On December 6th, we visited Cloud Expo 2023 in Houten EXPO. As usual, we are happy to share the lessons learned. The overarching theme was undeniably Zero Trust. But what is Zero Trust and what role does it play in today’s cyber-security landscape?
Introduction
In our fast-moving digital world, old security methods aren't enough anymore. This is where the Zero Trust paradigm comes in. It's a new way of thinking about safety in cyberspace. It says we shouldn't automatically trust anything, whether it's inside or outside our computer networks.
In this blog article, we explore the significance of Zero Trust in today's threat landscape, assess the current posture of myDRE against it, and identify areas where we can still improve.
Zero Trust principles
Zero trust principles are the cornerstone of modern cyber-security, redefining the traditional approach to network security. In a Zero Trust framework, the fundamental belief is that no entity, whether inside or outside the network, should be automatically trusted. Instead of relying on a perimeter-based security model, Zero Trust advocates for continuous verification of identity, devices, and applications. This approach assumes that threats can come from anywhere, even within the network, and emphasizes the need for strict access controls, least privilege access, and constant monitoring. By adopting Zero Trust principles, organisations aim to enhance their resilience against evolving cyber threats, protect sensitive data, and ensure a more robust and adaptive security posture in today's dynamic digital landscape.
Zero Trust isn’t a product, it is a mindset and strategy.
- No Automatic Trust: Neither entities inside nor outside the network are automatically trusted.
- Continuous Verification: Identity, devices, and applications are continuously verified.
- Threats Can Be Anywhere: Remember that dangers can come from anywhere, even from inside your own network.
- Strict Access Controls: Implementing controls on who can access what.
- Minimum Access: Each user or device has only the minimal level of access needed.
- Constant Monitoring: Always keep an eye out for any signs of danger in the network.
- Resilience Against New Dangers: Be ready to protect against new kinds of cyber threats.
- Protection of Sensitive Data: Make sure important data is protected.
- Robust and Flexible Security: Maintaining a strong and flexible approach to security in the digital environment.
Zero Trust at myDRE
System Aspect: Close To Zero Trust
At anDREa, we're making good progress towards Zero Trust, especially in the systems part. This includes service principals, APIs, and how we move data around. We're pretty close to achieving Zero Trust here. Our systems often work on-behalf-of (OBO) the user, which fits well with Zero Trust ideas.
System Areas Which Are Not Yet Zero Trust
However, there are parts that aren't quite there yet. For example, downloading data from a Workspace. For this functionality, it is necessary to list which files are present in the Workspace storage account, so the user knows which files can be downloaded. To be able to list this, the anDREa system needs permissions on the storage account. While this is necessary for the functionality, it doesn't fully match Zero Trust ideas. Also, our self-service system, which sets up resources in subscriptions, doesn't fully align with Zero Trust yet. While this is efficient, it may not involve the continuous verification of each user’s identity.
Human Aspect: More Work Needed
When it comes to the human aspect of myDRE, we have a bit more work to do in moving towards Zero Trust. Right now, all myDRE users exist in anDREa’s Azure Active Directory (AAD; nowadays known as Microsoft Entra ID). Given the existing roles on Microsoft Azure, the local Research Support possesses slightly more privileges than are deemed optimal. For instance, the permissions needed to create new myDRE users also allow other actions, such as deleting users, resetting passwords and assigning groups to all users. These actions are, however, logged, and require activation of Privileged Identity Management (PIM) roles with a justification. The logs are reviewed monthly by anDREa’s Security Officer, while local Research Support is extensively trained by anDREa’s Customer Support Specialist. That said, we have taken the first steps by automating the user creation flow and making this process follow the OBO flow, so that local Research Support will no longer need the elevated privileges in the anDREa AAD. This moves this aspect closer to least privilege and closer to Zero Trust.
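The monthly log review described above can be partly automated. The script below is an added example, not anDREa's own tooling: it walks a set of constructed, simplified audit events (the field names and activity strings are assumptions for this example and do not match the real Entra ID audit log schema) and flags privileged directory actions for which the actor has no recent PIM activation, an expired one, or one with an empty justification. It also produces the per-actor count a reviewer would want to see at the top of the monthly report.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names and activity strings are assumptions
# for this example and are not the real Entra ID / AAD audit log schema.
SAMPLE_EVENTS = [
    {"time": "2023-12-04T08:55:00", "actor": "rs-alice@example.org",
     "activity": "PIM role activation", "role": "User Administrator",
     "justification": "Onboarding ticket RS-1042"},
    {"time": "2023-12-04T09:02:00", "actor": "rs-alice@example.org",
     "activity": "Add user", "target": "new.user@example.org"},
    {"time": "2023-12-04T09:05:00", "actor": "rs-alice@example.org",
     "activity": "Reset user password", "target": "other.user@example.org"},
    # Same actor, but long after the activation window has passed.
    {"time": "2023-12-04T21:10:00", "actor": "rs-alice@example.org",
     "activity": "Delete user", "target": "old.user@example.org"},
    # Activation recorded, but the justification field was left empty.
    {"time": "2023-12-05T10:00:00", "actor": "rs-bob@example.org",
     "activity": "PIM role activation", "role": "User Administrator",
     "justification": ""},
    {"time": "2023-12-05T10:03:00", "actor": "rs-bob@example.org",
     "activity": "Add member to group", "target": "workspace-42-users"},
    # Privileged action with no activation at all for this actor.
    {"time": "2023-12-05T11:00:00", "actor": "rs-carol@example.org",
     "activity": "Delete user", "target": "someone@example.org"},
]

# Directory actions the page names as more privileged than user creation needs.
PRIVILEGED_ACTIVITIES = {
    "Add user", "Delete user", "Reset user password", "Add member to group",
}
ACTIVATION_ACTIVITY = "PIM role activation"


def parse_time(value):
    """Parse the ISO-8601 timestamps used in the constructed events."""
    return datetime.fromisoformat(value)


def review_privileged_actions(events, activation_window=timedelta(hours=8)):
    """Return (findings, summary).

    findings: privileged actions not covered by a justified PIM activation
              within `activation_window` before the action, in time order.
    summary:  number of privileged actions per actor, for the monthly report.
    """
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    latest_activation = {}  # actor -> (activation time, justification)
    findings = []
    summary = {}

    for event in ordered:
        when = parse_time(event["time"])
        actor = event["actor"]

        if event["activity"] == ACTIVATION_ACTIVITY:
            latest_activation[actor] = (when, event.get("justification", "").strip())
            continue
        if event["activity"] not in PRIVILEGED_ACTIVITIES:
            continue

        summary[actor] = summary.get(actor, 0) + 1
        activation = latest_activation.get(actor)
        if activation is None:
            findings.append({"event": event, "reason": "no PIM activation found for actor"})
            continue

        activated_at, justification = activation
        if when - activated_at > activation_window:
            findings.append({"event": event, "reason": "PIM activation older than window"})
        elif not justification:
            findings.append({"event": event, "reason": "PIM activation has empty justification"})

    return findings, summary


if __name__ == "__main__":
    found, per_actor = review_privileged_actions(SAMPLE_EVENTS)
    for finding in found:
        ev = finding["event"]
        print(f"{ev['time']} {ev['actor']} {ev['activity']} -> {finding['reason']}")
    print("privileged actions per actor:", per_actor)
```

The activation window is a parameter because the real value depends on the maximum activation duration configured for the PIM role; the check only needs the activation to be newer than the action by at most that duration. A finding is a review prompt rather than an incident by itself: an action outside the window may simply reflect a second activation that the export did not include.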
A next step would be to host each customer's subscription in their own AAD, with the core system still in our own systems subscription. This way, only people from a specific customer can access their own resources. We're looking into the possibilities of using Azure Lighthouse to accomplish this. Of course this should not be at the expense of the collaboration possibilities, which are an essential cornerstone of myDRE. There will always be trade-offs to be made. The guiding principles used are documented in the Security Manifesto, and we follow the comply-or-explain rule transparently.
Finally, as mentioned above, privileged actions in our AAD require specific PIM roles. A next step would be PIM roles for all Azure actions to gain even better control and move closer to Zero Trust.
Why Aren't We Fully Zero Trust Yet?
Some reasons why we're not fully Zero Trust yet include technical limits and the need to balance security with usability. For example, the download feature requires the system to list what is in the Workspace, so that permission is necessary for the functionality.
Conclusion
While we've made good progress towards Zero Trust at myDRE, there's still room for improvement, especially in managing human access and permissions. By focusing on these areas, we aim to create a more secure and resilient trusted processing environment for our customer organisations.
We would love to hear your input and ideas regarding Zero Trust. Feel free to reach out to us!