Taking Back Zero Trust: Bank Policy Institute (BPI) provides a fairly reasoned take on Zero Trust

December 3, 2024

Bad actors in a Financial Institution’s network should be assumed.

The combination of ineffective network perimeter controls and the porous enterprise perimeter means we must let go of the concept of a trusted network protected primarily at the perimeter. Instead, we must develop an approach to enforcing security based on the sensitivity of data, user and application identity and device security posture.

Here at Pomerium, we’re huge proponents of implementing Zero Trust Architecture. However, even we recognize that the market has rendered the term nearly meaningless. So to help combat the jargon-ification of Zero Trust, we figured we should start to provide our input on “Zero Trust” pieces we find out in the wild.
For this Taking Back Zero Trust piece, we’re going to take a look at “Adaptive Trust: Zero Trust Architecture in a Financial Services Environment”, a white paper put out by the Bank Policy Institute.

Fighting the fluff

Why does the term Zero Trust tend to provoke involuntary eye rolling? It’s likely because Zero Trust is not a product even though vendors have been trying to pitch it as such. Zero Trust is a set of principles and it operates on the simple premise of “never trust, always verify”. Therefore, adopting a Zero Trust security environment means that you must do the following:

  • Provide no implicit trust – trust is never granted solely because of where a request originates on the network; treat every request as if it came from an adversary until it has been verified

  • Continuously verify – don’t just authenticate a user once when they connect to your network; re-authenticate and re-authorize every single request

  • Grant least privileged access – users only need the bare minimum access required for their role, and for as little time as necessary 

  • Assume a breach mentality – focus on minimizing the blast radius of an attacker by assuming that you’re already breached

  • Shift access control to the application layer – rather than creating a single point of failure at the network layer, or many smaller single points of failure under the similarly buzz-wordy banner of “microsegmentation”, enforce authentication and authorization at each application itself

Key takeaways

Much like our approach, the authors of the paper leaned on NIST SP 800-207, Zero Trust Architecture, as their canonical Zero Trust document.

The BPI’s key takeaways are very much the same reasons why we have built Pomerium. Whether it’s for businesses in highly regulated environments like Financial Services institutions, or for hobbyists looking to implement secure remote access, Zero Trust provides (in BPI’s words):

  • Stronger, continual authentication

  • Risk-based authentication to enterprise resources that includes attributes and real-time signals from the environment

  • Fine grain access to enterprise resources

We couldn’t agree more!

Castle and Moat Analogy

Rather than building a perimeter wall to keep the bad actors out, we move the controls closer to the resources we are protecting.

A "Castle model" where all users and data are inside the castle's fortifications

The paper’s authors present the following analogy that we would like to build on. Yes, the existing security model is like a castle and moat. All your users, data, devices are inside of the castle and under your control. You have defense-in-depth because your castle has fortifications, guards, a moat, a drawbridge, maybe some alligators. 

The reality is a proliferation of people and data outside of the castle's protection

However, today’s reality is far from that. Your users and their devices, your data, and your vendors now live both inside and outside the “castle”, i.e. the network. So what do you do? How do you protect all of that? Well, as the authors say, “move the controls closer to the resources [you] are protecting”. But how do you do that?

Crawl, Walk, Run framework for Zero Trust

Well, luckily, BPI provides a crawl, walk, run framework for institutions to adopt Zero Trust. We’ve summarized it below and provided a handy table you can print out for reference. However, in our view, adopting Zero Trust does not necessarily require you to crawl, walk and then run. In many cases, you can easily leapfrog the walking and go directly to running.

Some areas where our opinion differs from BPI’s include the following:

  • “Network & Infrastructure Segmentation” cannot be truly Zero Trust. An organization that has genuinely adopted a Zero Trust posture can expose its entire network to the public internet, because it has assumed breach and therefore placed every resource behind an identity-aware enforcement point that denies unauthorized access by default. At that point segmentation adds no protection that per-request authorization is not already providing. The caveat a practitioner should keep in mind is that this only holds for resources that can actually be put behind such an enforcement point; anything that cannot is exactly as exposed as it was before.

  • Adopting Zero Trust for “Application Security” shouldn’t require the use of “Breach and Attack Simulation Tools (BAS) to identify how attackers would laterally move within a network”, because, by design, those attackers should not be able to move laterally across your network: all AuthN and AuthZ happen at the application layer, so every hop an attacker attempts is a fresh request that must be fully authenticated and authorized on its own.
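The principles listed under “Fighting the fluff” and the two points above, worked through as an added example (an editor’s illustration, not code from the original post, from Pomerium, or from the BPI paper): a per-request authorization check of the kind an identity-aware proxy performs in front of an application. Every request, including one arriving from the 10.0.0.0/8 “internal” range, is decided on verified identity, group membership, device posture and how fresh that posture is, and on nothing else; the source address is carried only to show that it is ignored. The application name, group names, posture fields and sample requests are all constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Request is what an identity-aware proxy sees on every request; SourceIP is carried only to show that the decision never consults it.
type Request struct {
	Subject       string        // verified identity from the IdP token; "" if none
	Groups        []string      // group claims from the IdP
	DeviceTrusted bool          // latest device-posture result
	PostureAge    time.Duration // how long ago that posture result was produced
	SourceIP      netip.Addr    // where the packet came from; deliberately unused
	Resource      string        // application requested, e.g. "payments-admin" (hypothetical)
	Method        string        // HTTP method, e.g. "GET" or "POST"
}

// Policy is the per-application grant. Anything not listed is denied.
type Policy struct {
	FullAccess    []string      // groups allowed to use every method
	ReadOnly      []string      // groups limited to GET (least privilege)
	RequireDevice bool          // demand a device that passed posture checks
	MaxPostureAge time.Duration // posture older than this must be re-attested
}

type Decision struct {
	Allow  bool
	Reason string
}

func deny(reason string) Decision { return Decision{Allow: false, Reason: reason} }

// Authorize runs on every request, not once per session, so a revoked group or a stale posture takes effect on the very next call.
func Authorize(policies map[string]Policy, r Request) Decision {
	p, ok := policies[r.Resource]
	if !ok {
		return deny("no policy for " + r.Resource + ": default deny")
	}
	if r.Subject == "" {
		return deny("unauthenticated: no implicit trust for any source network")
	}
	if p.RequireDevice && !r.DeviceTrusted {
		return deny("device failed posture check")
	}
	if p.RequireDevice && r.PostureAge > p.MaxPostureAge {
		return deny("device posture stale: re-attest before continuing")
	}
	switch {
	case hasAny(r.Groups, p.FullAccess):
		return Decision{Allow: true, Reason: "full-access group"}
	case r.Method == "GET" && hasAny(r.Groups, p.ReadOnly):
		return Decision{Allow: true, Reason: "read-only group, read method"}
	}
	return deny("no grant for " + r.Subject + " " + r.Method + " " + r.Resource)
}

func hasAny(have, want []string) bool {
	for _, h := range have {
		for _, w := range want {
			if h == w {
				return true
			}
		}
	}
	return false
}

// SamplePolicies is a constructed policy for a hypothetical "payments-admin" app.
func SamplePolicies() map[string]Policy {
	return map[string]Policy{"payments-admin": {
		FullAccess:    []string{"payments-ops"},
		ReadOnly:      []string{"auditors"},
		RequireDevice: true,
		MaxPostureAge: 15 * time.Minute,
	}}
}

// SampleRequests are constructed inputs: the first arrives from the "internal" 10.0.0.0/8 range with no identity; the rest come from the public internet.
func SampleRequests() []Request {
	in, out := netip.MustParseAddr("10.0.0.5"), netip.MustParseAddr("203.0.113.7")
	ops, aud := []string{"payments-ops"}, []string{"auditors"}
	return []Request{
		{SourceIP: in, Resource: "payments-admin", Method: "GET"},
		{Subject: "alice@example.com", Groups: ops, DeviceTrusted: true, PostureAge: 2 * time.Minute, SourceIP: out, Resource: "payments-admin", Method: "POST"},
		{Subject: "alice@example.com", Groups: ops, DeviceTrusted: true, PostureAge: 40 * time.Minute, SourceIP: out, Resource: "payments-admin", Method: "POST"},
		{Subject: "bob@example.com", Groups: aud, DeviceTrusted: true, PostureAge: time.Minute, SourceIP: out, Resource: "payments-admin", Method: "GET"},
		{Subject: "bob@example.com", Groups: aud, DeviceTrusted: true, PostureAge: time.Minute, SourceIP: out, Resource: "payments-admin", Method: "POST"},
		{Subject: "alice@example.com", Groups: ops, DeviceTrusted: true, PostureAge: time.Minute, SourceIP: in, Resource: "hr-portal", Method: "GET"},
	}
}

func main() {
	for _, r := range SampleRequests() {
		d := Authorize(SamplePolicies(), r)
		fmt.Printf("%-18s %-4s %-14s from %-12s allow=%-5t %s\n", r.Subject, r.Method, r.Resource, r.SourceIP, d.Allow, d.Reason)
	}
}
```

Run with go run and each of the six constructed requests prints its decision: the unauthenticated request from the internal address is denied, the public-internet request with a fresh posture is allowed, the same identity with a 40-minute-old posture is sent back to re-attest, the auditor is allowed a GET but refused a POST, and a resource with no policy is denied by default. Segmenting the network would not change any of those decisions, which is the point being made above.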


BPI’s Crawl / Walk / Run maturity table, by component (quoted from the paper):

Component: Identity & Access Management (IAM)
  Crawl: Organizations implement basic, central identity management capabilities such as: role-based access control (RBAC); strong privileged access management capabilities; and ensure that shared services such are mature.
  Walk: Organizations implement fine grain identity capabilities such as: attribute-based access (ABAC) model … Additionally, applications need to be integrated into or (through existing federation) into MFA.
  Run: Organizations have strong identity leveraging the risk components of Zero Trust…The Attribute Based Access Control (ABAC) model is used to define access policies across the enterprise…This allows for granular, yet flexible access control policies.

Component: Network & Infrastructure
  Crawl: Organizations can segment and define their network infrastructure using large perimeter and employ macro-segmentation.
  Walk: Organizations can segment their network infrastructure by configuring ingress and egress micro-perimeters and include some internal micro-segmentation. Granular policies can be defined at the perimeter.
  Run: Organizations have internal micro-segmentation based around all application flows and application traffic is encrypted end-to-end.

Component: Endpoint Device & Mobility
  Crawl: Organizations should have central management of all end user and central devices.
  Walk: Organizations can establish the identity of devices on the network, disallowing unknown devices from connecting...Technologies are put in place to perform device posture assessments when connecting to the network from any location.
  Run: Organizations allow or disallow devices to connect to enterprise resources based upon policy…. Device posture assessments are performed continuously during the lifetime of a device connected to the network.

Component: Application Security
  Crawl: Organizations control access to applications using local authorization. On-premises applications are accessed through the physical network or VPN.
  Walk: Centralized authentication and authorization technologies are employed to control access to applications. SSO technology is configured for the workforce to access on-premises applications.
  Run: Access to applications is authorized based on real-time risk analysis and authentication and authorization happens continuously throughout the connection…Use Breach and Attack Simulation Tools (BAS) to identify how attackers would laterally move within a network.

Component: Data Security
  Crawl: Organization uses static controls for restricting access to data. Organization partially encrypts data at rest and leverages least privilege to control access to data.
  Walk: Organization encrypts all data at rest and leverages least privilege to control access to data. Device risk and other attributes are also considered when making access decisions to data.
  Run: Organizations encrypt all data at rest and in-motion... Access to data is controlled using dynamic and contextual risk-based decision and only allows just-in-time and just-enough access.

Component: Visibility & Analytics
  Crawl: Organizations send all logs to a centralized system.
  Walk: Organizations send most of their logs to a centralized SIEM.
  Run: Organizations collect logs across all ZTA components to a central SIEM and integrate analysis across multiple sensor types to create automated alerts.

Component: Automation & Orchestration
  Crawl: Organizations determine hosting location and access of the application during provisioning.
  Walk: Applications inform the infrastructure and network components of a changing state.
  Run: Applications adapt to ongoing environmental changes for security and performance optimization.

Summary (Score: 8.7/10)

The BPI document discussed here is long and detailed. We recommend reading it and drawing your own conclusions. For us, we were excited to see that it laid out a roadmap for financial institutions looking to shift from a traditional perimeter-based security model to an identity-centric model that follows Zero Trust principles. While we may not agree with some of the key components like micro-segmentation, overall, the document did a good job avoiding the Zero Trust buzzword trap, and educating its readers on how to achieve Zero Trust in practice.

If you’re interested in learning more about Zero Trust, or seeing how Pomerium can upshift your security posture, feel free to reach out to us. Or if you have a Zero Trust related white paper, one pager, or other marketing material you’d like us to do a review of, send it over!
