The best way to explain some zero trust concepts is to first break down a data breach into easily identifiable stages. Before looking at how you can prevent lateral movement and reduce attack surface, consider a typical breach as occurring in four distinct steps:
Of the four stages of breach, stage 1 (attack surface) and stage 3 (lateral movement) are the least understood by IT and security professionals. Traditional network security using firewalls is not designed to tackle these issues. To illustrate this point, consider two analogies that describe and contrast zero trust and firewall-based architectures: a guest visiting a business’s HQ and a phone book listing.
How to prevent lateral threat movement on your network
The first step toward reducing the attack surface is not putting users on the network, but instead connecting them directly to applications. How does one reach an application without being on the network? Consider a simple analogy.
When a guest comes to the company headquarters, a receptionist greets her and checks her ID. If the identity is verified, she’ll receive a badge. Suppose next she is told to go to a specific meeting room. If not escorted, the visitor may wander around and enter any unlocked room instead. Since everything is interconnected, she may also go into adjacent buildings, snoop around, steal data, leave behind dangerous material, and depart unnoticed. Simply checking her ID at the entry point is not a good idea. Prudent companies do not allow unescorted visitors.
Applying this analogy to lateral threat movement, once a user gets on the network (either by being in the office or through a VPN), she can traverse laterally and find a multitude of applications and systems. How does one avoid this? The answer is adopting zero trust architecture (ZTA). To continue with the visitor analogy from above, ZTA would:
- Remove any identifying company logos and scrub its location from any internet and map sites so visitors can’t even find the campus.
- Remove the tunnels connecting the campus buildings so each building is isolated, preventing lateral movement.
- Move the receptionist far away from the building, so outsiders can't determine which building the receptionist manages.
With ZTA, she still stops at the receptionist, has her ID verified, and receives a badge. This time, an escort will take her to a specific room. Before entering the meeting room, her luggage is checked for dangerous material (malware, from a security standpoint). If all is good, she’s escorted directly with no loitering allowed. Once the meeting is over, she is escorted out. Before she exits, however, her suitcase is checked for any stolen goods; in ZTA, this translates to data loss prevention (DLP).
So the first building is like the data center, which hosts the applications. A room is like an application. The buildings represent public clouds like Azure and Amazon Web Services (AWS). ZTA acts as a switchboard that connects the user to a particular application within a specific data center or cloud (or a visitor to a meeting room to extend the analogy).
Preventing lateral movement is a core principle of ZTA that traditional technology, like firewalls, does not address. If a user needs to access a specific file share, that is all they connect to, not the company network. The user can’t move laterally to access SAP or other applications.
How to prevent an attack surface
Another tenet of zero trust is removing the attack surface, as every breach starts by discovering vulnerable users, devices, or applications to attack.
To provide a parallel, using a traditional approach, Amy publishes her phone number in a phone book to make it easy for her friends to call her. Chris, a good friend, can find Amy's phone number, call her, and they can converse. The problem is that a million other people can also find Amy’s number and call her. Scam artists and spammers can take advantage of this public information. By exposing her phone number, good and bad people can call Amy.
This is similar to the way applications on the internet are published. Applications are published so employees can traverse the internet, discover them, use credentials to get in, and connect. This means bad guys can also find them. They may access apps by using stolen credentials or exploiting their vulnerabilities. They can DDoS applications exposed to the internet. Hence, exposing apps has risks. Before zero trust architecture, we tried to mitigate this risk by creating a DMZ (demilitarized zone) with DDoS prevention solutions and firewalls – again, we built a moat around the castle. As attackers became more sophisticated, old solutions no longer worked.
How does one fix this problem?
In Amy’s case, she would not publish her phone number. She'd hire a smart switchboard service and provide a list of people who can connect with her. Chris calls the switchboard, and since he's authorized, the switchboard connects the call without sharing Amy’s whereabouts or phone number. Anyone else who tries to call Amy is simply dropped because she does not authorize them to connect.
Pushing these principles of private and secure connectivity is another pillar of ZTA. The user comes to a switchboard. They never see where and what the applications are. They are validated, and they get dropped if they are allowed access to an application.
Remember: if they can't find you, they can't attack you. That’s why preventing lateral movement and shielding your attack surface from the open internet is critical to securing against modern-day attacks.
What to read next
No more network, no more network security