Zero Trust and DevOps Strengthening Cybersecurity in Complex Environments

Celebrate Cybersecurity Awareness Month with a Lesson on Zero Trust. 

As technology moves by leaps and bounds forward, cybersecurity challenges multiply. Today, the go-to security strategy is based on the principle of ‘never trust, always verify,’ and is vital to squashing malware, phishing, data exfiltration and other attacks. 

The traditional approach to securing corporate information resources assumed several things:

  • Every endpoint being used to access resources was owned, issued and managed by the enterprise.
  • All users, devices and applications were in fixed and predictable locations, usually on a corporate network behind a firewall.
  • A single method of verification at the point of initial access was sufficient.
  • Corporate-managed systems with the same classification could all inherently trust one another.

These assumptions no longer hold true thanks to mobility, BYOD (bring your own device), cloud and increased collaboration among partners. The consumerization of IT has prompted users both to demand a more customized environment and to insist on using their personal devices without corporate management. Attackers that make it past one verification point (such as a firewall or a user login) can exploit inherent trust and move laterally within a network, application or environment to target sensitive data. An insider that starts within a trusted zone can escalate privileges. We can no longer assume that “internal” entities are trustworthy, that they can be directly managed to reduce security risk or that checking them one time is enough.

Threats are Everywhere 

Cyber criminals are getting better every day at attacking IT infrastructure. Many of these exploits are created by one hacker and then spread to others through the Internet. Many attacks can even be bought for peanuts as a service. Meanwhile, with the dramatic increase in mobile and remote work, the Internet of Things (IoT), not to mention the bevy of new applications, services and equipment, the attack surface is ever widening.

The Evolving Threat Landscape

What is Zero Trust?

Zero Trust security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside the network perimeter. No single specific technology is associated with Zero Trust; it is a holistic approach to network security that incorporates several different principles and technologies.

Foundations of Zero Trust

The DevOps Angle       

While the foundations of Zero Trust are well known – identity, device, environment, application and data – it’s interesting to think about Zero Trust in the context of DevOps principles, including visibility and analytics, automation and orchestration, and governance.

All these aspects need to come together to ensure software delivery velocity. However, additional risk must not be introduced in the pursuit of speed and efficiency. An ideal approach ensures that you optimize what humans and tech each do, using the concept of a human-free zone. Zero Trust forces IT to answer a number of questions: which applications do users access, and which data do they need access to? In short: who are you, where are you, and on what application with what data? But DevOps also needs to do orchestration and automation. With automation, DevOps gains analytics and can strengthen efforts around governance to meet both DevOps and Zero Trust principles. It becomes even more complex when we are doing DevOps, because IT is no longer dealing with just access to the corporate network.


“The first basic principle is to authenticate and verify access to all resources. Each time a user accesses a file share, an application or a cloud storage device, we need to re-authenticate that user's access to the resource in question. You have to assume that every attempt and access to your network is a threat until confirmed otherwise, regardless of location or access or hosting model,” said Rick Brown, Principal Sales Engineer for Progress Chef. “To implement this set of controls, row authentication and access protocols, premise security and network access controls, the least privileged access concept is a security paradigm that limits each user's access to only the access they need to do their job. By limiting each user's access, you prevent an attacker from gaining access to a large amount of data with a single compromised account.”

Rick Brown, Principal Sales Engineer for Chef

DevOps Zero Trust Best Practices 

A key best practice involves access to data. Here, you should discover where your folder permissions expose sensitive data and remediate overly permissive access. Create new groups and assign data owners to manage those groups, and then use these new groups to implement a least privileged access audit. DevOps should review group memberships on a regular schedule and put data owners in charge of who can access their own data. For example, IT shouldn't control access to the finance team's data; the finance team should. Implement Zero Trust principles by requiring inspection and verification of everything. This means logging every network call, file access and email and inspecting them for malicious activity.

Monitoring and logging are arguably the most important capabilities for maintaining a Zero Trust security model. With monitoring and data security analytics in place, you can differentiate between a normal login and a compromised user account. You will know whether a ransomware attack is in progress or a malicious insider is trying to upload files to their cloud drive. This kind of cybersecurity intelligence is difficult to achieve. Most tools in this category require you to code overly complicated rules or generate a significant number of false positives. The right system will use individualized baselines per user account and detect abnormal behaviors based on perimeter telemetry, data access and user account behavior.
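The per-user baseline idea above, as an added example that is not from the original post or from Chef: each account gets its own normal login hours, source subnets and file-access volume, built from constructed sample telemetry, and new events are scored only against that account's own baseline rather than a single global rule.

```ruby
require 'time'
# Constructed sample telemetry, one session per line: "ISO-time user source_ip files_touched".
BASELINE_LOG = <<~LOG
  2023-10-02T09:05:00Z alice 10.1.4.20 12
  2023-10-03T08:50:00Z alice 10.1.4.20 15
  2023-10-04T09:30:00Z alice 10.1.4.21 10
  2023-10-02T13:10:00Z bob 10.1.9.5 40
  2023-10-03T14:00:00Z bob 10.1.9.5 44
  2023-10-04T12:45:00Z bob 10.1.9.7 38
LOG
NEW_EVENTS = <<~LOG
  2023-10-05T09:10:00Z alice 10.1.4.20 14
  2023-10-05T03:20:00Z alice 198.51.100.9 900
  2023-10-05T13:30:00Z bob 10.1.9.5 41
LOG
Event = Struct.new(:time, :user, :ip, :files)

def parse(log)
  log.each_line.map do |l|
    t, u, ip, n = l.split
    Event.new(Time.iso8601(t), u, ip, n.to_i)
  end
end

# Per-user baseline: hours and /24 source prefixes seen for that user, plus mean and sd of files touched.
def build_baselines(events)
  events.group_by(&:user).transform_values do |evs|
    counts = evs.map(&:files)
    mean = counts.sum.to_f / counts.size
    sd = Math.sqrt(counts.sum { |c| (c - mean)**2 } / counts.size)
    { hours: evs.map { |e| e.time.hour }.uniq,
      prefixes: evs.map { |e| e.ip.rpartition('.').first }.uniq, mean: mean, sd: sd }
  end
end

# Each deviation from the user's own baseline is one reason; thresholds differ per account.
def score(event, baselines)
  b = baselines[event.user] or return ['unknown user']
  reasons = []
  reasons << 'off-hours login' unless b[:hours].include?(event.time.hour)
  reasons << 'new source subnet' unless b[:prefixes].include?(event.ip.rpartition('.').first)
  reasons << 'file-access spike' if event.files > b[:mean] + 3 * [b[:sd], 1.0].max
  reasons
end

# Returns [[user, reasons], ...] for new events that deviate from their baseline.
def alerts(baseline_log, new_log)
  baselines = build_baselines(parse(baseline_log))
  parse(new_log).map { |e| [e.user, score(e, baselines)] }.reject { |_, r| r.empty? }
end
```

Bob's 41 files would be a spike for Alice but is normal for him, which is exactly what a global threshold gets wrong.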

These efforts move beyond the triangular DevSecOps approach (development, operations and security) to include a fourth dimension: compliance.

Chef and Zero Trust 

How do we incorporate Zero Trust with Chef? There are three parts to it:

  1. Establishing the Trust: The devices within the network are identified and checked. Then a local agent is installed that reports the status of the device at regular intervals. After installing this local agent, one can establish trust with that device by checking the device context and identity, its health and status, and all the relevant attributes such as its compliance state.
  2. Enforcing Trust-Based Access: Just because a local agent has been installed on the device doesn’t mean that the user of that particular device gets to access everything on the server. Certain limitations are imposed over the network – for example, applications that can only be accessed by connecting to the VPN. Limitations based on the type of work are also imposed on users: they are granted access only to those applications and resources that their job profile requires.
  3. Continuous Trust Verification: The users within the network are continuously re-verified. They are asked to change passwords, and once changed, the users are automatically logged out of their devices and asked to carry out the verification steps again. IT managers can continuously keep an eye on the list of devices, along with their activity and behaviors. A unified dashboard that tracks the current status of nodes in terms of configuration, health and compliance makes it easier to track security and configuration management data across the entire IT resource fleet.
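The three parts above as one access decision, written as an added example that is not Chef's own code or the post's: device trust is derived from agent check-in age, compliance state and verified identity; access is then decided per request from role, device and resource, including the VPN-only and managed-device-only restrictions the post mentions; and a session is re-checked and expires on a timer or on a password change. The device inventory, attribute names and resource table are constructed for the example.

```ruby
require 'time'

# Constructed device inventory in the shape an agent might report (hypothetical
# attribute names, not Chef's real node schema).
DEVICES = {
  'wks-01' => { managed: true, agent_checkin: '2023-10-05T09:00:00Z',
                compliance: 'passed', identity_verified: true, vpn: true },
  'byod-7' => { managed: false, agent_checkin: '2023-10-05T09:30:00Z',
                compliance: 'passed', identity_verified: true, vpn: false },
  'wks-02' => { managed: true, agent_checkin: '2023-10-01T09:00:00Z',
                compliance: 'failed', identity_verified: true, vpn: true }
}
# Resources carry the restrictions the post describes: role-based access,
# VPN-only applications and high-value resources limited to managed devices.
RESOURCES = {
  'wiki'   => { roles: %w[finance eng], vpn_only: false, high_value: false },
  'ledger' => { roles: %w[finance], vpn_only: true, high_value: true },
  'ci'     => { roles: %w[eng], vpn_only: true, high_value: false }
}
CHECKIN_MAX_AGE = 24 * 3600 # seconds; older agent status is treated as stale

# Part 1, establishing trust: the agent must have reported recently, the
# compliance state must be good and the device identity must be verified.
def device_trusted?(dev, now)
  return false unless dev[:agent_checkin] && dev[:identity_verified]
  now - Time.iso8601(dev[:agent_checkin]) <= CHECKIN_MAX_AGE && dev[:compliance] == 'passed'
end

# Part 2, enforcing trust-based access: decided per request from who (role),
# where (device, VPN) and what (resource); an installed agent alone grants
# nothing. Returns [allowed, reason].
def authorize(device_id, role, resource, now)
  dev = DEVICES.fetch(device_id) { return [false, 'unknown device'] }
  res = RESOURCES.fetch(resource) { return [false, 'unknown resource'] }
  return [false, 'device not trusted'] unless device_trusted?(dev, now)
  return [false, 'role not permitted'] unless res[:roles].include?(role)
  return [false, 'managed device required'] if res[:high_value] && !dev[:managed]
  return [false, 'vpn required'] if res[:vpn_only] && !dev[:vpn]
  [true, 'ok']
end

# Part 3, continuous verification: a session is re-checked on every use and
# expires after an interval or when the password changed after it began.
def session_valid?(session, now, interval = 8 * 3600)
  started = Time.iso8601(session[:started])
  return false if now - started > interval
  changed = session[:password_changed_at]
  changed.nil? || Time.iso8601(changed) <= started
end
```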

“The benefits of using these approaches include the prevention of network access and lateral movement using compromised or stolen credentials. It also offers a single pane of glass visibility to the entire fleet. We're talking about workstations here as well as what's in the production systems. It offers monitoring and inspection but doesn't interfere with the user experience for accessing applications,” said Jacob George, Product Manager for Chef.  

Jacob George, Product Manager for Chef

Single sign-on remains critical. “The single sign-on method you go through from your workstation hasn't changed. But we're putting extra checks in the background. Those policies can be deployed to every workstation or to every server for access to specific resources. And we can restrict access to the high value resources on managed devices,” George concluded.

Learn More About Zero Trust and Take a Deep Dive into How Chef Helps

Learn all you need to know from Chef experts in our half-hour webinar, Zero Trust and DevOps: Strengthening Cybersecurity in Complex Environments.


Doug Barney

Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.

Rick Brown

Rick Brown is a Solutions Engineer at Progress Chef.

Jacob George

Jacob was part of the product management group at Progress Chef.