SY0-701 Security+: 1.2 Zero Trust

15 Terms

1

Zero Trust

An approach to network security where nothing is trusted by default, even inside the network. It means that every device, process, and person must be verified before accessing resources.

  • You need to authenticate your identity each time you try to access something, and everything is subject to security checks.

  • Uses tools like multi-factor authentication, encryption, system permissions, firewalls, and continuous monitoring to keep the network secure.

2

Planes of operation

Dividing the network into different functional areas; this applies to physical, virtual, and cloud components.

3

Data plane

Responsible for the actual security processes and for handling data on the network. It processes and forwards frames, packets, and other data, and manages tasks like encryption, NAT, and trunking to move data across the network.

4

Control plane

Manages the data plane's actions by defining policies and rules. It decides how packets should be forwarded and maintains tables like routing, session, and NAT tables to guide the network traffic.

5

Extend The Physical Architecture

To better understand the data plane and control plane, we can look at how they work on a physical device, like a network switch.

  • At the bottom of the switch, there are interfaces that move data across the network. All traffic forwarding happens on the data plane of the device.

  • The switch also requires configurations, such as network address settings or adjustments to how data is trunked. These changes are handled within the control plane.

This separation of the data and control planes isn't limited to physical devices—virtual switches and firewalls also function this way, and the concept applies to cloud-based security controls as well.

6

Adaptive identity

Looking at more than just the user's claim during authentication. We consider additional information, such as the user's relationship to the organization, their physical location, the type of connection, and their IP address.

  • For instance, if someone tries to access data in the United States but their IP address is from China, we may decide to apply extra security measures to verify their identity.

  • Controlling trust

7

Threat Scope Reduction

Limiting the number of ways someone can access the network. This can be done by restricting entry points, such as only allowing access for people physically inside the building or those connecting through a VPN.

  • You eliminate other methods of network access, reducing the potential for unauthorized entry.

  • Controlling trust

8

Policy-driven Access Control

Refers to a broader system where access decisions are made based on predefined rules and policies, taking into account various user attributes and environmental factors to grant or deny access to resources.

  • Controlling trust

9

Security Zones

A way to understand and manage where a person is connecting from; they help verify identity based on location.

  • Rather than looking at security as a simple, one-to-one relationship, we use broad categories to create a security framework.

  • These zones include things like trusted or untrusted networks, internal or external networks, or even different types of VPNs or departments (like Marketing, IT, HR, etc.).

  • Access can be denied just based on the zone a person is in, and rules can be set about which zones are allowed to connect with others.

    • Some zones are automatically trusted. For example, someone in the corporate office (a trusted zone) may be allowed to access data from a database server in the internal zone.

10

Policy Enforcement Point (PEP)

Enforces security policies within a network. It acts as the "gatekeeper," allowing, monitoring, or terminating connections based on the defined rules.

  • Applies to various subjects and systems, including end users, applications, and even non-human entities.

  • Ensures that all network traffic passes through it to determine whether it should be allowed or blocked.

  • Doesn't make the final decision on traffic.

11

Policy Decision Point (PDP)

Responsible for analyzing authentication data to determine if network traffic should be allowed. It follows a defined process to make this authentication decision.

12

Policy Engine

Reviews incoming requests and checks them against predefined security policies. Based on this evaluation, it decides whether to grant, deny, or revoke the request.

  • Part of PDP

13

Policy Administrator

Communicates the decision made by the Policy Decision Point (PDP) to the Policy Enforcement Point (PEP). It generates access tokens or credentials and instructs the PEP to either allow or deny access based on the decision.

  • Part of PDP

14

Zero Trust Across Planes

  • Subjects and systems communicate from an untrusted zone over the data plane, passing through the Policy Enforcement Point (PEP).

  • If policy enforcement is needed, the PEP sends the request to the Policy Administrator.

  • The Policy Administrator works with the Policy Engine to decide whether the traffic should be allowed.

  • Once the decision is made, it's sent back to the Policy Administrator, which relays it to the PEP.

  • If the traffic is allowed, the PEP grants access to the trusted zone, providing the requested resource to the subjects or systems.

15

Basically

  • PEP (Club Bouncer): The bouncer checks who’s allowed in based on the rules. If you don’t meet the criteria, you're kicked out.

  • Policy Administrator (Club Manager): The manager creates the rules about who’s allowed in, what behavior is acceptable, etc.

  • Policy Engine (Supervisor): The supervisor ensures the bouncer is following the rules correctly, verifying whether each person should be allowed in based on the established policies.