Study Guide: Principles of Information Security: Zero Trust Architecture and Network Access Control (NAC)
Source: https://www.fatskills.com/first-aid/chapter/information-security-zero-trust-architecture-and-network-access-control-nac

Principles of Information Security: Zero Trust Architecture and Network Access Control (NAC)

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Zero Trust Architecture (ZTA) & Network Access Control (NAC) – Exam-Ready Study Guide


What This Is

Zero Trust Architecture (ZTA) is a security model that eliminates implicit trust—no user, device, or system is trusted by default, even inside the network perimeter. Network Access Control (NAC) enforces this by dynamically granting or denying access based on identity, device posture, and context. These concepts are critical because traditional perimeter-based security (e.g., firewalls, VPNs) fails against modern threats like lateral movement attacks (e.g., the 2020 SolarWinds breach, where attackers moved undetected across internal networks) or insider threats (e.g., a compromised contractor account exfiltrating data). ZTA + NAC reduces attack surfaces by enforcing least-privilege access and continuous authentication.


Key Terms & Concepts

  • Zero Trust (ZT): A security framework requiring explicit verification for every access request, regardless of location (NIST SP 800-207). No "trusted" internal network.
      • Example: Google’s BeyondCorp (2011) shifted from VPNs to identity-based access.

  • Network Access Control (NAC): A system that enforces security policies before allowing devices to connect to a network (e.g., Cisco ISE, Aruba ClearPass, Forescout).
      • Key functions: Authentication, posture assessment (e.g., up-to-date AV), and segmentation.

  • Least Privilege: Users/devices get only the minimum access needed to perform tasks (NIST AC-6).
      • Example: An HR employee can’t access finance servers.

  • Micro-Segmentation: Dividing a network into small, isolated segments to limit lateral movement (e.g., VMware NSX, Cisco ACI).
      • Example: A compromised IoT camera can’t reach database servers.

  • Continuous Authentication: Verifying identity throughout a session (not just at login) using behavioral biometrics, MFA, or risk scores (e.g., Okta, Duo).
      • Example: If a user’s typing speed changes suddenly, re-authenticate.

  • Software-Defined Perimeter (SDP): A ZTA approach where no network resources are exposed until authentication succeeds (Cloud Security Alliance).
      • Tools: Zscaler Private Access, Perimeter 81.

  • Identity-Aware Proxy (IAP): A gateway that grants access to apps based on user identity and context (e.g., Google IAP, Cloudflare Access).
      • Example: Only employees in the "Finance" group can access QuickBooks.

  • Device Posture Assessment: Checking a device’s security compliance (e.g., OS patches, AV status) before granting access (NIST IR 8374).
      • Example: A laptop with outdated Windows can’t access corporate email.

  • Just-In-Time (JIT) Access: Granting temporary, time-bound access to resources (e.g., CyberArk, BeyondTrust).
      • Example: A contractor gets 2-hour access to a server for maintenance.

  • Deperimeterization: The shift from perimeter-based security (firewalls) to identity-based access (ZTA).
      • Why? Cloud, remote work, and BYOD broke the old model.

  • MITRE ATT&CK T1550 (Use Alternate Authentication Material): Attackers steal tokens/cookies to bypass MFA. ZTA mitigates this via continuous monitoring.

  • OWASP API Security Top 10 (A2: Broken Authentication): APIs are a common ZTA attack vector; NAC can enforce API gateways (e.g., Kong, Apigee).


Step-by-Step: Implementing ZTA + NAC

1. Define the Protect Surface (Not the Attack Surface)

  • Action: Identify critical data, assets, and services (e.g., customer PII, payment systems, domain controllers).
  • Why? ZTA focuses on protecting what matters most (not the entire network).
  • Tools: NIST SP 800-160 (systems security engineering), MITRE ATT&CK for threat modeling.

2. Map Transaction Flows

  • Action: Document how data moves between users, devices, apps, and services (e.g., "HR accesses Workday via Okta").
  • Why? Helps design micro-segmentation and access policies.
  • Tools: Network diagrams, flow logs (AWS VPC Flow Logs, Zeek).

3. Deploy NAC for Device & User Authentication

  • Action:
      • Pre-admission: Check device posture (e.g., "Is Bitdefender running?").
      • Post-admission: Enforce dynamic access policies (e.g., "Contractors can’t access databases").
  • Tools: Cisco ISE, Aruba ClearPass, Forescout.
  • Example Policy: IF (User = "Finance" AND Device = "Corporate" AND AV = "Updated") THEN Grant Access TO "QuickBooks" ELSE Quarantine

4. Implement Micro-Segmentation

  • Action: Use software-defined networking (SDN) to create isolated segments (e.g., separate VLANs for HR, Finance, IoT).
  • Why? Limits lateral movement (e.g., ransomware can’t spread from a compromised workstation to servers).
  • Tools: VMware NSX, Cisco ACI, AWS Security Groups.

5. Enforce Continuous Authentication & Monitoring

  • Action:
      • MFA everywhere (e.g., push notifications, FIDO2).
      • Behavioral analytics (e.g., "Why is this user downloading 10GB of data at 3 AM?").
      • Automated response (e.g., revoke access if anomaly detected).
  • Tools: Okta, Duo, Microsoft Defender for Identity.

6. Adopt a "Never Trust, Always Verify" Policy

  • Action:
      • Default-deny access (explicit allow-lists).
      • Log and audit all access attempts (SIEM integration).
      • Assume breach (e.g., "If a server is compromised, can it reach other servers?").
  • Tools: Splunk, Elastic SIEM, Chronicle.
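The six steps above come together in a policy decision point. The toy one below is an added example written for this guide, not code from Fatskills or from any NAC vendor: it evaluates the guide's sample rule (Finance + corporate device + updated AV → QuickBooks, else quarantine) as a default-deny allow-list in the NAC order posture check → authentication → post-admission policy, audits every decision, and, because it runs on every request rather than once at login, a posture or location change mid-session flips the result. The attribute names (group, device_type, av_status, location, mfa) and the extra rules for HR and IT-Admins are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    """One access decision input: identity, device posture and context.
    Field names are assumptions for this example, not a vendor schema."""
    user: str
    group: str          # IdP group, e.g. "Finance", "HR", "IT-Admins"
    device_type: str    # "Corporate" (managed) or "BYOD"
    av_status: str      # posture attribute: "Updated" or "Outdated"
    location: str       # network context: "HQ" or "Remote"
    mfa: bool           # a current MFA assertion exists for this session
    resource: str       # protect-surface asset being requested

@dataclass(frozen=True)
class Rule:
    resource: str
    required: dict      # every attribute here must match for the rule to apply

# Explicit allow-list (step 6). The first rule is the guide's own example policy;
# the other two are constructed to show least privilege and location-dependent access.
ALLOW_LIST = [
    Rule("QuickBooks", {"group": "Finance", "device_type": "Corporate", "av_status": "Updated"}),
    Rule("Workday", {"group": "HR"}),
    Rule("DomainControllers", {"group": "IT-Admins", "device_type": "Corporate", "location": "HQ"}),
]

AUDIT_LOG = []  # every decision is recorded; a real deployment ships this to the SIEM

def decide(req):
    """Return "GRANT", "QUARANTINE" or "DENY" for one request, following the NAC
    workflow: pre-admission posture check -> authentication -> post-admission policy.
    Call it on every request, not just at login, so a posture or location change
    mid-session changes the decision (continuous authentication)."""
    if req.av_status != "Updated":              # failed posture -> remediation VLAN
        decision = "QUARANTINE"
    elif not req.mfa:                           # MFA everywhere (step 5)
        decision = "DENY"
    elif any(r.resource == req.resource
             and all(getattr(req, k) == v for k, v in r.required.items())
             for r in ALLOW_LIST):
        decision = "GRANT"
    else:                                       # default deny: no matching allow rule
        decision = "DENY"
    AUDIT_LOG.append(f"user={req.user} group={req.group} device={req.device_type} "
                     f"loc={req.location} mfa={req.mfa} resource={req.resource} -> {decision}")
    return decision

if __name__ == "__main__":
    decide(AccessRequest("alice", "Finance", "Corporate", "Updated", "HQ", True, "QuickBooks"))
    decide(AccessRequest("alice", "Finance", "Corporate", "Outdated", "HQ", True, "QuickBooks"))
    print("\n".join(AUDIT_LOG))
```

Running it prints one audit line per decision; the second call shows the same user being quarantined once the device's AV lapses.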

Common Mistakes

  • Mistake: Assuming VPNs = Zero Trust.
    Correction: VPNs create a trusted tunnel into the network. ZTA never trusts—even inside the VPN. Use SDP or IAP instead.
  • Mistake: Overlooking device posture.
    Correction: NAC isn’t just about who is connecting—it’s also about what is connecting (e.g., jailbroken phones, outdated OS).
  • Mistake: Static segmentation.
    Correction: Micro-segmentation must be dynamic (e.g., a user’s access changes if they move from HQ to a coffee shop).
  • Mistake: Ignoring APIs and cloud.
    Correction: ZTA applies to all access—not just users. APIs, containers, and serverless functions must also be authenticated (e.g., OAuth 2.0, SPIFFE).
  • Mistake: Forgetting legacy systems.
    Correction: Old systems (e.g., mainframes, SCADA) often can’t support modern ZTA. Use jump hosts or API gateways as a bridge.

Certification Exam Tips

CISSP

  • Focus: Governance, risk, and compliance (GRC)—ZTA is about policy enforcement, not just tech.
  • Tricky Question: "Which ZTA principle is violated if a user accesses a database without MFA?"
  • Answer: Explicit verification (CISSP loves testing NIST SP 800-207).
  • Management Trap: CISSP may ask about cost-benefit analysis of ZTA (e.g., "Is it worth the complexity?").

Security+

  • Focus: Technical implementation (e.g., NAC, segmentation, MFA).
  • Tricky Question: "Which NAC feature prevents a guest laptop with outdated AV from accessing the network?"
  • Answer: Posture assessment (Security+ tests real-world NAC use cases).
  • Port/Protocol Trap: Know that 802.1X (EAP) is used for port-based NAC.

CEH

  • Focus: Attacker perspective—how to bypass NAC/ZTA (e.g., MAC spoofing, ARP poisoning).
  • Tricky Question: "Which MITRE ATT&CK technique is used to bypass NAC by spoofing a trusted MAC address?"
  • Answer: T1040 (Network Sniffing) + T1556 (Modify Authentication Process).
  • Tool Trap: CEH may ask about NAC bypass tools (e.g., macchanger, Responder).

Quick Check Questions

1. A company implements NAC to block devices without up-to-date antivirus. Which ZTA principle does this enforce?

  • A) Least privilege
  • B) Explicit verification
  • C) Assume breach
  • D) Micro-segmentation
  • Correct Answer: B) Explicit verification
  • Explanation: NAC checks device posture before granting access, aligning with "never trust, always verify."

2. During a penetration test, an attacker bypasses NAC by spoofing a trusted MAC address. Which MITRE ATT&CK technique is this?

  • A) T1078 (Valid Accounts)
  • B) T1556 (Modify Authentication Process)
  • C) T1040 (Network Sniffing)
  • D) T1550 (Use Alternate Authentication Material)
  • Correct Answer: B) T1556 (Modify Authentication Process)
  • Explanation: MAC spoofing modifies how authentication is processed (NAC sees a "trusted" MAC).

3. A SOC analyst notices a user accessing a sensitive database from an unusual location. Which ZTA component should trigger an automated response?

  • A) Micro-segmentation
  • B) Continuous authentication
  • C) Identity-aware proxy
  • D) Software-defined perimeter
  • Correct Answer: B) Continuous authentication
  • Explanation: Behavioral anomalies (e.g., geolocation changes) should trigger re-authentication or access revocation.

Last-Minute Cram Sheet

  1. ZTA Core Principles (NIST SP 800-207):
      • Never trust, always verify (explicit verification).
      • Least privilege (minimum access).
      • Assume breach (micro-segmentation, monitoring).

  2. NAC Workflow:
      • Pre-admission (posture check) → Authentication → Post-admission (dynamic policies).

  3. Key NAC Tools:
      • Cisco ISE, Aruba ClearPass, Forescout, Microsoft NPS.

  4. Micro-Segmentation Tools:
      • VMware NSX, Cisco ACI, AWS Security Groups.

  5. ZTA Attack Vectors (MITRE ATT&CK):
      • T1556 (Modify Auth) = MAC spoofing.
      • T1078 (Valid Accounts) = Stolen credentials.
      • T1550 (Alternate Auth) = Session hijacking.

  6. Ports/Protocols:
      • 802.1X (EAP) = Port-based NAC.
      • RADIUS (1812/1813) = Authentication protocol for NAC.

  7. Exam Trap: ZTA ≠ VPN. VPNs extend the perimeter; ZTA eliminates it.

  8. OWASP API Security Top 10: ZTA applies to APIs (e.g., OAuth 2.0, API gateways).

  9. Cloud ZTA: Use SDP (Zscaler, Cloudflare) instead of VPNs for cloud access.

  10. Real-World Example: SolarWinds (2020) = Lateral movement due to lack of ZTA. Colonial Pipeline (2021) = VPN password reuse (ZTA would have enforced MFA).