NSA's Zero Trust CSI in an AWS VPC Context
3/8/2024
The NSA released a Cybersecurity Information Sheet (CSI) on March 5, 2024, entitled “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar.” The guidance is excellent and easy to follow. For me, it stems from two strategies I've used since the beginning of my career: defense in depth, and the principle of least privilege. As most of my network architecture experience is with production networks on AWS VPC, I wanted to share some thoughts in that context.
The CSI outlines four capabilities:
- Data flow mapping
- Macro segmentation
- Micro segmentation
- Software defined networking
What are some practical ways to achieve these capabilities on AWS?
Data flow mapping
Using your diagramming tool of choice (my go-to is draw.io with an AWS shape library), draw your VPC. Show every subnet, server, and load balancer, and indicate how data flows between them. Mark where data is encrypted in transit and where it is not. AWS encrypts traffic on its own network fabric (between Availability Zones and Regions, and between supported Nitro-based instances), but that protects against interception of the underlying network, not against a compromised host inside your VPC or a service that accepts plaintext connections. Inside your VPC, encrypting data in transit (TLS between tiers, TLS to your databases and caches) is up to you. Use Network Access Analyzer to confirm that the paths your diagram shows are the only paths your VPC actually permits; a diagram that omits a reachable path is worse than no diagram, because people trust it. As a side note, a data flow diagram is the starting point for building a threat model of the system you are protecting.
Macro segmentation
This means "breaking up a network into multiple discrete components." In an AWS VPC, for me, this means at least one subnet for each type of server: application servers in their own subnet, database servers in theirs, caching servers in theirs. Then you attach a separate NACL to each subnet, naming the specific ports and source and destination ranges allowed in and out. Two things trip people up here. First, if you use multiple subnets but leave the default NACL on all of them (it allows all traffic on all ports, in both directions), you have not achieved macro segmentation. Second, NACLs are stateless: an inbound allow for a service port is useless without a matching outbound allow for the ephemeral return ports (1024-65535) back to the same source, and a custom NACL starts with no allow rules at all, so anything you do not name explicitly is denied.
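As an added example (not code from the post), here is a small audit that applies those rules to data shaped like the output of `aws ec2 describe-network-acls` (or boto3's `describe_network_acls()["NetworkAcls"]`). It flags subnets still on the default NACL, any allow-all entry, and, because NACLs are stateless, inbound service-port rules that have no egress rule returning the ephemeral ports to the same source. The ACL IDs, subnet IDs, CIDRs and ports are constructed for the example and are not the post's network.

```python
"""Audit network ACLs for macro segmentation.

Input is shaped like `aws ec2 describe-network-acls`
(boto3: ec2.describe_network_acls()["NetworkAcls"]). The ACLs below are
constructed for this example, not taken from a real account.
"""
from __future__ import annotations
import ipaddress

EPHEMERAL = (1024, 65535)  # return-traffic ports a stateless NACL must let back out

DENY_ALL = [  # the implicit final '*' rule, as describe-network-acls reports it
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": e, "CidrBlock": "0.0.0.0/0"}
    for e in (False, True)]

def tcp(rule: int, egress: bool, cidr: str, lo: int, hi: int) -> dict:
    """Build one TCP allow entry in describe-network-acls shape."""
    return {"RuleNumber": rule, "Protocol": "6", "RuleAction": "allow", "Egress": egress,
            "CidrBlock": cidr, "PortRange": {"From": lo, "To": hi}}

SAMPLE_NACLS = [
    {"NetworkAclId": "acl-app", "IsDefault": False,
     "Associations": [{"SubnetId": "subnet-app-a"}],
     "Entries": [tcp(100, False, "10.0.0.0/24", 8443, 8443),   # lb tier -> app
                 tcp(100, True, "10.0.0.0/24", *EPHEMERAL),    # replies back to lb tier
                 tcp(110, True, "10.0.2.0/24", 5432, 5432),    # app -> db tier
                 tcp(110, False, "10.0.2.0/24", *EPHEMERAL)] + DENY_ALL},  # replies from db
    {"NetworkAclId": "acl-default", "IsDefault": True,         # default NACL left on the db subnet
     "Associations": [{"SubnetId": "subnet-db-a"}],
     "Entries": [{"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": e, "CidrBlock": "0.0.0.0/0"}
                 for e in (False, True)] + DENY_ALL},
    {"NetworkAclId": "acl-cache", "IsDefault": False,          # 6379 allowed in, replies forgotten
     "Associations": [{"SubnetId": "subnet-cache-a"}],
     "Entries": [tcp(100, False, "10.0.1.0/24", 6379, 6379)] + DENY_ALL},
]

def entry_ports(entry: dict) -> tuple[int, int]:
    """Port range an entry matches; protocol -1 means every port."""
    if entry["Protocol"] == "-1":
        return (0, 65535)
    pr = entry.get("PortRange", {})
    return (pr.get("From", 0), pr.get("To", 65535))

def covers(outer: tuple[int, int], inner: tuple[int, int]) -> bool:
    return outer[0] <= inner[0] and outer[1] >= inner[1]

def returns_to(outbound: list[dict], inbound: dict) -> bool:
    """True if some egress allow sends the ephemeral range back to the inbound rule's source."""
    src = ipaddress.ip_network(inbound["CidrBlock"])
    return any(o["Protocol"] == inbound["Protocol"]
               and covers(entry_ports(o), EPHEMERAL)
               and ipaddress.ip_network(o["CidrBlock"]).supernet_of(src)
               for o in outbound if o.get("CidrBlock"))

def audit_nacls(nacls: list[dict]) -> list[str]:
    findings = []
    for acl in nacls:
        acl_id = acl["NetworkAclId"]
        subnets = ", ".join(a["SubnetId"] for a in acl.get("Associations", []))
        if not subnets:
            continue                       # unattached ACL, nothing to protect
        if acl.get("IsDefault"):
            findings.append(f"{acl_id}: default NACL still associated with {subnets}")
        allows = [e for e in acl["Entries"] if e["RuleAction"] == "allow"]
        if any(e["Protocol"] == "-1" and e.get("CidrBlock") == "0.0.0.0/0" for e in allows):
            findings.append(f"{acl_id}: allow-all entry present, {subnets} not segmented")
            continue
        outbound = [e for e in allows if e["Egress"]]
        for e in allows:
            if e["Egress"] or e["Protocol"] not in ("6", "17") or not e.get("CidrBlock"):
                continue
            lo, hi = entry_ports(e)
            if covers((lo, hi), EPHEMERAL):
                continue                   # this entry is itself a return-traffic rule
            if not returns_to(outbound, e):
                findings.append(f"{acl_id}: rule {e['RuleNumber']} admits {e['CidrBlock']} to {lo}-{hi} "
                                f"but no egress rule returns ports {EPHEMERAL[0]}-{EPHEMERAL[1]} to it")
    return findings

if __name__ == "__main__":
    for finding in audit_nacls(SAMPLE_NACLS):
        print("FINDING", finding)
```

Run against the sample, the app subnet passes, the database subnet is flagged twice (default NACL, allow-all), and the cache subnet is flagged because Redis replies would be dropped on the way out. To run it on a real account, replace `SAMPLE_NACLS` with the `NetworkAcls` list from boto3 or the CLI.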
Micro segmentation
The idea here is to "limit how data flows laterally through strict access policies." For me, this is about security groups. Note this line from the CSI: "employees in the same department should not have access to each other's resources unless explicitly required." Let's rewrite that in an AWS VPC context: "servers in the same subnet should not have access to each other's resources unless explicitly required." Do your application servers need to talk to each other? Probably not. So apply a security group to your instances and clearly define what should be connecting to them, what they should be connecting to, and on what ports. Two details matter in practice. The default security group allows all inbound traffic from other members of the same group, which is exactly the lateral path you want closed, so give each tier its own group with no self-referencing rule unless the workload genuinely needs one (a cluster protocol, for instance). And express sources as security group IDs rather than subnet CIDRs (allow 8443 from the load balancer's group, 5432 from the application group): a CIDR admits every address in the range, while a group reference admits only the role. Remember: this is about lateral movement. If a threat actor has a foothold on one of your servers, they should not be able to move laterally to compromise an unlike server (macro segmentation) nor a like server (micro segmentation).
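As an added example (not code from the post), the following serves both the data flow mapping and micro segmentation sections: it reads security groups shaped like `aws ec2 describe-security-groups` (boto3's `describe_security_groups()["SecurityGroups"]`), derives the flow map the ingress rules actually encode, and flags the rules that defeat micro segmentation: self-references, all-protocol rules, internet exposure on anything not allowlisted as internet-facing, and private CIDR sources where a group reference belongs. The group IDs, ports and CIDRs are constructed for the example.

```python
"""Audit security groups for micro segmentation and derive the flow map they encode.

Input is shaped like `aws ec2 describe-security-groups`
(boto3: ec2.describe_security_groups()["SecurityGroups"]). The groups below are
constructed for this example, not taken from a real account.
"""
from __future__ import annotations
import ipaddress

SAMPLE_GROUPS = [
    {"GroupId": "sg-lb", "GroupName": "lb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "GroupName": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-lb"}]},
        # self-reference on every protocol: each app server can reach every other one
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    {"GroupId": "sg-db", "GroupName": "db", "IpPermissions": [
        # the whole VPC CIDR instead of the app tier's group
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-cache", "GroupName": "cache", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

def ports(perm: dict) -> tuple[str, int, int]:
    """Protocol and port range of a permission; '-1' means every protocol and port."""
    if perm["IpProtocol"] == "-1":
        return ("all", 0, 65535)
    return (perm["IpProtocol"], perm.get("FromPort", 0), perm.get("ToPort", 65535))

def flows(groups: list[dict]) -> list[tuple[str, str, str, int, int]]:
    """(source, destination group, protocol, from, to) for every ingress rule.

    The source is a security group ID or a CIDR. This is the flow map your
    rules actually implement, to compare against the diagram you drew.
    """
    edges = []
    for g in groups:
        for perm in g["IpPermissions"]:
            proto, lo, hi = ports(perm)
            sources = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
            edges += [(src, g["GroupId"], proto, lo, hi) for src in sources]
    return edges

def audit_security_groups(groups: list[dict],
                          internet_facing: frozenset[str] = frozenset()) -> list[str]:
    """Flag ingress rules that defeat micro segmentation.

    `internet_facing` names groups (public load balancers) allowed to accept 0.0.0.0/0.
    """
    findings = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g["IpPermissions"]:
            proto, lo, hi = ports(perm)
            where = f"{gid} {proto} {lo}-{hi}"
            if proto == "all":
                findings.append(f"{where}: rule spans every protocol and port; name the ports")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] == gid:
                    findings.append(f"{where}: self-reference lets like servers reach each other")
            for r in perm.get("IpRanges", []):
                cidr = r["CidrIp"]
                if cidr == "0.0.0.0/0":
                    if gid not in internet_facing:
                        findings.append(f"{where}: open to the internet")
                elif ipaddress.ip_network(cidr).is_private:
                    findings.append(f"{where}: {cidr} is a private range; "
                                    f"reference the calling tier's group instead")
    return findings

if __name__ == "__main__":
    for edge in flows(SAMPLE_GROUPS):
        print("%-12s -> %-9s %s %d-%d" % edge)
    for finding in audit_security_groups(SAMPLE_GROUPS, internet_facing=frozenset({"sg-lb"})):
        print("FINDING", finding)
```

The flow list is the cheapest way I know to catch a diagram that has drifted from reality: every edge it prints should appear on the drawing, and every arrow on the drawing should appear in the list. The audit then explains why the application tier (self-reference), the database tier (VPC-wide CIDR) and the cache tier (SSH from anywhere) would not survive a foothold on a neighbouring server.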
Software defined networking (SDN)
This is done for you when using AWS VPC. Quoting from the CSI: "SDN enables the control of packet routing by a centralized control server via a distributed forwarding plane, provides additional visibility into the network, and enables unified policy enforcement." That is exactly what AWS VPC provides: route tables, NACLs and security groups are all objects managed through one API, and AWS enforces them on the forwarding plane for you. This allows you to take an Infrastructure as Code approach to managing your network, which also means every rule change is reviewable before it is applied and drift from the approved state is detectable. Personally, I use the AWS provider for Terraform for this. Lastly, enable VPC Flow Logs to capture traffic moving through your network. They record the addresses, ports, protocol, byte counts and the ACCEPT or REJECT decision for each flow, not payload, which is exactly the data you need to confirm that observed flows match your data flow map and that rejections happen where your NACLs and security groups say they should. Use the alerting capabilities provided by GuardDuty and Detective to flag anomalies for follow up.
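As an added example (not code from the post), here is the check I would run over those flow logs: parse default-format (version 2) records, map each address to a tier subnet, and report every intra-VPC flow that is not on the data flow map, keeping REJECT records because they show a NACL or security group doing its job against a flow the map never allowed. The log lines, tier subnets and expected-flow table are constructed for the example; in practice the table is your diagram written down.

```python
"""Check VPC Flow Log records against the data flow map.

Records are in the default (version 2) flow log format. The log lines, the
tier subnets and the expected-flow table below are constructed for this
example; in practice the table comes from your own data flow diagram.
"""
from __future__ import annotations
import ipaddress

TIERS = {  # one subnet per tier (constructed addresses)
    "lb": ipaddress.ip_network("10.0.0.0/24"),
    "app": ipaddress.ip_network("10.0.1.0/24"),
    "db": ipaddress.ip_network("10.0.2.0/24"),
    "cache": ipaddress.ip_network("10.0.3.0/24"),
}
# Flows the diagram says are legitimate: (source tier, destination tier, destination port).
EXPECTED_FLOWS = {("lb", "app", 8443), ("app", "db", 5432), ("app", "cache", 6379)}

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.0.15 10.0.1.20 49152 8443 6 12 3400 1709856000 1709856060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.0.15 8443 49152 6 10 8800 1709856000 1709856060 ACCEPT OK
2 123456789012 eni-0a1b2c3e 10.0.1.20 10.0.2.30 51000 5432 6 8 1200 1709856000 1709856060 ACCEPT OK
2 123456789012 eni-0a1b2c3e 10.0.1.20 10.0.1.21 52000 22 6 3 180 1709856000 1709856060 ACCEPT OK
2 123456789012 eni-0a1b2c3f 10.0.1.21 10.0.3.40 53000 22 6 1 60 1709856000 1709856060 REJECT OK
2 123456789012 eni-0a1b2c3f - - - - - - - 1709856000 1709856060 - NODATA
"""

def parse_record(line: str) -> dict | None:
    """Split one default-format record; None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None

def tier_of(addr: str) -> str | None:
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in TIERS.items() if ip in net), None)

def unexpected_flows(lines: list[str]) -> list[tuple[str, str, int, str]]:
    """(src tier, dst tier, dst port, action) for intra-VPC flows absent from the map.

    A record whose source port is a mapped service port is the reply leg of a
    mapped flow and is not judged on its own. REJECT records are kept: they show
    a NACL or security group blocking a flow the map does not allow, which is
    both the segmentation working and a host trying to go where it should not.
    """
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst = tier_of(rec["srcaddr"]), tier_of(rec["dstaddr"])
        if src is None or dst is None:
            continue  # traffic to or from outside the VPC is out of scope here
        sport, dport = int(rec["srcport"]), int(rec["dstport"])
        if (dst, src, sport) in EXPECTED_FLOWS:
            continue  # reply leg of a mapped flow
        if (src, dst, dport) not in EXPECTED_FLOWS:
            out.append((src, dst, dport, rec["action"]))
    return out

if __name__ == "__main__":
    for src, dst, port, action in unexpected_flows(SAMPLE_LOG.splitlines()):
        print(f"{action:6} {src} -> {dst}:{port} not in data flow map")
```

On the sample, the load balancer to application and application to database flows are silent, the SSH session accepted between two application servers is reported (a micro segmentation gap), and the SSH attempt from the application tier to the cache tier is reported as a REJECT (macro segmentation holding). If you use a custom flow log format, adjust `FIELDS` to match the field order you chose.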
Concluding thoughts
The CSI is about zero trust maturity. Read the whole information sheet, determine what level of maturity corresponds to your network for each of the four capabilities, and perform a gap analysis to identify how to get to the next level of maturity. Just using a cloud provider like AWS will not make your network secure. Proper application of the strategy of defense in depth and the principle of least privilege will help you architect zero trust networks.