Adopting PUF to Implement Zero Trust Architecture

The Executive Order issued by the US White House on May 12, 2021, requires the federal government to modernize its approach to cybersecurity by advancing toward Zero Trust Architecture (ZTA) [1].

A physically unclonable function (PUF) is a key technology that supports the identity-centric policy model of ZTA. A PUF enables inborn ID and self-generated keys within a semiconductor for security services that can facilitate device identification, authentication, encryption and platform integrity verification.

This article gives a comprehensive overview of Zero Trust and its implications for PUF based Hardware Security.

Introduction to ZTA Model

Zero Trust is a new security model which requires strict identity verification: i.e., “never trust, always verify”, “explicit permission” and “least privilege” for every user and device trying to access resources on an enterprise’s network, regardless of whether an entity (human or machine) is within the network or accessing the network remotely. A detailed discussion of Zero Trust can be found in footnotes [2,3,4].

The five foundational technology components for ZTA are as follows:

1. Identity and Access Management (IAM): IAM systems are used by ZTA to authenticate entities and as a source of context for making policy decisions. ZTA must enforce a dynamic context-based policy to manage factors such as devices used, asset status and environmental attributes, and so a strong identity governance and administration strategy for both human and machine identities plus a more adaptive authentication must be in place. Cryptographical keys and digital certificates are generally used for machine identities. A hardware-based root-of-trust (RoT) device like Trusted Platform Module (TPM) or Hardware Security Module (HSM) is used for secure certificate and key management.      
2. Multi-Factor Authentication (MFA): MFA requires two or more factors/credentials (i.e., authentication information) to verify users’ identity. MFA helps make informed access control decisions and is the cornerstone of ZTA for verification of human identity.
3. Privileged Access Management (PAM): PAM allows organizations to enforce the principle of least privilege. Thus, PAM technology can add an extra layer of security to protect the organization’s sensitive information.  
4. Micro-Segmentation: Micro-segmentation is the practice of using security perimeters to compartmentalize small zones with separate access for parts of a network. Micro-segmentation facilitates tighter networking controls, a critical functionality to enhance visibility and help prevent attackers from moving laterally across the network in ZTA.
5. Software Defined Perimeter (SDP): A SDP is a zero-trust alternative to virtual private networks (VPN) for secure remote access to any application, located anywhere. SDPs require endpoints to authenticate and gain authorization before obtaining network access. Encrypted connections are created in real time between requesting systems and application infrastructure. In ZTA, an identity-based solution is needed for micro-segmentation so that ZTA makes decisions based on information such as device type, location and ownership.

In summary, Zero Trust is a holistic model for securing network, application, and data resources, with a focus on providing an identity-centric policy model for controlling access.

Zero Trust Implementation Strategies

Experts remain undecided on the best strategy to implement Zero Trust for all organizations. Google’s BeyondCorp system and Microsoft’s internal implementation of the ZTA model are two best-practice implementations. Since BeyondCorp is an internal Google program and platform that’s unavailable for licensing or re-use, Microsoft provides the best example.

Microsoft uses the internet as the default network with strong identity, device health enforcement and least privilege access to implement ZTA. The company identified four core scenarios and used a combination of four pillar technologies to help achieve different goals. The technologies recommended include: “verify identity”, “verify device”, “verify access” and “verify service” [6].

There are seven successful Zero Trust strategies [7] for implementing controls and technologies across all foundational elements including identities, devices, applications, data, infrastructure, and networks:

1. Use identities to control access.
2. Elevate authentication.
3. Incorporate password-less authentication.
4. Segment corporate network.
5. Secure devices.
6. Segment applications.
7. Define roles and access controls.

PUF

A Root-of-Trust (RoT) is a set of hardware functions that are trusted by a device’s operating system. A RoT contains keys for cryptographic functions and enables a secure boot process.

A PUF works like a semiconductor “fingerprint” providing a unique identity for a chip with tamper-proof qualities for secure authentication. As an excellent source of high entropy, a PUF can generate a unique intrinsic identity that lasts the life of a chip. A PUF can provide a strong RoT for security measures (e.g. firmware signing), as well as device identification/authentication to assure a given chip/device is genuine. For this reason, a chip-based PUF can provide a strong foundation for security [8].

Lessons Learned

Security leaders say it’s best to implement ZTA in a phased approach that targets specific areas by layering new functions on top of existing security infrastructure components, eliminating the need to scrap earlier investments. Once an organization has built confidence, they can extend ZTA throughout the digital estate, while embracing it as an integrated security philosophy and end-to-end strategy [7,9].

Vendor surveys show [9,10] the top ZTA solutions include technologies, policies and processes that authenticate user access, segment and manage access to data and continuously monitor the organization’s network for malicious network activity. Most vendors check users by MFA and shun VPNs in favor of micro-segmentation and authentication throughout the network. Most zero-trust vendors offer either purely software-based or software-centric solutions for key features such as authentication methods, policies, monitoring and reports. 

However, Google and Microsoft require hardware as a fundamental part of ZTA [4,6,11]. Microsoft implemented MFA using smart cards to control administrative access to servers, while Google requires a corporate-issued certificate stored in each device’s TPM.

Based on NIST IR8320 [12], hardware-enabled security technologies such as RoT, HSM, TPM, Chain of Trust (CoT) for data protection and confidential computing are necessary to improve server platform security and data protection for cloud and edge computing. The same hardware security should be adopted to implement ZTA as well.

Adopt PUF in ZTA Implementation

The value that a PUF adds to ZTA is as follows:

1. Provides a unique device identifier for secure authentication of a chip.
2. Performs secure key generation and storage and serves as a reliable source of randomness — a holy grail of HRoT for electronic systems.
3. Provides a foundation for verifying the authenticity of data and identifying devices as well as an effective and efficient encryption method to provide secure communication between IoT/5G nodes.
4. Helps implement IAM and TPM components for ZTA model.
5. Adds essential support for the mainstream “SDP approach” to ZTA because PUFs can support strong endpoint device identification and authentication for network access control while providing secure cryptographic keys for creating encrypted connections in real time within an entity-and-application infrastructure.

Therefore, hardware-anchored security like PUF is critical to support ZTA.

The device ID and keys provided by eMemory’s NeoPUF IP solutions [13] can improve security and data protection for server and end-device platforms as part of Microsoft’s three pillars of ZTA — “Verify identity”, “Verify device” and “Verify access”.

Conclusions

Using identities to control access is the central concept of ZTA. PUF supports the “identity-centric policy model” by providing a secure foundation with functions like non-forgeable user identities and credentials, robust authentication and secret keys for code signing, as well as secure boots, updates and access controls.

The path to Zero Trust starts with identity. A PUF-based HRoT and key management approach are central to every ZTA program.

References

1. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ 
2. Zero Trust Architecture (nist.gov)
3. What is a Zero Trust Architecture – Palo Alto Networks
4. Garbis, Jason and Chapman, Jerry “Zero Trust Security- An Enterprise Guide”, ISBN-13 (pbk): 978-1-4842-6701-1 published by Apress 2/26/2021
5. CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF (defense.gov)
6. Implementing a Zero Trust security model at Microsoft
7. Zero Trust: 7 adoption strategies from security leaders – Microsoft Security
8. Hsu, Charles, “A Must for AI/IOT Era PUF based Hardware Security”, A keynote speech to The 30th VLSI Design/CAD Symposium, 8/8/2019.
9. The 10 Hottest Zero-Trust Vendors To Watch In 2021 (crn.com)
10. The Top 10 Zero Trust Security Solutions | Expert Insights
11. Zero trust 2.0: Google unveils BeyondCorp Enterprise (techtarget.com)
12. Draft NISTIR 8320, “Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases”, May 2021, NCCoE, NIST https://doi.org/10.6028/NIST.IR.8320-draft
13. Run by Chips, Secured with Chips – Hardware Security with NeoPUF solutions (design-reuse.com)