Zero Trust - Model, Architecture

...with a Plus!
By 2025, you will regret not having implemented Zero Trust.

– Santosh Pandit, September 2021

Okay, you are here as you are curious about Zero Trust ("ZT"). A simple Google search gives over 3 million results. People will use other terms such as ZT Model, ZT Architecture, ZT Framework, etc. They all mean the same. I will make it easier for you. We will start with the basics of ZT. We will then explore Zero Trust Plus, my own academic proof-of-concept. Let us start!

Zero Trust - High level overview

I will expand each concept over weekends, starting with an introduction and then covering advanced concepts.
What is Zero Trust ("ZT")? Imagine you are responsible for cyber security. Assume that some users, applications or parts of the network have been breached: your challenge is to protect the other users, applications and parts of the network. This is where the ZT model plays a role. It requires constant verification of the authorisation to access resources. ZT builds on a framework of the least privilege necessary for regular use. Read an in-depth introduction and the nuances of different terms, e.g. ZT Model, ZT Architecture, ZT Network, etc.
"Trust, but verify."

– Comments from the Reagan - Gorbachev summit

Why ZT?

The cyber attack surface and threats are increasing, and cyber criminals leverage one breach of users, applications or networks to compromise other resources.

For example, if you make the mistake of opening an attachment containing a virus, the damage should not go beyond your own machine.

Another example: if one of your employees is an associate of a cyber crime gang (yes, that happens), you do not want them to steal your information.

"Every ransomware attack would hurt much less with ZTA. Same as the difference between a knock-out punch and a kiss."

– Santosh Pandit

How to implement ZT? The ZT model requires strong authentication, authorization and verification of the least privilege access to networks, information and resources.
What are the advantages of ZT? A ZT framework limits the damage from the spread of ransomware and from data theft, and prohibits unauthorised access to resources.
What are the disadvantages of ZT? A practical implementation of the ZT model requires cyber threat intelligence, intelligent professionals (who are not cheap) and a cybersecurity culture.

Zero Trust Plus - High level overview

About Zero Trust Plus ("ZTP"): ZTP is an academic proof-of-concept to implement the ZT Model and lead the research on the TTPs used by sophisticated cyber criminals.
ZTP - What is the concept? ZTP extends the ZT Model to the supply chain ecosystem and keeps pace with the evolution of the TTPs used by sophisticated threat actors.
ZTP - Why is it needed? ZT is becoming a fashion and risks being abused by vendors and CISOs. Ongoing research helps to establish the effectiveness of the ZT Model.
ZTP - What makes it successful? The only way to be resilient to cyber crime is to think like a criminal; be aware of the latest TTPs used by sophisticated hackers; and deploy the trio of reactive, proactive and aggressive cyber defence.
ZTP - Current Research Topics: I am currently working on the following applied research topics.

(1) "ZT implementation using an automated dual-band mutual authentication with ultra-short validity periods."

(2) "Real-time reconciliation of users and applications authorized access to resources under ZT."

(3) "Essential features for a hypermodern Security Operations Centre in a ZT Model."

(4) "ZT and Confidential Computing - What do we do with the bloody AES!"

(5) "ZT and Quantum Safe Computing - The backdoor paranoia"


About me, BeatQuantum and Zero Trust Plus

My name is Santosh Pandit and I am based in London. In my personal time, I do a lot of cybersecurity research. I have a day job too; but my research is not connected to my employer.

In 2020 I founded BeatQuantum Labs, which successfully withstood serious cybersecurity attacks. It was fun and a lot of friends enjoyed my servers. The remaining BeatQuantum servers will be phased out over the next 18 months.

In 2021 I founded Zero Trust Plus - which is still under development. So watch this space!