What is Zero-Trust Architecture?
Zero-trust architecture (ZTA)—or zero-trust security—is a security approach designed to prevent unauthorized access to data and computing services by enforcing fine-grained access controls between users, systems, applications, and data.
The term "zero-trust" has become a bit of a buzzword in the world of cybersecurity. It's become the most recent “solution to all of our security problems." And, like all buzzwords, it can be hard to understand what it all means, how it works, if it’s even real, or what to do with it. Let's demystify some of this.
Unfortunately, there is no simple checklist or set of requirements for zero-trust compliance. Instead, zero-trust requires IT professionals to rethink their approach to infrastructure and network security by assuming that all users are malicious actors and that all networks, systems, and applications are compromised. Instead, it’s up to each entity to verify that it’s trustworthy.
The implications of this paradigm shift are not always obvious.
The traditional security model approach
The traditional approach to security is perimeter-based. Organizations would secure their network perimeter and, once inside a datacenter, users, devices, workloads, and apps would be trusted by default. However, this approach has become outdated as organizations move away from centralization to distributed services in the cloud, and adopt mobile / remote working. This opens up a host of potential vulnerabilities.
Zero-trust is a significant departure from traditional security models, which rely on perimeter-based defenses. In these models, security is focused on protecting the network perimeter, with the assumption that everything inside the perimeter is trusted. However, with the rise of cloud computing, mobile devices, and remote work, the traditional perimeter-based approach is no longer sufficient. Zero-trust architecture is designed to provide a more comprehensive approach to security that addresses the challenges of modern computing environments.
At its core, zero-trust security is about creating a security model based on the principle of: never trust, always verify. All users and devices, whether inside or outside of your network, are considered potentially hostile and must be authenticated and authorized before they are allowed to access any resources.
Common zero-trust principles
Implementing zero-trust security requires a shift in mindset. It's not just about implementing new technology but also about changing the way you think about security.
Zero-trust & OpenNMS products
Many legacy network monitoring protocols were design in the era when perimeter-based security was sufficient to protect sensitive resources. Of course, OpenNMS products understand and can use these legacy protocols in environments that still rely on traditional SNMP, ICMP, and other protocols.
However, OpenNMS has also evolved over the years to support newer protocols that use SNMPv3, TLS, HTTPS, and NTPv4 (with NTS) to enforce authentication and network encryption. The OpenNMS support team can provide guidance on how to harden an OpenNMS Horizon or Meridian installation to take advantage of these secure options.
OpenNMS Appliance comes preconfigured with these zero-trust features:
- Network Time Protocol v4 with Security (NTPv4/NTS) to protect against time synchronization tampering
- Encrypted transport using TLS 1.2/1.3 for all back-end communications
- Disk encryption to protect against software tampering
- OpenNMS and Linux software is digitally signed and automatically updated from cloud-based servers that use strong authentication to ensure software integrity
- Secure boot using TPM features to access an encrypted disk
- Certificate, token, and password-based multi-factor authentication where possible
- Authorization used to validate access to message queues and back-end OpenNMS servers
These allow the OpenNMS Appliance to communicate from a remote network to a core OpenNMS Meridian installation without requiring a VPN.
OpenNMS in the cloud
The OpenNMS Appliance service is one component of the overall OpenNMS cloud environment.
All OpenNMS cloud services are built following similar zero-trust principles:
- Encrypted transport using TLS 1.2/1.3 for all customer communications
- Multi-factor authentication for customers and their self-hosted OpenNMS components that communicate to OpenNMS Cloud
- Mutual authentication using TLS 1.2/1.3 for gRPC application-to-application communications
- Encrypted data storage in our cloud environment
How to get started with zero-trust
Start with a pilot project. Implementing zero-trust security can be a daunting task. Start with a small pilot project to test the waters and gain some experience.
Develop a zero-trust security strategy. Develop a strategy for implementing zero-trust architecture in your organization. This should include a roadmap for implementation, a list of resources required, a cybersecurity response plan, and a timeline for completion.
Work with a trusted partner.Working with a trusted partner, like OpenNMS, can help you navigate the complex world of zero-trust security as you implement network monitoring solutions. We can provide consulting, guidance, and support as you implement your strategy.
Educate your employees. The human factor in security is the most difficult hurdle—and where many security policies fail. Educating your employees about zero-trust security is essential. They need to understand the principles behind it and how it affects their day-to-day work.
- NIST has a document that defines zero-trust architecture with use cases and deployment models where this approach can benefit overall security posture.
- Okta offers a (2022) report, “The State of Zero Trust Security.”
- The United States Cybersecurity & Infrastructure Security Agency (CISA) also offers their “Zero Trust Maturity Model Version 2.0.”
What is Network Segmentation?
Network segmentation is the process of dividing a network into smaller, more manageable pieces (segments) to improve its security posture. [...]
Security update: Mandatory GPG key rotation for Meridian and Horizon
In the wake of the CircleCI breach, we have been reviewing policies and updating keys and tokens used in our [...]