Zero Trust Defined & Implemented

Updated: Feb 18

What is a Zero Trust Environment? NCoded Communications provides a Zero Trust Overlay on all OT environments, ensuring that you are completely protected at all times on every device. A Zero Trust Environment starts from a security posture of default deny. Zero Trust must follow one rule: Trust No One & Trust Nothing.

No One includes:

  • Developers or IT people

  • IT Management

  • Executive Management

Nothing includes but is not limited to:

  • Operating Systems

  • Platform Devices

  • ISPs

  • Telecommunications Vendors and their networks

  • App Stores

  • Public IP addresses

  • 3rd-party source code that does not allow complete source code inspection

  • Any Partner Network or server you connect to

  • PKI

  • Anything that uses a KeyStore

  • Monolithic encryption

  • Unknown email or text message sources

  • Social Media apps

  • Open source applications or services


Effectively, you start with default deny on everything.

You trust no one & trust nothing.

Trust must be earned, not expected.


To achieve Zero Trust, at a high level, these steps must be taken using unconventional means:

  • Reduce Your Attack Surface

  • Secure User Access

  • Encrypt data-in-transit

  • Neutralize Adversaries

In detail, Zero Trust is achieved through unconventional methods. Zero Trust is:

  • Established at the initiation of network connectivity from one trusted node to another trusted node.

  • Dependent on dynamic encryption, achieved through strong authentication combined with symmetric encryption.

  • Achieved by creating trust perimeters around your servers and the location of your IP, along with services installed on client devices. Together, the perimeter devices and the client authenticate each other in real time, generating dedicated one-time-use encryption keys.

  • Achieved by blocking and blacklisting network packet replays sent by evil actors attempting to gain access to the perimeter.

  • Achieved through the use of multiple dynamically generated encryption keys within a single digital communication. The keys are never stored!

  • Uniquely encrypting a data layer.

  • Uniquely encrypting a metadata layer.

  • Applying a final unique encryption that obfuscates the previous layers, achieving a "cloaking" effect on the data.

  • Dynamically created and terminated when complete, without human intervention.

Additional elements:

  • Encryption is not achieved through standard encryption source code. It must be achieved through a dynamic matrix of ciphers and bit lengths.

  • Encryption keys are generated dynamically and nothing is ever stored.

  • Access into the Zero Trust perimeter must not accept a single packet of untrusted communications from the Internet. Access must only accept network communications from a trusted source and reject all other communications.
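As an added illustration of the two receiver-side rules above (reject packet replays; accept nothing that is not from a trusted source), here is example code that is not NCoded's implementation: a default-deny gate that assumes a one-time per-session key has already been agreed by mutual authentication, verifies an HMAC over each datagram, and tracks a sliding window of sequence numbers in the style of IPsec anti-replay, so anything unauthenticated, too old, or already seen is dropped.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

WINDOW = 64  # anti-replay window: how many sequence numbers behind the newest we still track


class PerimeterGate:
    """Default-deny receiver: a datagram is released to the application only if
    its MAC verifies under the session key AND its sequence number is fresh."""

    def __init__(self, session_key: bytes) -> None:
        self.key = session_key          # one-time session key held in memory only
        self.highest = 0                # highest sequence number accepted so far
        self.bitmap = 0                 # bit i set => (highest - i) was already accepted
        self.rejected: List[Tuple[Optional[int], str]] = []  # defender's audit trail

    def accept(self, datagram: bytes) -> Optional[bytes]:
        if len(datagram) < 4 + 32:                      # 4-byte seq + 32-byte HMAC-SHA256
            self.rejected.append((None, "malformed"))
            return None
        seq = struct.unpack(">I", datagram[:4])[0]
        body, tag = datagram[4:-32], datagram[-32:]
        expected = hmac.new(self.key, datagram[:-32], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # not from the trusted peer: drop
            self.rejected.append((seq, "bad-mac"))
            return None
        if seq > self.highest:                          # newer than anything seen: slide window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            diff = self.highest - seq
            if diff >= WINDOW:                          # fell off the window: cannot vouch for it
                self.rejected.append((seq, "too-old"))
                return None
            if (self.bitmap >> diff) & 1:               # already accepted once: replay
                self.rejected.append((seq, "replay"))
                return None
            self.bitmap |= 1 << diff
        return body


def seal(session_key: bytes, seq: int, body: bytes) -> bytes:
    """Sender side: prefix the sequence number and append an HMAC over seq + body."""
    msg = struct.pack(">I", seq) + body
    return msg + hmac.new(session_key, msg, hashlib.sha256).digest()


def demo() -> Tuple[List[Optional[bytes]], List[str]]:
    key = os.urandom(32)                 # constructed one-time session key, never persisted
    gate = PerimeterGate(key)
    first = seal(key, 1, b"hello")
    results = [
        gate.accept(first),                              # fresh, trusted -> b"hello"
        gate.accept(first),                              # same datagram again -> None (replay)
        gate.accept(seal(key, 2, b"x")),                 # next sequence number -> b"x"
        gate.accept(seal(os.urandom(32), 3, b"y")),      # wrong key -> None (bad-mac)
    ]
    return results, [reason for _, reason in gate.rejected]
```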

Once complete, you have cloaked your IP from any enemy.

There are those who state that there must be a method of interconnectivity that does not require high trust between two trusted node endpoints. They state it is needed for the work of digital business to get done.

THIS IS A MISNOMER!

Either you have a high level of trust on a series of factors, or you do not. Determining trust is binary: an endpoint is trusted or it is not. Anything less does not provide a trusted environment, because it implies implicit trust. This is the problem in cybersecurity today. The prevailing approach is an adaptive risk/trust model, and today's attack surfaces prove, in results, that an adaptive risk/trust model does not work. Any analysis to the contrary implies its authors do not know how to achieve a Zero Trust Network. An adaptive risk/trust model imposes waste and cost on the organization, and it leads to a strategy of reacting to attacks instead of shutting them down before they get in.


Implications:

Trust is explicitly a good thing. Trust is what we use to achieve absolute certainty.

Trust must be absolute, binary and dynamically created without human intervention. It is an indication of the absolute level of strength of the assurance of the belief.

There are those who believe that an adaptive risk/trust model can compensate for the risk of extending capabilities. Here the belief is that we should monitor for expected behaviors during interactions and, if behaviors deviate from expectations in a risky way, adapt or entirely remove access to those capabilities. That thinking is antiquated. We must ask ourselves: isn't that what we have had access to for the past two decades?

Has monitoring kept up with the explosion of attack vectors?

NO!

Can a SOC - Security Operations Center - keep up with 18 million new attack vectors per day and protect their IP?

NO!

Can checking the boxes in high level compliance audits stop the evil actors from attacking?

NO!

A new approach is called for: Zero Trust Environments. NCoded Communications is the answer.
