Zero Trust Networks: Building Secure Systems in Untrusted Networks

by Evan Gilman, Doug Barth

Paperback

$59.99 

Overview

Perimeter defenses guarding your network aren’t as secure as you might think. Hosts behind the firewall have no defenses of their own, so when a host in the "trusted" zone is breached, access to your data center is not far behind. This practical book introduces you to the zero trust model, a method that treats all hosts as if they’re internet-facing, and considers the entire network to be compromised and hostile.

Authors Evan Gilman and Doug Barth show you how zero trust lets you focus on building strong authentication, authorization, and encryption throughout, while providing compartmentalized access and better operational agility. You’ll learn the architecture of a zero trust network, including how to build one using currently available technology.

  • Understand how the zero trust model embeds security within the system’s operation, rather than layering it on top
  • Examine the fundamental concepts at play in a zero trust network, including network agents and trust engines
  • Use existing technology to establish trust among the actors in a network
  • Learn how to migrate from a perimeter-based network to a zero trust network in production
  • Explore case studies of zero trust on the client side (Google) and on the server (PagerDuty)



Product Details

ISBN-13: 9781491962190
Publisher: O'Reilly Media, Incorporated
Publication date: 06/30/2017
Pages: 238
Product dimensions: 6.90(w) x 8.60(h) x 0.50(d)

About the Author

Evan Gilman is an Operations Engineer with a background in computer networks. With roots in academia, and currently working in the public internet, he has been building and operating systems in hostile environments his entire professional career. An open source contributor, speaker, and author, Evan is passionate about designing systems that strike a balance with the networks they run on.

Doug Barth is a software engineer who loves to learn and shares his knowledge with others. He has worked on systems of various sizes at companies like Orbitz and PagerDuty. He has built and spoken about monitoring systems, mesh networks, and failure injection practices.

Table of Contents

Preface

1 Zero Trust Fundamentals

What Is a Zero Trust Network?

Introducing the Zero Trust Control Plane

Evolution of the Perimeter Model

Managing the Global IP Address Space

Birth of Private IP Address Space

Private Networks Connect to Public Networks

Birth of NAT

The Contemporary Perimeter Model

Evolution of the Threat Landscape

Perimeter Shortcomings

Where the Trust Lies

Automation as an Enabler

Perimeter Versus Zero Trust

Applied in the Cloud

Summary

2 Managing Trust

Threat Models

Common Threat Models

Zero Trust's Threat Model

Strong Authentication

Authenticating Trust

What Is a Certificate Authority?

Importance of PKI in Zero Trust

Private Versus Public PKI

Public PKI Strictly Better Than None

Least Privilege

Variable Trust

Control Plane Versus Data Plane

Summary

3 Network Agents

What Is an Agent?

Agent Volatility

What's in an Agent?

How Is an Agent Used?

Not for Authentication

How to Expose an Agent?

No Standard Exists

Rigidity and Fluidity, at the Same Time

Standardization Desirable

In the Meantime?

Summary

4 Making Authorization Decisions

Authorization Architecture

Enforcement

Policy Engine

Policy Storage

What Makes Good Policy?

Who Defines Policy?

Trust Engine

What Entities Are Scored?

Exposing Scores Considered Risky

Data Stores

Summary

5 Trusting Devices

Bootstrapping Trust

Generating and Securing Identity

Identity Security in Static and Dynamic Systems

Authenticating Devices with the Control Plane

X.509

TPMs

Hardware-Based Zero Trust Supplicant?

Inventory Management

Knowing What to Expect

Secure Introduction

Renewing Device Trust

Local Measurement

Remote Measurement

Software Configuration Management

CM-Based Inventory

Secure Source of Truth

Using Device Data for User Authorization

Trust Signals

Time Since Image

Historical Access

Location

Network Communication Patterns

Summary

6 Trusting Users

Identity Authority

Bootstrapping Identity in a Private System

Government-Issued Identification

Nothing Beats Meatspace

Expectations and Stars

Storing Identity

User Directories

Directory Maintenance

When to Authenticate Identity

Authenticating for Trust

Trust as the Authentication Driver

The Use of Multiple Channels

Caching Identity and Trust

How to Authenticate Identity

Something You Know: Passwords

Something You Have: TOTP

Something You Have: Certificates

Something You Have: Security Tokens

Something You Are: Biometrics

Out-of-Band Authentication

Single Sign On

Moving Toward a Local Auth Solution

Authenticating and Authorizing a Group

Shamir's Secret Sharing

Red October

See Something, Say Something

Trust Signals

Summary

7 Trusting Applications

Understanding the Application Pipeline

Trusting Source

Securing the Repository

Authentic Code and the Audit Trail

Code Reviews

Trusting Builds

The Risk

Trusted Input, Trusted Output

Reproducible Builds

Decoupling Release and Artifact Versions

Trusting Distribution

Promoting an Artifact

Distribution Security

Integrity and Authenticity

Trusting a Distribution Network

Humans in the Loop

Trusting an Instance

Upgrade-Only Policy

Authorized Instances

Runtime Security

Secure Coding Practices

Isolation

Active Monitoring

Summary

8 Trusting the Traffic

Encryption Versus Authentication

Authenticity Without Encryption?

Bootstrapping Trust: The First Packet

Fwknop

A Brief Introduction to Network Models

Network Layers, Visually

OSI Network Model

TCP/IP Network Model

Where Should Zero Trust Be in the Network Model?

Client and Server Split

The Protocols

IKE/IPsec

Mutually Authenticated TLS

Filtering

Host Filtering

Bookended Filtering

Intermediary Filtering

Summary

9 Realizing a Zero Trust Network

Choosing Scope

What's Actually Required?

Building a System Diagram

Understanding Your Flows

Controller-Less Architecture

"Cheating" with Configuration Management

Application Authentication and Authorization

Authenticating Load Balancers and Proxies

Relationship-Oriented Policy

Policy Distribution

Defining and Installing Policy

Zero Trust Proxies

Client-Side Versus Server-Side Migrations

Case Studies

Case Study: Google BeyondCorp

The Major Components of BeyondCorp

Leveraging and Extending the GFE

Challenges with Multiplatform Authentication

Migrating to BeyondCorp

Lessons Learned

Conclusion

Case Study: PagerDuty's Cloud Agnostic Network

Configuration Management as an Automation Platform

Dynamically Calculated Local Firewalls

Distributed Traffic Encryption

Decentralized User Management

Rollout

Value of a Provider-Agnostic System

Summary

10 The Adversarial View

Identity Theft

Distributed Denial of Service

Endpoint Enumeration

Untrusted Computing Platform

Social Engineering

Physical Coercion

Invalidation

Control Plane Security

Summary

Index
