## **Zero Trust Architectureal Model**

### Simplified overview of ZTA
<center><img src="https://github.com/moaldeen/trustzone/blob/main/ZTA.drawio.png?raw=true" alt="sup-learning.png" width="70%"></center>



### Core Zero Trust Logical Components




<center><img src="https://img.netwrix.com/best_practices/image_1715873626.png" alt="sup-learning.png" width="60%"></center>


- **System:** is untrusted by default and is only allowed access to
trusted resources via the Policy Enforcement Point (PEP).

- **Policy Decision Point (PDP):** The PE and PA working in conjunction with one another within the Control Plane.


In the center of the figure are the policy components:
<center><img src="https://github.com/moaldeen/trustzone/blob/main/policies.jpg?raw=true" alt="sup-learning.png" width="50%"></center>



<!-- - **Policy enforcement point (PEP):** This system is responsible for enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource via communicating with the Policy Administrator (PA).

- **Policy Administrator (PA):** The PA executes the Policy Engine’s decision to either approve or deny access by signaling the PEP to create or block a connection.

- **Policy engine (PE):** responsible for the ultimate decision to grant access to a resource for a given subject. The PE uses enterprise policy as well as input from external sources as input to a trust algorithm to grant, deny, or revoke access to the resource. -->

On the left and right sides are the data sources that feed the PE:

- **Continuous Diagnostics and Mitigation (CDM) System:** Collects and updates information on the current state and vulnerabilities of enterprise assets, helping policy engines make informed access decisions.


- **Industry Compliance System:** Ensures the enterprise adheres to regulatory requirements by including necessary policy rules for compliance.

- **Threat Intelligence Feeds:** Supplies the policy engine with data on new attacks, vulnerabilities, blacklists, and malware from various internal and external sources.

- **Data Access Policies:** Defines and generates rules for accessing enterprise resources, tailored to organizational roles and needs.

- **Enterprise Public Key Infrastructure (PKI):** Manages the creation and logging of certificates for enterprise resources, integrating with global and Federal PKI ecosystems.

- **Network and System Activity Logs:** Aggregates logs, network traffic, and resource access actions to provide real-time (or near-real-time) feedback on the security posture of enterprise information systems.

- **Security Information and Event Management (SIEM) System:** Collects and analyzes security-centric information to refine policies and warn of potential attacks on enterprise assets.


- **ID Management System:** Manages and stores user accounts and identity records, integrating with other systems and possibly part of a larger federated community for broader collaboration.


### NIST ZTA Implementations

https://airgap.io/modern-zero-trust-segmentation/  # it has autonomus stuff


- **Enhanced identity governance:** Identity governance is the process of managing the identity lifecycle from the time you first grant a user or entity access to any resource until you terminate that access. Enhanced identity governance includes restricting network access according to the principle of least privilege and requiring multi-factor authentication (MFA).


- **Micro-segmentation:** is the process of protecting resources, either in groups or individually, by placing them on a unique network segment using a switch, firewall, or another gateway device. Although this approach incorporates identity governance, it also relies on network devices to prevent unauthorized access. When using micro-segmentation to protect data, organizations need to ensure that the devices can respond to threats or changes in workflow.

- **Network infrastructure and software-defined perimeters (SDP):** An SDP approach often uses technologies like Software-Defined Networks and Intent-based networking. Under this approach, the organization deploys a gateway at the application layer that establishes a secure channel between the user and resource without expose network access.

## Real World ZTA Solutions


**The Netskope One Platform**:

https://www.netskope.com/products/cloud-exchange

<center><img src="https://www.netskope.com/wp-content/uploads/2022/12/netskope-one-marketecture-630x430-1.svg" alt="sup-learning.png" width="50%"></center>





**Microsoft’s internal Zero Trust architecture**:

https://www.microsoft.com/insidetrack/blog/implementing-a-zero-trust-security-model-at-microsoft/

<center><img src="https://www.microsoft.com/insidetrack/blog/uploads/prod/2023/01/8743-img-002.png" alt="sup-learning.png" width="50%"></center>



## Zero Trust Deployment Models

### Device Agent/Gateway-Based Deployment
https://www.securitymagazine.com/articles/96025-zero-trust-architecture-zta-modern-work-anywhere-architecture-without-vpn

<center><img src="https://www.securitymagazine.com/ext/resources/images/Capco3.png" alt="sup-learning.png" width="50%"></center>

This model entails device agent and gateway-based Policy Enforcement Point (PEP). To implement this model, integration is required with two major components: the user endpoint and the application the user is trying to access. This model is not much different from the API Gateway-based model; however, the key point of decision-making lies with the Policy Engine. The Policy Engine is a separate component that collects heuristics and access rules from diverse systems.

### Resource Enclave-Based Deployment

<center><img src="https://www.securitymagazine.com/ext/resources/images/Capco2.png" width="50%"></center>

This model is similar to the Device Agent/Gateway-Based Deployment; however, the Policy Enforcement Point (PEP) is in front of a cluster or “enclave” of resources rather than a single resource.

### Resource-Based Deployment Model

<center><img src="https://www.securitymagazine.com/ext/resources/images/Capco3.png" alt="sup-learning.png" width="50%"></center>

Like the other two models, a gateway is placed in front of the resources to control user access. The key difference is that the Policy Enforcement Point (PEP) is not integrated with the user endpoint nor the application the user is trying to access, which reduces control based on contextual information.

## Trust Algorithem

The trust algorithm is the process used by the policy engine to grant or deny access to resources based on risk. The policy engine takes input from multiple sources (and policy database ) to compute a trust score and make authorization decisions. The policy database contains:
- Observable Information About Subjects.
- Subject Attributes and Roles.
- Historical Subject Behavior Patterns.
- Threat Intelligence Sources.
- Other Metadata Sources.

https://blog.gigamon.com/2023/07/25/zero-trust-architecture-data-normalization-is-key/



<center><img src="https://blog.gigamon.com/wp-content/uploads/2023/07/zero-trust-architecture-data-normalization-blog-diagram-071123-2.png" alt="sup-learning.png" width="50%"></center>


- **Access Request:** The actual request from the subject.

- **Subject Database:** This database contains known subjects.

- **Asset Database:** This database contains known assets, both enterprise-owned and BYOD.

- **Resource Policy Requirements:** Requirements for allowing access to trusted resources, set forth by the organization.

- **Access Request:** Information feeds about cyber threats, malware, and vulnerabilities.

## Zero Trust Authorization

- **Role Based:** Uses roles in managing user permissions based on group.
- **Attribute Based:** Access is based on several attributes and information from multiple data

Role-based access control (RBAC) alone is not enough to enable Zero Trust Continuous Authentication. In addition, Attribute-Based Access Control (ABAC), Policy-Based Access Control (PBAC), and *BAC (Anything-based Access Control) are needed.

https://www.strongdm.com/rbac

<center><img src="https://github.com/moaldeen/trustzone/blob/main/attributebased.png?raw=true" alt="sup-learning.png" width="50%"></center>


## An Example of a Breach Response in ZTA

In the event that a breach does occur—for example, when an attacker obtains an employee's credentials and tries to access sensitive data, the Zero Trust Architecture helps contain and respond to the threat.

Here’s how it works:

- **Alert and Investigation:**

  - The continuous monitoring system detects unusual activity, such as the attacker trying to access a restricted resource or logging in from an unexpected location.

  - An alert is triggered, and the security team investigates. They can trace the activity back to a specific user or device.

- **Containment and Isolation:**
  - The security team uses network segmentation to contain the breach, isolating the compromised segment or user.
  
  - They might cut off the attacker's access by disabling the compromised user's credentials and locking down the affected segment.

- **Root Cause Analysis and Remediation:**

  - After containing the breach, the security team conducts a root cause analysis to determine how it happened and what steps to take to prevent future
  incidents.

  - They might implement additional security measures, like stronger MFA,
  enhanced monitoring, or stricter access controls.

  
This scenario illustrates how Zero Trust Architecture provides comprehensive security by verifying all access, imposing appropriate restrictions, and continuously monitoring for threats. By implementing these principles, organizations can better protect their data and systems from internal and external threats.

## Securing Zero Trust Architectural Pillars

<center><img src="https://github.com/moaldeen/trustzone/blob/main/zero%20trust%20pillars.jpg?raw=true" alt="sup-learning.png" width="60%"></center>


### Key Functions of the **Users** Pillar:

- **Multi-Factor Authentication (MFA):** users are authenticated through multiple verification methods.

- **Privileged Access Management (PAM):** Limit access to sensitive resources and ensure that privileged accounts are closely monitored and controlled.

- **Identity and Access Management (IAM):** This identity is used to authenticate users and determine their access rights, ensuring that only authorized individuals can access specific resources.

- **Least Privileged Access:**  users have access only to the resources they need to fulfill their job functions. Also, provide just-in-time (JIT) access, allowing users to gain temporary elevated privileges when necessary for specific tasks

### Key Functions of the **Devices** Pillar:

- **IT Asset Management Software (ITAM):** manage and track IT assets, including devices, throughout their lifecycle. It helps in maintaining an accurate device inventory and ensuring compliance with security policies


- **Endpoint Detection and Response (EDR)**: constantly monitor endpoint devices for suspicious activities, unusual behavior, and potential security threats.

- **Mobile Device Management (MDM)**: Used to secure and enforce policies on smartphones and tablets. (to be changed)


### Key Functions of the **Network & Environment** Pillar:

- **Micro-Segmentation:** This involves dividing the network into smaller, isolated segments to limit lateral movement by attackers. This can be achieved using Software Defined Networking (SDN) solutions, which allow for dynamic and granular network segmentation

- **Access Control:** Implementing role-based and attribute-based access controls ensures that users and devices have access only to the resources necessary for their roles.

- **Encryption and Authentication:**  Ensuring that all data in transit is encrypted and using strong authentication mechanisms, such as multifactor authentication, helps protect against unauthorized access and data breaches



### Key Functions of the **Applications & Workloads** Pillar:

- **Identity and Policy-Based Access:** only authorized users can connect to authorized applications, eliminating lateral movement potential. This is achieved through app-specific authorization and outbound-only connections, which make applications invisible to unauthorized users.

- **Security in Development Processes:** integrating security into software development and deployment practices. This includes using tools like GitHub Advanced Security and Microsoft Entra ID for secure access management and code remediation as part of the CI/CD and DevSecOps processes.

- **Continuous Monitoring and Threat Protection:** Continuous application security monitoring and re-authorizing access to applications and services.

- **Application Segmentation:** Segmentation of applications and services, including VMs and containers. (to be changed)

### Key Functions of the **Data** Pillar:
https://www.vastdata.com/blog/deploying-a-data-pillar-within-the-zero-trust-architecture-framework
- **Data Categorization:** Classifying and labeling data to determine its sensitivity and the security controls needed is the first step. This foundational function is crucial for applying Zero Trust principles effectively.

- **Data Protection:** Implementing encryption and access controls to protect data at rest and in transit is vital. This function ensures that sensitive information is shielded from unauthorized access and potential exfiltration.

- **Data Encryption:** Encrypting sensitive data in transit and at rest with FIPS-validated algorithms protects it from unauthorized interception or access.

- **Data Access Management:** Controlling and monitoring data access is imperative. By implementing least privilege access controls, only necessary data is accessible to users and systems based on their roles.




### Key Functions of the **Visibility & Analytics** Pillar:

- **Continuous Monitoring:** observing data characteristics and events to ensure that only authorized users and devices access sensitive resources.

- **Centralized Logging and Analysis:** Capturing relevant activity logs from network devices, user devices, applications, authentication services, and data access points is crucial. These logs should be gathered into a central repository, such as a **Security Information and Event Management (SIEM)** system, for analysis to detect suspicious or malicious activities

### Key Functions of the **Automation & Orchestration** Pillar:

- **Integration with AI and Machine Learning:** The use of AI and machine learning enhances the pillar's capabilities by automating analysis and providing actionable insights. These technologies help in detecting patterns and anomalies in large datasets, which are crucial for threat detection and response.

- **Security Orchestration, Automation, and Response (SOAR):** automating repetitive tasks and orchestrating workflows, organizations can enhance the speed and accuracy of their security operations, and to streamline threat detection and response processes.



- **Policy Decision and Enforcement:** Automation involves using software to control repetitive tasks, while orchestration coordinates IT processes to ensure efficient management. This is achieved through policy decision points (PDPs) and policy enforcement points (PEPs), which dynamically enforce security policies across the enterprise.



- **integration of Security Operations Centers (SOC) and Incident Response (IR).:** This integration helps manage the influx of data and alerts, reducing response times and improving security outcomes.

### Foundational components:

## The key challenges in implementing a Zero Trust model


https://www.netwrix.com/7-pillars-of-zero-trust.html
- **Migrating from legacy systems:** Most organizations cannot implement Zero Trust from the ground up; instead, they must gradually replace existing systems and processes with Zero Trust alternatives. Throughout the migration period, they need to maintain strong security by ensuring that old and new components work together smoothly.

- **Building robust data sources**: Another implementation challenge lies in collecting sufficient data to feed to the PE to enable reliable authentication decisions. This requires detailed knowledge of enterprise assets, subjects and business processes.  

- **Securing policy components**: To prevent disruption to authentication processes and therefore business operations, organizations need to protect the PE, PA and PEP. They should be placed in a secure environment or replicated to several environments. In addition, they should be carefully monitored, with any configuration changes logged and audited.

- **Fostering user acceptance**: Since Zero Trust requires minimizing permissions and requesting reauthentication for riskier access requests, users may experience frustration at the changes. To reduce security fatigue, be careful not to remove access rights that users actually need and require MFA only when it is warranted. More broadly, fostering a Zero Trust mindset by explaining the security benefits. It is also worth clearing up the misconception that "Zero Trust" means a lack of trust in employees as people; explain that it simply refers to not automatically trusting any device, system, user or other entity.

- **Managing the right level of permissions**: Minimizing permissions is not equal to zero permissions, users will still have a set of permissions once they are authenticated but should not get all the permissions that are available. A Microsoft report from 2023 highlights a risky gap between permissions granted and permissions used in the cloud, as identities use just 1% of the permissions granted to them. To handle that, make sure that a user's role(s) and the granted permissions for that role are well-managed and reduced to the minimum possible. In addition, having a process in place that allows for either just-in-time exceptions or an audited self-service way of assigning the needed right will make operations of zero trust easier.