Zero Trust is a new concept to many but one I believe will be of increasing importance over the coming years. With this post, I wanted to introduce newcomers to the concept, talk about why it’s an exciting approach to improving security, and explore how you can leverage File Integrity Monitoring
(FIM) and Security Configuration Management
(SCM) tools like Tripwire Enterprise
(TE) to assist you on your Zero Trust (ZT) journey.
What is Zero Trust?
First off – let’s start with a definition.
ZT takes the approach that just because your devices or users are behind a corporate firewall, you can't let your guard down--even a little. The reality is that every new device or user connection is a potential source of risk, and ZT encourages you to react accordingly. If you treat every interaction on your LAN as if it could be a potential source of, or indeed, the result of a breach, the security mandate to apply verification and tracking becomes just as critical for “trusted” users and devices as it does to your traditional untrusted networks.
Once we start to think of all interactions as being unverified, we end up having to consider moving our security focus towards efforts to establish controls that ensure all requests are authenticated and secured (via encryption for example) before access can be granted to corporate resources, and through the use of security intelligence and analytics, responses must be targeted to provide accurate detection, verify authorization, and provide methods to respond to suspicious behavior in real-time.
So what does that mean in real life, and how can you tool up to support a Zero Trust approach inside your network? Zero Trust can be built on a number of key fundamentals, but perhaps the most important are the three items outlined in Microsoft’s Zero Trust Maturity Model
- Verify explicitly. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
- Use least privileged access. Limit user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
- Assume breach. Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness. Verify all sessions are encrypted end-to-end. Use analytics to get visibility, drive threat detection, and improve defenses.
Whilst it might not be immediately obvious, FIM and SCM can be very useful tools for these objectives.
How File Integrity Monitoring and Security Configuration Management can help
The first two points focus require you to have robust RBAC
that you are continuously verifying. Whilst TE won’t track your user’s every network interaction, it does offer a key check for ZT trust by facilitating Directory server auditing that can monitor changes that occur to both your user and your organization's security groups. Combining this with your Change Management system (Service Now
, Remedy, Unicenter, etc) can help to ensure that only approved requests to change user permissions are implemented. (That principle should apply for changes equally to changes to permissions on your file system.)
“Access Creep” (whereby a user’s permissions grow over time but are never reassessed or reduced when access to a particular resource is no longer needed) is something I’ve seen a lot of over the years and is where the concept of “Just Enough Access” comes in. On the file system in particular, it’s easy for permissions to become excessive, so having a tool like TE that can provide SCM policy-based audits means that you can assess the application of minimal controls consistently across your devices and save time and effort. Such a tool also offers you a way to alert on changes that might result from unnecessary access.
Keeping with the theme of compliance policies, Tripwire Enterprise’s Security Configuration Management combined with the ability to automatically scan any new devices added to the network on registration (a new feature recently added to Tripwire Enterprise Axon Agents earlier this year) means that whenever a new server is provisioned you can get the relevant security configuration assessment faster, granting you insight into whether a new device should be trusted or not and potentially driving your endpoint approval process. With SCM in place, you can also ensure you keep on top of changes over time so you can constantly reassess whether a device may need quarantining or removal from the network entirely.
Finally, Tripwire Enterprise offers tagging, severity and custom properties that you can use to classify change data, giving you a rich dataset to work with so you can understand normal and abnormal behavior. File Integrity Monitoring has always differed from many traditional security models of trust by capturing any change and allowing you to choose how to respond/manage any deviations – a key element to helping enforce a zero-trust network. Combined with our agent’s ability to do real-time monitoring, FIM can be a critical control that helps you to identify and even classify changes, especially when tied into your other security tools that can prevent, report or respond to risks.
Zero trust, in reality, isn’t something you will “achieve” but rather an approach to constantly hardening and increasing awareness of the risks on your network. I’m personally very excited to see more companies look at a Zero Trust model for operations, and I am hopeful that even if you only ever “dip your toes” into applying some of these concepts, you’ll see some real benefits to your organization’s security.