What is Zero Trust?
Despite what some may think, Zero Trust is not just a marketing buzzword that cybersecurity vendors love to trot out in their pitch decks.
Zero Trust is a security framework that requires all users, whether inside or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted, or allowed to keep, access to applications and data. The overarching concept is to “mistrust” every user until they are affirmatively authenticated.
Zero Trust is not a singular solution, but a recipe made up of cross-functional organizational capabilities and organized into the following seven tenets by the National Institute of Standards and Technology (NIST):
1) All data sources and computing services are considered resources;
2) All communication is secured regardless of network location;
3) Access to individual enterprise resources is granted on a per-session basis;
4) Access to resources is determined by dynamic policy;
5) The enterprise monitors and measures the integrity and security posture of all owned and associated assets;
6) All resource authentication and authorization are dynamic and strictly enforced before access is allowed;
7) The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
QWERX technology was designed to address many of the Zero Trust tenets. This blog post will focus on #6: All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
Machines (and Attackers) Are Users Too
Much of the energy around provisioning, tracking, and controlling access to resources is focused on the human user. There is some logic to this approach; after all, humans are responsible for both directly malicious attacks and attacks where malicious actors leverage user negligence for entry. However, the port and point of entry for both the authorized and the unauthorized user is the machine, which makes machine identity authentication mission-critical.
QWERX technology is focused exclusively on one category of users: machines. Machine users include any endpoint or device that connects to a network, whether it is used by a human or not. Servers, computers, phones, IoT devices, applications, cloud instances, microservices, clusters, APIs, and smart algorithms are all examples of machine users.
Each machine user carries a unique machine identity so that the network can recognize it and allow or deny access according to policy. Today, most machines use static digital credentials (keys and certificates) to establish identity and authenticity. These credentials have to be managed, stored and, most importantly, protected, because they last a long time. Static credentials are difficult to secure effectively and are therefore an easy target to steal. Unfortunately, the static credential still carries the trust – even in a zero-trust environment!
Static Credentials Can’t Be Trusted
QWERX solves this problem by removing the vulnerability of static credentials. Our core platform, QWERX Enterprise Secure Perimeter (QESP) is built on a patented and tested authentication protocol that eliminates the use of static digital certificates and private keys.
With this breakthrough secure device authentication technology, temporary keys are generated locally on each connected device at the instant they are needed for authentication. Once authenticated, the temporary keys disappear. These ephemeral keys are never exchanged or stored. They never exist anywhere, or for long enough, to be stolen, and even if they were, they would be useless because their ability to open the handshake lock expires essentially in the same instant the key was created. You can think of it as the Snapchat of secure device authentication.
Automated Continuous Verification of Every Device
QESP uses frequently rotating symmetric keys — which are not stored or exchanged — to enable devices to handshake multiple times a second. Rather than authenticate once and trust forever, the automated continuous verification protocol assumes that every device is an adversary until proven otherwise. Each device is “mistrusted” multiple times per minute and must prove each time that it belongs. Devices that are not enrolled in the network can never gain access, even for a moment. A massive threat surface is immediately reduced because there are no credentials to steal or copy and all of the downstream vulnerabilities, such as lateral attacks using Active Directory, are eliminated.
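To make the ephemeral-key and continuous-verification ideas above concrete, here is an added illustration in Python; it is not QWERX's patented protocol or code. It uses a generic construction (a per-time-window key derived with HMAC from a secret shared at enrollment, then a challenge-response on that key) and assumes an out-of-band enrollment secret and loosely synchronized clocks.

```python
import hmac
import hashlib
import os
from typing import Optional

WINDOW_SECONDS = 1  # lifetime of one ephemeral key; tune to the handshake rate


def window_key(enrollment_secret: bytes, device_id: str, now: float) -> bytes:
    """Derive the ephemeral symmetric key for the time window containing `now`.
    Each side computes this locally from the enrollment secret; the derived
    key is never transmitted and is dropped as soon as the handshake is done."""
    window = int(now // WINDOW_SECONDS)
    msg = f"{device_id}|{window}".encode()
    return hmac.new(enrollment_secret, msg, hashlib.sha256).digest()


def device_respond(enrollment_secret: bytes, device_id: str,
                   challenge: bytes, now: float) -> bytes:
    """Device side: prove possession of the current window key by MACing the
    verifier's fresh challenge. The key lives only inside this call."""
    key = window_key(enrollment_secret, device_id, now)
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verifier_check(enrolled: dict, device_id: str, challenge: bytes,
                   response: bytes, now: float) -> bool:
    """Verifier side: recompute the expected MAC for the *current* window.
    Unenrolled devices have no secret on file and are always rejected; a
    response captured in an earlier window no longer matches (no replay)."""
    secret = enrolled.get(device_id)
    if secret is None:
        return False
    expected = hmac.new(window_key(secret, device_id, now), challenge,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def handshake(enrolled: dict, device_id: str, device_secret: bytes,
              now: float, challenge: Optional[bytes] = None) -> bool:
    """One round of continuous verification: challenge, respond, check.
    Repeat every window to re-establish trust rather than trust forever."""
    challenge = challenge if challenge is not None else os.urandom(16)
    response = device_respond(device_secret, device_id, challenge, now)
    return verifier_check(enrolled, device_id, challenge, response, now)


if __name__ == "__main__":
    # Constructed sample: one enrolled sensor with an enrollment-time secret.
    enrolled = {"sensor-7": b"\x01" * 32}
    print(handshake(enrolled, "sensor-7", b"\x01" * 32, now=1000.0))  # True
    print(handshake(enrolled, "rogue-1", b"\x02" * 32, now=1000.0))   # False
```

Re-running `handshake` on every window is the "mistrusted multiple times per minute" loop; a response sniffed in one window fails verification in the next because the derived key has already changed.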
Contact us today to explore our cloud-native SaaS tools for secure device authentication, continuous verification, and simplified machine identity management. QWERX can help you move the needle toward Zero Trust maturity.