Zones of Trust
- Security Truth
- Jul 23, 2023
- 5 min read
Updated: Jan 9

Our last blog post spoke about security and its relationship with trust. Prior to delving into this blog post, it’s a good idea to read “Security - A Complex Term?”. Trust me, it’s a really good read… Yes, unfortunately, that was a Dad Joke!
In this post we are going to explore one of two common trust models within the cyber security arena: Zones of Trust.
Zones
The Zones of Trust model is better suited to traditional on-premises ICT environments and to IaaS in cloud environments. So, what is it? The Zones of Trust model involves segmenting an ICT environment into different zones, each with a pre-determined trust level. Of course, as you have already read the blog post “Security - A Complex Term?” (if you haven’t, here is the link), you will be familiar with the concept that the more security controls you have, the more control you have, and naturally the greater the trust you achieve. The Zones of Trust model starts with a zone normally called Untrusted and progresses up through the zones to the most trusted zone (if Management is excluded), Restricted. As traffic progresses up through the zones towards the Restricted zone, the security controls increase, i.e., each zone has a greater level of security controls than its predecessor. See Figure 1. Traffic cannot skip a zone to reach another zone higher or lower in the order. For example, traffic coming from the Untrusted zone must pass through the Semi-Controlled zone to get to the Controlled zone. Figure 2 shows the example zones, traffic flows, and trust levels. The zones need not be restricted to a physical implementation; they can be logical zones spanning multiple environments, with a single zone existing as multiple instances.

| Zone | Example Purpose |
| --- | --- |
| Untrusted | The Untrusted zone covers networks, systems, environments, or organisations over whose security controls you have no control, hence no trust. Examples include traffic traversing the internet, or private networks whose data the organisation has no reason to trust. |
| Semi-Controlled | |
| Controlled | |
| Trusted | |
| Restricted | |
| Management | Systems involving perimeter management, systems management, network management, operations management, and security management. |

Table 1 - Zones

Subzones
Subzones are zones nested within a parent zone, where the parent zones are those listed in Table 1. Subzones provide a mechanism to further segment the network where additional risk mitigation is required. See Figure 3.
Environments
The Zones of Trust model defines a concept called an Environment. An Environment is the combination of hardware, software, and network resources working together for a particular purpose. Normally, environments are used to depict a particular phase of the IT service lifecycle (e.g., development, testing, pre-production, and production). Environments typically have different security controls and policies, and may have separate administrative and support owners. See Figure 3.
Compartments
Another concept in the Zones of Trust model is called a Compartment. A Compartment is a logical construct of associated subzones which span one or more zones (effectively a “vertical container” within the zone model). A Compartment provides a further mechanism for network-based security zoning, within an environment, based on certain criteria. For example, a line of business or highly regulated system which requires further isolation may be split into its own compartment consisting of Semi-Controlled, Controlled and Trusted subzones. Traffic within subzones of a Compartment may be less controlled than traffic between compartments. See Figure 3.

Now there are a few things to note about the model:
As you progress through to the more secure zones, you will get to a point, say the Restricted zone, where individual security controls can be reduced. This sounds counterintuitive, but realistically the Restricted zone is essentially a secure repository for sensitive data. The Restricted zone is generally accessed only through the Management zone, and data in and out of the Restricted zone is moved by systems in this zone carrying out push or pull operations, i.e., systems outside this zone never initiate connections into the Restricted zone. In addition, because the Restricted zone is primarily a data repository, you may find several security controls are not relevant to the traffic type. For example, if standard data transfer protocols such as SFTP or SCP are used to transfer data in and out of the Restricted zone, then a Web Application Firewall is not applicable. Whilst individual controls may be reduced, control is supplemented by the security policy permitting access only from the Management zone, and by data ingress and egress being carried out only over connections initiated by Restricted systems.
The Management zone is the only zone that can connect directly into other zones without flowing through another zone or series of zones. Not only can it initiate connections into other zones, but it can also receive connections from every zone except Untrusted. Wait a minute there! Do you mean that, by this definition, you can access the Management zone from the Semi-Controlled zone? This is a contentious point about the model. I have seen some implementations of this model where this is not allowed, and the systems in the Semi-Controlled zone then become, to a point, unmanaged and standalone systems. This makes them less secure, as we cannot easily manage these systems, especially in a timely manner. Note that the Semi-Controlled zone does not mean having little to no security controls. Because the Semi-Controlled zone accepts traffic from the Untrusted zone, we have less control over the originating systems. Any traffic coming from the Semi-Controlled zone into the Management zone should be restricted to traffic originating from your own systems within that zone, and be for the purpose of managing those systems and keeping them secure. It is essential to ensure systems in the Semi-Controlled zone are managed for greater security, and the way most software is designed today means it needs to talk bi-directionally with its management servers. In addition, the Management zone is the most trusted, secure zone in the model and should be able to deal with connections coming from the Semi-Controlled zone.
The Untrusted zone is allocated to networks and systems that we have absolutely no control over, such as the internet. One mistake I see organisations make is classing partner organisations that assist them in delivering products and/or services as Untrusted. If you are a responsible organisation, you will have a contractual agreement in place with numerous security clauses requiring compliance with the organisation’s security standards and security policies, industry security standards, and regular audits. A contract is in fact a contractual (administrative) security control, which means you have a level of trust in the organisation. So clearly the partner organisation is not Untrusted.
There is no predefined number of zones you should have in your ICT environment. The more zones you have, the more segmentation you can achieve, and with it greater security. This of course comes at the expense of cost, complexity, and management overhead. The five zones depicted in Table 1 will be sufficient for most organisations and provide the right balance.
By Security Truth
This is a really good read! Well Done.