Edition: Authors: Evan Gilman, Doug Barth Series: ISBN: 1491962194, 9781491962190 Publisher: Year: Pages: 295 Language: English File format: PDF (converted to PDF, EPUB or AZW3 on user request) File size: 6 MB
To have the file of the book Zero Trust Networks: Building Secure Systems in Untrusted Networks converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support so that they convert the file.
Note that the book Zero Trust Networks: Building Secure Systems in Untrusted Networks is the original-language edition and is not translated into Persian. The International Library website provides original-language books and does not offer any books translated into or written in Persian.
Preface Who Should Read This Book Why We Wrote This Book Zero Trust Networks Today Navigating This Book Conventions Used in This Book O’Reilly Safari How to Contact Us Acknowledgments
1. Zero Trust Fundamentals What Is a Zero Trust Network? Introducing the Zero Trust Control Plane Evolution of the Perimeter Model Managing the Global IP Address Space Birth of Private IP Address Space Private Networks Connect to Public Networks Birth of NAT The Contemporary Perimeter Model Evolution of the Threat Landscape Perimeter Shortcomings Where the Trust Lies Automation as an Enabler Perimeter Versus Zero Trust Applied in the Cloud Summary
2. Managing Trust Threat Models Common Threat Models Zero Trust’s Threat Model Strong Authentication Authenticating Trust What Is a Certificate Authority? Importance of PKI in Zero Trust Private Versus Public PKI Public PKI Strictly Better Than None Least Privilege Variable Trust Control Plane Versus Data Plane Summary
3. Network Agents What Is an Agent? Agent Volatility What’s in an Agent? How Is an Agent Used? Not for Authentication How to Expose an Agent? No Standard Exists Rigidity and Fluidity, at the Same Time Standardization Desirable In the Meantime? Summary
4. Making Authorization Decisions Authorization Architecture Enforcement Policy Engine Policy Storage What Makes Good Policy? Who Defines Policy? Trust Engine What Entities Are Scored? Exposing Scores Considered Risky Data Stores Summary
5. Trusting Devices Bootstrapping Trust Generating and Securing Identity Identity Security in Static and Dynamic Systems Authenticating Devices with the Control Plane X.509 TPMs Hardware-Based Zero Trust Supplicant? Inventory Management Knowing What to Expect Secure Introduction Renewing Device Trust Local Measurement Remote Measurement Software Configuration Management CM-Based Inventory Secure Source of Truth Using Device Data for User Authorization Trust Signals Time Since Image Historical Access Location Network Communication Patterns Summary
6. Trusting Users Identity Authority Bootstrapping Identity in a Private System Government-Issued Identification Nothing Beats Meatspace Expectations and Stars Storing Identity User Directories Directory Maintenance When to Authenticate Identity Authenticating for Trust Trust as the Authentication Driver The Use of Multiple Channels Caching Identity and Trust How to Authenticate Identity Something You Know: Passwords Something You Have: TOTP Something You Have: Certificates Something You Have: Security Tokens Something You Are: Biometrics Out-of-Band Authentication Single Sign On Moving Toward a Local Auth Solution Authenticating and Authorizing a Group Shamir’s Secret Sharing Red October See Something, Say Something Trust Signals Summary
7. Trusting Applications Understanding the Application Pipeline Trusting Source Securing the Repository Authentic Code and the Audit Trail Code Reviews Trusting Builds The Risk Trusted Input, Trusted Output Reproducible Builds Decoupling Release and Artifact Versions Trusting Distribution Promoting an Artifact Distribution Security Integrity and Authenticity Trusting a Distribution Network Humans in the Loop Trusting an Instance Upgrade-Only Policy Authorized Instances Runtime Security Secure Coding Practices Isolation Active Monitoring Summary
8. Trusting the Traffic Encryption Versus Authentication Authenticity Without Encryption? Bootstrapping Trust: The First Packet fwknop A Brief Introduction to Network Models Network Layers, Visually OSI Network Model TCP/IP Network Model Where Should Zero Trust Be in the Network Model? Client and Server Split The Protocols IKE/IPsec Mutually Authenticated TLS Filtering Host Filtering Bookended Filtering Intermediary Filtering Summary
9. Realizing a Zero Trust Network Choosing Scope What’s Actually Required? Building a System Diagram Understanding Your Flows Controller-Less Architecture “Cheating” with Configuration Management Application Authentication and Authorization Authenticating Load Balancers and Proxies Relationship-Oriented Policy Policy Distribution Defining and Installing Policy Zero Trust Proxies Client-Side Versus Server-Side Migrations Case Studies Case Study: Google BeyondCorp The Major Components of BeyondCorp Leveraging and Extending the GFE Challenges with Multiplatform Authentication Migrating to BeyondCorp Lessons Learned Conclusion Case Study: PagerDuty’s Cloud Agnostic Network Configuration Management as an Automation Platform Dynamically Calculated Local Firewalls Distributed Traffic Encryption Decentralized User Management Rollout Value of a Provider-Agnostic System Summary
10. The Adversarial View Identity Theft Distributed Denial of Service Endpoint Enumeration Untrusted Computing Platform Social Engineering Physical Coercion Invalidation Control Plane Security Summary
Index