Recently, I had the pleasure of speaking at the VMware Anywhere Workspace event, which I wrote about here. This got me thinking about Zero Trust security a bit more. We often get stuck in a maze of inescapable buzzwords, and Zero Trust might be one of the harder ones to escape because of how much emphasis it gets today. We’re going to talk about what Zero Trust is, my interpretation of Zero Trust, and some of the ways you can leverage Zero Trust without breaking the bank.
What is Zero Trust?
So what exactly is Zero Trust? Microsoft actually has a nice little visual that helps you think about Zero Trust to a degree, which they also write about here.
The simplest way to understand Zero Trust is that nothing is inherently trusted. Historically, a corporate device sitting on the internal network and authenticating with Kerberos was treated as safe and trusted by virtue of where it was.
Zero Trust holds that this kind of implicit, location-based trust is not good enough. The idea is that EVERY network and EVERY device is potentially compromised, so access must be validated by multiple, layered checks rather than by a single authentication event.
What are some of the ways that vendors are addressing Zero Trust?
Before getting into my opinions, let’s discuss how some vendors offer Zero Trust solutions. We’ll cover a few vendors and the various solutions they offer to provide a more comprehensive security posture for an enterprise.
Microsoft’s Zero Trust Story
Microsoft, as mentioned above, offers a few building blocks for Zero Trust:
- Azure AD Conditional Access, which I have discussed before, delivers real-time policy evaluation at sign-in: requiring Intune-managed (compliant) devices, requiring MFA, restricting access by location, and more.
- Azure Information Protection is an interesting spin on Zero Trust that applies the idea to the data itself through classification and encryption of content.
- Azure AD Identity Protection is another good area: it monitors and evaluates the risk profile of user accounts so that risky sign-ins can be challenged or blocked.
VMware’s Zero Trust Story
VMware’s Zero Trust story is well-documented at this point by myself and countless others, but simply:
- Workspace ONE Access device compliance combines certificate-based authentication with the device’s UEM compliance status to deliver a seamless Zero Trust evaluation of the device every time it authenticates.
- Workspace ONE Trust Network is a collaborative program in which partner vendors such as Cisco (network access control), Zscaler, and CrowdStrike feed their own signals into Workspace ONE, so that validation can happen at several different layers.
- VMware Unified Access Gateway enables a number of Zero Trust capabilities, such as pre-authenticating Horizon sessions with certificates before SSO and the VMware Tunnel just-in-time policy evaluation recently announced at VMworld.
- Anywhere Workspace also bundles further integrations into a single suite, such as Carbon Black Cloud and SASE.
Mobile Jon’s Interpretation of Zero Trust Security
Depending on whether you’re optimistic or pessimistic, you may consider Zero Trust a marketing ploy by vendors to increase revenue. My main focus in Zero Trust is leveraging capabilities that don’t require you to spend more money.
I have a few main tenets when it comes to Zero Trust:
- The technology must validate the connection with no fewer than two separate methods (i.e., at least two independent services must each act as a source of truth, so that compromising one of them is not enough).
- The validation must be completely seamless, meaning invisible to the user. (This is transparency to the user, not “security through obscurity”, which refers to relying on a secret design and is a weakness rather than a goal.)
- Your Zero Trust architecture MUST meet your actual requirements and not “perceived” ones; in other words, NOT the kitchen-sink approach.
- Your Zero Trust design must tie its signals together and control access on pass/fail criteria, i.e., you must have a way to deny access seamlessly when any validation fails.
- The user experience must remain the same for users who pass.
- Users must be given guidance on what to fix when they are denied access.
Some Additional Thoughts
Overall, my thought process focuses on delivering Zero Trust without punishing people. The idea is to protect your users and your organization. This isn’t how you show people how “smart” you are. Countless situations have surfaced over the last 20 years where basic failures have led to major IT incidents.
You can build and layer in a Zero Trust architecture if you understand how your technology stack functions from client to server. That means understanding the path a user takes to reach a resource: from the client device, to the wireless network, to your SSO platform, and on to the application. Often, implementations like this fail because they are trying to justify a huge InfoSec department or “prove” something rather than solve a real problem.
A Few Examples of Implementing Zero Trust
When it comes to implementing Zero Trust, we have a few potential areas that we can integrate with today.
UEM-Level Zero Trust
As I mentioned earlier, the first area you should focus on is leveraging compliance in your UEM solution to control access. Whether it’s Intune or Workspace ONE, we use compliance in a few different ways.
In Workspace ONE, for example, we use compliance to enterprise-wipe devices, revoke Azure AD tokens, or force a device to sync. You could argue this is actually Zero Trust-adjacent, since it is more about getting a device into a compliant state before it even tries to access company data.
Additionally, we also enforce compliance at the point of access, whether it’s Workspace ONE or Intune. Workspace ONE, as mentioned earlier, will check device compliance when you authenticate (provided you set it up). Intune offers similar capabilities through Azure AD Conditional Access, which can require that a device be compliant before it can access an application.
One last thing to note: when you move to a Zero Trust approach with Workspace ONE, you will need to transition PCs and Macs from Kerberos to certificate-based authentication. The compliance check works by matching an attribute in the certificate (a device identifier) to the device record in UEM, and a Kerberos ticket carries no such device identity. This also presents a great opportunity to modernize your authentication patterns and tear down silos.
Network-Layer Zero Trust
Two areas where I think about network-layer Zero Trust are NAC (Network Access Control) and VMware NSX. With NAC integration, you can ensure that only compliant devices are using your network. One of the nice things about this approach is that you can put non-compliant devices on their own quarantine network until they are healthy again. It’s a great way of incentivizing users to fix their devices. Also, don’t forget that you should be doing certificate-based authentication for your WiFi rather than relying on a shared password.
Zscaler also offers an interesting integration that is adjacent to NAC. When using Zscaler Internet Access, Zscaler Private Access, and the Zscaler app, only compliant users and devices can connect to applications, by leveraging the Trust Network ingest API. It’s particularly powerful because Workspace ONE is notified of threats in real time and can combine that signal with user behavior analytics to remediate issues quickly.
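To make the tenets above concrete (two independent sources of truth, a pass/fail decision, and guidance for denied users), here is an added example that is not code from the original post and not a Workspace ONE, Intune, or Zscaler API. It models the UEM-level check described earlier (a device identifier in the certificate matched to a UEM compliance record) plus an optional third signal from a Trust Network partner threat feed. The certificate subject convention `CN=UDID:<identifier>`, the compliance records, and the threat feed are all constructed for this example.

```python
# Added example, not code from the original post and not a Workspace ONE,
# Intune or Zscaler API. A minimal access decision that requires two
# independent sources of truth (device certificate + UEM compliance record),
# lets a third (a partner threat feed) veto access, and hands back user
# guidance on every denial.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]     # machine-readable reasons, for logging
    user_guidance: str     # what the user is told when denied


# Constructed sample data standing in for the UEM compliance API, keyed by
# device identifier (UDID). All values are made up for this example.
UEM_COMPLIANCE: Dict[str, dict] = {
    "ABC123": {"enrolled": True, "compliant": True, "last_seen_hours": 2, "violation": None},
    "DEF456": {"enrolled": True, "compliant": False, "last_seen_hours": 1, "violation": "Passcode not set"},
    "GHI789": {"enrolled": True, "compliant": True, "last_seen_hours": 72, "violation": None},
    "JKL000": {"enrolled": True, "compliant": True, "last_seen_hours": 1, "violation": None},
}

# Constructed sample data standing in for a Trust Network partner threat feed.
THREAT_FEED: Dict[str, str] = {"ABC123": "none", "JKL000": "high"}

MAX_STALE_HOURS = 24  # fail closed if the compliance record is older than this


def parse_subject(subject: str) -> Dict[str, str]:
    """Parse a simple 'CN=...,OU=...' subject string into a dict (no escaping support)."""
    attrs: Dict[str, str] = {}
    for part in subject.split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs[key.strip().upper()] = value.strip()
    return attrs


def device_id_from_cert(subject: str) -> Optional[str]:
    """First source of truth: the device identifier the PKI put in the certificate.
    Hypothetical convention: CN=UDID:<identifier>. A user cert (CN=jdoe) carries none."""
    cn = parse_subject(subject).get("CN", "")
    prefix = "UDID:"
    if not cn.startswith(prefix) or len(cn) == len(prefix):
        return None
    return cn[len(prefix):]


def evaluate_access(cert_subject: str,
                    uem: Dict[str, dict] = UEM_COMPLIANCE,
                    threats: Dict[str, str] = THREAT_FEED) -> Decision:
    """Pass/fail decision: every check must pass, and every failure tells the user what to do."""
    udid = device_id_from_cert(cert_subject)
    if udid is None:
        return Decision(False, ["no device identifier in certificate"],
                        "Sign-in requires a device certificate. Re-enroll this device or contact the help desk.")

    # Second source of truth: the UEM must know the device and say it is healthy.
    record = uem.get(udid)
    if record is None or not record["enrolled"]:
        return Decision(False, [f"device {udid} not enrolled"],
                        "This device is not enrolled in device management. Enroll it before signing in.")
    if record["last_seen_hours"] > MAX_STALE_HOURS:
        # Stale compliance data is treated as a failure, not a pass (fail closed).
        return Decision(False, [f"device {udid} compliance data is {record['last_seen_hours']}h old"],
                        "Your device has not checked in recently. Open the management app, sync, and try again.")
    if not record["compliant"]:
        return Decision(False, [f"device {udid} non-compliant: {record['violation']}"],
                        f"Your device is out of compliance ({record['violation']}). Fix this and try again.")

    # Third signal, if present: a partner threat feed can veto an otherwise healthy device.
    if threats.get(udid, "none") == "high":
        return Decision(False, [f"device {udid} flagged high risk by threat feed"],
                        "A security alert is open on this device. Contact the security team before signing in.")

    return Decision(True, [f"device {udid} passed certificate, compliance and threat checks"], "")


if __name__ == "__main__":
    for subject in ("CN=UDID:ABC123,OU=Corp Devices", "CN=UDID:DEF456,OU=Corp Devices",
                    "CN=UDID:GHI789,OU=Corp Devices", "CN=UDID:JKL000,OU=Corp Devices",
                    "CN=jdoe,OU=Users"):
        d = evaluate_access(subject)
        print(subject, "->", "ALLOW" if d.allowed else "DENY", d.reasons)
```

The two design choices worth copying are that a stale compliance record is a denial rather than a pass (a device that has not checked in is exactly the device whose state you do not know), and that each denial carries a user-facing message separate from the log reason, so you can tell the user what to fix without leaking the policy details.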
I think that overall there is one true thing. Don’t ever let a vendor or anyone tell you that you can’t do something. The point of being an engineer is understanding what the limitations of your technology stacks are and seeing how far you can push them. In the modern world, REST APIs have enabled us to do things we could have never imagined before. Now, we write integrations, build scripts, and creatively-engineer solutions to solve real problems.
My belief is that you can do almost anything, but sometimes it can be very challenging. Just because something isn’t documented doesn’t mean it can’t be done. It just means it hasn’t been done yet!