Zero Trust is a security model that shifts away from the traditional perimeter-based approach of implicitly trusting everything inside an organization's network while regarding everything outside that perimeter as untrusted. Instead, Zero Trust operates on the principle of "never trust, always verify." Zero Trust addresses a key limitation of the perimeter-centric approach: ensuring that once access is approved, individuals can only perform actions within the scope of their associated role. In a Zero Trust architecture, no user, device, or application is inherently trusted—no matter where they are located. Strict identity verification and access controls are required for every access attempt.
Much of the Zero Trust focus in the enterprise has been on regular users, leaving privileged users, who have the power to cause catastrophic loss, unprotected. It is no coincidence that the spate of high-profile breaches that have hit the news recently started with the compromise of a privileged administrator.
Zero Trust in Action: Vegas
I’ll use real-world examples from a place that applies Zero Trust principles: a Las Vegas casino. I was at AWS Re:Invent a few weeks ago, so the examples are fresh and relevant.
Identity
One of the foundational elements of Zero Trust is identity. Zero Trust is an identity-centric approach versus a perimeter-centric one. In the case of the casino examples, identity was derived in numerous ways. The room key in my pocket is an identity. So is the MGM app I downloaded which required verifying my identity via Clear, and obviously, all the CCTV footage from every inch of the casino is used to recognize who I am.
Access to various facilities and areas of the casino is limited by my identity. For example, access to the elevator is limited to hotel guests: you need a key to activate the elevator. Additionally, my room key allows me to access my room but not other guests’ rooms.
On the other hand, the hotel employees, who also use similar card keys, can have far more pervasive access than I can as a guest. Access is gated by the user’s identity (room key) and the access policies that the casino has granted them. These policies could be very fine-grained and limited to a single room, or coarser, and gated to an entire floor, in the case of a housekeeping employee.
Not all access is equal
Have you ever wandered into an area designated for high-rollers in a Vegas casino? If you have, you’d have noticed a few things about these areas. First, they are set aside from the main casino floor, and second, they are usually accessed only once you speak to a casino employee. This seclusion and gated access - via the employee - is meant to admit the very few who can afford to play thousands of dollars per Blackjack hand.
Compare that with the rest of the Blackjack tables around the casino floor. Anyone can sit at them. Access to the casino floor is open to all, yet access to the high-rollers area is selective. Access isn’t equal.
I continued my casino exploration and approached an area designated for high-rollers. Before entering the area, I was approached by a casino employee who asked me some questions to understand why I wanted access to this area. The challenge questions are all meant to validate whether I fit the profile of a high-roller (I absolutely do not). Now consider this same interaction if Elon Musk walked into that same area. The reaction would be very different.
These examples, although all quite simple, highlight the building blocks of Zero Trust.
Continuous Visibility and Monitoring
Zero Trust requires continuous visibility and monitoring, which Vegas casinos excel at. Every square inch of the casino is covered by CCTV cameras with continuous, live footage. Additionally, casinos rely on pit managers and their employees, who continuously observe all interactions within a specific area, for example, a set of tables.
Distributed Enforcement
Another important Zero Trust principle is that of distributed enforcement. The pit managers and various casino employees who manage different areas of the casino can apply enforcement policies within their own perimeters.
Consider the example I gave about me approaching the high-roller section. The person who approached me was enforcing a policy: check if Karim is high-roller-worthy. Similarly, the pit manager who would have escorted me out of the casino had I grabbed the dealer's chips was applying a different policy. Each policy is applied to a different area of the casino, and each is enforced within that area.
Importance of Context in Access
Context is yet another very important element of Zero Trust. My walking into the high-roller section triggered a response that would have been very different had it been Elon Musk instead of me.
Let’s imagine that I am playing Blackjack and notice a bag of chips on the table. I proceed to grab the bag and eat some. That action - albeit a bizarre one - won’t trigger any alarm bells with the casino employees. Now, consider what happens if I reach for different chips: the dealer’s chips. I would be immediately evicted from the table, if not from the entire casino.
Two very similar operations resulted in very different outcomes. They differed because the context and potential impact of each are very different. Action matters, but action with context matters even more.
Context aims to capture as much as possible about the operation the user is performing in order to infer whether the operation is permissible. This includes who the user is, whether they can afford the high-roller area, and so on.
It should be evident that implementing Zero Trust has become crucial as organizations adopt cloud computing, support remote workforces, and interconnect with third parties more than ever before. Traditional network security that relies on firewalls to block threats is no longer sufficient in the modern IT environment. Attackers have many avenues to infiltrate networks, such as phishing emails, unsecured devices, or compromised third-party access. High-profile data breaches have demonstrated that once attackers gain an initial foothold, lateral movement within the network allows them to target crown jewels like intellectual property or customer data.
StrongDM's Approach to Zero Trust
We’ll still remain in Vegas and switch gears to an announcement StrongDM - my current employer - made during Re:Invent: Continuous Zero Trust Authorization.
StrongDM’s Continuous Zero Trust Authorization is the real-time monitoring of access and operations across your infrastructure and the ability to enforce contextual access policies in real time. Source: StrongDM
Key Elements of StrongDM's Approach
StrongDM’s approach to achieving ZT is predicated on a few key elements, which are analogous to our casino example.
Visibility
The first element is that of visibility. Organizations need to track all critical operations and alert on them, much like casinos track and are able to monitor every critical action within their premises. This visibility must also elevate the action along with the context in which it is happening.
Fine-Grained Access Policies
The second element of StrongDM’s ZT approach is being able to compose very fine-grained access policies, which extend an organization’s RBAC and ABAC policies. StrongDM’s policies are composed in Cedar, a simple yet expressive language that is purpose-built to support authorization use cases for common authorization models such as RBAC and ABAC.
Context Signals and Actions
Additionally, StrongDM elevates many contextual signals that can be used within an access policy written in Cedar. For example, StrongDM’s Cedar-based policies can gate access to a resource based on the device posture of the connecting machine, its IP address, geolocation, the action the requesting entity is about to undertake, and many more contextual signals.
StrongDM’s policies can additionally introduce extra actions that the requesting entity has to perform before gaining access to resources. Examples include an MFA prompt, just-in-time (JIT) access, or an approval process, which allows an administrator to add more gates or friction between sensitive assets and requesting principals.
Policy Evaluation and Enforcement
The last element is that of policy evaluation and enforcement. The expressive nature of Cedar allows for the composition of very fine-grained access policies; composing them is one thing, but applying them in real time and in a distributed manner is another. This is where StrongDM’s Policy Engine comes into play. The engine allows for the distributed evaluation and enforcement of access policies with sub-millisecond latency. This policy engine is analogous to the pit manager escorting me out of the Blackjack table or the employee validating my worthiness to enter the high-roller section.
MGM Cybersecurity Attack: A Real-World Example
We’ll remain in Vegas for the final chapter of this post to highlight the importance and criticality of Zero Trust.
The Breach
A few weeks ago, MGM suffered a significant cybersecurity attack. A group of US and UK-based cybersecurity experts known as Scattered Spider used social engineering to trick MGM’s internal help desk employees into resetting the passwords and multi-factor authentication (MFA) codes of highly-privileged MGM employees. This gave Scattered Spider access to the social media accounts of these employees.
Using this sensitive information, these malicious users were able to obtain access to MGM’s Managed IT Service, Okta, to install an identity provider to create SSOs (Single Sign On) for themselves. This technology is available for Okta users to expedite user access during mergers of companies. Alongside the compromise of Okta, the Microsoft Azure cloud environment became compromised, jeopardizing not only the managed applications, but all assets stored on the digital cloud. This resulted in multiple system vulnerabilities, exposure of customer data, and more access to MGM’s critical assets.
An action as simple as disabling MFA on an employee resulted in hackers taking down an entire casino for days and a loss of ~$100M for the casino. This example highlights the complexity of protecting critical assets, which now extend outside the traditional network perimeter. In MGM’s case, that asset was a user’s profile in a corporate directory. Try protecting that with a firewall.
Continuous Authorization Importance
Implementing continuous authorization is an important part of adopting a Zero Trust security model. With StrongDM’s approach to continuous authorization, access is constantly evaluated and granted based on factors like device security posture, user behavior, and resource sensitivity. This allows organizations to make real-time, context-aware access control decisions rather than just approving access at the initial point of authentication.
By leveraging StrongDM’s robust continuous authorization capabilities, organizations can minimize their risk of data breaches and unauthorized access. Granular control over resource access prevents both insiders and external actors from abusing credentials or accounts to access more data and systems than necessary. Continuous evaluation also simplifies policy management and enforcement by centralizing access control across cloud, hybrid, and on-premises environments. Factoring device trust and anomalies into access decisions further strengthens data and system protection. In the case of the MGM breach, a single policy that required approval for an action to disable MFA on a user’s profile would have stopped this breach.
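As an added example (not StrongDM’s own policies or schema), here is how the contextual gates described in the Context Signals and Actions section and the approval requirement for disabling MFA could be expressed in Cedar; the entity types Role, Action, Resource, User and Group and the context attributes device, ip and approval are an assumed schema. Because Cedar denies by default and a forbid always overrides a permit, a help-desk request to disable MFA on a privileged account that carries no approval in its context matches no permit policy and is denied.

```cedar
// Added example with an assumed schema, not StrongDM's own policy set.

// 1. Identity plus context: a DBA may connect to the production database
//    only from a compliant device on the corporate network range.
permit(
  principal in Role::"dba",
  action == Action::"connect",
  resource == Resource::"prod-postgres"
)
when {
  context.device.posture == "compliant" &&
  context.ip.isInRange(ip("10.0.0.0/8"))
};

// 2. Extra gate on a sensitive directory change: help-desk operators may
//    disable a user's MFA only after a second person has approved the
//    request, and the approver cannot be the requester.
permit(
  principal in Role::"helpdesk",
  action == Action::"disable_mfa",
  resource
)
when {
  context.approval.granted == true &&
  context.approval.approver != principal
};

// 3. Privileged accounts get a hard floor: no MFA change on them from
//    outside the corporate range, regardless of any permit above.
forbid(
  principal,
  action == Action::"disable_mfa",
  resource in Group::"privileged-admins"
)
unless {
  context.ip.isInRange(ip("10.0.0.0/8"))
};
```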
References and suggested readings
This week’s edition of Authorized: an epic battle & baseball caps featured some of the announcements I mentioned in this article.
➿ The neverending authz story: have you ever heard of continuous authorization? StrongDM just launched it, and it’s based on Cedar, Amazon’s provably secure authorization language. Amazing new functionality.
- had a great post covering identity
Identity has, historically, acted as an adjacency to cybersecurity. Identity stood at the beginning to make sure no bad actors got in. Security was in place to look out for that bad behavior if something at the entryway failed. But increasingly, that just isn’t the case. Identity has stepped into the very center of the security paradigm. Source: Contrary Research
This paper - Architectures for Protecting Cloud Data Planes - from Google is relevant to Zero Trust. The authors evaluate different architectures to protect data and prevent unwanted data exfiltration.
The Zero Trust Maturity model by CISA. A must read.