Introduction
The Zero Trust cybersecurity model emphasizes the importance of continuous verification and security controls in modern network environments. A Zero Trust approach is primarily focused on data and service protection, further expanded to include all enterprise assets (devices, infrastructure components, applications, virtual and cloud components) and subjects (end users, applications and other non-human entities that request information from resources).
Zero Trust requires that a subject should never be trusted implicitly, based on location or prior activities, but must be continually evaluated. Zero Trust architecture attempts to secure enterprise resources and data, encompassing identity (person and non-person entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure. NIST guidelines state that the initial focus should be on restricting access to resources and granting only the minimum privileges needed to perform the operation, as opposed to granting authenticated subjects access to a broad collection of resources within the internal network. With this change, unauthorized lateral movement within the environment can be restricted.
In practice, applications have typically been architected with role-based access control (RBAC):
- The subject identity is converted into a set of roles assigned to the subject (or to which the subject belongs);
- If any of the roles in this set "can" perform the operation, the subject is permitted to perform it.
- Some applications provide a fine-grained permission model in addition to, or in place of, RBAC.
Both RBAC and fine-grained access control are tricky to implement and to keep track of. This is mainly because the check of whether an operation should be permitted is (rightly) made close to the action (DB access, CRUD operation on data objects, etc.), where the user's identity and role list are not available, or not available in precise detail.
This is especially true of microservices architectures and other modern applications, where multiple "server" entities running in their own "containers" (local or remote) perform operations on behalf of each other, each running with its own user id / privilege within the local system or container.
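As an added illustration (not part of the original page and not cyberSecurist's code), the Python sketch below implements the RBAC rule described above next to a fine-grained per-object rule, with the subject's identity and role set carried into the data layer so the check can be enforced beside the CRUD action instead of being lost on the way there. The role names, operations and the owner rule are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy (an assumption, not from the page): role -> operations it "can" perform.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "editor": {"create", "read", "update"},
    "admin": {"create", "read", "update", "delete"},
}

@dataclass(frozen=True)
class Principal:
    """Subject identity and its assigned role set, passed down to the data layer on every call."""
    subject: str
    roles: frozenset

def rbac_permits(principal, operation):
    """RBAC rule from the text: permit if any one of the subject's roles can perform the operation."""
    return any(operation in ROLE_PERMISSIONS.get(role, set()) for role in principal.roles)

def owner_permits(principal, operation, owner):
    """Fine-grained rule layered on RBAC (assumed): a document's owner may update or delete it."""
    return owner is not None and principal.subject == owner and operation in {"update", "delete"}

class DocumentStore:
    """Data layer that checks authorization next to the CRUD action instead of trusting the caller."""
    def __init__(self):
        self._docs = {}  # doc_id -> (owner subject, body)

    def _authorize(self, principal, operation, doc_id):
        owner = self._docs[doc_id][0] if doc_id in self._docs else None
        if rbac_permits(principal, operation) or owner_permits(principal, operation, owner):
            return
        raise PermissionError(f"{principal.subject} may not {operation} {doc_id}")

    def create(self, principal, doc_id, body):
        self._authorize(principal, "create", doc_id)
        self._docs[doc_id] = (principal.subject, body)  # owner recorded for the fine-grained rule

    def read(self, principal, doc_id):
        self._authorize(principal, "read", doc_id)
        return self._docs[doc_id][1]

    def update(self, principal, doc_id, body):
        self._authorize(principal, "update", doc_id)
        self._docs[doc_id] = (self._docs[doc_id][0], body)

    def delete(self, principal, doc_id):
        self._authorize(principal, "delete", doc_id)
        del self._docs[doc_id]
```

Because every store method receives the `Principal`, the decision is made with the full identity and role set at hand, which is exactly what the text notes is usually missing at this layer.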
cyberSecurist Expertise
cyberSecurist excels in comprehensive review of the trust and privileges granted to each user, user role, and each application workflow / operation. In a white box or crystal box security review, our team understands the threat model required to check every operation, every API, every combination of application state. Subsequently, the team can simulate real-world attack scenarios in which potentially a large number of operations, users, user roles and system states are forced to exist. This enables the team to find security issues arising from the trust model within the application, which are largely undiscovered by your product teams as well as your present security vendor.
Considering that the trust model, and the threats arising from access to resources and the operations that can be performed on them, are the initial focus of the NIST Zero Trust initiative, it is evident that cyberSecurist is uniquely positioned to perform Zero Trust implementation and verification / security audit. In fact, cyberSecurist has been delivering on this promise for the last 8 years to our customers, including large MNCs. As your product teams and organizations position themselves for Zero Trust requirements, it will be evident that the Zero Trust expertise of cyberSecurist is a boost, whether you are looking to obtain expertise to implement access control and privilege management or need verification and audit for Zero Trust compliance.