure, though an Identity and Access Management solution always plays a key role here. In fact, Microsoft has gone one step further and built a high-level Microsoft Zero Trust Maturity Model with actionable items. At a high level, here is my understanding of the approach and a checklist for proceeding with a Zero Trust security design model.
1. Verify identities before granting anyone the right level of access to workplace systems and information: When any identity attempts to access any resource, security controls should verify the identity with strong authentication, ensure the access is compliant and typical for that identity, and confirm that the identity follows least-privilege access principles. In any standard enterprise, bespoke identity control systems are very difficult to manage, hence a central Identity and Access Control system is becoming a key focus. In simple words, every request requires continuous authentication, and the old-school practice of imprecise checks, or of trusting just the front layer/API layer, is a clear no-no.
2. Uplift authentication: Requiring two or more verification factors to gain access to enterprise resources is now a common standard. If you do not have it yet, consider it part of Zero Trust design.
3. Implement passwordless authentication: Over the last decade, password-based authentication has become known as a weak point in computer systems (due to reuse, sharing, cracking, spraying, etc.) and is regarded as a top attack vector responsible for a huge percentage of security breaches. Passwordless authentication is an authentication method that allows a user to provide some other form of evidence, such as a fingerprint, proximity badge, or hardware token code. The fundamental implementation factors can be:
- Ownership factors ("something the user has"), such as a cellular phone, OTP token, smart card, or hardware token.
- Inherence factors ("something the user is"), like fingerprints, retinal scans, face or voice recognition, and other biometric identifiers.
The key benefits are:
- Greater security
- Better user experience – No need to remember complicated passwords or comply with different password policies.
- Reduced IT costs – No password storage and management, and no password-management regulations to comply with.
- Better visibility of credential use – Access management becomes tighter.
- Scalability – Managing multiple logins without additional password fatigue or complicated registration.
4. Segment your corporate network: Since all business-critical data is accessed over the network infrastructure, networking controls provide critical functionality to enhance visibility and help prevent attackers from moving laterally across the network. Segmenting networks, and going deeper with in-network micro-segmentation, is important for Zero Trust.
5. Segment your applications: Like network segmentation, application segmentation (cloud, on-premise, mobile, shadow IT) and ensuring that apps, and the data they contain, are protected is a necessity for Zero Trust design.
6. Uniform security policy across devices: With the Zero Trust model, the same security policies must be applied whether the device is corporately owned or a personally owned phone or tablet, a.k.a. "bring your own device" (BYOD). The plain old MDM solutions are again on the brighter side here.
7. Define roles and access controls: With clear network and application segmentation and passwordless authentication in place, each role a user is tied to needs to be managed and governed. That is where rationalizing and managing roles at the enterprise level, and separating them from the application level, is one of the key needs of Zero Trust design principles.
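As an added illustration (not code from this post, nor from Microsoft's maturity model), the following Python policy check shows how items 1, 6 and 7 above combine into a single per-request decision: the requested application segment sets a minimum authentication strength, managed corporate and BYOD devices face the same posture check, and least privilege is derived from enterprise-level roles rather than per-application exceptions. The role, segment and strength tables are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example tables (hypothetical, not from any real IAM product):
# role -> app segment -> permitted actions, plus the minimum authentication
# strength each segment demands. Roles are defined once at enterprise level.
ROLE_PERMISSIONS = {
    "finance-analyst": {"erp": {"read"}, "reporting": {"read", "write"}},
    "hr-admin": {"hris": {"read", "write"}},
}
SEGMENT_MIN_AUTH = {"erp": "passwordless", "hris": "mfa", "reporting": "mfa"}
AUTH_STRENGTH = {"password": 1, "mfa": 2, "passwordless": 3}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset          # enterprise-level roles bound to the identity
    auth_method: str          # how the current session was authenticated
    device_managed: bool      # enrolled in MDM (corporate or BYOD alike)
    device_compliant: bool    # latest posture check result from MDM
    app: str                  # application segment being accessed
    action: str


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Decide one request from scratch and return (allowed, denial_reasons).

    Nothing is inherited from the network location or from an earlier request;
    calling this on every request is what makes the verification continuous.
    """
    reasons: list[str] = []
    required = SEGMENT_MIN_AUTH.get(req.app)
    if required is None:
        return False, [f"unknown application segment '{req.app}'"]
    # 1. Verify identity: the session's authentication must meet the segment floor.
    if AUTH_STRENGTH.get(req.auth_method, 0) < AUTH_STRENGTH[required]:
        reasons.append(f"auth '{req.auth_method}' is below '{required}' required for {req.app}")
    # 6. Uniform device policy: no exception for personally owned devices.
    if not (req.device_managed and req.device_compliant):
        reasons.append("device is not managed or failed its posture check")
    # 7. Least privilege: some enterprise role must grant this exact action here.
    granted = any(req.action in ROLE_PERMISSIONS.get(r, {}).get(req.app, set())
                  for r in req.roles)
    if not granted:
        reasons.append(f"no role grants '{req.action}' on {req.app}")
    return not reasons, reasons
```

Every denial carries all the reasons it failed on, which is what a central IAM or SIEM needs to show why a request from inside the network was still refused.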
From an implementation aspect, every IAM product is in the rat race of marketing itself into this space. There is nothing wrong with that, but somehow I feel it is diluting the core principles of what an enterprise needs versus what the core offering is.
I borrowed this diagram from Microsoft's 12 steps to implementing Zero Trust identity management principles in Azure as an example of the same (no offense to anyone is intended here).
