As the use of zero-trust architecture grows, it's becoming apparent to threat modelers that if they want to reap benefits, they will need to modify their existing practices to do it.
With classic threat modeling, born from the fortified-perimeter school of cybersecurity, the trusted boundary divides protected assets and trusted users from threats and adversaries. Zero trust scraps that idea. And it can also be used to bolster application security, or AppSec.
Chris Romeo, CEO of the threat modeling startup Devici, wrote in a recent blog post that zero trust–based security assumes attackers are in the environment and that data sources and flows can no longer be hidden, which is essential to hardening AppSec.
"[Zero trust] has vast implications for application security and threat modeling. Zero-trust threat modeling means the death of the trust boundary. This uncovers threats never dreamed of in classic threat modeling."
Here's what your team needs to know about zero trust and threat modeling — including key benefits and challenges when extending it to harden your AppSec.
Expanding the zero-trust concept to AppSec
Patrick Tiquet, vice president for security and architecture at Keeper Security, said that instead of relying on traditional perimeter-based security measures, zero trust assumes no implicit trust, so verification is required from anyone or anything trying to access resources — including software, which represents a growing attack surface.
"With a growing majority of ransomware attacks, supply chain vulnerabilities, and insider threats originating from what is traditionally thought to be inside the security boundary, zero-trust threat modeling has become critical."
Tiquet said threat modelers must accept the reality that there is no trusted safe zone and adjust their models to recognize threats that may be anywhere — including inside the traditional boundaries. That's essential when considering the nature of today's software supply chain attacks.
Flexible boundaries are key to zero trust
Dhaval Parekh, senior director for information security at the cloud security company Zscaler, said that rather than disappearing entirely, trust boundaries in zero trust become more fluid and dynamic. “Each component, user, or device is evaluated individually based on their authentication, authorization, and behavior,” he said.
“The trust boundary in a zero-trust environment shifts from being a fixed perimeter to a more granular and context-dependent boundary. It is defined by the access controls, authentication mechanisms, and continuous monitoring in place for each component. The trustworthiness of a component is established through ongoing verification of its identity, behavior, and compliance with security policies.”
Parekh offered four recommendations for zero trust in general threat models — which can also be applied to AppSec.
- Identify and validate assumptions. Challenge traditional assumptions about trust within the network and consider that no user or device should be inherently trusted. Threat modelers should question assumptions about network boundaries and trust relationships between different components.
- Define trust boundaries. Clearly define trust boundaries and enforce strict access controls at each boundary. Threat modelers should consider implementing microsegmentation to create smaller trust zones within the network, allowing for more granular access control and limiting lateral movement in case of a breach.
- Assess and mitigate risks. Analyze potential attack vectors and vulnerabilities within the system. Identify potential threats, such as insider threats, compromised devices, or malicious actors, and evaluate their impact on the system. Implement appropriate security measures to mitigate these risks.
- Consider zero-trust architecture. Threat modelers should recommend evaluating and adopting a zero-trust architecture, such as the use of software-defined perimeters (SDP) or secure access service edge (SASE) solutions. These architectures provide comprehensive security controls and help enforce zero-trust principles effectively.
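To make the difference between the two models concrete, here is an added example (not code from the article or from any vendor named in it) that runs a constructed data-flow diagram through a classic perimeter review and a zero-trust review; the zero-trust pass treats every flow as a boundary and checks it for the three verifications named above (identity, authorization, ongoing monitoring). The component names, zones, and control flags are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    zone: str  # "external" or "internal" under the classic perimeter model

@dataclass
class Flow:
    src: Component
    dst: Component
    data: str
    # Per-flow controls, one for each verification the article lists:
    # identity (authentication), authorization, and continuous monitoring.
    authenticated: bool = False
    authorized: bool = False
    monitored: bool = False

CONTROLS = ("authenticated", "authorized", "monitored")

def classic_review(flows):
    """Classic model: only flows that cross the perimeter are examined."""
    return [f for f in flows if f.src.zone != f.dst.zone]

def zero_trust_review(flows):
    """Zero-trust model: every flow is a boundary, so every flow is
    examined and any missing control becomes a finding."""
    findings = {}
    for f in flows:
        missing = [c for c in CONTROLS if not getattr(f, c)]
        if missing:
            findings[(f.src.name, f.dst.name)] = missing
    return findings

# Constructed sample DFD for a small web service and its build pipeline.
browser = Component("browser", "external")
api = Component("api", "internal")
db = Component("db", "internal")
ci_runner = Component("ci_runner", "internal")
artifacts = Component("artifact_store", "internal")

FLOWS = [
    Flow(browser, api, "user requests", authenticated=True, authorized=True, monitored=True),
    Flow(api, db, "customer records"),              # implicit trust inside the perimeter
    Flow(ci_runner, artifacts, "build output", authorized=True),  # CI/CD path, unmonitored
]

if __name__ == "__main__":
    print("classic model flags:", [(f.src.name, f.dst.name) for f in classic_review(FLOWS)])
    for edge, missing in zero_trust_review(FLOWS).items():
        print("zero-trust model flags:", edge, "missing", missing)
```

The classic pass surfaces only the browser-to-API flow, while the zero-trust pass surfaces the two internal flows that rely on implicit trust, including the CI/CD path.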
How zero trust benefits all threat modelers
Zero trust can be beneficial to threat modelers because it weans them off the “outside-in” mindset, said Andrew Barratt, managing principal for solutions and investigations at Coalfire. “You’re essentially deeply considering how an assumed bad actor, from any resource, may try to compromise any other resources."
Barratt said zero trust means that all resources should have zero access by default and explicitly look for approved, authorized, and authenticated access. And that applies to locking down your entire software supply chain, including all CI/CD tools, for example.
"From a threat modeling perspective, we now have to consider the threats that might have compromised credentials and are living off the land. Those new threats are actors that look like approved users or activities, and, as such, we need to consider behavioral analysis to determine how likely the actor is to be rogue.”
One of the challenges this new way of thinking imposes on threat modelers is that they must have a very high depth of understanding of the systems being protected.
“The collaboration when modeling these threats will require multiple sets of expertise, as well as the ability to consider that a threat actor may already have found access or has compromised an authorized user, perhaps even physically with threats of violence."
Zscaler's Parekh said that by challenging traditional trust assumptions — and considering all components as potentially untrusted — threat modeling can identify a wider range of attack vectors and vulnerabilities that may have been overlooked in traditional models.
However, Anthony Tam, manager of security engineering at Tigera, said there is some downstream risk with zero trust and AppSec because, as zero trust increases the focus of the security model around application and infrastructure, it can open the door to adversaries elsewhere. Teams need to be aware of and account for this risk.
“Vulnerabilities in the application or software dependencies can be attack vectors that bypass the security controls that were designed in a system’s zero-trust model."
Parekh said zero trust’s emphasis on the principle of least privilege can help manage such risks, because it allows potential attack surfaces to be identified and reduced by implementing appropriate access controls, microsegmentation, and network segmentation techniques.
Zero trust also promotes the implementation of granular access controls at every level of a system, so threat modelers can identify and evaluate the specific access requirements for each component and user, enabling more precise threat analysis and risk mitigation strategies, Parekh said.
With continuous monitoring and detection of anomalous activities, threat modelers can leverage zero trust to identify the necessary monitoring capabilities and detection mechanisms to detect potential threats and security incidents.
“By incorporating continuous monitoring into the threat model, organizations can proactively identify and respond to security events in a zero-trust environment."
Key challenges for threat modeling and AppSec
Working with zero trust can be trying for AppSec threat modelers, said Devici's Romeo.
“Zero trust is vast and complex, and securing something complex versus simple is more challenging."
Romeo said that everyone's zero-trust deployment is different.
"Yes, they use the same principles and architecture patterns, but they are not the same. We cannot review and secure the reference architecture once and expect that we will be good to go in perpetuity. [No] reference architectures exist in the real world."
Parekh said implementing a zero-trust architecture can introduce complexity, given the need for granular access controls, microsegmentation, and continuous monitoring.
And there are always the difficulties that come with any initiative that introduces change to the status quo in security organizations, especially one spanning security operations (SecOps) and AppSec.
“Implementing zero trust requires a shift in mindset and culture throughout the organization. Threat modelers may face resistance or challenges in gaining buy-in from stakeholders and ensuring consistent adoption of zero-trust principles across all teams and departments.”
Matt Rose, Field CISO at ReversingLabs, said the concept of zero trust is evolving, "just like the way modern software and applications are being developed is evolving."
"The concept of zero trust needs to be a mindset above and beyond vulnerabilities, but take into account all aspects of the software and applications you develop internally and use from external sources."